EDRI-gram newsletter - Number 9, 21 May 2003
EDRI-gram newsletter
edrigram at edri.org
Sat Jun 21 18:22:28 CEST 2003
==================================================================
EDRI-gram
bi-weekly newsletter about digital civil rights in Europe
Number 9, 21 May 2003
==================================================================
CONTENTS
==================================================================
1. Outsider recommended as new EU Data Protection Supervisor
2. Airport protests against data transfer to USA
3. 100 million phone records seized by UK agencies
4. Romania forbids free access to online pornography
5. New cybercrime legislation in Romania
6. German supermarket announces introduction of RFIDs
7. Trial of Nigerian spammers in the Netherlands
8. EP vote on software patents delayed
9. Update on Swiss website blocking order
10. Recommended reading
11. Agenda
12. About
==================================================================
1. OUTSIDER RECOMMENDED AS NEW EU DATA PROTECTION SUPERVISOR
==================================================================
In their vote yesterday on the future EU Data Protection Supervisor, the
Committee of the European Parliament on Justice and Home Affairs (LIBE)
produced a very surprising result. Out of 8 possible candidates, a majority
of the MEPs voted for the only candidate who has no record of dealing with
privacy, data protection or even the protection of any other civil rights.
Joaquín Bayo Delgado has become known to regular readers of the Official
Bulletin of the State of Spain as the dean of the university of Barcelona,
and that's about it. His election - at the expense of likely candidates such as
Netherlands Data Protection Commissioner Peter Hustinx or Commission Data
Protection tsar Ulf Brühann - seems to be the result of a behind-the-scenes
deal between the forepersons of the Social Democrat and the Conservative
Groups in the LIBE Committee, Anna Terrón i Cusí and Jorge Salvador
Hernandez-Mollar, both of whom happen to be Spanish.
The vote was quite a complicated procedure, in which the political groups
had a certain number of points, according to their size, that they could
place on the different candidates. The candidates and their results were as
follows:
1. Joaquin Bayo Delgado (Spain), Magistrado-Juez Decano, Barcelona (56 points)
2. Waltraut Kotschy (Austria), Datenschutzbeauftragte des Europarats,
Mitglied der österr. Datenschutzkommission, Vienna (51 points)
3. Peter Johan Hustinx (Netherlands), College bescherming persoonsgegevens
(CBP), The Hague (50 points)
4. Ulrich Dammann (Germany), 2. stellv. Bundesbeauftragter für den
Datenschutz, BMInneres, Berlin (48 points)
5. Anne Carblanc (France), OECD, Paris (41 points)
6. Ian John Harden, Head of Legal Dept., Office of European Ombudsman,
Brussels (24 points)
7. Ulf Brühann (Germany), European Commission DG Market, Brussels (23 points)
8. Maurice Méda (France), Maitre des requetes au Conseil d'État, Paris (9
points)
9. Francis George Aldhouse (UK), Deputy Information Commissioner, London (9
points)
Brühann, who was regarded, along with Hustinx, as one of the 'natural
candidates', was voted for by the Green and GUE (Left) Groups only, while
Hustinx was the candidate of the Liberal Democrat Group.
The vote is not a final decision, though. The list of the eight candidates
was the result of an obscure selection among the more than 300 applicants
for the position among Council and EP delegates. And the charades will
continue. After last Tuesday's vote, which, in EP slang, was only
an 'orientation vote', a delegation of the LIBE Committee will meet on May
27 with the Permanent Representative of the Greek Presidency at the Council
to see whether the candidates who have found a majority in the Committee
are to the liking of the Council. If that is the case, they will vote once
more on June 2, and this time the vote will result in two definitive
candidates (the Assistant Supervisor will also be voted on). If everything
works well, the Conference of Presidents of the political groups in the EP
- and not the EP Plenary - will confirm the LIBE committee's vote.
European Data Protection Supervisor
http://europa.eu.int/comm/internal_market/privacy/application_en.htm
(Contribution by Andreas Dietl, consultant on EU privacy issues)
==================================================================
2. AIRPORT PROTESTS AGAINST DATA TRANSFER TO USA
==================================================================
EDRI and its partners held successful actions on 20 May at Schiphol
(Amsterdam), Zaventem (Brussels) and Vienna airport.
At all three airports EDRI members have provided airline passengers with
important information about the transfer of their personal data to US
authorities. Passengers were given a letter they can send to the national
Data Protection Authority in their country to request an investigation of
the illegal transfer of their personal data.
The action in Amsterdam was done by Bits of Freedom with Kathalijne
Buitenweg (member of the European parliament) and Marijke Vos and Jan de
Wit (members of the Dutch parliament). In Brussels Kathalijne Buitenweg and
Marco Cappato (both members of the European parliament) informed
passengers. In Vienna passengers were given information and letters by
Public Netbase.
The two most important Dutch news channels had items about the action,
stressing the pressure on airlines to give full access to their databases
or else risk losing their landing rights in the US. Dutch airline KLM
admitted to having opened its passenger databases to American law
enforcement officers. The Dutch Data Protection Authority sent a
representative to observe the action and comment to the gathered press.
EDRI-members from Denmark and Finland found out their airlines (SAS and
Finnair) had not yet succumbed to American pressure, and refuse to open
their databases to US Customs.
In Switzerland, the Internet User Group sent out a press release and
prepared a flyer and a letter for complaints and inquiries.
EDRI campaign against the transfer of passenger data
http://www.edri.org/cgi-bin/index?funktion=campaigns
Pictures from the Schiphol action:
http://www.p7.nl/gallery/view_album.pcgi?set_albumName=album13
Report on the Vienna action (in German)
http://www.t0.or.at/t0/projects/edri/
Swiss press release and flyer (in German)
http://www.bigbrotherawards.ch/index.shtml.de
==================================================================
3. 100 MILLION PHONE RECORDS SEIZED BY UK AGENCIES
==================================================================
Police and other officials in the UK are investigating 100 million phone
records per year. The number is based on estimates supplied by the Home
Office, ministerial statements, legal experts, the communications industry
and members of parliament.
During an open consultation meeting on data retention with the Home Office
last week, EDRI-member Privacy International released figures that indicate
a million requests a year for telephone billing data, email logs, personal
details of customers and records showing the location of mobile phone
calls. These requests involve an estimated 100 million individual phone
calls, subscriber data on nearly a million consumers, and the acquisition
of an unknown number of email and internet logs.
This mass of seized information comprises perhaps a billion individual
items of data, ranging from credit card numbers to dialed numbers.
Combined, this extraordinary array of data creates a comprehensive dossier
on the contacts, friendships, interests, transactions, movements and
personal information on almost everyone in the UK. A single customer file
can involve thousands of items. BT stores records for up to seven years and
these are sent automatically on request to government agencies without the
need for human intervention. Mobile phone providers - O2 in particular -
are able to provide authorities with information on their customers'
geographic movements (while using their phone) going back months and
sometimes years.
This 'communications data' can include all the calls made and received, who
a user is in contact with, the geographic location of mobile phones, the
emails sent and received, websites that have been visited, television
programs watched, personal financial data and other personal information.
Privacy International's Director, Simon Davies, said the estimates were
"very much on the low side" and did not include access to email or internet
activity, or investigations by security organisations such as GCHQ. "We
literally halved the Home Office estimate before commencing the
extrapolation, just to be on the safe side", he said.
The Home Office attempted in 2002 to authorise under the Regulation of
Investigatory Powers Act 2000 an even more extensive list of public
authorities to access this communications data, but following a public
outcry was forced to temporarily withdraw the proposal. This unprecedented
access would have been available - as indeed it is currently - without any
judicial oversight. The Home Office is now consulting over these issues
before taking further action, but the two consultation documents it has
published indicate that the current surveillance regime is likely to become
universal.
At the same time, Privacy International launched a campaign to help UK
consumers retrieve the information that is held about them. In order to
help customers know their data, PI offers 3 different model letters to
phone, mobile phone and internet service providers. Under the Data
Protection Act of 1998 companies are obliged to honour these requests.
Know Your Data Campaign
http://www.privacyinternational.org/countries/uk/surveillance/knowdatacampaign.html
==================================================================
4. ROMANIA FORBIDS FREE ACCESS TO ONLINE PORNOGRAPHY
==================================================================
Romania has adopted a new law to make free access to pornography illegal.
Online pornography must always be protected by a password, and should
always charge a fee per minute, to be declared with the fiscal authorities.
Free access is explicitly forbidden in a law formally adopted on 20 May
2003. The law has raised a number of comments from the civil society and ISPs.
The National Regulatory Authority on Communications (ANRC) can receive
claims regarding non-compliance with the law. In case of receiving such
claims and after checking the contents of the site, ANRC may require
internet service providers to block access to the respective site. If
providers don't comply with these requests, they can be fined 100 - 500
million lei (approx 2.700-13.500 euro).
Unofficial translation of these provisions
http://www.legi-internet.ro/en/lawporno.htm
==================================================================
5. NEW CYBERCRIME LEGISLATION IN ROMANIA
==================================================================
Romania has implemented the Cybercrime Convention in Title III of the
Anticorruption law no 161/2003, published in the Official Monitor no 279
from 21 April 2003. Romania signed the convention at the end of 2001. There
are no provisions regarding data retention, even though in some previous
versions of the law there was an obligation for service providers to keep
all traffic data for 6 months. The Romanian implementation precedes the
ratification of the Convention. Only Croatia, Albania and Estonia have
ratified the Convention.
The main crimes foreseen in the law are:
Art 42 - illegal access to a computer system
Art 43 - illegal interception of any transmission of computer data
Art 44 par 1 - illegal alteration, deletion or deterioration of computer
data or the access restriction to such data
Art 44 par 2 - unauthorized data transfer from a computer system
Art 45 - serious hindering, without right, of a computer system operation
Art 48 - Input, alteration or deletion, without right, of computer data or
the restriction, without right, of the access to these data
Art 51 - Child pornography through computer systems
In a press conference held on 7 May, the Romanian Police gave insight into
the number of internet related crimes. During the year 2002, 242 complaints
were registered about 35 internet related crimes. 96 persons were
investigated and 54 were preventively arrested. The damages were estimated
at 800.000 USD. From the beginning of the year 2003, 82 complaints have
been solved in 12 penal cases where 18 people were arrested.
Unofficial translation of the law
http://www.legi-internet.ro/en/cybercrime.htm
(2 contributions by Bogdan Manolea, legal coordinator RITI - Romanian
Information Technology Initiative)
==================================================================
6. GERMAN SUPERMARKET ANNOUNCES INTRODUCTION OF RFIDS
==================================================================
Last month, during a congress on supermarket logistics, German supermarket
Metro AG announced the introduction of RFIDs to boost store efficiency and
eliminate long checkout queues. The announcement comes at a time of
heightened public awareness of the negative privacy-implications of this
new track & trace technology. In March, clothing designer Benetton
announced plans to weave radio frequency ID chips into its garments to
track its clothes worldwide. After massive protests the plans were
postponed and Benetton made it clear that they will first do more research
on the use of RFID technology for its garments including an assessment of
the related privacy-effects.
RFID-tags are becoming smaller and cheaper every day. In general the tags
are passive. That means they don't have a power supply, and can't transmit
any information themselves. They receive the energy they need to transmit
the stored information from the readers which receive the information. The
drawback of this technology is that this small amount of energy is not
enough to perform encryption algorithms or any kind of access control
mechanisms. So the information stored on the tag is normally readable to
any reader using the same frequency as the tag (usually 13,56 MHz). The main
privacy-concern about the tags is that individual consumption-patterns can
be tracked and traced by any outsider with a reader. The only possibility
to protect your privacy would be to remove or destroy the smart tags. A
difficult task if the tag is invisibly small and woven into the garment or
vulcanized into the soles of shoes.
In the last few years an increasing number of prototypes of RFID-technology
were tested in real world situations. At the beginning of 2003, Gillette announced
the order of 500 million RFID-tags with the intent to attach them to
products such as razors and razor blades. In combination with smart shelves
they will be used to track inventory and send managers automatic alerts
when stocks are low. Just a few days later, on 14 January 2003 Michelin
announced that they are also introducing Radio Frequency Tire
Identification Technology. Finally, many public libraries in the world have
started using RFIDs for the identification and handling of books. Amongst
them the newly built public library in Vienna, Austria.
Consumer groups and privacy advocates want RFIDs to be either removed or
disabled after purchasing a product and that a label will notify consumers
that a product has an RFID embedded. Such ground rules can prevent RFIDs
from becoming a tracking device instead of a logistical tool.
German supermarket introduces RFIDs (18.04.2003)
http://www.forbes.com/home_europe/newswire/2003/05/14/rtr970418.html
Boycott Benetton
http://www.boycottbenetton.org/
RFID tags: Big Brother in small packages
http://news.com.com/2010-1069-980325.html
(Contribution by Andreas Krisch, VIBE!AT)
==================================================================
7. TRIAL OF NIGERIAN SPAMMERS IN THE NETHERLANDS
==================================================================
A gang of 6 Nigerian spammers was put on trial on 15 May. The gang was
arrested last year in the Netherlands. Operating from Amsterdam the group
posed as very rich businessmen from Nigeria. Victims were promised a lot of
money in exchange for a temporary loan.
The Dutch police estimate the gang earned at least 4 million euros. The
most spectacular victim of the gang, a Swiss professor, transferred almost
half a million euro. The money was necessary to buy chemicals to clean
banknotes with a total value of 36 million US Dollars, the gang told the
gullible professor. He was promised 25% of that amount.
The public prosecutor accused the Nigerians of swindle, participation in a
criminal organisation and money-laundering. No date is known yet for the
verdict.
Nigerian Scam Letter Gallery (note the Brad Christensen archive with
answers to the spammers)
http://www.quatloos.com/cm-niger/nigerian_scam_letter_museum.htm
==================================================================
8. EP VOTE ON SOFTWARE PATENTS DELAYED
==================================================================
The vote in the European Parliament on a new EU Directive on Patent Law
will most likely be delayed until the end of June. Originally, parliament
was supposed to have voted in plenary this week. The delay is due to the
immense differences in opinion between large software companies like
Microsoft and IBM on the one hand and small and medium enterprises, (open
source) programmers and civil rights activists on the other hand. A
hearing, organised by members of the Greens/EFA in the European Parliament
on 8 May, showed massive resistance from programmers and open source
developers against the creation of a European patent on software. Guest
speaker Richard Stallman, one of the founding fathers of the open source
movement, compared the patenting of computer algorithms with the patenting
of musical notes, warning about a situation where composers can no longer
write symphonies. He also cited a recent Harvard/MIT study about the
negative impact on innovation that software patents have had on the
American economy.
The proposal for a new directive on software patents was pre-discussed in 3
parliamentary committees, of which JURI (on legal affairs) was leading.
While the 2 other committees (ITRE on industrial affairs and CULT on
cultural affairs) opposed the patenting of software, JURI, led by
rapporteur Arlene McCarthy, was in favour of extensive patents on software.
JURI is now expected to take their final vote on 10 or 17 June.
Hearing on Software Patents - speakers and presentations (08.05.2003)
http://www.greens-efa.org/en/issues/?id=14#5
Sequential Innovation, Patents and Imitation, by James Bessen and Eric
Maskin, Harvard University and MIT
http://www.researchoninnovation.org/patrev.pdf
Commission proposal COM(2002) 92 - 2002/0047
http://europa.eu.int/eur-lex/en/com/pdf/2002/en_502PC0092.pdf
EP - JURI draft report by Arlene McCarthy
http://www.europarl.eu.int/meetdocs/committees/juri/20030521/488980en.pdf
==================================================================
9. UPDATE ON SWISS WEBSITE BLOCKING ORDER
==================================================================
The internet censorship requests issued by the examining magistrate of the
canton of Vaud (see EDRI-gram number 2 from 12 February) have been rejected
on 30 April by a judge from the court of Lausanne. In December, over 30
providers had received the order, and while most of them installed some
technical blocking-measures, they joined the legal protest.
The verdict however isn't based on any ethical or constitutional objections
against provider-filtering, but on the wrong selection of legal arguments.
The judge recommends other heavier laws to proceed with the case, for
example suing the providers for acting as accessaries.
The examining magistrate immediately responded by sending a threatening
letter to at least one of the ISPs involved, Init Seven AG. Though she
admits she was wrong with her blocking order, she warns that the ISP
still has one foot in jail. If Init Seven AG, in its quality as "conductor
of society and receiver of this formal warning" decides not to block the
incriminated websites, "you risk a criminal investigation against you as an
accessary to crimes of defamation, slander and injure".
Original text of the decision (in French)
http://www.nrg4u.com/abuse/canton-de-vaud-tribunal-daccusation.pdf
(Contribution by Felix Rauch, Swiss Internet User Group SIUG)
==================================================================
10. RECOMMENDED READING
==================================================================
The US Defense Advanced Research Projects Agency (DARPA) has sent a report
to Congress on their enormous data mining project. The program's name has
been changed from Total Information Awareness Program (TIA) to Terrorism
Information Awareness Program because "the program's previous name created
in some minds the impression that TIA was a system to be used for
developing dossiers on U.S. citizens".
DARPA stresses in the report that the collection and data mining of
financial records, medical records, communication records and travel
records will be completely lawful. Supposedly US law puts very few
limitations on these activities.
Although the report to Congress only discusses the privacy concerns of US
citizens, it is worth noting that the program will not limit itself to the
collection of privacy sensitive data about US citizens. Europeans who
wonder how their passenger data will be handled by the US might take an
interest in the details of the TIA program.
Terrorism Information Awareness Program
http://www.darpa.mil/body/tia/tia_report_page.htm
==================================================================
11. AGENDA
==================================================================
13-14 June 2003, Amsterdam, The Netherlands - Freedom of the Media and the
Internet
2-day conference organised by OSCE, the Organisation for Security and
Co-operation in Europe.
http://www.osce.org/events/fom/amsterdam/
25 June 2003, London, United Kingdom - International Big Brother Award
http://www.privacyinternational.org/bigbrother/
30 June - 2 July 2003, St. Petersburg, Russia - Building the Information
Commonwealth
http://www.communities.org.ru/conference/
9-12 July 2003, Metz, France - RMLL2003
(Unofficial) fourth annual Libre Software meeting
http://www.rencontresmondiales.org/
7-10 August 2003, Berlin, Germany - Chaos Computer Camp 2003
http://www.ccc.de/camp/
==================================================================
12. ABOUT
==================================================================
EDRI-gram is a bi-weekly newsletter from European Digital Rights, an
association of privacy and civil rights organisations in Europe. Currently
EDRI has 10 members from 7 European countries. EDRI takes an active
interest in developments in the EU accession countries and wants to share
knowledge and awareness through the EDRI-grams. All contributions,
suggestions for content or agenda-tips are most welcome.
Newsletter editor: Sjoera Nas <edrigram at edri.org>
Information about EDRI and its members:
http://www.edri.org/
- EDRI-gram subscription information
subscribe/unsubscribe web interface
http://www.edri.org/cgi-bin/mailman/listinfo/edri-news/
subscribe by email
To: edri-news-request at edri.org
Subject: subscribe
You will receive an automated email asking to confirm your request.
- EDRI-gram in Spanish
EDRI-gram is also available in Spanish, usually 3 days after the English
edition. The contents are the same. Translations are provided by David
Casacuberta, secretary of the Spanish chapter of Computer Professionals for
Social Responsibility (CPSR).
To subscribe to the Spanish language EDRI-gram, please visit
http://www.edri.org/cgi-bin/mailman/listinfo/edri-grama/
or subscribe by email:
To: edri-grama-request at edri.org
Subject: subscribe
- EDRI-gram in Russian
EDRI-gram is also available in Russian, a few days after the English
edition. The contents are the same. Translations are provided by Sergei
Smirnov, Human Rights Network, Russia.
The EDRI-gram in Russian can be read on-line via
http://www.hro.org/editions/edri/
- Newsletter archive
Back issues are available at:
http://www.edri.org/cgi-bin/index?funktion=edrigram
- Help
Please ask <info at edri.org> if you have any problems with subscribing or
unsubscribing.
==================================================================
Publication of this newsletter is made possible by a grant from
the Open Society Institute (OSI).
==================================================================