16 Jul 2014

Slovenia: Data retention unconstitutional, deletion of data ordered

By Guest author

The Constitutional Court of the Republic of Slovenia abrogated the data retention provisions of the Act on Electronic Communications (ZEKom-1) in its judgement U-I-65/13-19 of 3 July 2014, following the constitutional request lodged by the Information Commissioner in March 2013 and the ECJ judgment of 8 April 2014 in Joined Cases C-293/12 and C-594/12.

The Court abrogated ZEKom-1 articles 162, 163, 164, 165, 166, 167, 168 and 169 and instructed operators of electronic communications to delete retained data immediately after the judgment is published in the Official Gazette. The Court holds data retention as disproportionate for the following reasons:

  • unselective retention of data constitutes a breach of the rights of a large proportion of the population that did not provide any reason to justify this;
  • blanket data retention does not provide for anonymous use of communications, which is particularly important in cases where untraceable use is necessary (e.g. calling for help in mental distress);
  • arguments for the selected retention periods (8 months for internet related and 14 months for telephony related data) were not provided nor explained in the legislative preparatory documents;
  • the use of retained data was not limited to serious crime.

The Slovenian Information Commissioner Nataša Pirc Musar welcomed the ruling and sees it as an important step in protection of the right to privacy and data protection. The Court recognised the importance of personal data protection in relation to the use of modern information and communication technologies, particularly when used by law enforcement as repressive bodies of the state.

The Commissioner has been regularly warning about the problems of major breaches of privacy by law enforcement created by introduction of surveillance technologies. These tend to be used indiscriminately on large proportions of population, thereby encroaching on their right to privacy and data protection. The availability of new technologies such as drones, IMSI catchers and similar has, in several cases, led to requests by the police to the Ministry of Justice to legislate their use and to provide legal grounds enabling their deployment. Unfortunately these requests have often not been backed by sufficient assessments as regards their impact on human rights. In order to allow for transparency and to ensure that new law enforcement powers respect the principles of necessity and proportionality, the Commissioner has issued guidelines on privacy impact assessments (PIA) for the introduction of new police measures, representing a methodological framework for a prudent, reasonable and legitimate introduction of new measures.

The Information Commissioner Pirc Musar emphasised that this is one of her most important achievements during her 10-year mandate which is now ending. The decision of the Court represents an important part in the debate about the necessity and proportionality of the use of surveillance measures and technologies in the context of law enforcement and intelligence agencies.

Request to the Constitutional Court (only in Slovenian)
https://www.ip-rs.si/fileadmin/user_upload/Pdf/ocene_ustavnosti/ZEKom_-_Zahteva_za_oceno_ustavnosti__data_retention_.pdf

Decision of the Constitutional Court (only in Slovenian, 03.07.2014)
https://www.ip-rs.si/fileadmin/user_upload/Pdf/sodbe/US_RS_ZEKom-1_3julij2014.tif

Electronic Communications Act (ZEKom-1)
http://www.akos-rs.si/acts

Information Commissioner of the Republic of Slovenia (only in Slovenian)
https://www.ip-rs.si/

Privacy Impact Assessment (PIA) Guidelines for the Introduction of new Police Powers
https://www.ip-rs.si/fileadmin/user_upload/Pdf/smernice/PIA_guideliness_for_introduction_of_new_police_powers_english.pdf

(Contribution by Andrej Tomšič, Deputy Information Commissioner,
Information Commissioner, Republic of Slovenia)

16 Jul 2014

Code Red, global initiative to support a reform of security services

By Heini Järvinen

More than two-dozen civil society activists from fourteen countries have joined the steering group of an ambitious global initiative to accelerate police and security services accountability.

The project, Code Red, was conceived during the preparation of a report “A Crisis of Accountability” that was published in June 2014 on developments in the twelve months since the start of Edward Snowden’s disclosures. The report concluded that despite a substantial and potent response from civil society, there was also a clear need for greater strategic support, resources and communication between activists working in different disciplines.

The steering group includes many well-known figures in civil society, among them MI5 whistleblower Annie Machon, former Wikimedia General Counsel Mike Godwin, CIS India head Sunil Abraham, OpenMedia Canada’s David Christopher, Access Now’s Raegan McDonald, the Electronic Frontier Foundation’s International Rights Director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. Influential figures in the tech sector have also joined, including Jacob Appelbaum, the celebrated hacker who works at the core of Wikileaks, the Tor project and the Snowden disclosures, Whitfield Diffie, one of the pioneers of public key cryptography, and Bruce Schneier, possibly the world’s most influential security expert. It’s expected that more people will join the group over the next two weeks.

In mid July 2014, Code Red kicked off a four-month global consultation to identify options for its objectives and structure. Currently the working group members have an open mind on how the initiative may develop, but the overriding view is that it should aim to be a clearinghouse and resource centre for groups working on security reform.

In the UK, civil rights groups such as Privacy International and Big Brother Watch have launched legal challenges that have forced the government to make unprecedented disclosures about security activities. Code Red aims to support and promote such actions through a global communications and resource platform.

The initiative was founded by EDRi observer Simon Davies, who is regarded as one of the pioneers of the international privacy arena. Davies has wide experience of founding successful global initiatives, including the Big Brother Awards and Privacy International. In a summary of the initiative posted on Davies’ Privacy Surgeon blog on 10 July, he emphasised the need for cross-border and cross-disciplinary relationships, and declared: “It’s time to raise the stakes for secretive agencies that refuse to embrace accountability – and to do so fearlessly and relentlessly.”

“The many communities involved in this struggle – free speech, whistleblowing, anti-censorship, law reformers, policy reformers, privacy and the tech communities – must find a way to work together. A bridge of some sort should also be attempted with companies that are genuinely working to improve privacy and security,”

Davies told EDRi-gram, highlighting that his intention was not to create a new NGO, but to help support a “platform that supports a network of networks”.

According to Davies, many people involved in the initial dialogue around Code Red felt that the Snowden disclosures are just the tip of the iceberg. The involvement of law enforcement agencies, the military, international police organisations and other government authorities is largely unknown. “Snowden told us what security agencies do, but not what happens to this mass of information, which organisations use it or for what purposes. Police use of information – and international disclosure of that information – has largely escaped scrutiny in most countries. How civil society finds the means to counter this vast activity is a crucial challenge.”

“My personal view is that we need to look beyond the security services to understand the bottom-feeders in the data chain. We already have adequate evidence that police services are immersed in corrupt and unlawful practices, as evidenced by the use by Dutch police of “Stealth SMS” technology to circumvent legal safeguards, and the unlawful disclosure of personal information to journalists by London’s Metropolitan Police, uncovered during the News of the World phone hacking inquiries,” Davies added.

The steering group membership will be published in full on the privacysurgeon.org website in the fourth week of July 2014.

Global security analysis reveals widespread government apathy following Snowden disclosures (10.06.2014)
http://www.privacysurgeon.org/blog/incision/global-security-analysis-reveals-widespread-government-apathy-following-snowden-disclosures/

UK intelligence forced to reveal secret policy for mass surveillance of residents’ Facebook and Google use (17.06.2014)
https://www.privacyinternational.org/press-releases/uk-intelligence-forced-to-reveal-secret-policy-for-mass-surveillance-of-residents

Code Red, a global initiative to support national security reform (10.07.2014)
http://www.privacysurgeon.org/blog/events-2/

Dutch parliament wants clarification on using “Stealth” SMS in espial (21.08.2013)
http://www.zdnet.be/nieuws/151230/nederlands-parlement-wil-opheldering-over-gebruik-stealth-sms-bij-opsporing-/

Metropolitan Police role in the news media phone hacking scandal
http://en.wikipedia.org/wiki/Metropolitan_Police_role_in_the_news_media_phone_hacking_scandal#Illegal_payments_to_officers

02 Jul 2014

Denmark about to implement a nationwide ANPR system

By Guest author

The Danish police is planning to implement a nationwide automatic number plate recognition (ANPR) system over the next couple of years. The Danish newspaper Berlingske obtained the project description for the IT system through a Freedom of Information Act (FOIA) request, and reported about the ANPR plans.

The ANPR system will consist of mobile units in police cars and handheld devices. The units are designed to automatically register all number plates encountered on the road. The number plates are checked against a pre-compiled hotlist, for example because the vehicle or number plate is reported stolen, or because the owner has skipped a mandatory inspection of the vehicle. If there is a match on the hotlist, the police officers will get a signal from the ANPR device, so that they can decide whether to pursue the vehicle or not.

However, the mobile ANPR units will also store all number plates that are scanned, together with the location. Additionally, the system will store the number plates of all cars that pass the unit since no immediate police action is possible in case of a match on the hotlist.

The Danish police has studied ANPR systems in other European countries, but the United Kingdom is mentioned as the main inspiration for the Danish system. During a test period, a Danish police car equipped with ANPR was able to register about 50,000 cars in a single month, with a “hit rate” on the hotlist of 2%. It is estimated that the ANPR system will allow the police to check 30 times as many number plates compared to the current manual system.

The main privacy concern comes from the location data that is registered for all cars encountered on the road by the ANPR units, whether mobile or stationary. The police will retain that data for 30 days, and the documents from the Berlingske FOIA request show that they intend to use the data actively for investigations and data analysis; there are plans to employ 10-15 data analysts for the latter task. Since the police is the data controller, there is direct “data mining” access to the entire database, without the need for a court order.

The ANPR system will be implemented in all police districts in Denmark, but the project has a particular focus on cross-border crimes, including organised home burglaries. The funding for the ANPR project comes from a political agreement to prioritise police efforts against cross-border crimes. Cars that pass the Danish border with other EU member states are thus more likely to be scanned than other cars, even though there is no border control since Denmark is part of the Schengen Area. Violations of EU cabotage rules (local trucking transports after unloading of the international transport) are also a special priority in Denmark, and scanning number plates at the border has been discussed as one of the initiatives against these violations.

The ANPR data will be shared with the tax authorities and other authorities in Denmark. Their intended use of the data is not clearly indicated in the documents, but the tax authorities have previously tried (mostly unsuccessfully) to get access to the information stored by the telephone companies under the data retention law.

The Danish ANPR system will not be as massive as the one in the UK, but this is mainly for budgetary reasons. The initial budget for ANPR is 4 million euros, so not all police cars will be equipped with ANPR units. The Danish police estimates that “only” 30 million number plates will be scanned and registered every year. Needless to say, this number will increase if more public funds are allocated to the project.

According to the documents obtained through the FOIA request by Berlingske, the legal basis for the ANPR project is the Danish video surveillance law (CCTV law) and the Danish Data Protection Act (transposing directive 1995/46/EC). The Danish CCTV law places no direct restrictions on video surveillance in public spaces (such as roads) when done by public authorities, and the police is exempted from the requirement to inform the public through clearly visible signs. Under the Data Protection Act, data processed from video surveillance systems must be deleted no later than 30 days after capture, and the Danish police interprets that as a legal basis for retaining the data for 30 days.

However, even though there are no direct restrictions on video surveillance in public spaces by public authorities, the video surveillance and the subsequent data processing are subject to general requirements of necessity and proportionality. The same principles must apply to ANPR, even though only number plates and not personal faces are registered and processed. Usually, CCTV is employed in areas with an increased risk of criminality, but the ANPR project effectively makes every Danish road an area suitable for CCTV monitoring in order to prevent crime.

The 30-day retention period, and the plans for active data-mining analysis by the police, make it even more questionable whether the ANPR project satisfies the necessity and proportionality requirements. This question must also be viewed in light of the recent judgement on the Data Retention Directive by the European Court of Justice (CJEU). A nationwide ANPR system clearly constitutes mass surveillance, and since the police is the data controller of the ANPR data, there are no judicial safeguards limiting the access to the retained data. The location data from ANPR can be compared to location data collected from mobile telephones.

On 2 June 2014, the Danish government published a legal analysis which said that the Danish data retention law does not violate the Charter of Fundamental Rights because the law has appropriate judicial safeguards for access to the retained data. No such access restrictions exist for the ANPR data. The fact that the Danish ANPR system will be limited (in the beginning) due to budgetary reasons can hardly be regarded as an effective judicial safeguard for this type of mass surveillance.

So far, there has been limited political discussion of the ANPR plans in Denmark, and the privacy implications have not been discussed at all. The documents from the Berlingske FOIA request also outline the PR strategy that the police intends to use for the ANPR project. The police will emphasise that most of the monitoring is done automatically by computers which only “react” when there is a hit. Clearly, the purpose here is to downplay the massive privacy invasion that the ANPR system will impose on Danish (and European) citizens.

Police will check millions of number plates, Berlingske (only in Danish, 21.06.2014)
http://www.b.dk/nationalt/politiet-vil-tjekke-millioner-af-danske-nummerplader

EDRi-gram: Denmark: Data retention is here to stay despite the CJEU ruling (02.06.2014)
http://edri.org/denmark-data-retention-stay-despite-cjeu-ruling/

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

02 Jul 2014

Supreme Court of the US on cell phone searches: get a warrant

By Guest author

In the court case Riley vs California, the Supreme Court of the United States (SCOTUS) affirmed on 25 June what many digital rights activists have been saying for a long time: our mobile phones, especially smartphones, have become such an extension of ourselves that warrantless searches of them violate fundamental rights.

Not only that, SCOTUS was unanimous on the issue, which is not common for the usually controversial questions that wind up on the Supreme Court’s plate. While this is not a European court case, core concepts of SCOTUS jurisprudence sometimes wind up in Europe as well, for example the so-called Miranda rights were widely copied in European countries. The SCOTUS opinion in Riley vs California is well worth reading since it de facto puts an end to the mantra that rules applying to the material world should automatically and unthinkingly apply to digital issues.

A few of the most interesting quotes from the ruling:

“A conclusion that inspecting the contents of an arrestee’s pockets works no substantial additional intrusion on privacy beyond the arrest itself may make sense as applied to physical items, but more substantial privacy interests are at stake when digital data is involved. Cell phones differ in both a quantitative and a qualitative sense from other objects that might be carried on an arrestee’s person. Notably, modern cell phones have an immense storage capacity. Before cell phones, a search of a person was limited by physical realities and generally constituted only a narrow intrusion on privacy. But cell phones can store millions of pages of text, thousands of pictures, or hundreds of videos.”

“The scope of the privacy interests at stake is further complicated by the fact that the data viewed on many modern cell phones may in fact be stored on a remote server. Thus, a search may extend well beyond papers and effects in the physical proximity of an arrestee, a concern that the United States recognizes but cannot definitively foreclose”

The ruling puts the last quotation squarely in the context of cloud computing, and it will be interesting to see how this will affect future expected rulings on the US Government position that data held by third parties cannot fall within Fourth Amendment protections. This ruling may very well be a first stepping stone to the long overdue curbing of US law enforcement and intelligence services alike when it comes to online surveillance.

As SCOTUS jurisprudence on “effects” as meant by the Fourth Amendment of the US Constitution had been sorely missing in the digital age, this is a major step forward for digital rights in the USA.

SCOTUS ruling Riley vs California (25.06.2014)
http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf

SCOTUS Blog: Riley v. California
http://www.scotusblog.com/case-files/cases/riley-v-california/

(Contribution by Walter van Holst, EDRi member Vrijschrift, Netherlands)

02 Jul 2014

Romania: No communication without registration

By Guest author

Two bills initiated during the past month by the Romanian Government, with the direct and open support from the Romanian Secret Service (SRI), are attempting to kill any kind of electronic communication without prior identification and to expand dramatically the legal access to computer systems.

The first bill aims to make the registration of all prepaid mobile phone SIM cards mandatory. This is the fourth such attempt, using almost the same text, after the previous three attempts were rejected by the Parliament. However, this time the plan was better crafted in terms of political support: the new “urgent need” was directly pushed after the events in Ukraine in the last months by the Superior Council of Defence, a body that actually doesn’t have the power to suggest new laws, using a very vague notion of “preventing terrorist attacks”.

The new bill also includes the mandatory identification of all users of free WiFi networks. The text was formally adopted by the government and then pushed through the Senate in a record time of five working days. After that, because it was considered extremely urgent, the Chamber of Deputies needed to debate and pass the law in just two days.

A quick reaction from several human rights NGOs, including EDRi-member ApTI, managed to get the IT&C Committee in the Chamber to call for a hearing on 11 June 2014. The Romanian Data Protection Authority was not invited, and the text lacked any kind of basic assessment of human rights impact (actually the explanatory text says there is no impact on human rights) or even private business impact (even though it required mandatory registration of all current prepaid cards in just 6 months – there are 13 million active prepaid SIM cards in circulation and another 3 million inactive ones, a total of 16 million prepaid SIM cards).

Despite the generally positive tone of the meeting on 11 June 2014, with questions from the MPs on the necessity and impact on privacy, and the public announcement that a second meeting would follow, the IT&C Committee adopted a much worse text in a meeting on 25 June with the Legal Committee, which did not discuss the text with anyone prior to its adoption. According to our sources, there was pressure by the Secretariat of the Chamber of Deputies to have the text adopted as soon as possible. On 2 July, the bill was adopted during the last extraordinary session of the Chamber of Deputies. At this point, the only chance for this bill not to come into force is for an exception of non-constitutionality to be raised to the Constitutional Court and for the Constitutional Court to strike it down.

The second bill, which concerns cyber-security, is at a much earlier stage of the legislative process. It aims to give SRI the status of national competent authority in the field of “information security”, including specific rights to inspect and assess the information security standards of a not-yet-defined list of companies that own critical infrastructure. The invasiveness of the new provisions in all computer systems culminates with:

  • obligations for all private and public companies (irrespective of their size and importance) to have information security policies and organisational measures in place to protect their computers;
  • the right for SRI and nine other public institutions to have access to the computer data held by those companies, at a simple “motivated request” from these institutions in their own attributions.

The cyber-security bill, which is also being rushed, is contrary to all principles of the draft Network Information Service (NIS) directive. Nevertheless, the SRI representatives publicly stated that there are 18 victims of Internet fraud per second in the world, so they inferred that it should not take more than two weeks to debate this law. They also said the Internet is like the public roads, so computers need to be like cars in order to be allowed to access the Internet – to be registered and verified that they are technically fit. It seems that logical arguments are not the best tools to use in the Romanian public debate.

This law on cyber-security has not yet been voted on by the committees of the Chamber of Deputies, so at least in theory the debate should be restarted in September 2014. But who knows if that will happen in practice…

Chamber of Deputies: File of the draft law on prepaid cards (only in Romanian)
http://www.cdep.ro/pls/proiecte/upl_pck.proiect?cam=2&idp=14203

“Let’s not talk about it”: how the mass surveillance debate was silenced in Romania (27.05.2014)
http://www.opendemocracy.net/can-europe-make-it/matei-vasile/lets-not-talk-about-it-how-mass-surveillance-debate-was-silenced-in-

SRI wants “road rules” for the Internet (only in Romanian, 25.06.2014)
http://www.apador.org/blog/sri-securitate-cibernetica-internet/

Updates on the prepaid cards and cybersecurity draft laws (only in Romanian, 30.06.2014)
http://apti.ro/noutati-cybersecurity-si-prepay-cdep

(Contribution by Bogdan Manolea, EDRi-member ApTI, Romania)

02 Jul 2014

Poland: Secret services escape citizens’ control

By Guest author

Poland celebrated its 25 years of democracy recently. In those two and a half decades, among other changes, most public institutions in Poland have got more or less used to citizens’ control. It has taken years of advocacy and watchdog activity, as well as a number of court cases to decide whether a given piece of information is actually “public”. But this investment is now paying off: today even some of the most secret of all secret services answer freedom of information requests concerning their work. There is, however, a stain on the image: one agency – the Military Counterintelligence Service (SKW) – keeps refusing to disclose any kind of information about its activity. Their approach is a reminder of a much deeper and systemic problem faced by Polish authorities: the uncontrolled and uncoordinated secret services.

So far, EDRi member Panoptykon’s numerous attempts to obtain public information from the SKW have generated only derisory and senseless conversations with the agency’s office and two court cases. The agency has failed to answer Panoptykon’s requests, even when these are only for statistical data on how often they access telecommunication or Internet-related data. Their standard answers remain the same: 1) the data requested do not constitute public information, 2) the freedom of information law does not apply to them, 3) the freedom of information law is actually unconstitutional, 4) data requested could be used by foreign spies against Poland, so it cannot be revealed.

Needless to say, all other agencies provide the same type of data without objections. The freedom of information law applies to all public entities – including intelligence agencies – and covers any information about their activity. Of course, under certain circumstances such information can be refused and kept secret, for example for public security purposes. However, in Poland this is not the case of basic statistical data. The court has already decided twice that the data Panoptykon request constitute “public information”, which does not mean that it can be automatically revealed, but it has to be treated as such. Military Foreign Intelligence remains unconvinced: it fails to comply with the court’s decision by simply ignoring it.

The world is still discussing various aspects of the NSA spying programmes. Poland has recently been shaken by a “tapping scandal”, involving top level government officials. While the content of the tapped conversations remains debatable – it may be anything between a corruption case and just nonsense talk that happens to involve important public figures – the story exposed yet another face of uncontrolled surveillance. Not only were the highest government officials not able to prevent their conversations from being tapped and used against them, but the Internal Security Agency (ABW) ridiculed itself by trying to seize the original recordings directly from the weekly that published the material, thus threatening their journalistic sources. The Prime Minister is now facing a serious political crisis because of both the content of the tapped conversations held by his ministers and the aggressive behaviour of law enforcement that followed their publication. In fact, what he is actually responsible for is that he did not make the effort to reform secret services and limit surveillance in the first place. Military Foreign Intelligence escaping citizens’ control is just a minor result of the same negligence.

The dream of an open SKW (only in Polish, 18.06.2014)
http://panoptykon.org/wiadomosc/marzenie-o-otwartym-skw

Panoptykon again in court against SKW. Military counterintelligence above the law when it comes to citizens’ access to public information? (only in Polish, 15.06.2014)
http://panoptykon.org/wiadomosc/panoptykon-znow-w-sadzie-przeciwko-skw-kontrwywiad-wojskowy-ponad-prawem-dostepu-obywateli

The freedom of information law (only in Polish, 6.9.2001)
http://isap.sejm.gov.pl/Download;jsessionid=24F648DD5FB123B93F1C751EFBF24D23?id=WDU20011121198&type=3

(Contribution by Anna Obem and Katarzyna Szymielewicz, EDRi member Fundacja Panoptykon, Poland)

02 Jul 2014

We are not accusing the German minister of interior of lying

By Kirsten Fiedler

On 30 June 2014, Germany’s Minister of the Interior Thomas de Maizière announced an initiative to help move forward the proposal for a General Data Protection Regulation. EDRi applauds this “initiative”, which comes after Germany has worked assiduously to stop progress in the Council. According to internal Council documents obtained by the Spiegel in December 2013, Germany was one of the countries actively seeking to water down and delay the reform. Now, finally, Germany seems to be willing to move forward.

In his statement, the German Minister announces the submission of concrete proposals to the Italian Presidency in order to discuss points where the Council was not able to reach a common position until now. With regard to transfers of personal data to third countries, de Maizière states that

Within the context of the NSA debate, Germany had put forward a proposal for Article 42a. (Original: “Den Vorschlag für einen entsprechenden Art. 42a hatte Deutschland im Zuge der NSA-Debatte eingebracht.”)

Great – but we already know that it was the European Commission that put forward the original proposal on Article 42, a full eighteen months before the NSA affair. How could Germany have possibly been the origin of the proposal (now as Art. 42a), as the Minister suggests?

The European Commission made a specific anti-spying proposal in its original draft, which was “leaked” during the final stages of the drafting process. As a result of the leak, after heavy lobbying from the US Department of Commerce, the Commission’s proposed Article 42 was abandoned. Commission President Barroso was reportedly afraid of upsetting the USA before the launch of the TTIP negotiations. In January 2012, the European Commission launched its weakened draft Regulation.

Then, in October 2012, eight months before the first Snowden leak, EDRi published the platform ProtectMyData.eu, where we made suggestions to improve the Commission text – including an amendment to re-insert Article 42 into the Regulation.

Subsequently, the Member of the European Parliament in charge of the Regulation, Jan Philipp Albrecht, tabled a similar amendment in his draft report (as Art 43a new) in November 2013, eight months before de Maizière’s letter to the Italian Presidency.

So, maybe the Minister is not aware of the fact that the proposal was made two and a half years ago. Maybe the Minister is not aware of our campaign to have the text put back into the Regulation months before the Snowden leaks. Maybe the Minister was not aware of the fact that the proposal was made in the European Parliament long before the Snowden leaks. Or maybe 42 is the answer. After all, we do not wish to accuse him of lying.

Release: Launching an initiative to General Data Protection Regulation (30.06.2014)
http://www.bmi.bund.de/SharedDocs/Kurzmeldungen/DE/2014/06/initiative-zur-datenschutz-grundverordnung.html

Leaked internal draft of the data protection regulation (December 2011)
http://statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf

EU Council: German officials are slowing down European data protection rules (02.12.2013)
http://www.spiegel.de/netzwelt/netzpolitik/deutsche-beamte-bremsen-europas-datenschutz-aus-a-936704.html

US lobbying against draft Data Protection Regulation (22.12.2011)
http://edri.org/us-dpr/

EDRi proposal for the re-introduction of Article 42 (October 2012)
http://protectmydata.eu/articles/articles-41-50/article-42/

Letter by NGOs to the EU Council: International Data Privacy Day: We remind the European Council of our rights (28.01.2014)
https://www.accessnow.org/blog/2014/01/28/international-data-privacy-day-we-remind-the-european-council-of-our-rights

42
http://hitchhikers.wikia.com/wiki/42

18 Jun 2014

Belgian Big Brother Awards 2014: This year’s winners are…

By Guest author

On 4 June, EDRi member Liga voor Mensenrechten presented the Belgian Big Brother Awards. The public voted for the former public prosecutor Yves Liégeois for his views on DNA databases for newborn babies. The second prize, the professional jury’s prize, went to the “smartphone”, our ever-present pocket-size spy, and the third prize, the Lifetime Achievement Award, was given to the NSA for its tireless efforts to create a ubiquitous surveillance infrastructure.

The main goal of the Big Brother Awards is to create awareness of an endangered fundamental right: our right to privacy. Big Brother is everywhere. These days, there’s no domain of your daily life left where you’re not registered, spied upon or analysed for security or commercial reasons. It may happen with or without your consent, in return for a few discounts or “free” services that are paid for by the creation and use of psychological profiles of the end-user.

The public voted Antwerp’s former public prosecutor Yves Liégeois as the winner of Big Brother Award. Liégeois became well-known in 2013 for his controversial statements regarding the introduction of DNA databases for babies.

“Mr. Liégeois should know how important his words are. Within his official function he is supposed to defend our fundamental rights, including our right to privacy,”

said Caroline de Geest, spokesperson for the Liga voor Mensenrechten.

A jury of experts awarded the jury prize to the “smartphone”. They clarified the reasons behind their choice by stating:

“The smartphone is in fact a pocket-size spy that registers who and where we are, what we do and with whom we’re doing it. The average smartphone user is partly to blame for his or her vulnerability because of their apathy towards their own privacy. As long as IT developers will keep showering us with greedy data collecting apps smartphone users seem to accept, we will keep overlooking the fact that using these apps is not risk-free. These days, the norm for data collection seems to be based on the adage “the more, the merrier”.”

The American intelligence service NSA was awarded a special prize. The NSA became known worldwide during the events set in motion by Edward Snowden’s revelations about NSA’s snooping scandals in 2013. The NSA was hailed as the biggest Big Brother of all time, because of its espionage and surveillance practices. The organisation was rewarded for its role with a Lifetime Achievement Award.

Big Brother Awards 2014: And the winners are… (only in Dutch, 04.06.2014)
http://www.mensenrechten.be/index.php/site/nieuwsberichten/big_brother_awards_2014_en_de_winnaars_zijn

(Contribution by Caroline De Geest, EDRi member Liga voor Mensenrechten, Belgium)

18 Jun 2014

Facebook adds third-party website data to ad targeting profiles

By Heini Järvinen

Facebook announced in a blog post on 12 June 2014 that it will start expanding its users’ advertising data by letting marketers target ads based not only on users’ activities on the social network, but also on third-party websites.

By clicking on an arrow in the corner of the ads, a user can see the main attributes that led to the ad being shown. In theory, users will be able to access their “ad preferences” record and modify it by removing unwanted interest categories or adding more suitable ones – if they know the option exists, if they don’t delete the cookie that will store the preferences, if they do this on every machine that they use, and if Facebook respects the choices made. Getting rid of ads completely is still not possible; if a user deletes all the preferences collected, Facebook will simply show more generic ads based on the user’s basic information, such as location, gender and age.

Facebook has previously maintained internal advertising profiles of its users, built according to their comments and “likes” within the network. It has also had access to data on the external websites and mobile apps its members are using, but this data has so far not been used to target ads.

The change applies first to Facebook’s American users who can expect to have access to their profiles within the next few weeks, and it will be introduced around the world in coming months.

Only a few years ago even Facebook itself criticised such practices. However, it now explains the change by users’ wish to see ads that better match their interests.

“The thing that we have heard from people is that they want more targeted advertising. The goal is to make it clear to people why they saw the ad,”

commented Brian Boland, Facebook’s vice president in charge of ads product marketing.

Integrating users’ activities on third-party websites into their ad targeting profiles has predictably inflamed concerns about personal privacy. Giving users a bit more control over their data can be seen as a way to quell these concerns.

“The privacy announcements — are a political smokescreen to enable Facebook to engage in more data gathering. They claim to protect user privacy at the same time as they work to undermine it,”

said Jeff Chester, executive director of the Center for Digital Democracy, an American consumer protection and privacy organisation.

Asking its users to provide more accurate information on their preferences can be profitable to Facebook, as having a receptive audience willing to see ads relevant to them is more likely to interest marketers.

“Who in his right mind wouldn’t want relevant ads over irrelevant ads?”

said Joseph Turow, a professor at the University of Pennsylvania’s Annenberg School for Communication. However, he pointed out that gathering more accurate information on its users increases Facebook’s power:

“It’s more likely to help Facebook than you.”

Facebook announced it will also provide a link to an industry website allowing users to opt out of having their activities on third-party websites and their mobile app use tracked.

Making ads better and giving people more control over the ads they see (12.06.2014)
http://newsroom.fb.com/news/2014/06/making-ads-better-and-giving-people-more-control-over-the-ads-they-see/

Facebook to let users alter their ad profiles (12.06.2014)
http://www.nytimes.com/2014/06/13/technology/facebook-to-let-users-alter-their-ad-profiles.html?ref=technology&_r=0

Facebook expands users’ ad targeting profiles with website data (12.06.2014)
http://www.reuters.com/article/2014/06/12/us-facebook-ads-idUSKBN0EN0U520140612

Facebook brings in a new, eerily accurate form of ad (12.06.2014)
http://arstechnica.com/business/2014/06/facebook-brings-in-a-new-eerily-accurate-form-of-ad/

Facebook makes everything better – for itself (only in Dutch, 12.06.2014)
https://www.bof.nl/2014/06/12/facebook-maakt-alles-beter-voor-zichzelf/

Opt out from online behavioral advertising (BETA)
http://www.aboutads.info/choices/

18 Jun 2014

Report on Snowden – Government apathy but increased public concern

By Guest author

In the wake of the first anniversary of Edward Snowden’s first revelations, a global analysis was published, assessing the international impact of those disclosures.

The report, “A crisis of Accountability”, revealed not only that most governments had entirely ignored the Snowden revelations, but that some governments including the US and the UK have been actively campaigning to dissuade nations from undertaking reform of their security services. Two thirds of legal professionals and technology experts from 29 countries surveyed for the report said that they could recall no tangible measure taken by government.

More than forty authors from eighteen countries contributed to the report, from organisations including EDRi, EDRi members the Electronic Frontier Foundation, Access and Digital Rights Ireland, as well as OpenMedia, Privacy International and Reporters without Borders, and key academics, legal specialists and researchers.

The 90-page report was published by veteran activist Simon Davies of Privacy Surgeon in association with the University of Amsterdam and the Vrije Universiteit Brussel.

The analysis determined that, despite the fact that a large majority of governments have not responded in any “tangible, measurable way” to the disclosures, a significant positive global shift in public and political consciousness had been triggered.

Both the authors and the survey respondents reported a noticeable shift in thinking around the world toward increased awareness of the importance of accountability, transparency and the rule of law with regard to both the activities of security agencies and the value of privacy. This shift – in many parts of the world – has empowered civil society, created a resurgence of interest in legal protections and sensitised media to key issues that have hitherto escaped public scrutiny at any substantial level.

One of the most interesting findings was that despite a perception that the Snowden disclosures have become a global news story, reports from the majority of the countries, excluding the US, indicate that media coverage has been minimal or non-existent. Concern was expressed that the story was “owned” as a proprietary package by the Anglo-American press and was of little direct relevance to most parts of the world. This perception only shifted at the local level when such countries as Pakistan and Mexico were specifically cited in leaked documents.

Report: A crisis of Accountability (10.06.2014)
http://www.privacysurgeon.org/blog/wp-content/uploads/2014/06/Snowden-final-report-for-publication.pdf

The Privacy Surgeon
http://www.privacysurgeon.org/blog/

(Contribution by Simon Davies, EDRi observer)
