EDRI-gram newsletter - Number 23, 3 December 2003

EDRI-gram newsletter edrigram at edri.org
Wed Dec 3 20:05:34 CET 2003


==================================================================

                            EDRI-gram

    bi-weekly newsletter about digital civil rights in Europe

                    Number 23, 3 December 2003

==================================================================
CONTENTS
==================================================================

1.  EP Committee wants to jail file sharers
2.  PNR talks between EU and US move slowly
3.  Irish Labour Party wants to stop e-voting
4.  EP Rapporteur sceptic about biometrics in ID-cards
5.  Retrial of DVD-Jon in Norway
6.  Dutch parliament questions crypto telephone
7.  UK government's biometric plans undermined
8.  European court allows trademark Fur Elise
9.  French provider wins lawsuit about website
10. Statement on human rights in the information society
11. EDRI-gram in Ukrainian
12. Recommended reading: handbook on cybercrime
13. Agenda
14. About

===================================================
1.  EP COMMITTEE WANTS TO JAIL FILE SHARERS
===================================================

On 27 November the Legal Affairs Committee (JURI) of the European
Parliament finally voted on the Draft Directive on the Enforcement of
Intellectual Property Rights. The vote was a total victory for the
Rapporteur, French Conservative Janelly Fourtou. Every single one of her
amendments passed, and so did all of the compromise amendments she had
worked out with other MEPs. There is no official version of the report as
amended now - it has to be prepared by the JURI Secretariat from circa 250
pages of amendments and a 19-page list on the outcome of the vote. It can,
however, already be concluded that the amended version is even more
disproportionate than it looked in worst-case scenarios during the weeks
preceding the vote - and that is not entirely the fault of Mrs Fourtou,
but also of a Green MEP from Austria called Mercedes Echerer.

Part of the last Compromise proposal Mrs Fourtou had presented more than
two weeks before the vote was an agreement with the authors of amendments
aiming at the deletion of article 20. This article contains an obligation
for Member States to introduce criminal law sanctions for infringements of
intellectual property rights, which do not yet exist in most EU Member
States. The deletion of this article was proposed by Mrs. Echerer,
together with her party colleague Neil MacCormick from Scotland, and three
other MEPs from different parties. Mrs Fourtou's proposal was to support
the deletion of criminal law provisions, if in return she would get a
majority for widening the scope of the Directive to infringements that do
not cause significant harm and are not committed for a personal purpose.
This had always been one of Mrs Fourtou's most important objectives; some
say because her husband - Jean-Rene Fourtou, the CEO of Vivendi Universal,
the world's biggest music company - would like to crack down on file
sharers.

When it came to the vote last Thursday, this widening of the scope had
already been accepted when Mrs Echerer proposed an oral amendment to
Article 20, aiming not at the deletion of that Article, as her former
amendment had done, but at the introduction of criminal sanctions for all
kinds of intellectual property rights infringements, if they are serious
and committed intentionally.

What 'serious' means would be left to the transposition of the Directive
in Member States, or to be judged by courts. Generally the term refers to
either commercial or large-scale infringements, the latter of which could
very well apply to hundreds of thousands of users of the internet, and
lead to young file sharers landing up in prison, as has happened in the
U.S. under similar regulations in the Digital Millennium Copyright Act.

It is not yet clear when the report will be adopted in the European
Parliament's plenary. It is not on the schedule for the December session
in two weeks, and rumours have it that it will not even be voted in
January, because the EU Council proposes massive changes, which will
require several rounds of discussion.

Directory with personal websites and e-mail addresses of all MEPs
http://www.the-elected.com/showInstitution/1


===================================================
2. PNR TALKS BETWEEN EU AND US MOVE SLOWLY
===================================================

Talks between the European Commission and the US department of Homeland
Security about airline passenger data are moving very slowly. Commissioner
Frits Bolkestein told the European Parliament that the US are only willing
to compromise on a few disagreements. Most importantly the US do not want
to limit the use of airline passenger data to the purpose of fighting
terrorism.

Since March the US have been demanding passenger data from European airlines
flying to or through the US. The data is sent to the US prior to flight
departure and used by the US to screen passengers and apply a risk
assessment. The passenger name record data (PNR) consist of many data
items: departure and return flights, connecting flights, special services
required on board the flight (meals such as Kosher, Halal) and payment
information such as credit card numbers. Airlines might lose landing
rights if they do not comply with US demands. European Parliament, the
European Data Commissioners and even the European Commission agree that
the current transfer of passenger data violates EU privacy regulations.

On 9 October the European Parliament passed a resolution concerning the
transfer of passenger data to the US. The resolution details various
concessions the European Commission must require of the United States
concerning data protection and collection limitation, and requires that
the Commission act within two months or else be brought to the Court of
Justice by the European Parliament for failure to do so.

On 1 December Commissioner Frits Bolkestein gave an overview of where the
negotiation stands. The retention period is down from the previous 7 years
to 3,5 years. The number of required PNR items is only down from 39 to 34
items. But most importantly, the US don't want to limit the use of PNR to
fighting terrorism. Previously the US said it wanted to use the data also
for combating 'other serious crimes'. Bolkestein told Parliament that "the
US text is more precise than it was, but barely any narrower." The only
'concession' the Commission got is that the US will use the PNR only for
crimes that are punishable by a minimum imprisonment term of at least 4
years. That still makes the use of PNR possible for a huge variety of
crimes that are not related to terrorism at all.

Stefano Rodota, chair of the European Data Commissioners, already said
that the US concessions won't comply with European law: "there are no
grounds for saying that the American system is proper and suitable".

Marco Cappato, Italian member of European Parliament, has asked the
Commission to take action against airlines that have passed his PNR to the
US.

Bolkestein has committed himself to reach an agreement with the US before
Christmas.

Speech by Frits Bolkestein (01.12.2003)
http://europa.eu.int/rapid/start/cgi/guestfr.ksh?p_action.gettxt=gt&doc=SPEECH/03/586%7C0%7CRAPID&lg=EN&display=

Speech by Stefano Rodota (25.11.2003)
http://www.statewatch.org/news/2003/nov/PNR-Rodota25-11-03.pdf

Marco Cappato complains to Commission (07.11.2003)
http://coranet.radicalparty.org/pressreleases/press_release.php?func=detail&par=6253

Travel Data and Privacy
http://hasbrouck.org/articles/travelprivacy.html


===================================================
3. IRISH LABOUR PARTY WANTS TO STOP E-VOTING
===================================================

The Irish Labour Party is urging suspension of e-voting until major flaws
are fixed. Ireland is planning to change over completely to electronic
voting in June 2004, for both local and European elections.

According to a report commissioned by the party the major defects are:

- An integrated end-to-end test of the entire system has not yet been
conducted, only a partial test;

- The source code is not available, but code reviews indicate that certain
formal methods have not been used to prove the accuracy of the software;

- It is possible to load the Microsoft Access database on the
vote-counting computer with pre-prepared data. In addition vote
information is transferred between PCs at the Count Centre on floppy
discs. It would not be difficult to exchange discs.

- Unauthorised persons could produce an alternative version of the NEDAP
voting machine software and/or the voting system biased in favour of a
particular party or candidate.

Besides organising an end-to-end test and using formal mathematical
methods to ensure the reliability of the system, Labour demands the
introduction of a Voter Verifiable Audit Trail (VVAT). That means creating
a parallel paper record of votes cast which could be stored and checked in
the event of a dispute over an election outcome.

The Belgian e-voting expert David Glaude reports an incident with e-voting
in Belgium. It was not widely publicised and took place on 18 May 2003, in
the municipality of Schaerbeek. The total number of preferential votes cast on
a specific candidate was higher than the total number of votes for his
list. A series of tests was conducted on the computer of the president of
the voting committee, but the error could not be reproduced. The
difference in votes was exactly 4.096, leading the research-team to the
conclusion that the error was probably due to a spontaneous inversion of a
binary position in the read-write memory of the PC.
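
The reasoning above can be turned into a tally check. The following is an
added example, not code from the Belgian system or from the investigators:
it flags a candidate whose preferential votes exceed the list total and
lists which single-bit corrections would explain it. All names and figures
are constructed, and the recount value is an assumption.

```python
# Added example; tallies and names are constructed, not taken from the
# Schaerbeek count.

def bit_flip_position(observed, expected):
    """Bit index if the two values differ in exactly one bit, else None."""
    diff = observed ^ expected
    if diff and diff & (diff - 1) == 0:      # exactly one bit set
        return diff.bit_length() - 1
    return None


def plausible_flips(candidate_votes, list_total):
    """Single 1->0 corrections that bring a candidate back within the list total.

    A spurious 0->1 flip inflates a counter by 2**k, so clearing each set bit
    in turn enumerates every value the counter could have held before the flip.
    """
    fixes = []
    for k in range(candidate_votes.bit_length()):
        if (candidate_votes >> k) & 1:
            corrected = candidate_votes & ~(1 << k)
            if corrected <= list_total:
                fixes.append((k, corrected))
    return fixes


def audit(tallies):
    """Flag candidates whose preferential votes exceed their list's votes."""
    findings = []
    for list_name, (list_total, candidates) in tallies.items():
        for name, votes in candidates.items():
            if votes > list_total:
                findings.append((list_name, name, votes,
                                 plausible_flips(votes, list_total)))
    return findings


# Constructed sample: Candidate 2 really had 514 votes; bit 12 flipped to 1,
# adding 2**12 = 4096.
SAMPLE = {
    "List A": (3800, {"Candidate 1": 1210, "Candidate 2": 514 + 4096}),
    "List B": (2950, {"Candidate 3": 870}),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    # Assumed: an independent recount supplies the reference value (514 here).
    print(bit_flip_position(4610, 514))
    # A difference of 4096 is not always one flipped bit: 8192 - 4096 = 4096,
    # yet the two values differ in two bit positions.
    print(bit_flip_position(8192, 4096))
```

A flip in a low-order bit, or one that leaves the candidate below the list
total, passes this check unnoticed.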

The Belgian e-voting system is fairly complex, with a blank magnetic card
that every voter has to insert into a voting machine. After voting, the
card must be entered into a ballot-box. Attached to the ballot-box is a
computer with a floppy-drive. The voting-results are written on a
floppy-disk.

Press release Irish Labour party (03.11.2003)
http://www.labour.ie/press/detail.tmpl?SKU=20031103143251

Electronic voting in Ireland: a threat to democracy? (November 2003)
http://www.labour.ie/policy/download/evoting.pdf

Website David Glaude (in French)
http://www.poureva.be


===================================================
4. EP RAPPORTEUR SCEPTIC ABOUT BIOMETRICS IN ID-CARDS
===================================================

Ole Sorensen, the Rapporteur for the European Parliament on two proposals
for Council Regulations to include biometric identifiers into visas and ID
cards, is questioning the proportionality and the adequacy of this measure
to enhance security standards of EU travel documents. In a Working
Document discussed at an internal meeting with the shadow rapporteurs of
the political groups, Sorensen criticises the Commission and the Council
for not even being able to enumerate the number of falsified visas,
passports and ID cards, which still have to serve as a justification for
the biometrics proposal. He recalls that visas are already well protected
by numerous technical features: "a sign consisting of nine ellipses in a
fan-shape, a kinegram (an optically variable mark), a logo, the appearance
of the word 'visa' in optically variable colouring depending on the angle
of view etc. The visa itself is placed in the passport in a way that does
not allow its removal and use in another passport."

Sorensen also questions the need for two biometric identifiers instead of
just one: "Normally one would assume that a trained border control
official should be able to check whether the person in front of him is the
one on the visa and / or the chip and the passport." The Rapporteur
criticises the Commission for not being able to tell what the proposal
will cost: "The implementation of the proposal will be very expensive for
Member States..."  He is afraid that at the end - because of the high
costs - Member States will be tempted to increase the costs of visas,
which could ultimately result in third country nationals forced into
illegal ways of entering the Union's territory. Concerning Data
Protection, Sorensen praises the Commission proposal for being
'surprisingly honest' by pointing out that the supervisory authorities are
currently under-resourced for their wide range of tasks... "Although very
honest, the language used is suggesting: Well, it is a problem but it is
one of Member States and we cannot do anything about it."
Unfortunately, the proposal is in the Consultation Procedure, which means
the Parliament can't do anything to stop it.

Proposal for a Council Regulation amending Regulation (EC) 1683/95 laying
down a uniform format for visas
http://europa.eu.int/cgi-bin/eur-lex/udl.pl?REQUEST=Service-Search&LANGUAGE=en&GUILANGUAGE=en&SERVICE=all&COLLECTION=com&DOCID=503PC0558

Article 29 - Data Protection Working Party - Working document on biometrics:
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp80_en.pdf


===================================================
5. RETRIAL OF DVD-JON IN NORWAY
===================================================

The Norwegian Jon Johansen pleaded 'not guilty' on 2 December at the
retrial that follows his acquittal on charges of reverse-engineering DVD
technology and
creating DeCSS in 1999. DeCSS is computer software that Johansen and
others wrote in an effort to build an independent DVD player for the Linux
operating system.

In January 2003, a three-judge panel in Oslo rejected charges against
Johansen for accessing his DVD movies using an independently created DVD
player. The court also rejected Hollywood's claim that it has the right to
control the way in which an individual views a DVD after purchase.

The charges against Johansen were brought under the Norwegian criminal
code section 145.2, which outlaws bypassing technological restrictions to
access data that one is not entitled to access. Johansen's prosecution is
the first time that this law has been used to prosecute a person for
accessing his own property. This data theft law has been used in the past
only to prosecute those who illegally access another's bank or phone
records or data that they have no lawful right to access.

If Johansen's acquittal is overturned on appeal, it will become illegal
for Norwegians to bypass DVD region code restrictions or technical
restrictions that prevent fast-forwarding over advertisements, or
otherwise circumvent digital controls on their own property.

The case in the Oslo Appeals Court is set to end on 12 December with a
verdict expected in early 2004.

In November 2003, Johansen published a new computer program called
QTFairUse that allows consumers to make digital fair use of their Apple
iTunes music collections by legally opening a music file and then saving
it as an unrestricted file.

Timeline of DeCSS litigation by IP Justice
http://www.ipjustice.org/publications/decsstable.htm

Jon Johansen's page
http://www.nanocrew.net/


===================================================
6. DUTCH PARLIAMENT QUESTIONS CRYPTO TELEPHONE
===================================================

The presentation of a crypto mobile telephone has stirred some controversy
in the Netherlands. The Cryptophone has been developed in the Netherlands
and is sold through a German company. The device is a combined GSM and
organiser running Windows Pocket PC. The software encrypts the call when
connecting to another Cryptophone. The Cryptophone should make it
impossible for any third-party, including the phone company and police, to
listen to the call.

The Dutch Christian Democrat Member of Parliament Haersma-Buma has asked
the Dutch government if there is a possibility of forbidding the phones,
since they can make it impossible for police to use the information from a
wiretapped mobile phone call. Dutch police rely heavily on phone
interception with an estimated 12.000 phone taps per year. This number is
higher than in any other European country or even the US.

The Cryptophone is legal under Dutch law, which does not put any
restriction on the use of cryptography by its citizens. It is not expected
that legislation will be passed to change this situation. In 2002 the
Netherlands decided not to impose key escrow on Trusted Third Parties.
Dutch export regulation is in accordance with the liberal EU regulations
that put few restrictions on cryptographic products for the consumer
market. Furthermore, in recent years the Dutch government proclaimed that the
wide availability of cryptography is essential to information security and
helps to maintain privacy of telecommunications.

Other European countries have few or no restrictions on the use of
cryptography. France, which used to have laws against the use of strong
crypto, liberalised its law completely in 2001. Programs like PGP and GPG
are widely available and used throughout Europe.

Cryptophone
http://www.cryptophone.de/

Crypto Law Survey
http://rechten.kub.nl/koops/cryptolaw/

PGP
http://www.pgp.com/

GPG
http://www.gnupg.org/


===================================================
7. UK GOVERNMENT'S BIOMETRIC PLANS UNDERMINED
===================================================

The biometric technique that has been selected for incorporation into the
new UK national ID card has been undermined in the scientific press. New
Scientist has reported that the technique of iris scanning is not as
perfect and infallible as the Home Secretary (Minister of Internal
Affairs) has claimed. The article alleged that the technology was prone to
failure and that its success could not be guaranteed if used on a national
scale.

New Scientist reported that the key problem "is the limited accuracy of
biometric systems combined with the sheer number of people to be
identified. The most optimistic claims for iris recognition systems are
around 99 per cent accuracy - so for every 100 scans, there will be at
least one false match".

"This is acceptable for relatively small databases, but the one being
proposed will have some 60 million records. This will mean that each
person's scan will match 600,000 records in the database, making it
impossible to stop someone claiming multiple identities. Even if they
already had one or more records in the database, these would be swamped by
the hundreds of thousands of false matches".

The magazine quoted Simon Davies, director of EDRI member Privacy
International, as saying that the technology's performance would not
improve in the foreseeable future.

The Guardian took Davies' critique to a more complex level. "A system with
0.999999 reliability would make a false match, on average, once every
million times - great for verification. But for identification, the
chances of the system correctly comparing someone with its entire database
can be calculated by its success rate to the power of the database size. 
If that is two, with the example above it would be 0.999999 squared, or
0.999998. That means 100 people would produce a 0.9999 success rate,
100,000 a 0.9048 success rate. A database holding the whole UK population
- 50 million - leads to less than one in five thousand billion billion -
in other words, useless".
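
The arithmetic in both quotes can be reproduced and turned around to ask
what per-comparison false match rate a national database would need. This
is an added example, not from New Scientist, The Guardian or the newsletter;
like the Guardian's calculation it assumes every comparison is independent,
and the function names and the 99 per cent target are illustrative.

```python
# Added example: verification (1:1) versus identification (1:N) error rates.
import math


def expected_false_matches(fmr, db_size):
    """Average number of records one scan falsely matches in a 1:N search."""
    return fmr * db_size


def p_no_false_match(fmr, comparisons):
    """Probability that `comparisons` independent comparisons are all correct.

    Equals (1 - fmr) ** comparisons; log1p keeps precision when fmr is tiny.
    """
    return math.exp(comparisons * math.log1p(-fmr))


def required_fmr(target, db_size):
    """Largest per-comparison false match rate for which a search of
    db_size records is free of false matches with probability `target`."""
    return -math.expm1(math.log(target) / db_size)


if __name__ == "__main__":
    # New Scientist's figures: 99 per cent accuracy, 60 million records.
    print("false matches per scan:", expected_false_matches(0.01, 60_000_000))

    # The Guardian's figures: reliability 0.999999, i.e. a rate of 1e-6.
    for n in (1, 2, 100, 100_000, 50_000_000):
        print(f"N = {n:>10,}: {p_no_false_match(1e-6, n):.6g}")

    # Assumed target: 99 per cent of searches over 50 million records clean.
    print("rate needed:", required_fmr(0.99, 50_000_000))
```

For the assumed target the required rate is about 2 in 10 billion
comparisons, several thousand times stricter than the one-in-a-million
system in the Guardian's example.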

Media extensively reported the issue, first through Reuters and then in
the International Herald Tribune. The allegations sparked a lengthy and
heated email exchange between Davies, iris scanning inventor John Daugman,
and many of the world's leading biometric experts. New Scientist will
publish some of the exchanges this week.

'Biometric cards will not stop identity fraud', New Scientist (21.11.2003)
http://www.newscientist.com/news/news.jsp?id=ns99994393

'Report faults biometric ID card plans', Reuters (20.11.2003)
http://www.iht.com/articles/118306.html

'Image Problem', The Guardian (20.11.2003)
http://www.guardian.co.uk/online/story/0,3605,1088437,00.html


===================================================
8. EUROPEAN COURT ALLOWS TRADEMARK FUR ELISE
===================================================

According to the European Court of Justice, music can be deposited as a
trademark in Europe. This is the outcome of a test-case instigated by the
Dutch trademark agency Shieldmark. The founder of the company Shieldmark
formally sued his father, founder of the trademark agency Kist, in order
to get a European trademark on part of Beethoven's Fur Elise. The tune is
used in an advertisement with a chicken that cackles the first nine tones
of the world-famous tune. The trademark is granted on the picture of a
musical score with the notes e, d sharp, e, d sharp, e, b, e, c, a.

The Dutch Supreme Court wondered whether sounds could be registered
because normally trademarks are only granted on things that are capable of
a graphic presentation. For this reason sounds could not be registered as
a trademark. The European Court of Justice confirmed that a musical score
is an effective representation of sound, and can therefore be registered.

The case can have serious consequences for the public availability of
European musical heritage. Trademarks can now be used to claim exclusive
rights even when the copyright has long passed and works belong to the
public domain.

Press release European Court (27.11.2003)
http://www.curia.eu.int/en/actu/communiques/cp03/aff/cp03106en.htm


===================================================
9. FRENCH PROVIDER WINS LAWSUIT ABOUT WEBSITE
===================================================

The French provider RAS does not have to remove a website from the
trade-union SUD-PTT. On 24 November a Paris court rejected the claim from
2 telemarketing companies that the website was both hurtful and
defamatory. The rejection is technical; the companies should have chosen 1
single argument for their complaint.

The contested remarks state that one of the companies is being ruled by
'little bosses', a manager is described as being unable to distinguish
between friendship and hierarchical relationships and a female president
is disqualified as being perfectly aware of the situation, but not acting
on it - as usual. (See EDRI-gram nr. 21, 5 November 2003)

The companies are ordered to pay 2.000 Euro to the trade union and 3.000
Euro to provider RAS. The judge explicitly authorised putting the remarks
back online, since the editor had removed them before the ruling.

EDRI-member IRIS voluntarily joined the defendants in the lawsuit. IRIS'
Meryem Marzouki is excited about the verdict. "It shows that the current
French law shouldn't be modified towards recognition of notice and take
down procedure (this is in the draft law for e-commerce directive
transposition): if even a judge cannot find evidence that content is
illegal, how should a private party or an ISP be able to do that?"

Press release IRIS and RAS (26.11.2003)
http://www.ras.eu.org/ras/actions/ceritex-SudPTT/index.html

"Independent providers are not responsible for content, at the moment"
(25.11.2003)
http://www.transfert.net/a9625


===================================================
10. STATEMENT ON HUMAN RIGHTS IN INFORMATION SOCIETY
===================================================

Early in November independent experts from all regions of the world met in
Geneva to discuss fundamental human rights in the information
society. The meeting was supported by the Swiss Agency for Development and
Cooperation (SDC), the European Commission, the Office of the High
Commissioner for Human Rights and the Government of Mali, Chair of the
Human Security Network. The experts produced a paper that was distributed
during one of the last preparatory conferences (PrepCom 3A) for the World
Summit on the Information Society (WSIS), that started on 12 November in
Geneva. The paper calls on governments to protect all human rights related
to the information society; ranging from freedom of expression and
information to privacy to intellectual property rights, and from bridging
the digital divide to good governance.

About freedom of expression the paper states:
"Full respect for freedom of expression and information by States and
non-State actors is an essential precondition for the building of a free
and inclusive information and communication society. ICTs must not be used
to curtail this fundamental freedom."

Statement in MS Word (12.11.2003)
http://www.pdhre.org/wsis/statement.doc


===================================================
11. EDRI-GRAM AVAILABLE IN UKRAINIAN
===================================================

The not-for-profit group Privacy Ukraine will provide regular translations
of EDRI-gram in Ukrainian. A back archive is already available from nr. 19
onwards. EDRI-gram is also regularly available in Russian and Italian.

EDRI-gram in Ukrainian
http://www.internetrights.org.ua/index.php?page=edri-gram


===================================================
12. RECOMMENDED READING
===================================================

A new handbook about the Cybercrime convention warns that the interests of
law enforcement are currently prevailing over respect for fundamental
human rights. The handbook is written by Dr. Yaman Akdeniz from the UK
not-for-profit organisation Cyber-rights and Cyber-liberties.

The Cyber-Crime Convention (November 2001) and its additional protocol on
racist and xenophobic acts committed through computer systems (January
2003) were developed by the Council of Europe, representing 45 European
countries. The convention enters into force after ratification by 5
members. Currently only Albania, Croatia and Estonia have ratified the
convention; no member state has yet ratified the first protocol.

The report concludes: "Governments and supranational and international
organisations should co-operate to respect fundamental rights such as
freedom of expression and privacy, and should encourage rather than limit
the people's usage of the Internet through excessive regulation at the
national level. (...) It should be remembered in the words of Judge
Pettiti that 'the mission of the Council of Europe and of its organs is to
prevent the establishment of systems and methods that would allow Big
Brother to become master of the citizens private life'."


==================================================================
13. AGENDA
==================================================================

10-12 December 2003, Geneva, Switzerland, First Phase
of WSIS - The World Summit on the Information Society
http://www.itu.int/wsis/index.html

8-9 January 2004, Sheffield, UK - CCTV and Social Control
Conference organised by the Centre for Criminological Research, University
of Sheffield on the politics and practice of video surveillance, from a
European and global perspective.
http://www.sheffield.ac.uk/ccr/publicity/conference/index.html

15 January 2004 deadline 'Nothing to hide' cartoon-contest
The Berlin Humanistic Union invites everybody to join a cartoon-contest
about the theme 'I've got nothing to hide'. Submissions can be
drawings, paintings, photos or computer generated images. The first prize
is 500 euro, the second 400 and the third prize 300
euro.
http://www.humanistische-union.de/karikaturenwettbewerb/ (in German only)

30-31 January 2004, Stockholm, Sweden - WHOLES
A Multiple View of Individual Privacy in a Networked World
An international workshop to explore interdisciplinary approaches to privacy.
http://www.sics.se/privacy/wholes2004/


==================================================================
14. ABOUT
==================================================================

EDRI-gram is a bi-weekly newsletter about digital rights in Europe.
Currently EDRI has 14 members from 11 European countries. EDRI takes an
active interest in developments in the EU accession countries and wants to
share knowledge and awareness through the EDRI-grams. All contributions,
suggestions for content or agenda-tips are most welcome.

Newsletter editor: Sjoera Nas <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

- EDRI-gram subscription information

subscribe/unsubscribe web interface
http://www.edri.org/cgi-bin/mailman/listinfo/edri-news/

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

- EDRI-gram in Russian, Ukrainian and Italian

EDRI-gram is also available in Russian, Ukrainian and Italian, a few days
after the English edition. The contents are the same.

Translations are provided by Sergei Smirnov, Human Rights Network, Russia;
Privacy Ukraine and autistici.org, Switzerland

The EDRI-gram in Russian can be read on-line via
http://www.hro.org/editions/edri/

The EDRI-gram in Ukrainian can be read on-line via
http://www.internetrights.org.ua/index.php?page=edri-gram

The EDRI-gram in Italian can be read on-line via
http://www.autistici.org/edrigram/

- Newsletter archive

Back issues are available at:
http://www.edri.org/cgi-bin/index?funktion=edrigram

- Help

Please ask <info at edri.org> if you have any problems with subscribing or
unsubscribing.

==================================================================
Publication of this newsletter is made possible by a grant from
the Open Society Institute (OSI).
==================================================================












