EDRI-gram - Number 3, 26 February 2003
EDRI-gram newsletter
edrigram at edri.org
Sun Jan 26 18:37:40 CET 2003
==================================================================
EDRI-gram
bi-weekly newsletter about digital civil rights in Europe
Number 3, 26 February 2003
==================================================================
Contents
==================================================================
1. EU questionnaire on spam-ban
2. Data-retention scandal in Ireland
3. Dutch interception secrecy
4. USA gets direct access to EU passenger data
5. Belgium introduces electronic passport
6. ID-requirements in Europe
7. Criticism gone from EP report on safer internet plan
8. Bulgarian Big Brother Award for Interior Affairs
9. Recommended reading: Digital Lithuania
10. Agenda
11. About
==================================================================
1. EU QUESTIONNAIRE ON SPAM-BAN
==================================================================
As of 31 October 2003 spamming will be prohibited in all EU member states,
but it is completely unclear what authority should supervise the spam-ban.
The European Commission doesn't have a ready-made answer, and is currently
asking privacy-authorities and telecommunications ministries what approach
they prefer.
The new Privacy Directive prohibits the sending of unsolicited e-mail but
doesn't regulate the practicalities of penalties, damage claims or
prosecution of cross-border violations. To make matters even more
complicated, the Directive leaves the level of privacy protection of legal
persons up to member states. Therefore, in some countries all e-mail
addresses will be protected, in other states the spam-ban is limited to
natural persons. On top of that, the directive bans commercial spam, but
does allow for a ban on all unsolicited electronic communications,
including those for charity and political purposes.
Seven EU member states already have anti-spam legislation: Austria,
Denmark, Germany, Finland, Greece, Italy and Spain. In Europe-at-large,
spam is also banned in Hungary and Norway. Punishments differ widely. In
Austria for example, spammers can be fined to a maximum of 36.330 Euro,
while in Italy spammers risk a prison sentence, in addition to the
obligation to pay damages of 500 to 5000 euro per spam mail.
Answers to the questionnaire from DG Infosoc should be in by 28 February
2003. Based on the answers, the European Commission will probably produce a
guideline for recommended practice. Most likely, direct marketers will
lobby for self-regulation, leaving it up to the industry to punish itself.
EDRI opposes such a soft approach, and strongly recommends the institution
of a European hotline for spam, to solve the problem of having to find out
where the spam was sent from. This should not be left up to individual
citizens, nor should they have to instigate cross-border procedures themselves.
Previous initiatives by the Belgian and French data-protection authorities
to open up a national spam-box showed immense public interest. The Belgian
authority even closed its mailbox after 2 months, after having received
50.000 spams. As well-intended as it was, they were inundated with
identical spams. To withstand the spam-deluge, more is needed, like a
dedicated transnational institute, with smart automatic processing of
spams, a searchable public database and professionally trained staff.
Privacy-directive (2002/58/EC)
http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf
Overview of anti-spam legislation in Europe-at-large
http://www.euro.cauce.org/en/countries/
Questionnaire
http://edri.org/EU-spam-questionnaire.pdf
Belgian privacy-authority (in Dutch and French)
http://www.privacy.fgov.be/
==================================================================
2. DATA-RETENTION SCANDAL IN IRELAND
==================================================================
Ireland has had a secret data retention regime for almost a year, after the
Cabinet confidentially instructed telecommunications operators to store
traffic information about every phone, fax and mobile call for at least
three years. The Irish Data Protection Commissioner Joe Meade revealed this
last Monday at a forum on data retention. Telcos even used to keep these
data for a period of 6 years, the commissioner found out in January 2001,
when he obliged ISPs and telcos to register with the Office for Data
Protection. Following EU privacy-guidelines the Commissioner pressed for a
maximum retention period of 6 months.
Meade said: 'While this period was eventually acceptable to most of the
telcos and ISPs it raised legitimate concerns in the Department of Justice
regarding access for security and crime investigations. Following
discussions with me the Department indicated that a retention period of
three years, rather than the then six years, was necessary for security
purposes for telcos.'
In spite of the Commissioner's protest, in April 2002 the Minister for
Public Enterprise issued directions to telcos to keep detailed,
non-anonymous traffic data for a three-year period. Without any public
debate, the government went on to prepare official legislation, Meade stated,
including mandatory data-retention for internet providers. Details are not
yet known, but legislation could oblige providers to keep track of the
destination, origin, timing, size and itinerary of every e-mail, as well as
the locations of every website visited by every customer.
The Irish scandal comes at a time of relative quiet about a possible
European decision about mandatory data retention. In September 2002 the
answers to a questionnaire became available, showing a large majority of EU
member states in favour of a decision for systematic retention of traffic
data concerning all kinds of telecommunication for a period of one year or
more. The Danes concluded their presidency of the Justice and Home Affairs
Council in December 2002 with the recommendation to organise more
discussions with the industry. Under the current Greek presidency, the topic
seems to have dropped from the priority-list.
All over Europe, the privacy authorities, organised in the Article 29
Working Party, have expressed grave doubts about the legitimacy and
legality of such broad measures and stated that systematic retention of all
kinds of traffic data for a period of one year or more would be clearly
disproportionate and therefore unacceptable in any case.
Statement by Joe Meade (24/02/03)
http://www.dataprivacy.ie/7nr240203.htm
Conclusions Danish Presidency 15763/02 (19/12/02)
https://umbrella.quintessenz.at/cgi-bin/image?user=edri&funktion=content/9&mimetype=application/pdf
Answers to questionnaire on traffic data retention (November 2002)
http://www.effi.org/sananvapaus/eu-2002-11-20-original.html
Statement of the European Data Protection Commissioners (September 2002)
http://www.cbpweb.nl/documenten/med_20020912_eu_verkeersgegevens.htm
==================================================================
3. DUTCH INTERCEPTION SECRECY
==================================================================
The quantity of police interceptions of telecommunication in the
Netherlands is higher than anywhere else in the world, according to the few
available official statistics. The government, however, tries to maintain
secrecy about the exact numbers and the technical specifications of the
equipment.
Last week, a Freedom-of-Information request by EDRi-member Bits of Freedom
for statistics covering the nineties was turned down by government because
of 'the lack of available statistics'. The ministry of Justice could not
explain why there seem to be no statistics for most years.
The few official publications show an explosive increase of interception
numbers in the nineties. According to a 1996 report by the Ministry of
Justice's research centre, in 1993 and 1994 respectively 3.619 and 3.284
telephone lines were wiretapped. The researchers concluded that those
numbers already were considerably higher than the absolute quantity in the
USA and the UK. According to Ministerial answers to Parliament, in 1999 the
number of intercepts had increased to an astonishing 10.000 tapped phones
by Dutch police (TK 27591, nr. 2). Official reporting by the US Courts and
the UK Communications Commissioner shows considerably lower numbers over
1999: 1.277 for the USA and 1.933 for the UK.
Police in the Netherlands have made themselves very dependent on
wiretapping. Since the introduction of the Dutch Telecommunications
Act in 1998, all telephone companies and internet service providers have
been obliged to install interception devices at their own expense. Wiretapping
being such an elementary part of police investigation, the government shies away from
transparency and accountability. Even though telecom and internet operators
regularly send bills for operational wiretapping costs, the ministry of
Justice claims it doesn't keep account of the numbers.
But secrecy is not limited to the numbers; there are no certifications for
the wiretapping equipment. In recent criminal court cases lawyers have
declared wiretap evidence unreliable and manipulated. Since most of the
interception equipment in the Netherlands is closed-source (even for the
police) and not certified, little assurance can be given that the produced
evidence is indeed correct and reliable. In a high profile court case
against the Kurd Baybasin, a former signals intelligence expert from the
military intelligence service has come forward as an expert for the defence
lawyers, stating that the intercepts were clearly manipulated.
Report of the UK Commissioner for 1999
http://www.archive.official-documents.co.uk/document/cm47/4778/4778.htm
US Courts Wiretap Reports
http://www.uscourts.gov/wiretap.html
Making up the rules: Interception versus privacy (August 2000)
http://www.burojansen.nl/crypto/english/
==================================================================
4. USA GETS DIRECT ACCESS TO EU PASSENGER DATA
==================================================================
From 5 March onwards, USA officials will have direct electronic access to
databases with EU passenger data. On 19 February, U.S. Deputy Customs
Commissioner Douglas Browning and officials of the European Commission
agreed to give the customs officials direct access to the personal data of
passengers flying to, from and through the United States.
These databases don't just include names of passengers, but also itinerary,
phone and credit card number, time of booking and possible changes. The
discussion about data of a sensitive nature, such as meal preferences, was
closed with a recommendation to jointly develop measures to protect these
data, preferably before 5 March 2003.
In return, 'US Customs undertakes to respect the principles of the Data
Protection', at least, as long as these principles don't stand in the way
of the secret services. 'US Customs may provide information to other US law
enforcement authorities only for purposes of preventing and combating
terrorism and other serious criminal offences, who specifically request PNR
information from US Customs.'
According to a press statement on 18 February by EU Traffic-Commissioner
Loyola de Palacio, information would only be transferred with the consent
of the passenger. If the passenger didn't agree, he or she would pay with
more stringent checks upon arrival. However reasonable that might sound, it
is highly unlikely that US Customs will just close its eyes, every time it
sees a mark in the database that the passenger doesn't agree to share
personal data.
Joint statement of the European Commission and US Customs
http://quintessenz.org/pnr.pdf
Article about the statements of Palacio (in German)
http://futurezone.orf.at/futurezone.orf?read=detail&id=145486
==================================================================
5. BELGIUM INTRODUCES ELECTRONIC PASSPORT
==================================================================
Ignoring criticism from the national privacy authority, the Belgian parliament
approved the introduction of an electronic passport. The new chipcard
will be tested in 11 municipalities. If the pilot succeeds, all inhabitants
of Belgium will have an electronic ID within 5 years. The new credit-card
sized passport shows regular data like name, date of birth and national
ID-number, but the chip will also contain the address-data.
The revised law simultaneously lowers the access barriers to the national
register. Every public and private authority or any of its assignees are
granted access 'to exercise tasks of public interest'. On top of that, a
newly instituted 'sectoral committee' can authorise any other sort of
access-request.
The new credit-card sized passport contains several digital keys, to enable
remote identification via internet. Personal data on the chip are secured
via a public key infrastructure (PKI). To be able to read or scramble data,
a combination is required of a public and a private key. The public key can
be given out to everybody, while the 'private key' is locked in the chip on
the ID-card.
Revised ID-law, nr. 50/2226/066 (in Dutch and French)
http://www.dekamer.be/
http://www.lachambre.be/
==================================================================
6. ID-REQUIREMENTS IN EUROPE
==================================================================
Only a few EU-member states currently have ID-requirements.
Privacy-authorities and civil rights groups alike doubt the practical
effects and warn against highly arbitrary checks. Belgium, France and
Spain, where ID-requirements have been in place for a long time, have bad
track-records of police discrimination.
Belgium currently has the strictest legislation, requiring everybody aged 15
and older to show ID when asked by a police officer, without the need for a
suspicion. In the Netherlands, the minister of justice recently proposed an
ID-requirement for everybody aged 12 and above. According to research by the
ministry of justice, published in a letter to parliament on 29 October 2001,
the Netherlands would suddenly have the most repressive ID-scheme in Europe.
According to this research, in Germany inhabitants 16 years and older are
required to show ID to police officers. In practice ID-requirement is
limited to financial transactions. In France and Spain, officials must
provide some ground, like danger to public safety, to require ID, but in
practice there is a lot of debate about arbitrary checks, like in Belgium.
In Portugal ID-requirements are limited to very specific transactions and
to suspects of criminal offences. In Sweden ID-requirements are very
specific as well. No ID-requirements exist in the UK, Denmark, Norway and
Switzerland, though the plans for a national entitlement-card in the UK are
heavily criticised as a hidden ID-scheme.
Netherlands: ID-checks to be introduced
http://www.statewatch.org/news/2003/jan/05neths.htm
==================================================================
7. CRITICISM GONE FROM EP-REPORT ON SAFER INTERNET PLAN
==================================================================
In a remarkable change of heart, rapporteur Bill Newton Dunn removed all
criticism from his draft report on the Safer Internet Action Plan (EU
Document Number COD/2002/0071). Instead of the original recommendation to
discontinue the program because of its complete ineffectiveness, Mr.
Newton Dunn (British Liberal) now pleads for an extension of the program.
The change is the outcome of a series of so-called trilogue meetings,
high-level, closed-door meetings of Council and Commission representatives
as well as EP rapporteurs and shadow rapporteurs. Newton Dunn submitted
completely to the will of the Council. Not only did he withdraw all of his
critical original amendments, he even asked the Council for formulas he
then tabled as last-minute amendments in his own name. The result: not a
single amendment was adopted in the EP Internal Affairs committee that had
not been approved by the Council before. It is very likely that the outcome
in the EP Plenary, which will vote on March 10, will look similar.
The Action Plan can now be extended to almost all forms of electronic
communication and all protocols. At the last trilogue meeting, Newton Dunn
agreed to withdraw part 2 of his original amendment 4, which would have
taken 'peer-to-peer file transfer, text and enhanced messages and all forms
of real-time communications such as chat rooms and instant messages' out of
the scope of the program, on the grounds that 'the aims of the initial
Action Plan have not been entirely achieved'. Instead, the rapporteur
accepted an insignificant formula saying the goal of the program is
'primarily (...) improving the protection of children and minors'.
Amendment 5, which contained implicit criticism that hotlines were not
known to users, disappeared as well, without any explanation of
the sudden increase of knowledge about these hotlines.
The deadline for amendments for the Plenary is 6 March.
LIBE Revised report
https://umbrella.quintessenz.at/cgi-bin/image?user=edri&funktion=content/7&mimetype=application/pdf
Voting list
https://umbrella.quintessenz.at/cgi-bin/image?user=edri&funktion=content/8&mimetype=application/pdf
(Contribution by Andreas Dietl, consultant on EU privacy issues)
==================================================================
8. BULGARIAN BIG BROTHER AWARD FOR INTERIOR AFFAIRS
==================================================================
In Bulgaria, a Big Brother Award was awarded to the Ministry of Interior
Affairs for the double achievement of a proposal to wiretap all internet
traffic and the censorship of a satirical homepage.
The draft new Telecommunications Law would have obliged internet service
providers to buy wiretapping equipment that would have given police live
access to all data traffic going through the networks of the providers. The
proposal was stopped just in time and sent back to several parliamentary
committees.
In September 2001, the National Unit for Combating Organized Crime tracked
down 26-year-old Lubomir Kolev and confiscated his computer.
His 'crime' was that he published a website under the name of a
Bulgarian bank, where he made a mockery of the election promise of the prime
minister to give an interest-free loan of 5000 Leva (EUR 2.500) to every
Bulgarian citizen.
The Ministry explained the take-down because 'in the web site a picture of
the prime minister Mr. Simeon Saxe-Coburg-Gotha was published, with which
Lubomir K. has lowered not only the image of the bank, but also of the
official Bulgarian institutions'. Many people joked 'We didn't know that
publishing a picture of the prime minister could ruin the image of
Bulgarian institutions or banks'.
Though never charged for the satire, Kolev recently received a fine of EUR
1.000 for having illegal software on the confiscated computer. To obtain
the report, send an e-mail to veni at veni.com
Explanation of the Interior Ministry
http://www.mvr.bg/show/index.asp?dat=200109&nom=23
(Contribution by Veni Markovski, GIPI Bulgaria)
==================================================================
9. RECOMMENDED READING: DIGITAL LITHUANIA
==================================================================
Not much research has been done on privacy and digital civil rights in
the Baltic EU accession countries (Estonia, Lithuania and Latvia). Estonia
refers to itself as E-stonia, with the ambition to outclass even Finland as
an ICT nation. Groundwork was done by the Open Society Institute in Lithuania,
resulting in the report Digital Lithuania in 2001 by Marius P. Saulauskas.
In spite of extreme pessimism about the level of ICT-development in 2001,
seventy-four percent of the interviewed Lithuanians felt that the
development of an information society would favourably influence the
Lithuanian economy. With Parliament reviewing the conclusions, the study
has become an important factor in official plans for Lithuania's
development over the next 15 years. In cooperation with the Ministry of the
Economy, the Institute launched a website to allow people to express their
opinions about the development program.
Summary in English
http://www.politika.osf.lt/inf_society/summaries/DigitalLithuania2001.htm
==================================================================
10. AGENDA
==================================================================
27-28 February 2003 Luxembourg, Luxembourg - 2 workshops on 'Safer Internet'
http://www.saferinternet.org/news/Events-feb2003.asp
10-12 March 2003 Malmo, Sweden - ASEM summit on Globalisation and ICT
http://www.iked.org/asem2003ict/program.html
15 March 2003 Nomination deadline for the Stupid Security Award
http://www.privacyinternational.org/activities/stupidsecurity/
25 March 2003 - UK Big Brother Awards
http://www.privacyinternational.org/bigbrother/uk2003/
1-4 April 2003 New York, USA - CFP 2003
http://www.cfp2003.org/cfp2003/program.html
22-24 April 2003 St Petersburg, Russia - Building the Information Commonwealth
http://www.communities.org.ru/conference/
6-7 May 2003 Padova, Italy - Information Society Visions and Governance
Contact for information: Claudia Padovani, claudia.padovani at unipd.it
8 - 9 May 2003, Namur, Belgium - Collecting and Producing Electronic
Evidence in Cybercrime Cases
2-day workshop organised by the University of Namur
http://www.ctose.org/workshop-8-9-may-2003.html
==================================================================
11. ABOUT
==================================================================
EDRI-gram is a bi-weekly newsletter from European Digital Rights, an
association of privacy and civil rights organisations in Europe. Currently
EDRI has 10 members from 7 European countries. EDRI takes an active
interest in developments in the EU accession countries and wants to share
knowledge and awareness through the EDRI-grams. All contributions,
suggestions for content or agenda-tips are most welcome.
Newsletter editor:
Sjoera Nas, edrigram at edri.org
Information about EDRI and its members:
http://www.edri.org/
You may redistribute the EDRI-gram newsletter freely (but only for free).
- EDRI-gram subscription information
subscribe/unsubscribe web interface
http://www.edri.org/cgi-bin/mailman/listinfo/edri-news
subscribe by email
To: edri-news-request at edri.org
Subject: subscribe
You will receive an automated email asking to confirm your request.
- EDRI-gram in Spanish
EDRI-gram is also available in Spanish, usually 3 days after the English
edition. The contents are the same. Translations are provided by David
Casacuberta, secretary of the Spanish chapter of Computer Professionals for
Social Responsibility (CPSR).
To subscribe to the Spanish language EDRI-gram, please visit
http://www.edri.org/cgi-bin/mailman/listinfo/edri-grama/
or subscribe by email:
To: edri-grama-request at edri.org
Subject: subscribe
- Newsletter archive
Back issues are available at:
http://www.edri.org/cgi-bin/index?funktion=edrigram
- Help
Please ask info at edri.org if you have any problems with subscribing or
unsubscribing.
==================================================================
Publication of this newsletter is made possible by a
grant from the Open Society Institute (OSI)
==================================================================