EDRI-gram newsletter - Number 19, 8 October 2003
EDRI-gram newsletter
edrigram at edri.org
Thu Oct 9 19:38:23 CEST 2003
==================================================================
EDRI-gram
bi-weekly newsletter about digital civil rights in Europe
Number 19, 8 October 2003
==================================================================
CONTENTS
==================================================================
1. EU proposal on biometrics in visa and passports
2. 50% of Slovakian websites to be wiped
3. French DPA against tracking of passenger movements
4. Dutch compulsory identification above 14 years
5. Protest against super database in Romania
6. UK politicians call for more anti-spam measures
7. Swiss jurisprudence about hyperlinks and virus tools
8. UK car-tracking plans
9. Recommended reading: report on privacy and security
10. Agenda
11. About
==================================================================
1. EU PROPOSAL ON BIOMETRICS IN VISA AND PASSPORTS
==================================================================
The European Commission is proposing to integrate biometric identifiers
into visas and residence permits for third country nationals. Later this
year proposals will follow for biometrics in passports of EU citizens,
likely to be similar to the visa proposal.

The Commission and member states want to store two types of biometric
data in a contactless chip (RFID). A facial digital image will be the
'primary biometric identifier in order to ensure interoperability'. As
reported in EDRI-gram nr 13, facial images have been chosen by the
International Civil Aviation Organisation (ICAO) as the primary biometric
identifier. The US requires facial images in passports for countries to
be able to take part in the visa waiver program. Specifically, the US is
demanding biometrics in EU passports from 26 October 2004 onwards.

The second biometric identifier in the chip will be digital images of two
fingerprints. As all EU countries already have criminal databases with
fingerprints, this biometric identifier will make it possible to do
automated one-to-many checks. The fingerprints taken for visas will be
stored in a new Visa Information System (VIS).

The Commission proposal leaves a lot of choices open and seems to be the
product of considerable time pressure. EU member states can choose freely
whether they want to use the facial image for facial recognition systems.
The financial consequences of the proposal are unknown. The Commission
states in its draft regulation that the price of the chip is not known
but 'with the demand of chips needed for 25 Member States, the price will
drop significantly'.

The chip will also have room for additional text. The proposal stresses
the need for protection of privacy but gives no insight into how this can
be achieved when crossing borders. This problem is acutely visible in the
recent disagreement between the EU and the US about passenger data. The
proposal also lacks any information on how the data in the chip can be
protected against unauthorised access (read and write) and how third
countries can be prevented from storing all biometric data from EU
citizens visiting those countries.

Proposal for a Council regulation (COM 2003/558)
http://europa.eu.int/eur-lex/en/com/pdf/2003/com2003_0558en01.pdf
==================================================================
2. 50% OF SLOVAKIAN WEBSITES TO BE WIPED
==================================================================
The French E-zine Transfert.net reports that the Slovakian domain
registry Euroweb is threatening to wipe more than 40.000 domain names
ending in .sk, eliminating half of the Slovakian web presence. Slovakian
domain owners have been given one extra month, until 3 November, to renew
their registration under new commercial conditions. The first deadline
expired on 1 October, but less than half of the owners migrated to the
new system.

Until 2002 domain registration under .sk was free and handled by Sanet,
the main Slovakian university network. That way, 70.000 domain names were
registered. On the first of January 2003 Euroweb, a subsidiary of the
Dutch telecom firm KPN, took over. Euroweb charges 20 euro in
administrative costs per domain per year and requires owners to sign a
contract through a notary and to hand over proof of identity. On top of
that, owners of existing domain names have to pay a migration fee.

Reportedly, the Slovakian NIC often has technical problems. A number of
addresses have still not been migrated, starting with the site of the
National Bank of Slovakia and several universities. Euroweb also handles
domain registrations in the Czech Republic, Romania and Hungary.

Le web slovaque menacé d'extinction? (01.10.2003)
http://www.transfert.net/a9362

Euroweb
http://home.euroweb.sk
==================================================================
3. FRENCH DPA AGAINST TRACKING OF PASSENGER MOVEMENTS
==================================================================
The French Data Protection Authority, the CNIL, considers the current use
of chip-cards for public transport a serious danger for privacy. The
cards combine identity data with travel data like point of entrance to
the subway, date and time, and even exact route in case the passenger
switches route halfway.

In its recommendation of 16 September, the CNIL says: "In fact, the
movements of persons using these cards can be reconstructed and thus they
are no longer anonymous. This limits the fundamental and constitutional
freedom of coming and going as well as the right to a private life, which
also is a constitutional value."

The possibility of anonymous travelling should be maintained, according
to the French DPA, independent of any card system. Alternatively, all
data relating to itineraries should be anonymised, irrespective of
whether they are stored centrally or only on the card itself, except in
case of fraud control. However, even for the purpose of fraud control
storage may never exceed a period of 2 days.

Another suggested measure to protect privacy is to create an electronic
form with which passengers can object to the storage of their picture.

In 2001, the Parisian public transport authority (Ratp) received a Big
Brother Award for the initiative to develop the track-and-trace
technology. The use of these chip-cards is not limited to Paris though;
in 2002 the CNIL also researched the storage period of databases with
passenger movements in Amiens, Lyon, Valenciennes, Marseille and Nice.

Earlier this summer in Finland a Big Brother Award was given to YTV, a
firm that controls public transport in the Helsinki region, for storing
individual passenger information including social security numbers.
Similarly, in the Netherlands the company Translink has been nominated
this year for plans to introduce the same technology, putting a higher
price on anonymous travelling.

CNIL recommendation (16.09.2003)
http://www.cnil.fr/textes/recomand/d03-038.htm

Big Brother Awards
http://www.bigbrotherawards.org
==================================================================
4. DUTCH COMPULSORY IDENTIFICATION ABOVE 14 YEARS
==================================================================
Last week in the Netherlands a legal proposal became public to introduce
compulsory identification for all persons from the age of fourteen.
People unable to immediately show a valid passport, driver's license or
(cheaper) identity card risk a fine of up to 2.250 Euro. Every police
officer including military police, any extra-ordinary law enforcement
agent and any police related supervisor/watcher may ask for proof of
identity. According to the explanatory statement the police must have a
reasonable cause related to their task to ask for ID, but there is no
need for an actual suspicion of an offence.

Dutch people currently only have partial identification requirements, for
example when opening a bank account or at the workplace. Like the Dutch
Data Protection Authority before it, the Council of State (an advisory
body to the government) is very critical in its evaluation of the legal
proposal to extend the requirement to everybody always. The proposal does
not substantiate why mandatory ID is necessary, for what reasons the age
of 14 was chosen and why such an extremely large number of officials
should be granted this power.

"To justify introducing such a general obligation that limits the right
to privacy, there must be well-founded reasons. An important element is
the effect that the regulation may be expected to have on the suppression
of crime and the improvement of law enforcement. The explanatory
memorandum hardly contains any (empirical) material about that."

The Minister of Justice Piet Hein Donner admits the lack of empirical
substantiation, but sees neither the possibility nor the necessity of
making a prognosis of the expected effects of the regulation. In defence,
the minister refers to the fact that none of the neighbouring countries
with compulsory identification have made any evaluations. Besides, the
complaints about discrimination in France and Belgium, incidental
according to the Minister, have not yet led to a procedure before the
European Court of Human Rights.

It is unknown when the legal affairs committee of the Lower House will
discuss the proposal.
==================================================================
5. PROTEST AGAINST SUPER DATABASE IN ROMANIA
==================================================================
Human rights experts in Romania voiced harsh criticism of the government
resolution adopted last week to set up an Integrated Information System
(SII), as they consider it extremely dense, imprecise and giving room to
arbitrary interpretation. The SII is a database that will centralise the
information held by all public institutions regarding natural and legal
persons, and that is likely to become the electronic arm of the Romanian
Intelligence Service (SRI).

Manuela Stefanescu, representative of the Association for the Defence of
Human Rights in Romania - the Helsinki Committee (APADOR-CH), said the
government resolution referred to a decision of the Supreme Defence
Council (CSAT), which could not be a substitute for the parliament.
"Furthermore, this is not a public resolution, because if you take a look
at the CSAT's web site, you will see that the latest resolutions of the
council are from 2001", said Stefanescu. Consequently, the government
resolution on the setting up of the SII refers to a CSAT decision which
has not been published and therefore does not exist and is also
unconstitutional, said the APADOR-CH official.

She said her organisation agreed with the article published in the
"Evenimentul Zilei" daily which said the people who would control the SII
would actually control everything. "We do not know to whom this
integrated information system is subordinated, we do not know to whom it
is of use, and it is extremely dangerous to create a superpower,
especially without the slightest guarantee that the personal data will be
protected (...) Furthermore, natural and legal persons lack any means of
controlling the way in which the data centralised in this mammoth system
is used (...)", said Manuela Stefanescu.

Evenimentul Zilei (in English, 29.10.2003)
http://www.evz.ro/english/?news_id=132980

(Contribution by Bogdan Manolea, legal coordinator RITI - Romanian
Information Technology Initiative)
==================================================================
6. UK POLITICIANS CALL FOR MORE ANTI-SPAM MEASURES
==================================================================
In the UK an influential group of Members of Parliament has called for
more anti-spam measures. In a report published last Monday, the MPs ask
for greater enforcement powers for the government watchdog responsible
for tackling spam, the information commissioner. The All Parliament
Internet Group is also urging the Department of Trade and Industry to ban
unsolicited e-mails sent to business addresses, not just to private ones.
To be able to enforce the ban, the Department should encourage a 'super
complaints' system. This would allow outside organisations to act on
behalf of people with spam complaints to ensure the major culprits are
stopped.

The chairman of the group, MP Derek Wyatt, called for more consistent
global legislation and cooperation in tackling spam. Joint vice-chairman
Richard Allan confidently added: "If all the report's recommendations
were implemented then our constituents could expect to see a significant
reduction in the amount of spam they receive."

Apig report (06.10.2003)
http://www.apig.org.uk/spam_report.pdf

BBC: Spam watchdog 'needs more bite' (6.10.2003)
http://news.bbc.co.uk/1/hi/technology/3167658.stm
==================================================================
7. SWISS JURISPRUDENCE ABOUT HYPERLINKS AND VIRUS TOOLS
==================================================================
The appeal court of Zurich (Obergericht) recently published an
interesting ruling about hyperlinks. Linking to an anti-racism page which
contains links to hate sites does not breach Swiss anti-racism law. A
former professor of computer science was accused of racism for setting a
link to the site www.stop-the-hate.org. Both in first instance in 2000
and in this appeal he was fully acquitted on all charges.

This American-based website has been online since 1992 and contains
annotated hyperlinks to hate sites. The public prosecutor argued that the
former professor had made the content of the site his own. To prove this,
the prosecutor launched the remarkable theory that the web should be seen
as a book, because the 'forward' and 'back' buttons in browsers merge
linked sites into a unity.

The Swiss Internet User Group "finds the behaviour and the substantiation
of the public prosecutor incomprehensible. All the more SIUG welcomes the
rulings in first instance and from the appeal court, that both state that
creating a link on a website does not automatically lead to
identification with the contents."

Earlier this summer, the Federal Court, the highest court in Switzerland,
ruled that selling instructions on how to build viruses is illegal.
According to the court's ruling, it's illegal to publish even partial
instructions on how to build programs that harm data.

The case began in the spring of 1996, when a 33-year old man concluded a
license agreement with an American group to distribute the American
version of a CD-ROM in Europe and consequently offered the CD for sale
online. The disk did not contain an executable virus program, but
instructions and references to software that might infect or disrupt data
or make them useless.

After a long legal procedure, the Federal Court confirmed an earlier
judgement of the appeal court of Zurich, sentencing the man to 2 months
in prison and a fine of 5.000 Swiss francs (3.227 Euro).

SIUG press release 'Links auf Webseiten nicht strafbar' (30.09.2003)
https://your.trash.net/pipermail/siug-announce/2003-October/000087.html

Bedingt Gefängnis für gewerbsmässige Datenbeschädigung (10.09.2003)
http://www.nzz.ch/2003/09/10/il/page-newzzDKF3EE2Q-12.html

Ruling in CD-ROM case (06.08.2003)
http://wwwsrv.bger.ch/cgi-bin/AZA/JumpCGI?id=06.08.2003_6S.499/2002

(With the kind help of Felix Rauch, SIUG)
==================================================================
8. UK CAR-TRACKING PLANS
==================================================================
The UK police are coming to the end of their second phase trials on
Automatic Number Plate Recognition (ANPR) and preparing to roll out the
technology nationwide next summer. ANPR tracks cars using the omnipresent
CCTV systems and specialised fixed and mobile cameras. It can use
government databases to detect untaxed, unroadworthy and uninsured
vehicles. It also means that over time a record of the majority of car
journeys around the country will be built up.

Privacy advocates have warned that 'function creep' will mean that these
records become used for many purposes unrelated to their initial
justification. They could allow the government to bring forward plans to
introduce congestion charging across the country, charging drivers for
all journeys according to the level of traffic on the road. They could be
used to enforce speed restrictions across long distances. And they will
certainly be used in all sorts of police investigations and even civil
cases such as divorce.

Number plate recognition poised for national UK rollout (21.09.2003)
http://www.theregister.co.uk/content/6/32939.html

(Contribution by Ian Brown, FIPR)
==================================================================
9. RECOMMENDED READING
==================================================================
Report on the balance between security and privacy after 11 September
2001, commissioned by the European Parliament, the committee on Citizens'
Freedoms and Rights, Justice and Home Affairs (LIBE). The study analyses
the security and privacy implications of three emerging technologies:
identity management (on-line services based on the identification of the
user), location-based services (focusing on local positioning and
tracking of the user) and virtual residence in an ambient intelligence
environment (with smart and mobile electronic devices connected to our
home, office, car etc.). According to the report, there is a need to
restore the balance in favour of privacy as the use of these technologies
for some governmental or commercial actions stretches the ability of
current legislation to provide adequate personal data protection.

Security and Privacy for the citizen in the Post-September 11 Digital Age
(06.10.2003)
http://www.jrc.es/home/publications/publication.cfm?pub=1118
Executive summary available in English, French, German and Spanish
==================================================================
10. AGENDA
==================================================================
Upcoming Big Brother Awards 2003:
11 October, Amsterdam, Netherlands
24 October, Bielefeld, Germany
24 October, Iruna (Pamplona), Spain
26 October, Vienna, Austria
1 November, Berne, Switzerland
6 November, Budapest, Hungary
http://www.bigbrotherawards.org

13-14 October 2003, Oslo, Norway - OECD Global Forum on Information
Systems and Network Security: Towards a Global Culture of Security
http://www.oecd.org/document/14/0,2340,en_2649_34223_8165070_1_1_1_1,00.html

16 October 2003, Brussels, Belgium - Workshop on Spam
Workshop organised by the European Commission to discuss additional
measures needed to address the various legal, technical and educational
facets of spam e.g.: effective enforcement by public authorities,
co-operation within industry (filtering, codes of conduct), consumer
awareness, international co-operation. The workshop will be introduced by
Commissioner Liikanen.
E-mail: INFSO-b1 at cec.eu.int

21-22 October 2003, Zurich, Switzerland - 8th Symposium on Privacy and
Security
Issues covered include identity management, anonymisation and the
development of data protection within Europe. NB! high entrance fee.
http://www.privacy-security.ch

24-26 November, Paris, France - EGOVOS
The EGOVOS conference is a high-level international event covering the
topic of free/open source software, interoperability and open standards
in the government sphere.
http://www.egovos.org/nov-2003/agenda.html

8-9 January 2004, Sheffield, UK - CCTV and Social Control
Conference organised by the Centre for Criminological Research,
University of Sheffield on the politics and practice of video
surveillance, from a European and global perspective.
http://www.sheffield.ac.uk/ccr/publicity/conference/index.html

30-31 January 2004, Stockholm, Sweden - WHOLES
A Multiple View of Individual Privacy in a Networked World
An international workshop to explore interdisciplinary approaches to
privacy. Contribution deadline for papers: 31 October 2003.
http://www.sics.se/privacy/wholes2004/
==================================================================
11. ABOUT
==================================================================
EDRI-gram is a bi-weekly newsletter from European organisations in
Europe. Currently EDRI has 14 members from 11 European countries. EDRI
takes an active interest in developments in the EU accession countries
and wants to share knowledge and awareness through the EDRI-grams. All
contributions, suggestions for content or agenda-tips are most welcome.

Newsletter editor: Sjoera Nas <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

- EDRI-gram subscription information

subscribe/unsubscribe web interface
http://www.edri.org/cgi-bin/mailman/listinfo/edri-news/

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated email asking to confirm your request.

- EDRI-gram in Russian

EDRI-gram is also available in Russian, a few days after the English
edition. The contents are the same. Translations are provided by Sergei
Smirnov, Human Rights Network, Russia.
The EDRI-gram in Russian can be read on-line via
http://www.hro.org/editions/edri/

- EDRI-gram in Italian

EDRI-gram is also available in Italian, a few days after the English
edition. The contents are the same. Translations are provided by
autistici.org
The EDRI-gram in Italian can be read on-line via
http://www.autistici.org/edrigram/

- Newsletter archive

Back issues are available at:
http://www.edri.org/cgi-bin/index?funktion=edrigram

- Help

Please ask <info at edri.org> if you have any problems with subscribing or
unsubscribing.
==================================================================
Publication of this newsletter is made possible by a grant from
the Open Society Institute (OSI).
==================================================================