security & surveillance

While offering vast opportunities for exercising and enhancing fundamental rights, the digital environment also offers opportunities both to commit new offences and to impose new restrictions on our online rights. Measures such as filtering, blocking and untargeted surveillance are often easy to implement and extremely difficult to rectify. EDRi therefore works to ensure that all security and surveillance measures are necessary, proportionate and implemented based on solid evidence.

22 Jul 2014

EDRi’s response to FCC consultation on net neutrality

By Heini Järvinen

The US Federal Communications Commission’s (FCC) consultation on net neutrality “Protecting and Promoting the Open Internet” initially had a deadline of 15 July, which was subsequently extended due to the huge volume of responses (reportedly above one million).

Read EDRi’s response to the consultation here:

In Europe, the Council is now edging towards a decision on whether it should accept or reject the democratic decision of the European Parliament to support net neutrality. As things stand, it appears that the Council will reject the views of European citizens and the European Parliament. The two most likely outcomes are the abandonment of the entire telecoms single market regulation or support for the kind of meaningless, unenforceable, failed “code of conduct” approach chosen by the UK.




18 Jul 2014

EDRi’s response to the ISDS consultation

By Heini Järvinen

The European Commission’s public “consultation” on investor-state dispute settlement (ISDS) in the Transatlantic Trade and Investment Partnership Agreement (TTIP) drew over 100 000 responses by its deadline 13 July.

To help people respond to the consultation, EDRi published an answering guide and an online form. Our lobbycharter website also briefly explains the principal problems of ISDS.

Here is the response EDRi submitted:




16 Jul 2014

UK: Emergency legislation on data retention pushed through

By Guest author

Faced with a lawsuit from NGOs challenging the legality of its data retention regulations (which are based on the data retention directive the European Court of Justice found unlawful in April 2014), the UK government brought in emergency legislation, a Data Retention and Investigatory Powers Bill (DRIP), to not only declare data retention to be still lawful but also expand the scope of both retention and lawful intercept in a number of ways.

For example, the UK government has awarded itself the extra-territorial power to demand assistance with surveillance of UK persons from foreign companies that provide communications services to people in Britain. This means that the UK security and intelligence services can demand that Google UK wiretap someone associated with Britain, rather than filing an application via the relevant mutual legal assistance treaty.

UK civil society campaigned actively against the new legislation. Many Members of Parliament (MPs) each received hundreds of emails from supporters of EDRi member Open Rights Group (ORG) and of the campaigning community 38 Degrees, as well as phone calls from concerned constituents.

The law was pushed through the House of Commons on 15 July, while the press were distracted by a reshuffle of the Cabinet. Following secret negotiations, it was supported by all three main parties. They claimed untruthfully that the new law creates no new powers. The government claimed that it was an emergency and that, without the law, the powers needed by the police to fight terrorists and paedophiles would be lost.

“This fast track legislation contains sweeping surveillance powers that will affect every man, woman and child in the UK. The Bill contains the powers for Government to continue to mandate the blanket retention of the communications data of the whole population for 12 months,”

concludes the briefing on the fast-track Data Retention and Investigatory Powers Bill by Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN.

“This is in direct contradiction of a Court judgement which held that blanket indiscriminate retention of communications data breached human rights.”

Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN briefing on the fast-track Data Retention and Investigatory Powers Bill

#DRIP heroes, round one (15.07.2014)

The DRIP myth list (14.07.2014)

(Contribution by Ross Anderson, EDRi member Foundation for Information Policy Research, United Kingdom, and Jim Killock, EDRi member Open Rights Group, United Kingdom)



16 Jul 2014

Slovenia: Data retention unconstitutional, deletion of data ordered

By Guest author

The Constitutional Court of the Republic of Slovenia abrogated the data retention provisions of the Act on Electronic Communications (ZEKom-1) in its judgement U-I-65/13-19 of 3 July 2014 following the constitutional request lodged by the Information Commissioner in March 2013 and ECJ judgment of 8 April 2014 in Joined Cases C-293/12 and C-594/12.

The Court abrogated ZEKom-1 articles 162, 163, 164, 165, 166, 167, 168 and 169 and instructed operators of electronic communications to delete retained data immediately after the judgment is published in the Official Gazette. The Court holds data retention to be disproportionate for the following reasons:

  • unselective retention of data constitutes a breach of the rights of a large proportion of the population that did not provide any reason to justify this;
  • blanket data retention does not provide for anonymous use of communications, which is particularly important in cases where untraceable use is necessary (e.g. calling for help in mental distress);
  • arguments for the selected retention periods (8 months for internet related and 14 months for telephony related data) were not provided nor explained in the legislative preparatory documents;
  • the use of retained data was not limited to serious crime.

The Slovenian Information Commissioner Nataša Pirc Musar welcomed the ruling and sees it as an important step in protection of the right to privacy and data protection. The Court recognised the importance of personal data protection in relation to the use of modern information and communication technologies, particularly when used by law enforcement as repressive bodies of the state.

The Commissioner has been regularly warning about the problems of major breaches of privacy by law enforcement created by introduction of surveillance technologies. These tend to be used indiscriminately on large proportions of population, thereby encroaching on their right to privacy and data protection. The availability of new technologies such as drones, IMSI catchers and similar has, in several cases, led to requests by the police to the Ministry of Justice to legislate their use and to provide legal grounds enabling their deployment. Unfortunately these requests have often not been backed by sufficient assessments as regards their impact on human rights. In order to allow for transparency and to ensure that new law enforcement powers respect the principles of necessity and proportionality, the Commissioner has issued guidelines on privacy impact assessments (PIA) for the introduction of new police measures, representing a methodological framework for a prudent, reasonable and legitimate introduction of new measures.

The Information Commissioner Pirc Musar emphasised that this is one of her most important achievements during her 10-year mandate which is now ending. The decision of the Court represents an important part in the debate about the necessity and proportionality of the use of surveillance measures and technologies in the context of law enforcement and intelligence agencies.

Request to the Constitutional Court (only in Slovenian)

Decision of the Constitutional Court (only in Slovenian, 03.07.2014)

Electronic Communications Act (ZEKom-1)

Information Commissioner of the Republic of Slovenia (only in Slovenian)

Privacy Impact Assessment (PIA) Guidelines for the Introduction of new Police Powers

(Contribution by Andrej Tomšič, Deputy Information Commissioner, Information Commissioner, Republic of Slovenia)



16 Jul 2014

Code Red, global initiative to support a reform of security services

By Heini Järvinen

More than two dozen civil society activists from fourteen countries have joined the steering group of an ambitious global initiative to accelerate police and security services accountability.

The project, Code Red, was conceived during the preparation of a report “A Crisis of Accountability” that was published in June 2014 on developments in the twelve months since the start of Edward Snowden’s disclosures. The report concluded that despite a substantial and potent response from civil society, there was also a clear need for greater strategic support, resources and communication between activists working in different disciplines.

The steering group includes many well-known figures in civil society, among them MI5 whistleblower Annie Machon, former Wikimedia General Counsel Mike Godwin, CIS India head Sunil Abraham, OpenMedia Canada’s David Christopher, Access Now’s Raegan McDonald, the Electronic Frontier Foundation’s International Rights Director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. Influential figures in the tech sector have also joined, including Jacob Appelbaum, the celebrated hacker who works at the core of Wikileaks, the Tor project and the Snowden disclosures, Whitfield Diffie, one of the pioneers of public key cryptography, and Bruce Schneier, possibly the world’s most influential security expert. It’s expected that more people will join the group over the next two weeks.

In mid July 2014, Code Red kicked off a four-month global consultation to identify options for its objectives and structure. Currently the working group members have an open mind on how the initiative may develop, but the overriding view is that it should aim to be a clearinghouse and resource centre for groups working on security reform.

In the UK, civil rights groups such as Privacy International and Big Brother Watch have launched legal challenges that have forced the government to make unprecedented disclosures about security activities. Code Red aims to support and promote such actions through a global communications and resource platform.

The initiative was founded by EDRi observer Simon Davies, who is regarded as one of the pioneers of the international privacy arena. Davies has wide experience of founding successful global initiatives, including the Big Brother Awards and Privacy International. In a summary of the initiative posted on Davies’ Privacy Surgeon blog on 10 July, he emphasised the need for cross-border and cross-disciplinary relationships, and declared: “It’s time to raise the stakes for secretive agencies that refuse to embrace accountability – and to do so fearlessly and relentlessly.”

“The many communities involved in this struggle – free speech, whistleblowing, anti-censorship, law reformers, policy reformers, privacy and the tech communities – must find a way to work together. A bridge of some sort should also be attempted with companies that are genuinely working to improve privacy and security,”

Davies told EDRi-gram, highlighting that his intention was not to create a new NGO, but to help support a “platform that supports a network of networks”.

According to Davies, many people involved in the initial dialogue around Code Red felt that the Snowden disclosures are just the tip of the iceberg. The involvement of law enforcement agencies, the military, international police organisations and other government authorities is largely unknown. “Snowden told us what security agencies do, but not what happens to this mass of information, which organisations use it or for what purposes. Police use of information – and international disclosure of that information – has largely escaped scrutiny in most countries. How civil society finds the means to counter this vast activity is a crucial challenge.”

“My personal view is that we need to look beyond the security services to understand the bottom-feeders in the data chain. We already have adequate evidence that police services are immersed in corrupt and unlawful practices, as evidenced by the use by Dutch police of “Stealth SMS” technology to circumvent legal safeguards, and the unlawful disclosure of personal information to journalists by London’s Metropolitan Police, uncovered during the News of the World phone hacking inquiries,” Davies added.

The steering group membership will be published in full on the website in the fourth week of July 2014.

Global security analysis reveals widespread government apathy following Snowden disclosures (10.06.2014)

UK intelligence forced to reveal secret policy for mass surveillance of residents’ Facebook and Google use (17.06.2014)

Code Red, a global initiative to support national security reform (10.07.2014)

Dutch parliament wants clarification on using “Stealth” SMS in espial (21.08.2013)

Metropolitan Police role in the news media phone hacking scandal



16 Jul 2014

Almost one in five sites blocked by filters in the UK

By Heini Järvinen

EDRi member Open Rights Group’s (ORG) Blocked project reveals that nearly one in five of the most popular websites are blocked by at least one of the “voluntary” filters implemented by Internet Service Providers (ISPs) in the United Kingdom when strict filtering settings are used.

The UK ISPs filter and block the sites by default. The filters, installed on the mobile and broadband networks, were ostensibly implemented to protect children from being exposed to adult content. However, besides pornography, violence, gambling, drugs and alcohol, a great deal of legitimate non-adult content sites that are not necessarily harmful to children have ended up being blocked.

As a follow-up to its Mobile Filtering Report launched in May 2012, ORG has built a website that offers any web user a free checking tool that can be used to find out if a website has been blocked by filters in the UK’s main Internet networks. Over 130,000 sites have already been checked through the Blocked project; almost one in five of them is blocked by at least one of the ISPs under the stronger settings, and around one in ten under the standard settings.

The arbitrary, groundless blocking affects individuals looking for information, but also businesses and non-profit organisations.

“Filters can stop customers accessing your business, block political commentary or harm your education,” said Jim Killock, Executive Director of ORG. “The government has told everybody that they have to take child safety extremely seriously and that filters are in some way an answer to that. People are being pushed into filtering lots of content that they simply don’t need to and is not dangerous to children.”

Some of the more ridiculous examples of sites that were blocked include the well-known conservative blog, women’s rights website and feminist blog

Ironically, the former CEO of TalkTalk, one of the UK’s largest ISPs, phoned EDRi late on a Friday evening a few years ago to complain about our position on blocking. He completely rejected our contention that blocking of allegedly illegal material, in the absence of any democratic or judicial controls, would lead to blocking of legal content. The conversation was very polite – we agreed to disagree.

“We would really appreciate it if TalkTalk would remove us from their block list. The only people who block us are them, and the Chinese government.”

- Paul Staines, Editor, Guido Fawkes’ blog

ORG’s Blocked project finds almost 1 in 5 sites are blocked by filters (02.07.2014)

UK’s web filters blocking nearly one-fifth of the world’s most popular websites (03.07.2014)

Internet filters blocking one in five most-popular websites (02.07.2014)

Nearly 20% of the most popular sites are blocked in the UK (only in French, 04.07.2014)

Mobile Internet censorship: what’s happening and what we can do about it (14.05.2012)



16 Jul 2014

Germany asks CIA chief to leave the country over spying scandal

By Heini Järvinen

On 10 July 2014, the German government told the senior CIA representative in Berlin, known as the station chief, to leave the country over spying allegations.

The decision came one day after German authorities searched an apartment and an office of a German military intelligence official alleged to have been working for US intelligence. A week earlier, a German intelligence operative was arrested on suspicion of being a CIA informant and admitted handing over confidential documents to a US contact.

Ever since the revelations in 2013 based on the documents leaked by Edward Snowden, US spying has been a sensitive issue in Germany. The two new cases of alleged American spying, together with the scandal raised by the NSA surveillance programs whose targets included chancellor Angela Merkel, have further chilled the German–American relations. Germany has demanded a mutual “no-spy deal” which Washington has refused.

“Spying on allies – is a waste of energy. In the Cold War maybe there was general mistrust. Today we are living in the 21st century. Today there are completely new threats. We should concentrate on what is essential,” said Merkel. “I can’t say in advance if [the measures taken] will have an effect, of course I hope something will change. But the important thing is to show how we view things – and it is not a co-operative partnership when such things take place.”

“Our decision to ask the current representative of the US intelligence services to leave Germany is the right decision, a necessary step and a fitting reaction to the break of trust which has occurred,” explained Frank-Walter Steinmeier, the German Foreign Minister. “Taking action was unavoidable, in my opinion. We need and expect a relationship based on trust.”

Despite the dissenting views on the work of intelligence services, both Germany and the US have highlighted their willingness to continue working closely together.

“It is essential that cooperation continue in all areas and we will continue to be in touch with the German government in appropriate channels,”

stressed a White House spokesperson.

Germany asks CIA station chief in Berlin to leave country over US spying row (10.07.2014)

Berlin tells CIA station chief to leave in spy scandal (10.07.2014)

Germany orders CIA station chief to leave over spying allegations (10.07.2014)

Germany “right” to expel CIA official in US spy affair (11.07.2014)

Merkel blasts US spying, hopes Washington will change tack (12.07.2014)

Hunting American spooks: Germany prepares further spying clampdown (14.07.2014)



16 Jul 2014

ENDitorial: Child abuse online: Is ignorance the best policy?

By Joe McNamee

Why is online child abuse so unimportant that, politically, it does not need laws? Why is online child abuse so unimportant that the policies that are proposed to address this problem are never subject to review to test their effectiveness? Why is online child abuse protection so unimportant that policies that are implemented are never subject to any review?

Sweden and the United Kingdom both introduced web blocking in the middle of the last decade. In both cases, this was as a result of political and media pressure and, in neither case, on the basis of any particular evidence. Having been set up without any evidence of usefulness, the systems have never been subjected to any analysis to find out if they are useful or, worse still, if they might actually be causing problems.

The issue of whether the blocking systems could be worse than useless is a serious one. Blocking lists have “leaked” into the public on more than one occasion. Only last week, a hacker was able to gain access to – and publish – the list of web pages blocked on an ad hoc basis in Germany. And, of course, if one well-intentioned hacker could do it and publish the fact that this had been done, it is entirely possible that one or ten or twenty ill-intentioned hackers have been doing this every day of every week since this blocking system was introduced.

The stubborn refusal of “child protection” authorities to submit any of their policies to any form of democratic control or any sort of assessment of usefulness is probably unique in the policy-making world. The very real risk of the list being hacked and becoming a tool for obtaining access to illegal material was obvious. So, what was the corresponding benefit? Nobody ever asks the question. If it is to prevent deliberate access, where is the evidence to suggest that feeble blocking systems achieve this goal? If it is to stop accidental access, where is the evidence to suggest that this happens in real life?

So, we come back again to the question. Why is child protection online so utterly unimportant that policy can be developed where the goals are unquantified and, frequently, unknown and where the risks are very real and verifiable?

Instead of real research, we get blatant nonsense. The UK’s blocking industry leader, the Internet Watch Foundation (IWF), with income of nearly one and a half million pounds last year, is not shy in generating clever headlines. In March 2013, it published a press release saying that 1.5 million adults in the UK had “stumbled upon” child abuse material. This statistic is truly shocking.

Shocking… except… the figure was based on an opinion poll that produced results that showed that 4% of men and 2% of women THOUGHT they had possibly stumbled upon child pornography and the IWF chose to ignore the fact that 75% of people that contact the IWF to report “illegal” content are, in fact, mistaken. So, the correct figures can reasonably be assumed to be 1% of men and 0.5% of women. So, we discover that 1% of men and 0.5% of women, to an accuracy of plus or minus 3%, accidentally accessed child pornography – which tells us precisely nothing. We should hope that the IWF honestly believed that their “statistics” were meaningful and not grossly manipulative and misleading.

The blocking “voluntarily” introduced in the UK for dubious child protection reasons has now devolved into a blocking free-for-all where everything from a conservative blog to a Porsche brokerage to a feminist blog is blocked, while the Swedish private and for-profit company Netclean recently hit the jackpot with a contract for 40 million Euro to provide blocking and filtering technology to Turkey, which has been repeatedly condemned before the European Court of Human Rights for illegal blocking. Netclean’s software comes “pre-configured” with the IWF blocking list but, usefully, can use “multiple lists”.

New study reveals child sexual abuse content as top online concern and potentially 1.5m adults have stumbled upon it (18.03.2013)

Internet Watch Foundation annual & charity report 2013

Netclean and IWF

(Contribution by Joe McNamee, EDRi)



16 Jul 2014

ENDitorial: Commission Communication on IP Enforcement

By Joe McNamee

On 1 July, 2014, the European Commission launched an oddly-named Communication entitled “Towards a renewed consensus on the enforcement of intellectual property rights.” It is good to see the Commission being ambitious, but renewing something that never existed appears to be quite challenging.

The document opens by referring to the impressive statistic that a “recent study has estimated that IPR-intensive sectors account for around 39% of EU GDP”. Sadly, the Commission chose to include this “statistic” in the full knowledge that the methodology of the study has absolutely no credibility. The fact that the Commission chose not to provide a link directly to the dodgy “research” indicates they are aware of this. The study “borrowed” the methodology of a US study that used absurdly broad definitions that led to grocery stores being classified as the number one “IP intensive industry” in the USA.

Having started to renew the “consensus” on the basis of demonstrably nonsensical “statistics”, the Commission then turns to the enforcement of intellectual property rights (IPR) against “commercial scale” infringers. There is a small problem here: what does “commercial scale” actually mean? The Commission appears to be completely clear on the issue in its Communication. However, the Commission is also clear that it does not know what “commercial scale” means – having pointed out in its 2012 Roadmap on a revision of the IP Enforcement Directive that a “clearer definition of “commercial scale”” was needed to avoid end-users being unfairly targeted. So… the Commission is seeking a “renewed consensus” on a point where it cannot agree with itself whether existing definitions are adequate or not.

The Communication then delves back into the reservoir of questionable statistics – again failing to link directly to the report in question – simply giving the domain name (presumably of the author of the report), which is owned by a company that has a clear vested interest in over-estimating the scale of the problem, as it offers IP protection tools. The Communication explains that a global report found, on the basis of a small sample size of 800 undefined “senior executives”, that 11% of their companies were “victims” of IP infringements. The actual report says that 11% said that they believed that their companies were “affected”. Being affected by something is not the same as being a victim. EDRi’s Creative Commons licences are occasionally breached, usually inadvertently. We are affected by these breaches, but we would certainly not call ourselves victims. The Commission is not in consensus (renewed or otherwise) with the report whose statistics it is imaginatively re-engineering.

On the basis of this rather weak, if not downright misleading introduction, the Commission sets itself a series of “actions”. The first action is to raise awareness among the public (who are forced to live with the incoherence, contradictions and unpredictability of the chaotic, disjointed and incomprehensible European copyright regime) of the economic damage that THEIR actions.

It is, however, the third action, “voluntary” measures and “follow the money” that is the most outlandish. The US payment service providers (the credit card companies and PayPal) and US online advertising industry have already signed agreements with the President of the United States to take voluntary, ad hoc punitive measures against non-US services that are suspected of breaching US law. Those companies are not going to change their agreements with the US President, they are not going to be obliged to follow the rule of law, as the EU should be demanding. Instead, the European Commission is proposing to do tomorrow what the companies in question were already doing yesterday.

Commission Communication: Towards a renewed consensus on the enforcement of Intellectual Property Rights: An EU Action Plan (01.07.2014)

Roadmap for review of the IP Enforcement Directive

EPO and OHIM publish misleading report on intellectual property rights intensive industries in EU economy (01.10.2013)

Kroll: 2013/2014 Global Fraud Report

Payment providers: 2011 US Intellectual Property Enforcement Coordinator Annual Report on Intellectual Property Enforcement

Advertising networks: White House and ad networks release best practices (19.07.2013)

(Contribution by Joe McNamee, EDRi)



11 Jul 2014

Job vacancy: EU Advocacy Manager

By Heini Järvinen

Do you have the energy and ambition to join a small non-governmental organisation that is defending civil and human rights in the digital environment? European Digital Rights’ Brussels office is looking for a talented, dedicated Advocacy Manager who will be responsible for leading the organisation’s work on copyright and data protection issues.

EDRi was founded in June 2002; its Brussels office opened in 2009 and has expanded from one to five employees over the past three years. Some examples of regulations and developments that have the attention of European Digital Rights are copyright and data protection reforms, surveillance, filtering and blocking of internet content and net neutrality.

The Advocacy Manager will have to provide policy-makers with expert, timely and accurate input, provide EDRi’s members with information about the European Union’s relevant legislative processes, coordinate the organisation’s working groups, develop campaign messages and provide the public with information about the EU’s relevant legislative processes and EDRi’s activities.

Please note that this position is for an initial one-year period to be extended if funding permits.

Qualifications and experience:

  • A university degree in law, EU affairs/policy or a related field;
  • Demonstrable knowledge of, and interest in, a wide range of copyright law, privacy law and data protection issues;
  • Knowledge and understanding of the EU, its institutions and its role in human rights issues;
  • At least three years’ work experience;
  • Experience of creating networks of influence;
  • Understanding of issues related to the intersection of technology and human rights;
  • Exceptional communications and presentation skills, both written and oral;
  • Good IT skills, notably in using free and open software;
  • Strong multitasking abilities and ability to manage multiple deadlines;
  • Experience of working with and in small teams;
  • Experience of organising events and/or workshops;
  • Ability to work in English and French. Other European languages an advantage.

To apply, please send a CV and covering letter to michela.petruzzo(at) by 21 July 2014.