15 Sep 2014

FNF 2014: Brussels privacy advocates summit to tackle surveillance, censorship, net discrimination

By Kirsten Fiedler

Between 26 and 29 September, the annual Freedom not Fear (FNF) conference and barcamp will take place in Brussels. As every year, the action days are challenging the false dichotomy that better security comes at a price: the abandonment of our privacy rights.

On Friday evening, the event will be kicked off with a keynote speech by Simon Davies, publisher of the Privacy Surgeon and co-founder of Privacy International, who recently released the first global analysis of the impact of the Snowden revelations. He will be joined by Paul Nemitz, Director at DG Justice of the European Commission, for a discussion of the data protection reform and the future of the EU-US umbrella and Safe Harbor agreements.

During the weekend, there will be speakers and workshops on a wide range of topics including Glyn Moody on the Trans-Atlantic Trade Agreement (TTIP/TAFTA) and Jillian York on surveillance. The barcamp style event will allow participants to propose additional ad-hoc presentations or workshops in an open environment. On Sunday evening, there will be a screening of the documentary “The Internet’s Own Boy: The Story of Aaron Swartz”. See the full schedule.

On Monday, participants of the conference will have the possibility to experience EU policy-making first-hand with a visit of the European Parliament. On that day, the Parliament will be very busy with the first hearings of the “Juncker team” and a meeting of the Civil Liberties, Justice and Home Affairs committee.

Supporters of this year’s Freedom not Fear are, among many others, European Digital Rights, the Electronic Frontier Foundation, Digitale Gesellschaft, Access, NURPA, digitalcourage…

10 Sep 2014

Open letter to Google’s Advisory Council on the “right to be forgotten”

By Kirsten Fiedler

On 9 September, European and international civil rights organisations submitted an open letter (pdf) to Google’s Advisory Council on their assessment of the so-called “right to be forgotten”.

The groups urge the Council’s members to avoid inadvertently delaying the adoption of the data protection reform package. They remind the members of the urgent need for legal safeguards in cases where courts place unclear obligations on internet intermediaries to interfere with online communications (which cannot be replaced by the Council’s findings) and call on them to shed more light on the mission and objectives of this European tour.

As the ruling has been largely misrepresented by parts of the press, the letter first clarifies some of the misunderstandings that have circulated about the context and scope of the ruling:

When the CJEU ruled on the case, the press reported the decision as an example of a new “right to be forgotten,” even though such a right is not articulated in the legislation on which the ruling is based. The media coverage created the mistaken impression that Google would have to start deleting information from the internet (or its own index) whenever an EU citizen asked the search engine to do so, if information was irrelevant, inaccurate, outdated or excessive. The court specified that search results based on a person’s name are to be removed if the request meets the criteria laid out in the ruling. However, not only will the information remain on the internet, but it will remain in Google’s index.

The civil rights organisations then emphasise the need for a quick conclusion of the current data protection reform, not least because the Snowden revelations have shown that strong and reliable rules are crucial for citizens’ rights to privacy and data protection:

This need has been acknowledged by several companies, including Google, through their participation in the movement for global government surveillance reform. This movement recognises the need for governments to take action in order to protect their citizens’ safety and security and advises for the review of current laws and practices.

The full letter can be accessed here: https://edri.org/wp-content/uploads/2013/09/Open-Letter-to-Google-Advisory-Council.pdf

Signatories:
Access
ApTI
Bits of Freedom
Chaos Computer Club (CCC)
Digitalcourage
Digitale Gesellschaft
European Digital Rights (EDRi)
Initiative für Netzfreiheit
IT-Pol
Panoptykon Foundation
Vrijschrift

EDRi: Google’s right to be forgotten – industrial scale misinformation? (09.06.2014)
https://edri.org/forgotten/

EDRi: Google and the right to be forgotten – the truth is out there (02.07.2014)
https://edri.org/google-right-forgotten-truth/

EDRi: Good Lord! Lords forget their own right to be forgotten analysis (31.07.2014)
https://edri.org/good-lord-lords-forget-right-forgotten-analysis/

EDRi: Google now supports AND opposes the “right to be forgotten” (27.08.2014)
https://edri.org/google-now-supports-and-opposes-right-forgotten/

27 Aug 2014

Europe vs. Facebook class action attracts over 60 000 plaintiffs

By Guest author

Privacy activist Max Schrems, founder of the “Europe-v-Facebook” initiative, is known for his battles involving Internet social network giant Facebook. However, all the lawsuits he filed in Ireland haven’t led to meaningful outcomes, so far.

Therefore, Mr. Schrems is now taking a different approach to suing Facebook Ireland Ltd. This time he has filed suit before a court in his home country, Austria, and he asked the public to join him: it was possible for any Facebook user of age who is not located in the USA or Canada to join the legal battle against Facebook’s numerous alleged violations of European privacy laws. This is due to the fact that every Facebook user worldwide, living outside of the US or Canada, has a contract with Facebook Ireland Ltd. Mr. Schrems is claiming 500 Euro in symbolic damages per contributing joint plaintiff for alleged privacy violations such as Facebook contributing to the NSA’s PRISM program, Graph Search, the Facebook app or third party tracking via “Like Buttons”.

Within just a few days, more than 25 000 people signed up at www.fbclaim.com in order to participate in the class action suit. This turned the initiative, almost overnight, into the largest privacy class action throughout Europe. It also forced Europe-v-Facebook to close the registration early, as every joint plaintiff has to be reviewed separately. However, one can still register as an interested person. Max Schrems and his team may later decide to add more registered users to the class action. Also, an increasing number of people who indicate they want to take part in the class action may strengthen the public position of Mr. Schrems and his team.

On 21 August, the group took their first successful step in the legal proceedings: the Vienna Regional Court ordered Facebook Ireland to respond to the class action within four weeks, with a possibility that the deadline could be extended by four further weeks.

At the time the court order was announced, more than 35 000 additional individuals had already registered at www.fbclaim.com.

Facebook class action: Registration for interested parties
https://www.fbclaim.com/ui/register

Class action against Facebook attracts 60,000 users (21.08.2014)
http://www.reuters.com/article/2014/08/21/us-facebook-europe-claim-idUSKBN0GL1I420140821

Facebook needs to defend Austrian privacy violation case (22.08.2014)
http://www.theregister.co.uk/2014/08/22/facebook_needs_to_defend_austrian_privacy_violation_case/?mt=1408733441009

Press Announcement: Class Action: Facebook ordered to submit counterstatement (21.08.2014)
http://www.europe-v-facebook.org/PA_KB_mx.pdf

Vienna Regional Court: Request for Facebook to respond (19.08.2014)
http://www.europe-v-facebook.org/AuftragKB.pdf

Facebook class action – FAQ
https://www.fbclaim.com/ui/page/faqs?lang=en

(Contribution by Josef Irnberger, EDRi-member Initiative für Netzfreiheit, Austria)

16 Jul 2014

Slovenia: Data retention unconstitutional, deletion of data ordered

By Guest author

The Constitutional Court of the Republic of Slovenia abrogated the data retention provisions of the Act on Electronic Communications (ZEKom-1) in its judgement U-I-65/13-19 of 3 July 2014, following the constitutional request lodged by the Information Commissioner in March 2013 and the ECJ judgment of 8 April 2014 in Joined Cases C-293/12 and C-594/12.

The Court abrogated ZEKom-1 articles 162, 163, 164, 165, 166, 167, 168 and 169 and instructed operators of electronic communications to delete retained data immediately after the judgment is published in the Official Gazette. The Court holds data retention to be disproportionate for the following reasons:

  • unselective retention of data constitutes a breach of the rights of a large proportion of the population that did not provide any reason to justify this;
  • blanket data retention does not provide for anonymous use of communications, which is particularly important in cases where untraceable use is necessary (e.g. calling for help in mental distress);
  • arguments for the selected retention periods (8 months for internet related and 14 months for telephony related data) were not provided nor explained in the legislative preparatory documents;
  • the use of retained data was not limited to serious crime.

The Slovenian Information Commissioner Nataša Pirc Musar welcomed the ruling and sees it as an important step in protection of the right to privacy and data protection. The Court recognised the importance of personal data protection in relation to the use of modern information and communication technologies, particularly when used by law enforcement as repressive bodies of the state.

The Commissioner has been regularly warning about the problems of major breaches of privacy by law enforcement created by introduction of surveillance technologies. These tend to be used indiscriminately on large proportions of population, thereby encroaching on their right to privacy and data protection. The availability of new technologies such as drones, IMSI catchers and similar has, in several cases, led to requests by the police to the Ministry of Justice to legislate their use and to provide legal grounds enabling their deployment. Unfortunately these requests have often not been backed by sufficient assessments as regards their impact on human rights. In order to allow for transparency and to ensure that new law enforcement powers respect the principles of necessity and proportionality, the Commissioner has issued guidelines on privacy impact assessments (PIA) for the introduction of new police measures, representing a methodological framework for a prudent, reasonable and legitimate introduction of new measures.

The Information Commissioner Pirc Musar emphasised that this is one of her most important achievements during her 10-year mandate which is now ending. The decision of the Court represents an important part in the debate about the necessity and proportionality of the use of surveillance measures and technologies in the context of law enforcement and intelligence agencies.

Request to the Constitutional Court (only in Slovenian)
https://www.ip-rs.si/fileadmin/user_upload/Pdf/ocene_ustavnosti/ZEKom_-_Zahteva_za_oceno_ustavnosti__data_retention_.pdf

Decision of the Constitutional Court (only in Slovenian, 03.07.2014)
https://www.ip-rs.si/fileadmin/user_upload/Pdf/sodbe/US_RS_ZEKom-1_3julij2014.tif

Electronic Communications Act (ZEKom-1)
http://www.akos-rs.si/acts

Information Commissioner of the Republic of Slovenia (only in Slovenian)
https://www.ip-rs.si/

Privacy Impact Assessment (PIA) Guidelines for the Introduction of new Police Powers
https://www.ip-rs.si/fileadmin/user_upload/Pdf/smernice/PIA_guideliness_for_introduction_of_new_police_powers_english.pdf

(Contribution by Andrej Tomšič, Deputy Information Commissioner, Information Commissioner, Republic of Slovenia)

 

16 Jul 2014

Code Red, global initiative to support a reform of security services

By Heini Järvinen

More than two-dozen civil society activists from fourteen countries have joined the steering group of an ambitious global initiative to accelerate police and security services accountability.

The project, Code Red, was conceived during the preparation of a report “A Crisis of Accountability” that was published in June 2014 on developments in the twelve months since the start of Edward Snowden’s disclosures. The report concluded that despite a substantial and potent response from civil society, there was also a clear need for greater strategic support, resources and communication between activists working in different disciplines.

The steering group includes many well-known figures in civil society, among them MI5 whistleblower Annie Machon, former Wikimedia General Counsel Mike Godwin, CIS India head Sunil Abraham, OpenMedia Canada’s David Christopher, Access Now’s Raegan McDonald, the Electronic Frontier Foundation’s International Rights Director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. Influential figures in the tech sector have also joined, including Jacob Appelbaum, the celebrated hacker who works at the core of Wikileaks, the Tor project and the Snowden disclosures, Whitfield Diffie, one of the pioneers of public key cryptography, and Bruce Schneier, possibly the world’s most influential security expert. It’s expected that more people will join the group over the next two weeks.

In mid July 2014, Code Red kicked off a four-month global consultation to identify options for its objectives and structure. Currently the working group members have an open mind on how the initiative may develop, but the overriding view is that it should aim to be a clearinghouse and resource centre for groups working on security reform.

In the UK, civil rights groups such as Privacy International and Big Brother Watch have launched legal challenges that have forced the government to make unprecedented disclosures about security activities. Code Red aims to support and promote such actions through a global communications and resource platform.

The initiative was founded by EDRi observer Simon Davies, who is regarded as one of the pioneers of the international privacy arena. Davies has wide experience of founding successful global initiatives, including the Big Brother Awards and Privacy International. In a summary of the initiative posted on Davies’ Privacy Surgeon blog on 10 July, he emphasised the need for cross-border and cross-disciplinary relationships, and declared: “It’s time to raise the stakes for secretive agencies that refuse to embrace accountability – and to do so fearlessly and relentlessly.”

“The many communities involved in this struggle – free speech, whistleblowing, anti-censorship, law reformers, policy reformers, privacy and the tech communities – must find a way to work together. A bridge of some sort should also be attempted with companies that are genuinely working to improve privacy and security,” Davies told EDRi-gram, highlighting that his intention was not to create a new NGO, but to help support a “platform that supports a network of networks”.

According to Davies, many people involved in the initial dialogue around Code Red felt that the Snowden disclosures are just the tip of the iceberg. The involvement of law enforcement agencies, the military, international police organisations and other government authorities is largely unknown. “Snowden told us what security agencies do, but not what happens to this mass of information, which organisations use it or for what purposes. Police use of information – and international disclosure of that information – has largely escaped scrutiny in most countries. How civil society finds the means to counter this vast activity is a crucial challenge.”

“My personal view is that we need to look beyond the security services to understand the bottom-feeders in the data chain. We already have adequate evidence that police services are immersed in corrupt and unlawful practices, as evidenced by the use by Dutch police of “Stealth SMS” technology to circumvent legal safeguards, and the unlawful disclosure of personal information to journalists by London’s Metropolitan Police, uncovered during the News of the World phone hacking inquiries,” Davies added.

The steering group membership will be published in full on the privacysurgeon.org website in the fourth week of July 2014.

Global security analysis reveals widespread government apathy following Snowden disclosures (10.06.2014)
http://www.privacysurgeon.org/blog/incision/global-security-analysis-reveals-widespread-government-apathy-following-snowden-disclosures/

UK intelligence forced to reveal secret policy for mass surveillance of residents’ Facebook and Google use (17.06.2014)
https://www.privacyinternational.org/press-releases/uk-intelligence-forced-to-reveal-secret-policy-for-mass-surveillance-of-residents

Code Red, a global initiative to support national security reform (10.07.2014)
http://www.privacysurgeon.org/blog/events-2/

Dutch parliament wants clarification on using “Stealth” SMS in espial (21.08.2013)
http://www.zdnet.be/nieuws/151230/nederlands-parlement-wil-opheldering-over-gebruik-stealth-sms-bij-opsporing-/

Metropolitan Police role in the news media phone hacking scandal
http://en.wikipedia.org/wiki/Metropolitan_Police_role_in_the_news_media_phone_hacking_scandal#Illegal_payments_to_officers

 

02 Jul 2014

Denmark about to implement a nationwide ANPR system

By Guest author

The Danish police is planning to implement a nationwide automatic number plate recognition (ANPR) system over the next couple of years. The Danish newspaper Berlingske obtained the project description for the IT system through a Freedom of Information Act (FOIA) request, and reported on the ANPR plans.

The ANPR system will consist of mobile units in police cars and handheld devices. The units are designed to automatically register all number plates encountered on the road. The number plates are checked against a pre-compiled hotlist, for example because the vehicle or number plate is reported stolen, or because the owner has skipped a mandatory inspection of the vehicle. If there is a match on the hotlist, the police officers will get a signal from the ANPR device, so that they can decide whether to pursue the vehicle or not.

However, the mobile ANPR units will also store all number plates that are scanned, together with the location. Additionally, the system will store the number plates of all cars that pass the unit since no immediate police action is possible in case of a match on the hotlist.

The Danish police has studied ANPR systems in other European countries, but the United Kingdom is mentioned as the main inspiration for the Danish system. During a test period, a Danish police car equipped with ANPR was able to register about 50,000 cars in a single month, with a “hit rate” on the hotlist of 2%. It is estimated that the ANPR system will allow the police to check 30 times as many number plates compared to the current manual system.

The main privacy concern comes from the location data that is registered for all cars encountered on the road by the ANPR units, whether mobile or stationary. The police will retain that data for 30 days, and the documents from the Berlingske FOIA request show that they intend to use the data actively for investigations and data analysis; there are plans to employ 10-15 data analysts for the latter task. Since the police is the data controller, there is direct “data mining” access to the entire database, without the need for a court order.

The ANPR system will be implemented in all police districts in Denmark, but the project has a particular focus on cross-border crimes, including organised home burglaries. The funding for the ANPR project comes from a political agreement to prioritise police efforts against cross-border crimes. Cars that pass the Danish border with other EU member states are thus more likely to be scanned than other cars, even though there is no border control since Denmark is part of the Schengen Area. Violations of EU cabotage rules (local trucking transports after unloading of the international transport) are also a special priority in Denmark, and scanning number plates at the border has been discussed as one of the initiatives against these violations.

The ANPR data will be shared with the tax authorities and other authorities in Denmark. Their intended use of the data is not clearly indicated in the documents, but the tax authorities have previously tried (mostly unsuccessfully) to get access to the information stored by the telephone companies under the data retention law.

The Danish ANPR system will not be as massive as the one in the UK, but this is mainly for budgetary reasons. The initial budget for ANPR is 4 million euros, so not all police cars will be equipped with ANPR units. The Danish police estimates that “only” 30 million number plates will be scanned and registered every year. Needless to say, this number will increase if more public funds are allocated to the project.

According to the documents obtained through the FOIA request by Berlingske, the legal basis for the ANPR project is the Danish video surveillance law (CCTV law) and the Danish Data Protection Act (transposing directive 1995/46/EC). The Danish CCTV law places no direct restrictions on video surveillance in public spaces (such as roads) when done by public authorities, and the police is exempted from the requirement to inform the public through clearly visible signs. Under the Data Protection Act, data processed from video surveillance systems must be deleted no later than 30 days after capture, and the Danish police interprets that as a legal basis for retaining the data for 30 days.

However, even though there are no direct restrictions on video surveillance in public spaces by public authorities, the video surveillance and the subsequent data processing are subject to general requirements of necessity and proportionality. The same principles must apply to ANPR, even though only number plates and not personal faces are registered and processed. Usually, CCTV is employed in areas with an increased risk of criminality, but the ANPR project effectively makes every Danish road an area suitable for CCTV monitoring in order to prevent crime.

The 30-day retention period, and the plans for active data-mining analysis by the police, make it even more questionable whether the ANPR project satisfies the necessity and proportionality requirements. This question must also be viewed in light of the recent judgement on the Data Retention Directive by the European Court of Justice (CJEU). A nationwide ANPR system clearly constitutes mass surveillance, and since the police is the data controller of the ANPR data, there are no judicial safeguards limiting the access to the retained data. The location data from ANPR can be compared to location data collected from mobile telephones.

On 2 June 2014, the Danish government published a legal analysis which said that the Danish data retention law does not violate the Charter of Fundamental Rights because the law has appropriate judicial safeguards for access to the retained data. No such access restrictions exist for the ANPR data. The fact that the Danish ANPR system will be limited (in the beginning) due to budgetary reasons can hardly be regarded as an effective judicial safeguard for this type of mass surveillance.

So far, there has been limited political discussion of the ANPR plans in Denmark, and the privacy implications have not been discussed at all. The documents from the Berlingske FOIA request also outline the PR strategy that the police intends to use for the ANPR project. The police will emphasise that most of the monitoring is done automatically by computers which only “react” when there is a hit. Clearly, the purpose here is to downplay the massive privacy invasion that the ANPR system will impose on Danish (and European) citizens.

Police will check millions of number plates, Berlingske (only in Danish, 21.06.2014)
http://www.b.dk/nationalt/politiet-vil-tjekke-millioner-af-danske-nummerplader

EDRi-gram: Denmark: Data retention is here to stay despite the CJEU ruling (02.06.2014)
http://edri.org/denmark-data-retention-stay-despite-cjeu-ruling/

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

 

02 Jul 2014

Supreme Court of the US on cell phone searches: get a warrant

By Guest author

In the court case Riley vs California, the Supreme Court of the United States (SCOTUS) affirmed on 25 June what many digital rights activists have been saying for a long time: our mobile phones, especially smartphones, have become such an extension of ourselves that warrantless searches of them violate fundamental rights.

Not only that, SCOTUS was unanimous on the issue, which is not common for the usually controversial questions that wind up on the Supreme Court’s plate. While this is not a European court case, core concepts of SCOTUS jurisprudence sometimes wind up in Europe as well; for example, the so-called Miranda rights were widely copied in European countries. The SCOTUS opinion in Riley vs California is well worth reading since it de facto puts an end to the mantra that rules applying to the material world should automatically and unthinkingly apply to digital issues.

A few of the most interesting quotes from the ruling:

“A conclusion that inspecting the contents of an arrestee’s pockets works no substantial additional intrusion on privacy beyond the arrest itself may make sense as applied to physical items, but more substantial privacy interests are at stake when digital data is involved. Cell phones differ in both a quantitative and a qualitative sense from other objects that might be carried on an arrestee’s person. Notably, modern cell phones have an immense storage capacity. Before cell phones, a search of a person was limited by physical realities and generally constituted only a narrow intrusion on privacy. But cell phones can store millions of pages of text, thousands of pictures, or hundreds of videos.”

“The scope of the privacy interests at stake is further complicated by the fact that the data viewed on many modern cell phones may in fact be stored on a remote server. Thus, a search may extend well beyond papers and effects in the physical proximity of an arrestee, a concern that the United States recognizes but cannot definitively foreclose”

The ruling puts the last quotation squarely in the context of cloud computing, and it will be interesting to see how this will affect future expected rulings on the US Government position that data held by third parties cannot fall within Fourth Amendment protections. This ruling may very well be a first stepping stone to the long overdue curbing of US law enforcement and intelligence services alike when it comes to online surveillance.

As SCOTUS jurisprudence on “effects” as meant by the Fourth Amendment of the US Constitution had been sorely missing in the digital age, this is a major step forward for digital rights in the USA.

SCOTUS ruling Riley vs California (25.06.2014)
http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf

SCOTUS Blog: Riley v. California
http://www.scotusblog.com/case-files/cases/riley-v-california/

(Contribution by Walter van Holst, EDRi member Vrijschrift, Netherlands)

02 Jul 2014

Romania: No communication without registration

By Guest author

Two bills initiated during the past month by the Romanian Government, with the direct and open support from the Romanian Secret Service (SRI), are attempting to kill any kind of electronic communication without prior identification and to expand dramatically the legal access to computer systems.

The first bill aims to make the registration of all prepaid mobile phone SIM cards mandatory. This is the fourth such attempt, using almost the same text, after the previous three attempts were rejected by the Parliament. However, this time the plan was better crafted in terms of political support: the new “urgent need” was directly pushed after the events in Ukraine over the last months by the Superior Council of Defence, a body that actually doesn’t have the power to suggest new laws, using a very vague notion of “preventing terrorist attacks”.

The new bill also includes the mandatory identification of all users of free WiFi networks. The text was formally adopted by the government and then pushed through the Senate in a record time of five working days. After that, because it was considered a matter of extreme urgency, the Chamber of Deputies needed to debate and pass the law in just two days.

A quick reaction from several human rights NGOs, including EDRi-member ApTI, managed to get the IT&C Committee in the Chamber to call for a hearing on 11 June 2014. The Romanian Data Protection Authority was not invited, and the text lacked any kind of basic assessment of human rights impact (actually the explanatory text says there is no impact on human rights) or even private business impact (even though it required mandatory registration of all current prepaid cards in just 6 months – there are 13 million active prepaid SIM cards in circulation and another 3 million inactive ones, a total of 16 million prepaid SIM cards).

Despite the general positive tone of the meeting on 11 June 2014, with questions from the MPs on the necessity and impact on privacy, and the public announcement that a second meeting will follow, the IT&C Committee adopted a much worse text in a meeting on 25 June with the Legal Committee, who did not discuss the text with anyone prior to its adoption. According to our sources, there was pressure by the Secretariat of the Chamber of Deputies to have the text adopted as soon as possible. On 2 July, the bill was adopted during the last extra-ordinary session of the Chamber of Deputies. At this point, the only chance for this bill not to come into force is for an exception of non-constitutionality to be raised to the Constitutional Court and for the Constitutional Court to strike it down.

The second bill that concerns cyber-security is in a much earlier stage from a legislative process perspective. It aims to give SRI the status of national competent authority in the field of “information security”, including specific rights to inspect and assess the information security standards to a not-defined-yet list of companies that own critical infrastructure. The invasiveness of the new provisions in all computer systems culminates with:

  • obligations for all private and public companies (irrespective of their size and importance) to have information security policies and organisational measures in place to protect their computers;
  •  the right for SRI and other nine public institutions to have access to the computer data held by those companies, at a simple “motivated request” from these institutions in their own attributions.

The cyber-security bill that is also being rushed , is contrary to all principles of the draft Network Information Service (NIS) directive. Nevertheless, the SRI representatives publicly stated that there are 18 victims of Internet fraud per second in the world, so they inferred that it should not take more than two weeks to debate this law. They also said the Internet is like the public roads, so computers need to be like cars in order to be allowed to access the Internet – to be registered and verified that they are technically fit. It seems that logical arguments are not the best tools to use in the Romanian public debate.

The cyber-security law has not yet been voted on by the committees of the Chamber of Deputies, so at least in theory the debate should be restarted in September 2014. But who knows if that will happen in practice…

Chamber of Deputies: File of the draft law on prepaid cards (only in Romanian)
http://www.cdep.ro/pls/proiecte/upl_pck.proiect?cam=2&idp=14203

“Let’s not talk about it”: how the mass surveillance debate was silenced in Romania (27.05.2014)
http://www.opendemocracy.net/can-europe-make-it/matei-vasile/lets-not-talk-about-it-how-mass-surveillance-debate-was-silenced-in-

SRI wants “road rules” for the Internet (only in Romanian, 25.06.2014)
http://www.apador.org/blog/sri-securitate-cibernetica-internet/

Updates on the prepaid cards and cybersecurity draft laws (only in Romanian, 30.06.2014)
http://apti.ro/noutati-cybersecurity-si-prepay-cdep

(Contribution by Bogdan Manolea, EDRi-member ApTI, Romania)

02 Jul 2014

Poland: Secret services escape citizens’ control

By Guest author

Poland recently celebrated 25 years of democracy. In those two and a half decades, among other changes, most public institutions in Poland have got more or less used to citizens’ control. It has taken years of advocacy and watchdog activity, as well as a number of court cases to decide whether a given piece of information is actually “public”. But this investment is now paying off: today even some of the most secret of all secret services answer freedom of information requests concerning their work. There is, however, a stain on this picture: one agency – the Military Counterintelligence Service (SKW) – keeps refusing to disclose any kind of information about its activity. Its approach is a reminder of a much deeper, systemic problem faced by Polish authorities: the uncontrolled and uncoordinated secret services.

So far, EDRi member Panoptykon’s numerous attempts to obtain public information from the SKW have generated only derisory and senseless conversations with the agency’s office and two court cases. The agency has failed to answer Panoptykon’s requests, even when these are only for statistical data on how often they access telecommunication or Internet-related data. Their standard answers remain the same: 1) the data requested do not constitute public information, 2) the freedom of information law does not apply to them, 3) the freedom of information law is actually unconstitutional, 4) data requested could be used by foreign spies against Poland, so it cannot be revealed.

Needless to say, all other agencies provide the same type of data without objections. The freedom of information law applies to all public entities – including intelligence agencies – and covers any information about their activity. Of course, under certain circumstances such information can be refused and kept secret, for example for public security purposes. However, in Poland this is not the case for basic statistical data. The court has already decided twice that the data Panoptykon requested constitute “public information”, which does not mean that it can be automatically revealed, but it has to be treated as such. Military Foreign Intelligence remains unconvinced: it fails to comply with the court’s decision by simply ignoring it.

The world is still discussing various aspects of the NSA spying programmes. Poland has recently been shaken by a “tapping scandal”, involving top level government officials. While the content of the tapped conversations remains debatable – it may be anything between a corruption case and just nonsense talk that happens to involve important public figures – the story exposed yet another face of uncontrolled surveillance. Not only were the highest government officials not able to prevent their conversations from being tapped and used against them, but the Internal Security Agency (ABW) ridiculed itself by trying to seize the original recordings directly from the weekly that published the material, thus threatening their journalistic sources. The Prime Minister is now facing a serious political crisis because of both the content of the tapped conversations held by his ministers and the aggressive behaviour of law enforcement that followed their publication. In fact, what he is actually responsible for is that he did not make the effort to reform the secret services and limit surveillance in the first place. Military Foreign Intelligence escaping citizens’ control is just a minor result of the same negligence.

The dream of an open SKW (only in Polish, 18.06.2014)
http://panoptykon.org/wiadomosc/marzenie-o-otwartym-skw

Panoptykon again in court against SKW. Military counterintelligence above the law when it comes to citizens’ access to public information? (only in Polish, 15.06.2014)
http://panoptykon.org/wiadomosc/panoptykon-znow-w-sadzie-przeciwko-skw-kontrwywiad-wojskowy-ponad-prawem-dostepu-obywateli

The freedom of information law (only in Polish, 6.9.2001)
http://isap.sejm.gov.pl/Download;jsessionid=24F648DD5FB123B93F1C751EFBF24D23?id=WDU20011121198&type=3

(Contribution by Anna Obem and Katarzyna Szymielewicz, EDRi member Fundacja Panoptykon, Poland)

02 Jul 2014

We are not accusing the German minister of interior of lying

By Kirsten Fiedler

On 30 June 2014, Germany’s Minister of the Interior Thomas de Maizière announced an initiative to help move forward the proposal for a General Data Protection Regulation. EDRi applauds this “initiative”, which comes after Germany has worked assiduously to stop progress in the Council. According to internal Council documents obtained by the Spiegel in December 2013, Germany was one of the countries actively seeking to water down and delay the reform. Now, finally, Germany seems to be willing to move forward.

In his statement, the German Minister announces the submission of concrete proposals to the Italian Presidency in order to discuss points where the Council was not able to reach a common position until now. With regard to transfers of personal data to third countries, de Maizière states that

Within the context of the NSA debate, Germany had put forward a proposal for Article 42a. (Original: “Den Vorschlag für einen entsprechenden Art. 42a hatte Deutschland im Zuge der NSA-Debatte eingebracht.”)

Great – but we already know that it was the European Commission that put forward the original proposal on Article 42, a full eighteen months before the NSA affair. How could Germany have possibly been the origin of the proposal (now as Art. 42a), as the Minister suggests?

The European Commission made a specific anti-spying proposal in its original draft, which was “leaked” during the final stages of the drafting process. As a result of the leak, after heavy lobbying from the US Department of Commerce, the Commission’s proposed Article 42 was abandoned. Commission President Barroso was reportedly afraid of upsetting the USA before the launch of the TTIP negotiations. In January 2012, the European Commission launched its weakened draft Regulation.

Then, in October 2012, eight months before the first Snowden leak, EDRi published the platform ProtectMyData.eu, where we made suggestions to improve the Commission text – including an amendment to re-insert Article 42 into the Regulation.

Subsequently, the Member of the European Parliament in charge of the Regulation, Jan Philipp Albrecht, tabled a similar amendment in his draft report (as Art 43a new) in November 2013, eight months before de Maizière’s letter to the Italian Presidency.

So, maybe the Minister is not aware of the fact that the proposal was made two and a half years ago. Maybe the Minister is not aware of our campaign to have the text put back into the Regulation months before the Snowden leaks. Maybe the Minister was not aware of the fact that the proposal was made in the European Parliament long before the Snowden leaks. Or maybe 42 is the answer. After all, we do not wish to accuse him of lying.

Release: Launching an initiative on the General Data Protection Regulation (30.06.2014)
http://www.bmi.bund.de/SharedDocs/Kurzmeldungen/DE/2014/06/initiative-zur-datenschutz-grundverordnung.html

Leaked internal draft of the data protection regulation (December 2011)
http://statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf

EU Council: German officials are slowing down European data protection rules (02.12.2013)
http://www.spiegel.de/netzwelt/netzpolitik/deutsche-beamte-bremsen-europas-datenschutz-aus-a-936704.html

US lobbying against draft Data Protection Regulation (22.12.2011)
http://edri.org/us-dpr/

EDRi proposal for the re-introduction of Article 42 (October 2012)
http://protectmydata.eu/articles/articles-41-50/article-42/

Letter by NGOs to the EU Council: International Data Privacy Day: We remind the European Council of our rights (28.01.2014)
https://www.accessnow.org/blog/2014/01/28/international-data-privacy-day-we-remind-the-european-council-of-our-rights

42
http://hitchhikers.wikia.com/wiki/42
