EDRI-gram newsletter - Number 13, 16 July 2003
EDRI-gram newsletter
edrigram at edri.org
Wed Jul 16 17:32:05 CEST 2003
==================================================================
EDRI-gram
bi-weekly newsletter about digital civil rights in Europe
Number 13, 16 July 2003
==================================================================
CONTENTS
==================================================================
1. Preparations for biometric chip in EU passports
2. Commission workshop on Privacy Enhancing Technology
3. Four new EDRI-members
4. Commission wants enforcement of spam-ban
5. French consumer unions fight CD copy protection
6. RFID developers aim to neutralize opposition
7. Opinion EU data protection authorities on WHOIS data
8. Danish agreement on digital civil rights
9. Swiss data protection chief criticizes USA
10. Recommended reading
11. Agenda
12. About
==================================================================
1. PREPARATIONS FOR BIOMETRIC CHIP IN EU PASSPORTS
==================================================================
International technical standards bodies (ISO) and civil aviation bodies
(ICAO) are preparing plans for 'globally interoperable machine readable
passports'. The technology should consist of RFIDs (Radio Frequency
Identification) that contain 'details that enable the machine-assisted
identification of the presenter'. These technical descriptions point at
passports that can transmit biometric data over a radio frequency.
The organizations aim at 'fast-track deployment', presumably because of an
October 2004 deadline. By that time the USA will demand biometric data in
passports issued by countries whose citizens normally don't need a visa for
travelling to the States, such as most EU countries. The US Enhanced Border
Security and Visa Reform Act of 2002 states that those countries must have
a program to issue "machine-readable passports that are tamper-resistant
and incorporate biometric identifiers that comply with applicable biometric
identifiers standards established by the International Civil Aviation
Organization".
During the June 2003 EU summit in Greece the European leaders already
decided to develop a 'coherent approach on biometric identifiers' and
'harmonized solutions for documents'.
Cards and personal identification standards committee
http://www.sc17.com/
Meeting document regarding contact-less chip technology for machine
readable passports
http://www.sc17.com/refined.cfm?DocumentNumber=2330
Wenn die Pässe Bio-Daten funken (09.07.2003)
http://futurezone.orf.at/futurezone.orf?read=detail&id=169869
EU Summit: Agreement on "harmonized" biometric identification linked to EU
databases
http://www.statewatch.org/news/2003/jun/22bio.htm
==================================================================
2. COMMISSION WORKSHOP ON PRIVACY ENHANCING TECHNOLOGIES
==================================================================
On 4 July, the European Commission organised a technical workshop on
Privacy Enhancing Technologies (PETS) in Brussels. 39 experts from Europe,
the USA and Canada were invited to participate, ranging from Commission
officials to academic experts, from data protection authorities to business
representatives. Amongst the invitees were also 2 EDRI-members: FIPR and
Bits of Freedom.
After a somewhat predictable debate about the meaning of the acronym PET,
the need to create PET-lovers, and possible other acronyms such as PUT and
PAT, the value of existing privacy enhancing technologies was discussed.
Basically, technology is considered privacy-friendly when it disables
traceability to a person (be it an individual or a company). In the
implementation report of the 1995 privacy directive (95/46/EC), the
European Commission announced determined efforts to encourage and promote
the use and further development of these technologies.
John Borking, former member of the Dutch data protection authority,
defended PET as the most suitable method to prevent the linking of
databases. When he unfolded the theory of machine-made privacy choices, he
was sharply attacked by the Swedish business representative Stephan
Goldberg. According to Goldberg, "that kind of privacy-ontology is mainly
a reflection of the typical idea of engineers that law is simple, and can
thus easily be implemented in technology".
A large part of the workshop was devoted to anonymity. According to
Stephanie Perrin, as a government official largely responsible for
privacy-legislation in Canada, the nucleus of any privacy legislation is
anonymity. She expressed regrets about the fact that PET is now largely
associated with weaker protection mechanisms, like opt-out boxes on
websites and cookie-management tools. As executive officer of Zero
Knowledge Systems, creators of the defunct anonymizer tool 'Freedom', she
was closely involved with the creation of a tool with anonymity in the
core. But acknowledging the market-failure of this and similar tools, she
argued the Commission should help develop these tools and generally focus
on anonymity.
Peter Hustinx, chief of the Dutch data protection authority and candidate
for the new function of EU Data Protection Supervisor, didn't agree.
Besides anonymity, it is also useful to promote the use of partial,
non-personalised, data. Legally such a requirement can be based on article
17 of the 1995 privacy directive (95/46/EC), which requires that
controllers implement security measures which are appropriate to the risks
presented for personal data in storage or transmission, with a view to
protect personal data against accidental loss, alteration, unauthorised
access, in particular where the processing involves the transmission of
data over a network, and against all other unlawful forms of processing.
According to Hustinx, this article is too easily considered old-fashioned
in its stress on security, but it also prevents unlawful collection and
processing of personal data.
Implementation report on Directive 95/46/EC (15.05.2003)
http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm
==================================================================
3. FOUR NEW EDRI-MEMBERS
==================================================================
On 5 and 6 July, European Digital Rights (EDRI) held its first general
assembly in Paris. During the assembly four new members were admitted from
4 different countries. With the acceptance of the Belgian Association
Electronique Libre (AEL), ISOC-Bulgaria, the Spanish chapter of CPSR and
the Swiss Internet User Group (SIUG), EDRI now has 14 members from 11
different countries. EDRI will continue to expand its activities in
Brussels to defend civil rights in the information society, focussing on
data retention, privacy, the impact of anti-terrorism measures on freedom,
copyright, freedom of speech and spam. An important goal of EDRI will be
to identify and admit members from the EU accession countries. During the
meeting the members also chose a new board for a two-year period, made up
of Maurice Wessling (nl), Andy Müller-Maguhn (de) and Ville Oksanen (fi).
Association Electronique Libre (AEL)
http://www.ael.be/
ISOC-Bulgaria
http://www.isoc.bg/
CPSR-ES
http://www.spain.cpsr.org/
Swiss Internet User Group (SIUG)
http://www.siug.ch/
==================================================================
4. COMMISSION WANTS ENFORCEMENT OF SPAM-BAN
==================================================================
The European Commission is planning to issue a Communication this autumn
calling for effective enforcement of the spam-ban, EU Commissioner Erkki
Liikanen said during a press conference yesterday.
Action would focus on effective enforcement, notably through international
cooperation, technical measures for countering spam, and consumer
awareness. The proposed measures would be first tested with Member States
and interested parties through a workshop to be convened in October.
Liikanen underlined the necessity for international cooperation both
within the EU and with third countries. He referred to recent discussions
with his US counterparts and to a proposal to host an OECD seminar on
spam, to be organized in Brussels in January 2004.
Under the new directive for privacy in the electronic communications
sector (2002/58/EC) all Member States have to transpose a 'ban on spam'
into national legislation by the end of October 2003. Results from a
Commission questionnaire about transposition plans (described in EDRI-gram
nr. 11) showed a wide variety in approach. At that time, the Commission
still seemed unwilling to take any further steps to harmonize enforcement.
SPAM: European Commission goes on the offensive (15.07.2003)
http://europa.eu.int/information_society/newsroom/relinfo/dir000/dir013/dir04/index_en.htm
==================================================================
5. FRENCH CONSUMER UNIONS FIGHT CD COPY PROTECTION
==================================================================
In a first result of legal procedures against record companies instituted
by two French consumer unions, EMI Music France has been condemned for
deception. Within a month, they must print the following warning on
copy-protected CDs: 'Attention, this CD cannot be read by all players or
car radios.'
Late in May, the 2 unions started legal procedures against several major
record companies in order to fight copy protection on CDs. The Union
Fédérale des Consommateurs (UFC-Que Choisir) deposited complaints in the
courts of Paris against EMI Music France, Warner Music France, Universal
Pictures Video as well as the distributors Auchan and FNAC. The consumer
union CLCV (Consommation, Logement et Cadre de Vie) brought complaints
against EMI, Sony and BMG in the court of Nanterre. The unions wish to
establish that copy-protection is illegal.
The unions want to defend the right to make private copies, made
impossible by copy protection. Another disadvantage of copy protection
they wish to fight is the fact that many CDs cannot be played on many
players, like players built into computers. Finally, the unions argue that
artists are not asked for consent.
The UFC accuses the music industry of giving consumers a bad conscience
with false facts. In reality, last year record sales in France increased
by 10 percent. On top of that, users of recordable CD-ROMs paid about 135
million Euro in copyright levies, an increase of 44 percent compared with
2001. According to the UFC, this is an adequate compensation for artists
and producers.
In response to the legal procedures, the director of SNEP, the French
phonography-association, acknowledged that record companies let speed
prevail over precaution. The technique behind copy protection 'was not
entirely satisfying' according to the director. Sony Music immediately
responded by announcing that it would stop copy protection on its CDs.
CDs protégés: La CLCV fait condamner EMI Music France (25.06.2003)
http://www.clcv.org/index.php?v=detail&a=info&id=74
CD protégés: les associations de consommateurs attaquent les majors (28.05.2003)
(The article contains direct links to the French press releases by the unions)
http://www.transfert.net/a8881
==================================================================
6. RFID DEVELOPERS AIM TO NEUTRALIZE OPPOSITION
==================================================================
Developers of Radio Frequency Identification (RFIDs) are making plans to
'neutralize opposition' to their new technology. The strategy is discussed
in confidential documents from the Auto-ID Center, in which RFID
developers work together. The documents were uncovered by Consumers
Against Supermarket Privacy Invasion and Numbering (CASPIAN) through a
security glitch on the Auto-ID Center's website.
In the document 'Managing External Communications', PR company
Fleishman-Hillard states that the "political climate and shifting public
perception require a proactive plan that [...] neutralizes opposition and
mitigates possible public backlash".
The document advises the Auto-ID Center to establish an 'International
Privacy Advisory Council' made up of 'potentially adversarial advocates'
such as the European Consumers' Union. It also suggests that the Center
'educate top-tier opinion leaders' such as officials from the EU
Commission and members of the European Parliament Industry Committee.
Other documents describe privacy as the key issue to overcome, since 78% of
consumers have privacy concerns regarding RFIDs. At the same time, the
Auto-ID Center also expects consumers to be 'apathetic' and willing to
'resign themselves to the inevitability of it' instead of acting on their
concerns. Other elements of the communications strategy, such as renaming
RFIDs to Green-Tags, are also discussed.
RFIDs are very small radio chips that transmit a unique serial code when a
reader is placed in their proximity. Consumer groups and privacy advocates
are campaigning for rules that inform consumers about the tags in or on
products (notification) and a default disabling of tags when leaving the
supermarket.
CASPIAN
http://www.nocards.org/
Confidential Auto-ID Center documents
http://cryptome.org/rfid-docs.htm
==================================================================
7. OPINION EU DATA PROTECTION AUTHORITIES ON WHOIS DIRECTORIES
==================================================================
The associated European data protection authorities (the Article 29
Working Party) issued a formal opinion on WHOIS directories. These
directories associate social information (like holder's identity and
contact information) with network identifiers such as domain names or IP
addresses.
The opinion is focused on domain name WHOIS, especially the fact that
personal data about individual domain name holders are publicly
accessible.
The working party notes that the original purpose of making these data
publicly available -- finding contact points for addressing technical
problems in operating the internet -- is legitimate. Concerns are raised
about the compatibility of other purposes for which the data are being
used today, e.g., private policing of intellectual property rights.
The working party questions whether the publication of contact information
about individual registrants is actually relevant to the original purpose.
This purpose could be served well -- or even better -- by publishing
contact information pointing to the registrant's ISP, who would then know
how to reach the registrant. The working party finds that "there is no
legal ground justifying the mandatory publication of personal data
referring to this person." Publication would lead to a conflict with
directive 2002/58/EC (Privacy in the electronic communications sector).
Concerns are also raised about proposals to introduce extended search
services which would, for instance, return a list of all domain names
registered by one individual. Earlier, the working party concluded that
the inclusion of personal data in this kind of service must be based on
unambiguous and informed consent of the individual.
The working party explicitly supports recent decisions of the Internet
Corporation for Assigned Names and Numbers (ICANN) to improve the accuracy
of the data collected, and to forbid any marketing uses of WHOIS data
obtained in bulk.
Very recently, ICANN held a workshop in Montreal, Canada, on WHOIS policy.
This policy is part of ICANN's contracts with domain name retailers
('registrars') and database operators ('registries').
Registrars in general pointed to the contribution of WHOIS data to
consumer fraud. European registrars in particular noted that the WHOIS
provisions of their contracts with ICANN may be incompatible with
applicable law. Data users from the Intellectual Property and Law
Enforcement communities considered any possible restriction of access to
WHOIS data as a nuisance which would hamper effective law enforcement on
the internet.
Opinion 2/2003 on the application of the data protection principles to the
WHOIS directories
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp76_en.pdf
WHOIS-related consensus policies recently adopted by ICANN
http://www.icann.org/minutes/minutes-27mar03.htm#GNSORecommendationonWhoisAccuracyandBulkAccess
Background material for the Montreal WHOIS workshop
http://www.icann.org/montreal/whois-topic.htm
(Contribution by Thomas Roessler, FITUG)
==================================================================
8. DANISH AGREEMENT ON DIGITAL CIVIL RIGHTS
==================================================================
On 4 July, the Danish Committee on citizens IT-rights published a list of
10 recommendations on digital civil rights. The committee was established
in September last year by the Danish Ministry of Science, Technology and
Innovation. The recommendations deal with communication with the public
sector, with privacy and registration, with freedom of expression and with
access to information.
The recommendations paint a bleak picture of privacy in the state of
Denmark. For example, as part of an anti-terrorism package, telecom traffic
data must be retained for 1 year. The committee now urges government to
inform both citizens and internet service providers on the new rules and
procedures for data retention, "upon completion of the administrative
order, which is currently being drafted by the Ministry of Justice and the
Ministry of Research, Technology and Innovation."
Among the recommendations for freedom of information is a call to make
sure filters or other means of protecting minors in public libraries do
not hinder parental rights to freely seek information. The committee also
agreed on establishing a working group with the aim of clarifying the
premises for granting citizens digital access to information regarding
which authorities have used their personal data and for which objective.
The committee consisted of representatives from various ministries,
consumer organisations, the IT-business sector and civil society, amongst
which EDRI-member Digital Rights.
Recommendations (04.07.2003)
http://www.edri.org/docs/denmark_it_rights.pdf
==================================================================
9. SWISS DATA PROTECTION CHIEF CRITICIZES USA
==================================================================
The head of Switzerland's data protection commission says the United
States' war on terror is undermining personal privacy. Hanspeter Thür
calls for tighter controls on the campaign against terrorism and for more
money to safeguard individual rights. According to him, the Bush
administration is pursuing a repressive policy with little regard for data
protection.
The unusually outspoken comments are contained in a new report to mark the
tenth anniversary of Switzerland's data protection commission. In
particular, Thür cites USA requirements for airlines flying to the USA to
supply personal details of all passengers, including their religion,
dietary preferences and credit card numbers to US customs. The mandatory
transfer of PNR-data is forcing Swiss airline to break Switzerland's own
laws on data protection, Thür says.
Data protection chief criticizes US (01.07.2003)
http://www.swissinfo.ch/sen/Swissinfo.html?siteSect=105&sid=3996292
==================================================================
10. RECOMMENDED READING
==================================================================
Report of research on privacy for electronic government. Report for
Japan's Ministry of Public Management, Home Affairs Post and
Telecommunications, March 2003. On pages 351-402 there are 4 interesting
European country reports (Denmark, Finland, France and the UK),
coordinated by EDRI-member Privacy International. The authors are quite
pessimistic about the adequacy of privacy enhancing technology.
"European data protection laws in general, arguably the most advanced in
terms of recognizing the importance of adequate data protection, have done
little to prevent the spread of DNA testing, the use of identity cards,
workplace surveillance, police powers, intrusion by tax authorities,
Internet snooping and national security surveillance of civilian
communications in the countries that comprise the European Union."
http://joi.ito.com/privacyreport/Contents_Distilled/EnglishSection/Europe_E_p350-402.pdf
==================================================================
11. AGENDA
==================================================================
7-10 August 2003, Chaos Computer Camp 2003 - Berlin, Germany
http://www.ccc.de/camp/
5 September - Deadline Call for Papers about Copyright and Open and
Proprietary Software
On 4-5 December 2003, the Center for Tele-Information of the Technical
University of Denmark organizes its 8th annual international conference -
this year on copyright and software patents. A selection of the best
papers for the conference will be published in the international journal
Telematics and Informatics in spring 2004.
http://www.cti.dtu.dk/
11-14 September 2003, Next 5 Minutes, International Festival of Tactical
Media - Amsterdam, Netherlands
http://www.n5m.org/
==================================================================
12. ABOUT
==================================================================
EDRI-gram is a bi-weekly newsletter from European Digital Rights, an
association of privacy and civil rights organisations in Europe. Currently
EDRI has 10 members from 7 European countries. EDRI takes an active
interest in developments in the EU accession countries and wants to share
knowledge and awareness through the EDRI-grams. All contributions,
suggestions for content or agenda-tips are most welcome.
Newsletter editor: Sjoera Nas <edrigram at edri.org>
Information about EDRI and its members:
http://www.edri.org/
- EDRI-gram subscription information
subscribe/unsubscribe web interface
http://www.edri.org/cgi-bin/mailman/listinfo/edri-news/
subscribe by email
To: edri-news-request at edri.org
Subject: subscribe
You will receive an automated email asking to confirm your request.
- EDRI-gram in Russian
EDRI-gram is also available in Russian, a few days after the English
edition. The contents are the same. Translations are provided by Sergei
Smirnov, Human Rights Network, Russia.
The EDRI-gram in Russian can be read on-line via
http://www.hro.org/editions/edri/
- Newsletter archive
Back issues are available at:
http://www.edri.org/cgi-bin/index?funktion=edrigram
- Help
Please ask <info at edri.org> if you have any problems with subscribing or
unsubscribing.
==================================================================
Publication of this newsletter is made possible by a grant from
the Open Society Institute (OSI).
==================================================================