This article is also available in:
Deutsch: Erste Abstimmung im EU-Parlament über PNR-Abkommen mit den USA
The latest chapter in the collection and processing of passenger data to cover all flights arriving in and departing from the US was opened when, in 2011, the European Commission tabled a renegotiated proposal for an air passenger data agreement with the US. After the attacks of 9/11, the US Government required access to travellers' personal data contained in the databases of all foreign carriers. In 2006, however, the first agreement was annulled by the European Court of Justice and since then, each new proposal (in 2007 and 2011) has been characterised by tense negotiations between and within EU institutions. Sufficient and adequate protection of personal data of European citizens and the alleged need for such a wide-scale transfer of personal data have become the core of the debate once again.
At the beginning of February 2012, Dutch liberal MEP Sophie In't Veld urged the European Union to reject the Agreement. Her demand is not altogether surprising, given that nearly all of the demands of the European Parliament in its resolutions adopted in 2010 have been ignored in the proposed Agreement, for instance:
a. The retention period has not been reduced. PNR data will be stored for 15 years (out of which 10 in a "dormant" database) and then will be "fully anonymised" rather than deleted.
b. The European Parliament has asked that PNR data "shall in no circumstances be used for data mining or profiling". However, these uses have not been excluded in the agreement.
c. The agreement does not provide for sufficient protections and rights for citizens. According to US organisation Friends of Privacy: "Europeans cannot, as the agreement suggests, obtain independent and adequate relief from unlawful actions by the US Executive Branch (USG) by appealing those decisions under the Administrative Procedures Act (the APA)."
The Article 29 Working group pointed out in its letter to the LIBE committee dated 6 January 2012 that, in order to make "PNR data of all (...) passengers - nearly all of them being innocent and unsuspected citizens - available to foreign law enforcement agencies", irrefutable proof is required to show that the agreement is necessary and proportionate. So far however, the Commission has failed to credibly argue, let alone prove, that the use of PNR data is necessary and proportionate in order to combat terrorism effectively.
The Commission has also failed to provide the Parliament with systematic evidence and the Privacy Impact Assessment that it requested. Despite Commissioner Malmström's repeated statements that the Agreement has been significantly improved, there is no evidence to support this claim.
Another worrying point is the attempt to legitimise current illegal processing of European data by companies on which US jurisdiction is being imposed. According to a Department of Homeland Security (DHS) testimony to Congress, 5 October 2011, an Agreement is crucial "to protect US Industry partners from unreasonable lawsuits, as well as to reassure our allies, DHS has entered into these negotiations."
On 27 March 2012, the Civil Liberties Committee (LIBE) of the European Parliament will vote for or against a new text for an Agreement for the transfer of passenger data (PNR) to the USA. If the European Parliament manages to remain consistent with its earlier positions and decides to reject the new text, the Commission would have to renegotiate and the 2007 PNR agreement would continue to be provisionally in force.
EDRi Comments on the PNR Agreement with the USA (01.2012)
Sophie In't Veld's Draft Recommendation (1.02.2012)
Statewatch's Comparison between the PNR Agreements 2004 - 2007 - 2011
Letter by the Article 29 Data Protection Working Party to the LIBE
Friends of Privacy Opinion (26.12.2011)
Contact your MEP on the PNR vote (only in German)
No PNR mail campaign
(Contribution by Kirsten Fiedler - EDRi)
This article is also available in:
Deutsch: Dänischer Kinderpornographiefilter sperrt Google und Facebook
On the morning of 1 March 2012, about 8000 websites, including Google and Facebook, were blocked by the Danish child pornography (CP) filter. When the customers of the affected ISPs, Siminn Denmark and Tele Greenland, made Google searches or accessed their Facebook pages, they were met by the STOP page for the Danish CP filter. The STOP page warns people that they are trying to access websites with CP content, and that even viewing such content is illegal under Danish law.
The Danish CP filter is implemented using DNS hijacking (DNS redirection). The participating ISPs (which are all mainstream ISPs with private customers in Denmark) receive a list of domains to be blocked from the Danish police, and the ISPs implement this list in their DNS resolvers. This is done in a completely automatic process, and the ISPs believe that the Danish police are responsible for the domains on the blocking list (although the police usually claim that they are merely providing a "service" to the ISPs, so the legal ramifications of who is responsible for what remain unclear).
The police made a serious error when they added the 8000 legitimate domains to the blocking list, including google.com and facebook.com. The error only affected two smaller ISPs in Denmark, because they were the first to do the daily CP list update on their DNS resolvers, but this was sheer luck. It could just as well have affected TDC, the largest Danish ISP. The vigilant technical support staff at Siminn Denmark immediately alerted the Danish police about the error, so that the blocking list was not pushed to the rest of the Danish ISPs.
The Danish police have issued a public statement about their error and made some comments to journalists. A police officer was investigating a number of websites, and by accident he copied the list with 8000 legitimate domains to a file directory that was used for updating the CP domain blocking list. The human error combined with sloppy procedures escalated into something that can almost be described as a "kill switch" for the Internet in Denmark. Attempts to censor the Internet always create an artificial single point of failure.
The Danish police in a press statement assured the public that they would implement additional checks in their updating procedures, so that this error cannot happen again. However, it is not the first time that the Danish police have added legitimate domains to the CP block list.
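A sketch of the kind of pre-deployment check an ISP could place in front of the automatic resolver update described above. This is an added example, not the procedure of the Danish police or of any ISP; the protected-domain list, the thresholds and all function names are assumptions, and the sample lists are constructed.

```python
"""Guard for a DNS blocking-list update: validate before touching the resolver."""
import re
from dataclasses import dataclass, field

# Assumption: domains the operator never wants redirected to the STOP page.
PROTECTED = {"google.com", "facebook.com"}
MAX_ADDED = 50      # assumed ceiling on new entries in one daily update
MAX_GROWTH = 0.25   # assumed ceiling on growth relative to the active list

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(line):
    """Strip comments, whitespace and a trailing dot; lower-case; None if blank."""
    name = line.split("#", 1)[0].strip().lower().rstrip(".")
    return name or None


def is_valid_domain(name):
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(LABEL.match(label) for label in labels))


def touches(blocked, protected):
    """True if the entry equals, contains or sits beneath a protected domain."""
    return (blocked == protected
            or protected.endswith("." + blocked)
            or blocked.endswith("." + protected))


@dataclass
class Verdict:
    accept: bool
    reasons: list = field(default_factory=list)
    added: int = 0
    removed: int = 0


def check_update(previous_lines, candidate_lines, protected=PROTECTED,
                 max_added=MAX_ADDED, max_growth=MAX_GROWTH):
    """Compare a candidate list with the active one and decide whether to deploy."""
    prev = {n for n in map(normalise, previous_lines) if n}
    cand = {n for n in map(normalise, candidate_lines) if n}
    added, removed = cand - prev, prev - cand
    reasons = []

    if prev and not cand:
        reasons.append("candidate list is empty (truncated or wrong file?)")

    invalid = sorted(n for n in cand if not is_valid_domain(n))
    if invalid:
        reasons.append(f"{len(invalid)} malformed entries, e.g. {invalid[0]!r}")

    hits = sorted({b for b in cand for p in protected if touches(b, p)})
    if hits:
        reasons.append("protected domains affected: " + ", ".join(hits))

    # Allow whichever is larger: the absolute or the relative ceiling.
    limit = max(max_added, max_growth * len(prev))
    if len(added) > limit:
        reasons.append(f"{len(added)} new entries exceeds limit of {int(limit)}")

    return Verdict(not reasons, reasons, len(added), len(removed))


def apply_update(previous_lines, candidate_lines):
    """Return (list to load into the resolver, verdict); keep the old list on reject."""
    verdict = check_update(previous_lines, candidate_lines)
    chosen = candidate_lines if verdict.accept else previous_lines
    return sorted({n for n in map(normalise, chosen) if n}), verdict


# Constructed sample data: a small active list, a routine update, and an update
# that mirrors the incident (8000 unrelated domains copied into the update file).
PREVIOUS = [f"blocked-{i}.example" for i in range(1, 6)]
ROUTINE = PREVIOUS + ["blocked-6.example", "Blocked-7.Example."]
INCIDENT = (PREVIOUS + [f"site-{i}.example" for i in range(7998)]
            + ["google.com", "facebook.com"])

if __name__ == "__main__":
    for label, candidate in (("routine", ROUTINE), ("incident", INCIDENT)):
        active, verdict = apply_update(PREVIOUS, candidate)
        print(label, "accepted" if verdict.accept else "REJECTED",
              f"+{verdict.added}/-{verdict.removed}", len(active), "active")
        for reason in verdict.reasons:
            print("   ", reason)
```

A rejected update leaves the previously active list in place and returns the reasons, so the operator can query the list's supplier before anything reaches the resolvers.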
In 2010 AK Zensur thoroughly examined 167 internet domains that were blocked in Denmark and Sweden. Only three domains contained CP pictures, and two of those were found on the Danish CP list leaked to Wikileaks in 2008. This means that the websites had been on-line for more than two years, despite the fact that the Danish police had investigated the sites and put them on the Danish CP block list in 2008 or earlier. AK Zensur was able to take down the three CP websites by sending a few emails to the hosting providers. If the Danish police are just adding domains to the CP block list, without taking any further action, they are providing a "valuable" early-warning system to the organized crime organizations that are behind the distribution of CP content.
The EDRi-member IT-Political Association of Denmark (IT-Pol) has fought the Danish CP filter since its inception in 2006. Officially, it is voluntary for Danish ISPs to participate in the blocking scheme, but it is well known that the Danish government has threatened legislation if the ISPs did not ("voluntarily") implement a blocking scheme for alleged CP content. In reality, the blocking scheme is mandatory, but unlike blocking of websites with copyright infringing material (another Danish speciality), the CP filter is updated without any oversight from the courts, and even the number of domains on the list is kept secret by the Danish police. Participating ISPs have to sign a contract requiring them not to distribute the CP domain list to anyone. On 1 March 2012 the Danish police even refused to confirm that Google and Facebook were affected by the block, but this is known from the complaints received by the customer service department of Siminn Denmark.
Official statement by the Danish police (only in Danish, 1.03.2012)
A human error blacklisted in the morning 8000 innocent websites (only in
Wrong file folder: The police blocked Facebook (only in Danish, 1.03.2012)
Facebook blocked by the child porn filter (only in Danish, 1.03.2012)
Blocked for two years, then taken down in just 30 minutes - a disastrous
result of Internet Blocking policy (30.09.2010)
(Contribution by Jesper Lund - EDRi-member IT-Pol Denmark)
This article is also available in:
Deutsch: Bündnis für ein kindersicheres Internet
Following an invitation by Commissioner Kroes in the summer of 2011, and founded on 1 December 2011, the CEO "Coalition to make the Internet a better place for kids" covers the whole industry value-chain. Its 30 members include Apple, BSkyB, BT, Dailymotion, Deutsche Telekom, Facebook, France Telecom - Orange, Google, Hyves, KPN, Liberty Global, LG Electronics, Mediaset, Microsoft, Netlog, Nintendo, Nokia, Opera Software, Research In Motion, RTL Group, Samsung, Skyrock, Stardoll, Sulake, Telefonica, TeliaSonera, Telecom Italia, Telenor Group, Tuenti, Vivendi and Vodafone.
Its statement of purpose and working plan mentions five working areas: simple tools for users to report harmful content and contact, age-appropriate privacy settings, wider use of content classification, wider availability and use of parental controls and the effective take down of child abuse material.
The CEO Coalition has recently opened itself to interested third parties. During the last two weeks, consultations have been held on all five working areas. Of course, from the viewpoint of the civil society, having such a big part of industry working for child online safety appears laudable, but there are some significant points where this endeavour could fail. At the moment, the Commission is putting a lot of pressure on the industry to come up with "results". For example, in the session about effective takedown of child abuse material (CAM), a Commission representative went as far as complaining about the resistance he perceives, complaining there was too much talk about civil rights and too little talk about what can be done. The only problem with the Commission's demand for "effective" takedown of child abuse material is that it has (and it confirmed this in response to a parliamentary question) failed dismally to provide any evidence whatsoever that takedown is not functioning effectively already. This failure is all the more abject when we consider that it has paid for statistics to be prepared.
Also, the Commission representative felt it necessary to point out of course that member states cannot force access providers to use deep packet inspection (DPI) but, of course, access providers could do so "voluntarily". It seems long overdue for the Commission's legal service to assess the appropriateness of promoting "voluntary" adoption of measures that would be in contravention of the Charter and the ECJ cases Scarlet/Sabam, Netlog/Sabam if implemented in law. As a side note, the Commission is now seeking to create new meanings for "takedown" and "removal" of illegal or allegedly illegal online content, with "removal" meaning definitive removal of specific content from all locations on the Internet, even though this interpretation was never discussed during the preparation of the recently adopted child abuse Directive where this issue is regulated. The "efficient takedown" emphasis totally overlooks the fact that takedown is the removal of a symptom - unconfirmed reports from the US suggest that as many as 80% of takedowns of allegedly criminal child abuse websites are not followed up by a police investigation. The EU does not collect statistics on this point. So instead of fighting the abuse that is the source of such images, this policy, on its own, serves only to hide the representation of the abuse. This approach is similar to what tends to happen in families where abuse happens, where everybody prefers to look away rather than act, putting all the energy into denial instead of helping the child victim.
The whole process is also burdened by political baggage that pre-dates its launch. From the outside, it looks as if, at the moment, the Commission's Safer Internet Unit appears to be under pressure both to resolve the quite deep problems that developed before its current management took over and to produce "something" before the end of the term of office of the current Commission. The most obvious approach would have been to collect the experiences from different countries regarding the problems identified and the outcomes of various options that have so far been tried.
At the same time the Coalition appears to have a lack of focus on specific, known problems that might need to be solved. Instead, each discussion appears to start from scratch, as if no experience existed. For example, the action on reporting tools led to discussions about the style and placement of reporting buttons, but to no discussions about how the reports, especially of harmful content and bullying, are to be dealt with. In light of recent revelations about how Facebook deals with reports of potentially harmful content, this is a very serious matter, regardless of the Commission's unwillingness to speak about civil liberties issues.
The pressure to deliver "something" risks putting the CEO Coalition into a mode where it just wants to deliver anything. This creates the setting where frankly idiotic proposals, such as a scanning of all Windows computers for criminal content (child abuse material in this case) initiated by the automatic updates process or the proposal to whitelist the whole of the European web, came up. Unfortunately, the Iranian and Chinese governments were not asked to send delegates to the meeting, to explain how this can be done most effectively.
One could also get the impression that part of the coalition's membership is still trying to find out what this exercise is all about (especially as many see it as a reiteration of the several consultation processes within the Safer Internet Program that have previously happened). Additionally, some players appear to see this as being the chance to get a competitive advantage over other industrial stakeholders.
The discussions around reporting and removal of illegal or (potentially) harmful content (two very different categories) deserve particular attention.
1. Implementing parental controls* is being pushed. This includes implementing them into the network (by the access providers) as a one-size-fits-all solution - fitting all religions, all ages, all families. This hardly seems to be an optimal solution, as it will always be easier and more precise for one consumer to set his/her devices as he/she wishes rather than the access provider configuring their network in a way that suits the needs of every family connected to it.
But apart from this fundamental problem of implementing parental controls in the network, this approach will lead to "solutions" that will violate net neutrality and will come with serious privacy issues, as well as endangering freedom of speech. To this end, there is an overwhelming need to properly include in the discussions other parts of the European Commission, such as the Directorates General responsible for Justice and for Consumer Affairs.
Additionally, any network-level restrictions (very much like the DPI mentioned against child abuse material) will certainly attract the copyright industry, which has a strong interest in the implementation of this kind of technology and which has the potential to completely swallow up the initiative if allowed to. The Coalition seems to be aware of this, but it does not seem to take this danger seriously. On the other hand, reading some of the responses to the Consultation on the review of the Directive on Enforcement of Intellectual Property Rights, from some of the members of the Coalition, perhaps this is not seen as a danger at all.
This leaves DG Information Society of the European Commission in a position where it (in the form of the Safer Internet Unit) is applauding the mobile sector for interfering with traffic flows (probably in contravention of Article 52 of the Charter, as there is no evidence that it is genuinely achieving an objective of general interest) and, at the same time, (through the Commission units responsible for ensuring a competitive network environment) urging the mobile operators not to interfere with traffic flows for their own business purposes.
2. There is interest in "age appropriate privacy setting" or the "privacy by default" as Kroes mentioned in October 2011.
Most interestingly, this concern about children's privacy only seems to encompass data shared with other users of the platform, not about data processed (and probably shared) by the platform itself. In the context of the Coalition, "Facebook" seems to be synonymous with "social networks" and is leader of Action 2 "Age appropriate privacy settings". Facebook seems to be unwilling to talk about data it collects about users and also about the tracking of users through social network plugins implemented on third party websites.
Additionally, there seems to be some competitive arm wrestling about "age appropriate privacy settings" versus "informed consent" or "even parental consent" for children in social networking services (SNS). Some industry stakeholders went further than Facebook and implemented schemes where the parents' consent is being actively sought. Facebook seems to wilfully ignore the fact that children lie about their age to get on the platform and thereby bypass what Facebook considers "age appropriate" settings, thereby exposing them to risks.
If the Coalition were to start taking privacy seriously, it would soon realise that there are other groups who might also benefit from easier privacy settings or the principle of informed consent - such as mentally handicapped people or people under legal custody - so not only children benefit from getting this done right.
All of these bad practices also leave the door open to elements who argue that positive identification of every individual connected to the Internet is needed (to protect the children, of course).
3. Microsoft has taken the lead on the "takedown" working group, where it enthusiastically supports the use of its "photoDNA" software. While photoDNA (which effectively identifies previously-identified abuse images, even when they have been cropped or otherwise distorted) clearly has some very positive applications - such as allowing hotlines to immediately identify known images, minimising exposure of analysts to the content - no effort (as usual) has been made to examine the potential side-effects of widespread use of the technology. What is the risk, for example, of creating a potentially lucrative market for new images, if "known" images are removed very quickly?
4. There is a discussion about automatic content classification, where there seems to be a strong push for pan-European age-classification schemes even for non-linear media like websites. Generally the coalition could allow itself a little more room for pluralism. There is no "one size fits all". Other means for content guidance, for example descriptive (text) labels seem to be neglected. Research that points to a higher acceptance for parental guidance systems, rather than age-dependent restrictions, seems to be discounted too easily.
Perhaps we should remind the Coalition that its statement of purpose was not meant to be set in stone. Even though there would probably be some resistance, its goals can be amended or abandoned if proven to be impractical or not desirable. We must do this, if the Coalition truly wants to achieve effective, proportionate solutions that will lead to a safer Internet for children.
The several working groups take input from the civil society. The contact can be established through INFSO-SAFERINTERNETCOALITION@ec.europa.eu. If that does not work, you can also send feedback via the author to firstname.lastname@example.org
(*) On a personal side note - as a representative of a victims advocacy group (victims of sexual child abuse): Most children are being abused by their parents or other close relatives. We want children and adolescents to have helpful resources available to them. These children need less parental control, rather than more. Perhaps we should also be talking about non-overridable whitelists or unlimited access to websites that label themselves as helpful resources for children (also information about family planning, STDs and sexual identity). For example our (MOGiS) website, because it concerns sexuality, violence and abuse, would be rated inappropriate or harmful even for adolescents - even though it might be a helpful resource for them (by putting their own suffering into a context that lets them feel less alien and shows them ways to cope).
Self regulation: responsible stakeholders for a safer Internet
Neelie Kroes' speech at the Safer Internet Forum - Luxembourg (20.10.2011)
Digital Agenda: Coalition of top tech & media companies to make internet
better place for our kids (1.12.2011)
Coalition to make the Internet a better place for kids - Statement of
Safer Internet Programme :: Policy:: Public Consultation
Inside Facebook's Outsourced Anti-Porn and Gore Brigade (16.02.2012)
Facebook in new row over sharing users' data with moderators (3.03.2012)
Research on parental guidance (10.2011)
Summary of child exploitation Directive
Microsoft's response to the review of the IPR Enforcement Directive
Commissioner Kroes' speech on privacy (20.10.2011)
(Contribution by Christian Bahls - German Association MoGiS)
This article is also available in:
Deutsch: Recht auf Vergessen: Spanische Datenschutzbehörde wendet sich an EuGH
While Spain's National Court, Audiencia Nacional de Espana (AN) has asked the European Court of Justice (ECJ) to clarify jurisdiction issues in cases involving individual privacy complaints against Google and search engines in general, Spain's Data Protection Agency DPA (Agencia Española de Protección de Datos - AEPD) reasserted its position that Spaniards and Europeans in general should be able to file such complaints in courts in their own countries.
AN stated it was unclear who should make a decision about personal privacy complaints made by people who did not want their data to appear on third-party websites such as search engines.
Google wants privacy complaints against it filed in California, where the search engine has its headquarters but, in AEPD's opinion, Google and other search engines are subject to the laws of European countries and of the EU when European citizens are involved.
The court believes that Spanish citizens whose data was indexed from web pages located in Spain, in relation to information published in Spain, have to defend their right to protection of their personal data in Spain and based on a Spanish legal norm and not in the US. Otherwise, this "would put those affected in an especially vulnerable situation and prevent or greatly hinder the effective protection of this right, which would be inconsistent with the spirit and purpose that inspires the European Directive and, above all, with an effective protection of a fundamental right contained in the European Charter of Fundamental Rights."
"The purpose of Directive 95/46/EC is to provide effective protection in the European Union to the data of individuals (this is apparent from paragraphs 10 and 18 of the preamble), which would hardly be compatible with the Google company's claim that the victims who want to exercise their right to removal, blocking and / or opposition to your browser have to go to the jurisdiction of the United States and be subject to the rules of that State. This company believes that Community (or consequently national) data protection legislation is not applicable and that those affected cannot go to the authorities and, where appropriate, the national courts for the protection of their rights" was the Spanish Court's statement.
In January 2012, the EC added "the right to be forgotten" proposal to the existing online privacy protections in the EU. This proposed regulation is meant to strengthen online privacy rights and give people the right to remove personal data from the Internet.
AEPD hopes that the ECJ ruling in response to questions raised by AN will give Spanish, and implicitly European, citizens the exercise of their rights in their own countries. The data protection authority has received over 100 requests from Spanish citizens to have their data removed from Google's search results.
The Spanish court said in a statement on its website, that in response to the Spanish prosecutor, Google answered it needed more legal justification for removing references to events in an individual's history.
Furthermore, the newly proposed European Regulation on Data Protection establishes a clear regulation regarding the applicability of European data protection standards. "This Regulation applies to the processing of personal data of persons resident in the Union by a controller not established in the Union, when treatment activities are related to: A) supply of goods or services to those interested in the Union, or b) control of their behaviour," says Article 3.2 of the proposed regulation which also includes a new rule on the right to be forgotten in Article 17.
A Google spokesman told Reuters: "We welcome the Spanish national court's decision to refer this case to the European Court of Justice. We support the right to be forgotten, and we think there are ways to apply it to intermediaries like search engines in a way that protects both the right to privacy and the right to free expression."
Information note of DPA on the un-raised questions by ECJ on the exercise of
rights against Internet search engines (only in Spanish, 2.03.2012)
Spain Seeks Jurisdiction Guidance From EU for Google Privacy Complaints
Spain refers Google privacy complaints to EU's top court (2.03.2012)
This article is also available in:
Deutsch: Britisches Berufungsgericht bestätigt Digital Economy Act
The Court of Appeal has recently rejected the claims made by the two UK ISPs, BT and TalkTalk, that the Digital Economy Act (DEA) violates EU laws.
DEA requires ISPs to send warning letters to widespread file-sharers advising them that complaints have been made against them, and to provide lists of alleged infringements to music and film companies.
The ISPs brought the issue to the court arguing that DEA breached EU laws on data protection and privacy by restricting the customers' basic rights, was incompatible with provisions set out in the E-Commerce Directive and was unlawful because the Government did not give the European Commission enough time to scrutinise parts of the legislation.
The ISPs also argued that the measures introduced by the Act would place a financial burden upon them as they are required to support the costs of identifying illegal downloaders. Their only "success" was that the court admitted that they should not be required to pay 25% of the "case fees" resulting from ISP customers bringing appeals against warning letters. Hence, web users who consider they have been incorrectly added to the copyright infringement list will have to pay 20 pounds in order to appeal against the notification.
"Publicly available wifi will be put at risk. Weak evidence could be used to penalise people accused of copyright infringement. And people will have to pay £20 for the privilege of defending themselves against these accusations. The Government needs to correct these errors with a proper, evidence-based review of the law," said Peter Bradwell of the EDRi-member Open Rights Group.
The ISPs have stated they would analyse the situation and decide on whether to appeal the decision. In any case, the first warning letters will be sent only in 2013 because media regulator Ofcom has first to set out a code of conduct for the new system.
Another case brought to court may cast some light on how DEA will function. On 9 March 2012, the company Golden Eye International asked the court for a Norwich Pharmacal Order (NPO) against Telefonica UK, requiring the latter to hand over the details of about 9000 of its customers, so that it might send them threatening letters asking them to pay 700 pounds or face further legal action.
Under DEA, copyright owners would submit copyright infringement reports to ISPs and the latter would match IP addresses with customer records and pass on notifications to that user. After a certain number of notifications, a user may find himself on "copyright infringement lists". Copyright owners may apply for NPO for personal data of those who are on the copyright infringement list, and then take them to court for civil copyright infringement.
Ofcom is required to define the standards of evidence required against alleged infringers without which there is a risk that people are wrongly placed on infringement lists and are subject to the civil action. Once the technical means enter into force, all those on the blacklist may face restrictions on their Internet connections and even disconnection. The concern is that Ofcom might not have done enough to set that standard of evidence.
Guy Tritton, representing Consumer Focus (covering the interests of those whose details Golden Eye are looking to get hold of), raised a number of concerns, amongst which were the uncertainty of Golden Eye's evidence (concerns related to which system was used to associate an IP address with the account holder) and the drafting of the letter, which does not spell out to the recipients that just because an IP address has been associated with an act, it does not mean the identified subscriber has infringed copyright or authorised others to infringe.
One of the most worrying allegations in the respective letter is that Golden Eye could apply to the ISP to disconnect the subscriber from the Internet. The court gave Golden Eye a week to respond to the expert evidence submitted by Consumer Focus.
Broadband costs set to soar as BT and TalkTalk lose copyright bid
Digital Economy Act not in breach of EU laws, Court of Appeal rules
Speculative invoicing is back...and why it matters more than ever
Speculative invoicing 2: Golden Eye in court (9.03.2012)
This article is also available in:
Deutsch: Europa diskutiert ACTA
Several debates on ACTA are taking place in several European countries these days. In this article we present two events in which EDRi participated in the past week, in Brussels and Helsinki.
A Policy Forum on ACTA was organized in Brussels on 6 March 2012 by the Institute for European Studies at the Vrije Universiteit Brussel, in cooperation with IBBT-SMIT. The debate was led by Mr Harri Kalimo, Senior Research Fellow at the Institute for European Studies.
Mr Benoît Lory, Policy Officer at the European Commission DG Trade, opened the conference by stating that ACTA is an enforcement law conceived as a means of defending livelihoods, not a substantive law: it will not really change EU legislation nor criminalize new infringements. Along the lines of De Gucht's speech of last week, he underlined the necessity of an informed and fact-based debate. Then, in response to the waves of protest by citizens who see ACTA as promoting Internet censorship and monitoring, and after many attacks on computer systems, Mr. Lory listed what ACTA, in his opinion, "does not" do: it doesn't contain any provision allowing Internet accounts to be closed; it doesn't provide for inspections of files on end users' laptops, since it contains a de minimis provision; moreover, it doesn't settle any penalty damages, rather it covers only the prejudices.
Mr Burak Özgen, Senior Legal Advisor at GESAC - European Grouping of Societies of Authors and Composers, began by saying that GESAC wasn't involved in preparing ACTA: it hadn't been consulted by the Commission nor had it suggested what to include in the agreement. Speaking for the interest groups that GESAC represents, he said that he prefers to see what the Court decides, in compliance with treaties; nevertheless GESAC supported the principles embodied in ACTA, since the agreement provides a better protection of copyright, without being in conflict with other fundamental rights such as freedom of speech, privacy etc. Mr. Özgen reminded us that, on the other hand, without such an agreement we would witness a reduction of the incentives to access the market, because authors, composers and artists in general need to be paid for their creations, whereas those large-scale infringements of IPRs threaten the competitiveness of our economy. The only way, since at the source, according to GESAC, is that ISPs have a role to play: this role depends on legal systems (i.e. blocking system in Denmark works fine).
Then the floor went to Joe McNamee (EDRi), who started by enumerating all the misleading statements from the European Commission on this issue, wondering whether the Commission doesn't know or doesn't care to know about transparency, criminalization of new infringements and the general assertion that there is nothing to worry about in the digital chapter of ACTA. Notably, he focused on the "self-regulation" initiative organized by the European Commission involving European Internet Service Providers and the music and film industries, which substantially consisted in presenting ISPs with a choice: either voluntarily introduce filtering, blocking and end-user notification measures in order to police, monitor and punish end-users, or there would be a review of the IPR Enforcement Directive of 2004. The Commission has spent two years pushing ISPs to take these voluntary punitive measures, with detrimental consequences for privacy and freedom of communication rights of end users (see the Scarlet/Sabam and Scarlet/Netlog case). He concluded by stating that cooperative enforcement means unpredictable enforcement based on business priorities and not the rule of law: it means privatizing and exporting online law enforcement (see Wikileaks case). Substantive law will not change, but whose law? Who applies the law?
Last but not least, Mr Carl Schlyter, Member of the European Parliament, pointed out that the Parliament had not been transparently informed and was the victim of an unbalanced approach to negotiations. Indeed, it was aware of only a few meetings because most of them were secret. Basically, ACTA has been introduced by the back door: it's the result of bilateral agreements between countries and it's not at all the product of a democratic process. What's more, the agreement is incompatible with EU law; maybe this can't be noticed prima facie, but substantially it is. Mr. Schlyter remarked on the contradiction into which the EU Commission's representative fell, as he said that "ACTA doesn't change anything, but we need it"... As a matter of fact, why do we need it, if it doesn't change anything? The truth is that ACTA threatens Net Neutrality by putting responsibility (and unwarranted power) upon internet providers, limits our choice as consumers and limits creativity. Furthermore, it could give rise to problems for data protection.
A Q&A time and a debate session followed the lectures, during which many concerns regarding ACTA came to light. There were several exchanges of opinions about the Commission project on voluntary measures and the fact that consumer/citizens' organisations refused to participate because ACTA was too biased.
In Helsinki, Finland, another open debate on ACTA was organized on 10 March 2012 by the Socialist and Democrat Group of the EU Parliament. The panel that debated the treaty included politicians, lobbyists and a civil servant who had been part of the team preparing and pushing ACTA forward in the Finnish parliament. The attendance took both the organizers and the panellists by surprise. It was obvious that hiding and obfuscating the treaty content had done little to dampen public interest in it.
In the panel, the secretary of the Social Democratic Party (which is currently in the government) and the former head of the national broadcasting company Mikael Jungner surprised everybody by coming out strongly against ACTA and various other unfair intellectual property and copyright measures. Claims by the civil servant that there had been no hiding or restricting of information on ACTA were also strongly rebuked, first by a written statement from the former member of the Finnish Parliament Jyrki Kasvi and then from the audience by the vice chairman of EDRi-member Electronic Frontier Finland (EFFi) Ville Oksanen, who pointed out that when called to give an expert opinion on the treaty, none of the experts summoned to the hearings were actually allowed to see the treaty they were supposed to advise the parliament on.
It was all about as heated as debates in Finland can get and the pro-ACTA side could not really put up a fight. Although Finland is a signatory to the treaty, the Finnish government has decided to postpone the implementation of ACTA until the European Court of Justice has given its verdict on it. Maybe this is why the pro-ACTA side of the debate is now keeping such a low profile.
ACTA policy forum in Brussels (6.03.2012)
Public word (radio program): Alea ACTA est with Tommi Karttaavi from ISOC Finland, Leena Romppainen from EFFi and Ilari Kuittinen from Housemarque game company (only in Finnish, 14.03.2012)
Morning TV: Debate on ACTA heating up with Ville Oksanen from EFFi and Mary-Ann Nojonen from Ministry of Foreign Affairs (only in Finnish, 13.03.2012)
(Contribution by Elena Cantello - EDRi intern and Ville Vuorela - EDRi-member EFFi - Finland)
This article is also available in:
Deutsch: eVoting: Elektronische Wahlurne lässt sich leicht manipulieren
On 11 March 2012, the Federal Chancellery of Switzerland reported that the eVoting trials that had taken place for the weekend's national ballot (in the Swiss semi-direct democratic system, such ballots and votes are held four to six times every year) had been "successful" and that they had "fulfilled the requirements".
Quite appropriately however, the official press release reports not only about what had appeared to work well, but also mentions what went wrong: One citizen unintentionally cast his vote twice when the process of electronic voting took an extraordinarily long time for him. The eVoting server accepted the vote twice, but an automated monitoring system raised an alarm because the number of people who had been recorded as having voted was no longer identical to the number of votes in the electronic urn. The official press release reports that the problem was corrected "professionally". A more detailed report about what happened and about the steps that were taken to address it has also been made available. From the official perspective, the problem is considered to be unlikely and of low impact, and therefore it is not seen as reason for concern.
IT-savvy activists, on the other hand, are alarmed. In particular the fact that officials were able to modify the contents of the electronic urn by what is officially described as "a simple procedure" raises significant concerns about the integrity of electronic voting and about what other security problems may exist, in particular in regard to possibilities of unauthorized modification of the software on the eVoting server, or of the contents of the electronic urn. The Swiss Pirate Party as well as a number of NGOs including Human Dignity Initiative and the Free Software and Linux user group GULL are calling for an immediate halt of the eVoting trials, and for publication of the source code of the eVoting system software, so that it can be analyzed under reasonable conditions.
Official press release: Success of e-voting trials in 12 cantons (in German, French and Italian, 11.03.2012)
More detailed official information (only in French, 11.03.2012)
Technical description of the eVoting system (only in French, 06.2011)
Open letter of protest (in German and French, 14.03.2012)
(Contribution by Norbert Bollow - EDRi observer - Switzerland)
This article is also available in:
Deutsch: Der Europäische Datenschutzbeauftragte zur geplanten EU-Datenschutzre...
On 7 March 2012, Peter Hustinx, the European Data Protection Supervisor (EDPS) issued his Opinion on the proposed reform package adopted by the Commission on 25 January that includes a Regulation with general rules on data protection and a Directive with specific data protection rules for the law enforcement sector.
While welcoming the General Data Protection Regulation reform package, considering it a very big step ahead for the data protection right in Europe, the EDPS expresses his concern that the proposed regulation is "far from a comprehensive set of data protection rules on national and EU level in all areas of EU policy."
The shortcomings of the proposed regulation are first related to the law enforcement area, as it has left aside many instruments such as the data protection rules for the EU institutions and bodies as well as all the specific law enforcement instruments.
Peter Hustinx supports the proposed regulation as it eliminates the many inconsistencies deriving from the present national implementing laws, considering the new rules will strengthen individuals' rights, will make controllers more accountable for their personal data handling and will reinforce the powers and the role of the national supervisory authorities. However, in the EDPS' opinion, the Commission's separate proposals which will apply specifically to police and justice are "unacceptably weak" and should not involve such a big departure from the general rules with the new ground for exceptions to the purpose limitation principle and especially over the possibilities for restricting basic principles and rights.
"The proposed rules for data protection in the law enforcement area are unacceptably weak. In many instances there is no justification whatsoever for departing from the rules provided in the proposed Regulation. The law enforcement area requires some specific rules, but not a general lowering of the level of data protection," says Peter Hustinx in his Opinion.
Furthermore, he expressed concerns over the excessive powers granted to the Commission in the mechanism meant to provide consistency among supervisory authorities and the lack of a general duty for law enforcement authorities to demonstrate compliance with data protection requirements.
Another concern relates to the weak conditions for transferring data to third countries due to the possible derogations.
Pan-European data protection policy still "far from comprehensive", regulator warns (8.03.2012)
PRESS RELEASE - EDPS Opinion/07/12 - EDPS applauds strengthening of the
right to data protection in Europe, but still regrets the lack of
Opinion of the European Data Protection Supervisor on the data protection reform package (7.03.2012)
EU Data Protection Reform - EDPS
EDRi-gram: EDRi Initial Comments on the Proposal for a Data Protection
This article is also available in:
Deutsch: „Gewinner“ der holländischen Big Brother Awards
The heavyweight Dutch privacy-infringers of the past year were announced during the ceremony of the Big Brother Awards 2011. The jury selected three winners out of a total of nine nominees: Facebook, Edith Schippers (the Dutch Minister of Health, Welfare and Sports) and the Dutch national police (KLPD). Fred Teeven, Dutch state secretary for Security and Justice, won the popular vote.
The prizes were awarded in three categories. In the category People, Minister Edith Schippers won the award for privatising the digitisation of medical data of Dutch citizens, after a bill with the same goal failed to pass the senate due to privacy concerns. In the category Companies, Facebook won the award. The jury gave the award to Facebook to draw attention to the fact that the planned IPO is mostly based on the personal data of the users, whereas Facebook has a very bad track record when it comes to privacy. In the category Government, the National police (KLPD) received an award for the use of spyware and re-hacking a number of victims of hacking.
The audience could speak out against privacy-breaches too. State secretary for security and justice Fred Teeven won the popular vote with a strong lead.
The nominations were selected by a professional jury from contributions by the Dutch public. The jury consisted of Dutch publicist Karin Spaink (chairwoman), journalist and TV-presenter Antoinette Hertsenberg, professor of Media and Telecommunication laws Nico van Eijk, rapper and privacy champion Typhoon and professor of IT and Auditing and partner at KPMG Edo Roos Lindgreen.
(Contribution by EDRi-member Bits of Freedom - Netherlands)
This article is also available in:
Deutsch: Deutscher Bundesverfassungsgerichtshof entscheidet über Zugriff auf p...
According to the decision of the German Federal Constitutional Court (Bundesverfassungsgericht) on 24 February 2012, the law enforcement authorities must no longer request personal data unless justified by special conditions.
The court found that certain provisions in the present Federal Telecommunications Act concerning the disclosure of telecom user data to law enforcement agencies violated the German constitution and decided that the requests of personal data by the law enforcement authorities were not "proportionate", being thus in violation of the constitutional right to informational self-determination.
For instance, the usual practice to determine the owner of IP addresses on the basis of the Telecommunications Act, is a violation of telecommunications secrecy.
Therefore, strict conditions must apply when law enforcement authorities and intelligence agencies ask telecommunications service providers (which may include hospitals and hotels) to turn over certain user data such as passwords and PIN codes.
The decision is a result of a case initially brought to court by data privacy activists in 2005. "It's a major success that the court has barred excessive identification by the state of internet users, and that it is protecting the anonymity of our internet usage," stated Patrick Breyer, one of the plaintiffs.
The Court's decision was welcomed by privacy advocates and organisations. "The judgment makes it clear that access is permitted on telecommunications data only while maintaining the secrecy of telecommunications and the legislature has yet to do some homework. This includes the provision of information from dynamic IP addresses," stated the federal commissioner for data protection Peter Schaar.
The Court requested the Federal Government to revise the present provisions of the German Federal Telecommunications Act by 30 June 2013.
Bundesverfassungsgericht Press Release (only in German, 24.02.2012) http://www.bundesverfassungsgericht.de/pressemitteilungen/bvg12-013.ht...
Privacy advocates welcome the Constitutional Court decision on the Telecommunications Act (only in German, 24.02.2012) http://www.heise.de/newsticker/meldung/Datenschuetzer-begruessen-TKG-E...
German court rules police access to passwords is unconstitutional
Constitutional Court judges give private lessons in data protection (only in
This article is also available in:
Deutsch: ENDitorial: Zur Urheberrechtsreform
EDRi presentation to ALDE Group Meeting on 7 March 2012
In this short presentation, I will briefly address two points. Firstly, the need to soberly assess the very difficult position we currently find ourselves in and, secondly, the dangers of failing to learn from past mistakes and endangering the openness of the Internet - its core asset that gives it the societal and economic benefits that we all now take for granted.
According to Commissioner Neelie Kroes, "citizens increasingly hear the word copyright and hate what is behind it. Sadly, many see the current system as a tool to punish and withhold, not a tool to recognise and reward." According to the European Commission's Communication on the Application of the IPR Enforcement Directive, breaches of intellectual property in the digital environment are "ubiquitous". Ubiquitous means everywhere and all the time. When one person breaks a law, that person has a problem. When society breaks a law ubiquitously, the law has a problem.
It is crucial to recognise that this is our starting point. This would be a recognition of fact, not a radical departure. Whatever else one can say about Commissioners Kroes and Barnier, they are not revolutionaries.
We have come to this point because our existing policies have failed. Every few years we create repressive policies for the way things were two years ago, whether the injunctions in the 2001/29 Directive (and ACTA) or the information access obligations in the 2004 IPRED (and ACTA). But ACTA is worse, going into both privatising the law and exporting it.
Our approach has unquestionably failed and will fail. Einstein's definition of insanity was doing the same thing over and over again and expecting different results. Each round of discussions of repressive measures increases the divide between citizens, most particularly the younger generation, and lawmakers. We are bringing up a generation of citizens who watch law being developed and shake their heads in disbelief and are, as George Orwell said of the younger generation in 1984, "not rebelling against its authority but simply evading it."
The next generation of peer-to-peer filesharing is about to be launched. Technology makes another step forward while policy-making... doesn't. The problems lie elsewhere. The problem lies in all of the excuses that the current copyright regime gives to citizens to hate it, to ignore it and to evade it.
Citizens look at restrictions on private copying of content that they have paid for and say, this is unfair. "I will choose free and unrestricted rather than paid-for and restricted," they understandably say. Citizens look at services like Netflix being available in the USA but not in Europe. They wonder why European licensing is so tortured and counterproductive that Netflix' share price dropped by 27% on the day that the cost of expanding into just one European market became public.
Until there is a fundamental shift in thinking, the needed reforms are not going to be made. Instead, we will take more and more measures which threaten the openness and freedoms of the Internet, without learning from our mistakes. The Internet, with all of its societal and economic benefit, is a success because of its openness.
This openness is under threat already from a telecoms industry which has such a deeply ingrained anti-competitive instinct that the EU institutions have been working almost constantly for decades on legislation to force competition into the market - from the initial liberalisation in the eighties to the 1999 Communications Review, to the local loop unbundling regulation to the recent Telecoms Package to mobile roaming, mobile data roaming, etc.
Now, the largest ISPs want to interfere anti-competitively with online traffic to restrict access to certain sites and services - undermining competition between operators, undermining the online marketplace and, ultimately creating another barrier to entry for innovative online audiovisual services. All other things being equal, the current EU regulatory framework will struggle to stop them.
Within this context, the larger operators are overjoyed at the idea that they should volunteer to police the Internet. They love the incoherence of the European Commission's views that they should not be allowed to interfere with online traffic but that, under ACTA, they should be encouraged to interfere with traffic for copyright enforcement purposes. They love the incoherence of the Commission defending net neutrality and funding a whole range of directionless projects to encourage filtering and blocking of traffic for copyright, for terrorism, for anything as long as it is voluntary and can thereby circumvent the Charter on Fundamental Rights.
Encouraging Internet providers to become gatekeepers of the Internet would put one of Europe's most instinctively anti-competitive industries in charge of the online marketplace. Anyone who thinks that this will open up the market for innovative online services is sorely mistaken.
This is what ACTA does but, being international, does it on a nuclear scale. In the plenary two weeks ago, an ALDE-inspired debate was held in a European Parliament plenary session to deal with the unacceptable situation where the fundamental rights of EU citizens were being undermined by the extra-territorial legislation effects of US legislation. Under ACTA, we would be signing up to an agreement that would seek to place a binding obligation on the United States to encourage private companies to regulate the fundamental right to freedom of communication of EU citizens.
What might this look like? One instructive place to look at is the SOPA proposal. Section 104 offers unlimited liability protection to Internet access providers who voluntarily block websites, as well as to any company that would take lawless punitive measures against online resources abroad. This would cover payment network providers, Internet advertising services, advertisers, Internet search engines, domain name registries or domain name registrars. There have already been isolated cases of European and other non-US websites being removed from the Internet under US law, for allegedly breaching gambling law and copyright law.
And what do these private punitive actions taken by intermediaries look like in the real world? Well, ask Wikileaks. Their domain name registrar removed wikileaks.org, their payment providers refused to process donations, their web hosting provider removed their hosting service. Commissioner De Gucht says that under ACTA, what was permitted by law, will continue to be permitted by law. What Wikileaks did was permitted by law. What Wikileaks did remains permitted by law. The only problem is, in the Wild West world of enforcement by private companies, based on private interests or under government pressure, the law is not the master.
Add to this the added incentives for disproportionate private enforcement produced by the increased scope of damages in ACTA and the absurd definitions on criminal sanctions and self-censorship and pre-emptive enforcement actions by private companies become the rule.
This destruction of our right to regulate our own freedom of expression and the destruction of legal certainty in the digital environment would be bad enough if there was any hope that the measure had any hope of actually achieving its intended target.
Instead, we know that repressive copyright enforcement measures do not work, so this is all cost and no benefit. We know that forcing Internet companies into becoming the Internet's gatekeepers will restrict the online marketplace for legitimate content, encouraging illicit offers rather than fighting them. We know that, to quote Commissioner Kroes, it will reinforce the view of citizens that copyright law is there to punish and withhold.
Commissioner Kroes speech: Who feeds the artist? (19.11.2011)
European Commission Communication on the application of enforcement of intellectual property rights (22.12.2010)
(Contribution by Joe McNamee - EDRi)
Future of Copyright contest
What should the future of copyright law look like? Write, sing, animate or talk about it, and win the prize funded by crowds.
World Day Against Cyber-Censorship (12.03.2012)
BEREC preliminary findings on traffic management practices in Europe show that blocking of VoIP and P2P traffic is common, other practices vary widely
Google is now in the PNR hosting business (1.03.2012)
Counter-terrorism, "policy laundering" and the FATF - legalising surveillance, regulating civil society (2.03.2012)
16 March 2012, Rotterdam, Netherlands
EPSIplatform Conference: Taking government data re-use to the next level!
19 March 2012, Washington/Brussels
EU Conference: Privacy and Protection of Personal Data Live-webstreaming at:
24 March 2012, London, UK
29 March 2012, Reykjavík, Iceland
Reykjavík Digital Freedoms Conference
30 March - 1 April 2012, Berlin, Germany
Wikimedia Chapters Meeting 2012
13 April 2012, Bielefeld, Germany
Big Brother Awards Germany
16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance Education OER12 and the OCW Consortium's Global Conference
25 April 2012, Helsinki, Finland
Finnish Internet Forum
26-28 April 2012, Belgrade, Serbia
SHARE 2 Conference
2-4 May 2012, Berlin, Germany
Re:Publica 2012: ACTION!
14-15 June 2012, Stockholm, Sweden
18-22 June 2012, Samos, Greece
Samos 2012 Summit on Open Data for Governance, Industry and Society
Academic Papers Submission Deadline: 29 April 2012
20-22 June 2012, Paris, France
2012 World Open Educational Resources Congress
2-6 July 2012, Budapest, Hungary
Policies and Practices in Access to Digital Archives: Towards a New Research and Policy Agenda
9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and Opportunities of Online Entertainment
11-13 July 2012, Vigo, Spain
The 12th Privacy Enhancing Technologies Symposium (PETS 2012)
12-14 September 2012, Louvain-la-Neuve, Belgium
Building Institutions for Sustainable Scientific, Cultural and Genetic Resources Commons.
7-10 October 2012, Amsterdam, Netherlands
2012 Amsterdam Privacy Conference