A measure which would be illegal if implemented by a government should also be illegal if implemented by industry as a “voluntary” measure, as a result of government pressure or for public relations or anti-competitive reasons. However, as key international legal instruments, such as the European Charter of Fundamental Rights and the European Convention on Human Rights, as well as national constitutions are binding for states and governments, they are not directly applicable to other entities, such as private companies. As a result, there is a major trend towards governments persuading or coercing companies to impose restrictions on fundamental freedoms under the guise of “self-regulation,” thereby circumventing legal protections.

24 Nov 2014

Price discrimination – the Commission’s plan B to undermine net neutrality?

By Joe McNamee

The European Commission is energetically defending the “right” of telecoms operators to use price discrimination, arguing that this is not a breach of net neutrality.

In price discrimination, the telecoms company establishes itself as a monopoly “gatekeeper” of access to its own customers. In other words, big online companies like Google and Facebook can pay to have their services accessible “for free”, while other services are paid for per megabyte or gigabyte downloaded.

In other forms of non-neutrality, the telecoms company establishes itself as a monopoly “gatekeeper” of access to its own customers. That means that big online companies like Google and Facebook can pay for preferential treatment for its services, while others are excluded due to blocking or throttling of their services.

Put simply, in one case, the big telecoms operators are allowed to create a new monopoly (access to the operator’s customers) while, in the other, the big telecoms operators are allowed to create a new monopoly (access to the operator’s customers).

The Commission argues that there is a fundamental difference in practice between an online service being disadvantaged by blocking and being disadvantaged by price discrimination.

The Commission also believes that the telecoms operators will not be able to levy specific charges to pay for particular online services, such as Whatsapp or Skype. However, if it is “free” to use an operator’s partner service while the use of Skype risks incurring additional download charges (particularly in the mobile environment), then this has the effect of a specific charge being levied.

While the Commission argues that this discrimination is not discrimination and that it is not possible to implement this kind of discrimination anyway, the Digital Fuel Monitor listed 75 different examples of this kind of abuse happening in the market in Europe.

Of course, the Commission’s position on price discrimination is simply what it inherited from ex-Commissioner Neelie Kroes. The new Commission appears not yet to have developed a clear position (although this has not stopped Commission officials from continuing to push the old arguments).

On the one hand, Digital Agenda Commissioner Günther Oettinger appears to be distancing himself from the great success of telecoms liberalisation in Europe, arguing that the market should be consolidated (less competition!) and that the EU’s regulatory actions should be focussed on giving profits to telecoms operators.

On the other hand, the Commission Vice-President Andrus Ansip, with overall responsibility in this field seems to have very different views. He defended policies in his nomination hearing which are the opposite of the Commission’s current position – “All the traffic in the Internet has to be treated equally, nobody has [the] right to abuse their dominant position in the market or gate keeper’s position.” “Treated equally” clearly covers both in the network and also in the bills of consumers.

No gatekeepers. No discrimination. Thank you Vice-President. We couldn’t agree more.

24 Nov 2014

Draft Commission Work Programme 2015: huge challenges for digital rights

By Kirsten Fiedler

EDRi has obtained a copy of the draft Commission Work Programme 2015. For those who have followed the nomination hearings of the Commissioners, this draft programme does not contain any major surprises. However, it does show the huge number of proposals and initiatives that will have a direct impact on our fundamental rights and freedoms in the coming years. Juncker’s aim is to adopt the Work Programme on 16 December in Strasbourg.

In a letter to the Commissioners, he explains that the draft Commission Work Programme consists of new initiatives, pending proposals and withdrawals of legislation – all with the aim of achieving his ten-point plan for Europe. In addition to the key list of initiatives and proposals, he invites all Commissioners to propose additional items – or to review the necessity of pending proposals – in light of the mission letters that were sent out along with the nominations in September.

Among the new initiatives in the draft list for 2015, in the work area of the “Connected Digital Single Market”, the document lists a “plan on cyber-security” and the already-announced reform of the E-Privacy Directive (once there is an agreement on the data protection reform).

Among the new major new initiatives that were initially proposed by the Secretariat General, the Commission announces a Digital Single Market Package (Q2 2015) and a proposal on copyright reform (2015). As we have pointed out on many occasions, copyright rules are no longer fit for the digital age and a move away from failed repressive measure towards a comprehensive reform would be more than welcome.

Furthermore, the document mentions a “possible amended proposal for Telecoms package” – which might include yet another effort at undermining net neutrality rules. Currently, the EU Member States (in the Council) is discussing the Telecoms Single Market Regulation and may delete some of the pro-net neutrality rules adopted by the European Parliament (EP). If the Regulation is amended to weaken those rules, we will have to work hard to ensure that the EP stands behind its decision and its defence of an open Internet.

Furthermore, the Commission announces its work on a “reasonable and balanced” Free Trade Agreement with the US (TTIP) – a peculiarly defensive wording. Why refer to the need for TTIP to be “reasonable and balanced” other than because the risk of this not being the case? This will be certainly one of the most important dossiers for digital civil rights that EDRi will be dealing with in the coming year. This is not only true for general concerns regarding the transparency of the negotiations but also with regard to the possible inclusion of data protection, protections for vigilantism by internet companies and copyright provisions.

In the area of Justice and Fundamental Rights, the Commission announces the long awaited accession to the European Convention on Human Rights (ECHR) and the conclusion of negotiations on a comprehensive data protection agreement with the US. Conclusion of these two sets of negotiations would market the end of a long process. Accession of the European Commission to the ECHR would be an historical step and is an important re-affirmation that any kind of restriction of fundamental rights needs to be “prescribed by law” (Article 10(2) ECHR).

Lastly, we welcome the announcement of Commission’s work aimed at increasing transparency of the institutions. The draft programme mentions the introduction of an Inter-Institutional Agreement (IIA) to create a mandatory lobby register for the EP, the Council and the Commission. This step is certainly long overdue. The previous Commission developed some atrocious habits on transparency, making access to documents unnecessarily bureaucratic and difficult – we would welcome any moves to consign this approach to history.

There is more than enough work for European Digital Rights in this new legislature. While the Commission is finalising its work programme, European Digital Rights started working on a public fundraising campaign which will be launched in the coming weeks. Now more than ever, EDRi needs your support to continue defending and promoting your rights and freedoms at EU level.

Draft Commission Work Programme 2015:


20 Nov 2014

Leaked documents show net neutrality may be in danger!

By Maryant Fernández Pérez

On 14 November 2014, the Italian Presidency presented amendments to the Telecommunications package for comment by the Member State delegations. We are hereby making the document and its annexes publicly available (Note and addendum). These documents show that the Italian Presidency is now back-pedalling on meaningful net neutrality protections – having previously made some much more meaningful and positive suggestions. It presented a “principles-based approach” to the Member States “in order not to inhibit innovation and to avoid” having an outdated regulation in the future. In reality, all the text would do is add confusion for freedom of communication and online innovation.

The text proposes the removal of the definitions of “net neutrality”. “Instead of a definition of net neutrality there could be a reference to the objective of net neutrality, e.g. in an explanatory recital, which would resolve the concerns that the definition might be at variance with the specific provisions.” Yet, without meaningful and enforceable net neutrality provisions, the fundamental right to receive and impart information would be hindered – with significant costs for growth, investment and innovation.

Additionally, the text removes the definition of “specialised services” from Article 23. The deletion would in principle not be such a bad idea, as long as non-discrimination was clearly supported by the text. Sadly, the proposal would achieve the opposite:

“Traffic management measures that block, slow down, alter, degrade or discriminate against specific content, applications or services, or specific classes thereof” could be maintained by providers of Internet access services under certain circumstances, such as to “prevent the transmission of unsolicited communications” (which seems strange because an e-mail service is not an internet access service); to prevent “temporary congestion control” (whose exceptional nature should be clarified not to be the default); or to meet their “obligations under a contract with an end-user to deliver a service requiring a specific level of quality to that end-user” (which makes little sense in the “best effort” Internet).

The biggest gap in the Council text however is that Article 23 fails to prohibit discrimination on the basis of billing. Allowing “free” access to certain services and metered access to everything else is as much – and as damaging – an infringement of net neutrality and the fundamental right of freedom to impart information, as any blocking or filtering. If people have to pay extra to access your website (or if you have to pay internet companies to allow them to do so), then the essence of the open internet has been dismantled.

The proposal also makes a bizarre reference to the legislation being without prejudice to the lawfulness of “information, content, application [sic] or services” – even though nothing in the text could possibly be understood as legalising illegal content. The purpose of this text appears to permit the widespread arbitrary “voluntary” blocking practised in some EU Member States, most notably the United Kingdom. If this is the meaning, then it is in clear and obvious breach of the EU Charter of Fundamental Rights.

In sum, this last proposal of the Italian Presidency would weaken citizens’ rights and annul the strong provisions adopted by the European Parliament in April 2014. If adopted, the text would lack the much needed protections to prevent internet access providers from creating a new monopoly – access to their customers. With all of the talk of the need for a single digital market in Europe, we would have new barriers and new monopolies.

National regulators would not have clear enforceable obligations to preserve citizens’ digital rights and freedoms by default. After Obama’s recent declarations emphasising the importance and need of real net neutrality, is the Council going to suggest leaving Europe in the slow lane?

The Member States are and will be discussing this document in the Council today and tomorrow. Any text that is adopted would need to be approved by the European Parliament before becoming law.

Leaked documents (14.11.2014)

The Members States will discuss it in the Council today and tomorrow (17.11.2014) (19.11.2014)


19 Nov 2014

ENDitorial: Transparency in TTIP? Yes, but in practice, please!

By Maryant Fernández Pérez

The EU and the US are currently negotiating the Transatlantic Trade and Investment Partnership (TTIP), which is a wide-ranging agreement likely to affect digital rights and freedoms. Lack of transparency is at the core of the criticism regarding the negotiations surrounding TTIP and the conclusion of a flurry of free trade agreements.

The TTIP negotiations officially started more than one year ago. In June 2013, the Council of the European Union provided the European Commission with the directives for the negotiations. Nevertheless, the mandate was not officially published until sixteen months later, on 9 October 2014. Many EU and national politicians have praised its publication for bringing greater transparency to the process. However, they appear to have conveniently “forgotten” what the former EU Commissioner for Trade, Karel De Gucht, recognised when referring to the mandate before the European Parliament on 15 July 2014: “By the way, everybody has it. It is on the Internet. So what are you talking about?” If publishing something that is already public is “transparency”, we are not heading in the right direction.

Due to the concerns raised by civil society and the increasing opposition to the TTIP, the European Ombudsman launched a public consultation. The European Ombudsman is currently analysing the 300 responses (including EDRi’s) and the 6 000 emails received regarding TTIP. In EDRi’s response, we identified areas for improvement, suggested changes and asked the European Ombudsman to extend her inquiries to other free trade agreements.

Contradictions regarding the secrecy/openness of the negotiations continue to appear not only in TTIP, but also in other free trade agreements negotiations. To the question “Are [Trade in Services Agreement, TiSA] negotiations secret?”, for instance, the Commission responded “No. Trade negotiations are not held in public, but they are not secret.” Actively withheld from the public but not secret – it is hard to see the difference. To our knowledge, the very first document for opening the negotiations still has not been published. The mandate for the TiSA was approved by the Council of the European Union in March 2013, before the TTIP’s mandate. Why is the TTIP mandate now made “public” and not the others? Is it because the TiSA mandate has not leaked yet?

The European Commission, the Council and the Member States seem to have realised the need for transparency. According to a document published by the Council, they want to do so by strengthening their communication, “explain[ing] the basics of the negotiations and [addressing] criticism”. However, transparency is not itself achieved by having more proficient spin doctors telling people that they know what they don’t know. Transparency is achieved by opening the negotiations to the public. Otherwise, mistakes seen in the ACTA negotiations may be repeated.

The new EU Trade Commissioner, Cecilia Malmström, has announced a “fresh start” in the TTIP negotiations. We welcome such approach in practice, not only for the TTIP, but for all free trade agreements – to the benefit of democracy and good policy-making.

EDRi’s response to the European Ombudsman’s Public Consultation on transparency in the TTIP negotiations (31.10.2014)

Minutes of the TTIP debate at the European Parliament (15.07.2014)

Leaked negotiating mandate for the TTIP (18.09.2013)

TTIP’s Mandate declassified (09.10.2014)

(mis)Communicating TTIP (10.11.2014)

Malmström plays transparency card, but gets timid applause (30.09.2014)



19 Nov 2014

UN calls for balance between privacy and security

By Heini Järvinen

In a special discussion at the Human Rights Council in Geneva, Flavia Pansieri, the United Nations (UN) Deputy High Commissioner for Human Rights, expressed her concern about increasing mass surveillance programs conducted by states and private corporations. Ms. Pansieri highlighted the importance of demonstrating that interferences with an individual’s right to privacy are both necessary and proportionate to address the specific identified security risk.

“Mandatory third-party data retention – where telephone companies and internet service providers are required to store metadata about communications by their customers, for subsequent access by law enforcement and intelligence agencies – appears neither necessary nor proportionate,” she said.

Ms. Pansieri’s call is one of the several attempts by the UN to tackle the issue. In June 2014, the High Commissioner for Human Rights published a report “The right to privacy in the digital age”, to respond to the global concern at certain surveillance practices and the threat they pose for human rights. The report gives examples of digital surveillance used to target political opponents or dissidents, and cases in which governments have demanded the access to traffic on the networks of telecom companies, threatening to otherwise ban their services. It recognises the necessity for surveillance of electronic communications, conducted in compliance with the law, for legitimate law enforcement or intelligence reasons, but points out that mass surveillance programs “raise questions around the extent to which such measures are consistent with international legal standards and whether stronger surveillance safeguards are needed”.

Another report, published in September 2014, focuses on the implications of mass digital surveillance for counter-terrorism purposes to the right to privacy. Ben Emmerson, the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, presented the report in the UN General Assembly on 23 September, saying that

“states need to squarely confront the fact that mass surveillance programmes effectively do away with the right to online privacy altogether”.

In the report Mr. Emmerson draws attention to the fact that states are able to easily maintain an overview of Internet activity of specific individuals or organisations, and that it’s possible without any prior suspicion related to them. He reminded that this kind of surveillance “amounts to a systematic interference with the right to respect the privacy of communications and requires a correspondingly compelling justification”. The report concludes that “merely to assert – without particularisation – that mass surveillance technology can contribute to the suppression and prosecution of acts of terrorism does not provide an adequate human rights law justification for its use”.

In 2013, the UN General Assembly adopted a resolution (68/167) on the right to privacy in the digital age. The final report prepared by the High Commissioner for Human Rights is expected to be presented at the UN General Assembly in 2015. It will be contributing to the development of an international convention on surveillance issues by giving recommendations and clarifying principles, standards and best practices to allow states to defend their safety respecting the international human right laws.

UN against mass surveillance on the Internet (only in French, 17.11.2014)

Mass surveillance: exceptional measure or dangerous habit? (13.11.2014)

UN General Assembly: Promotion and protection of human rights and fundamental freedoms while countering terrorism (23.09.2014)

The right to privacy in the digital age – Report of the Office of the United Nations High Commissioner for Human Rights (30.06.2014)

UN special rapporteur slams US, UK spying on Internet users (24.10.2014)

Right to online privacy at risk as governments engage in mass surveillance – UN expert (23.10.2014)



19 Nov 2014

Obama urges the FCC to adopt rules to ensure net neutrality

By Heini Järvinen

In a speech on 10 November, US President Barack Obama made a strong statement calling for net neutrality. He urged the Federal Communications Commission (FCC) to adopt rules to prevent Internet access providers from blocking or slowing down content, and from charging service providers to let them use a “fast lane” to reach their clients.

Obama emphasised the importance of a free and open Internet, stating that its effects on Americans’ lives can be compared to phone service or electricity, and consequently broadband services should be regulated as any other public utility. Obama suggested that the provision of internet service should be placed under Title II regulation of the Telecommunications Act, which regulates how common carriers must conduct business across all forms of communication in order to act “in the public interest”. This re-classification is a long-standing demand of net neutrality proponents.

“I believe the FCC should create a new set of rules protecting net neutrality and ensuring that neither the cable company nor the phone company will be able to act as a gatekeeper, restricting what you can do or see online,” Obama said is his video statement. “If carefully designed, these rules should not create any undue burden for Internet Service Providers (ISPs), but combined, these rules mean everything for preserving the Internet’s openness.”

FCC Chairman Tom Wheeler responded to Obama’s call shortly after it had been published, in a previously scheduled meeting with the major Internet companies. He expressed his support to the principle of upholding “an open platform for free expression, innovation and economic growth”, but argued that the concerns of access providers have to be taken into consideration as well, and that the approach adopted should “withstand any legal challenges it may face”. He repeatedly highlighted the fact that the FCC is an independent agency, and makes its own decisions independently of the president’s proposals.

It still remains to be seen if the FCC will listen to Obama’s recommendations. However, they represent an important step towards real net neutrality protections globally. It is now crucial that Europe does not find itself left in the slow lane in the race for an adoption of urgently needed net neutrality rules.

Obama asks FCC to adopt tough net neutrality rules (10.11.2014)

EFF: The White House Gets It Right On Net Neutrality. Will the FCC?

FCC chair said to balk at Obama’s net neutrality plan (11.11.2014)

Pressure mounts on FCC chief over net neutrality rules (12.11.2014)

The split between Obama and the FCC on net neutrality, in plain English (12.11.2014)

Questions and answers about Obama’s open Internet plan (13.11.2014)



19 Nov 2014

Denmark plans to use PNR data for increased Schengen border control

By Guest author

In Denmark, there is currently a public consultation for a new draft law which aims at improving the border checks at Denmark’s Schengen borders. Formally, the Schengen Border Code has abolished border checks at EU’s internal borders, but, under Article 21, member states are still allowed to carry out identity checks in the border territory, as long as the process is clearly distinct from systematic checks on persons at the external borders. In practice, this means that only spot checks are allowed at Schengen borders.

The draft law introduces a new legal framework for checking foreigners for illegal residence in Denmark. This part is inspired by Articles 4.17a and 4.17b of the Dutch decree on foreign nationals of 2000 (Vreemdelingenbesluit 2000), as well as a couple of recent judgments from the Court of Justice of the European Union (CJEU) clarifying the Schengen restrictions on identity checks in the border territory (C-188/10, C-189/10 and C-278/12).

Moreover, the Danish police will be allowed to use “intelligence-led policing” methods for improving the efficiency of the border control (identity checks). This involves collecting personal data on citizens passing the border and using that data for profiling and risk assessments of illegal immigration.

For citizens entering Denmark by car, automatic number plate recognition (ANPR) technology will be used. In a report about border control published in October 2014, the Danish Ministry of Justice cited a statement from the European Commission that the Dutch use of ANPR technology for control purposes in the border territory was not inconsistent with the Schengen Border Code.

ANPR will be used for counting the number of foreign motor vehicles entering Denmark (anonymously, it is claimed) for statistical purposes, and during specific time periods, the number plates of all foreign motor vehicles will be retained for further analysis. These number plates will be checked against Europol databases of wanted motor vehicles. It is also possible that the historic travel pattern of an individual motor vehicle will be used for the police analysis, for example the number of times that the motor vehicle has entered Denmark from Germany. A Danish police director has made statements to the media which could suggest that this type of individual profiling will be used. The Danish police is currently in the process of seeking approval of their ANPR plans with the Danish Data Protection Authority, so the specific use of ANPR could change. Barbara Körffer from the Schleswig-Holstein data protection authority (ULD) has expressed her concerns about the Danish ANPR plans in border areas in an interview with a daily newspaper Flensborg Avis on 18 October, as a similar surveillance scheme for Schleswig-Holstein was found unconstitutional in 2008 by the Federal Constitutional Court of Germany (BVerfG), but the preliminary reaction towards the ANPR plans from the Danish Data Protection Authority has been more forthcoming.

Border control at Danish airports for Schengen flights will also be based on data analysis of travellers, and passenger name records (PNR) will be used for that purpose. The draft law amends the Danish Alien Act with a new section that authorises the Minister of Justice to lay down rules for police access to PNR data in booking systems of airlines with flightsfrom other Schengen countries to Denmark.

The commenary of the draft law do not include a precise list of the specific PNR data which can be collected, for how long the PNR data can be retained by the Danish police, or an exhaustive list of purposes for which the PNR data can be processed. The comments only state that the purpose is risk assessment of illegal immigration, and among other things this will be based on information about suspicious ticket purchases and travel routes. It is not entirely clear from the comments of the draft law whether the data analysis will include profiling of individual passengers or just profiling of flights, but since ticket purchases and travel routes of passengers are mentioned specifically, some element of personal data processing is involved in the profiling scheme. Needless to say, the collection of PNR data is also processing of personal data.

In 2006, the Danish Parliament passed two laws granting police direct access to PNR data in the booking systems of airlines for, respectively, external border control (Alien Act) and anti-terror investigations. However, in 2012 the Ministry of Justice concluded that booking systems of airlines were too diverse, and that the planned pull method would not work. Instead, the Ministry of Justice wanted to wait for the adoption of the EU PNR Directive which is based on a push method with a standardised data format.

Against the background of the extensive rights of Danish police with regard passenger data, it is rather astounding that the Danish government now plans to introduce a new pull-method access to PNR data, this time for the purpose of checking (some) Schengen flights for illegal immigration. There are no comments in the draft law about earlier technical problems, or the apparent change of strategy in 2012 to await the possible adoption of the EU PNR Directive and a European-wide push-method system for exchange of PNR data.

The new Danish PNR initiative comes at a time when the PNR issue is becoming a hot topic at the European level. The UK government also wants access to PNR data from other EU Members States, but some are refusing, among them Germany. According to a recent article in the Guardian, the UK government is threatening to impose bans on airlines which refuse to hand over passenger lists in advance for British security screening.

Draft law with amendments of the Alien Act for more effective control in border areas and airports (only in Danish, 07.11.2014)

EDRi-gram: Denmark about to implement a nationwide ANPR system (02.07.2014)

More surveillance at the Danish border, Flensborg Avis (paywall, only in Danish with German summary, 18.10.2014)

German airlines face ban on UK landings without passenger lists, The Guardian (05.11.2014)

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)



19 Nov 2014

PNR: Losing rights and paying for it

By Diego Naranjo

Passenger Name Records (PNR) are files containing information provided by the passengers and collected by air carriers for commercial purposes. PRN can contain information ranging from itineraries, to credit card numbers and meal preferences. The fact that this type of data is obtained by flight companies is not new; similar data may be obtained internally by other private companies in other contexts, such as fidelity cards on supermarkets. The difference is that governments are seeking to have access to the PNR data in a systematic legal basis. The information can then be stored for months or even years and used to guess at who might be engaged in serious illegal activity.

The EU has been trying to introduce a Directive regulating the use of PNR at the EU level, but the proposal was rejected in the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament in April 2013. Now the Directive on the use of PNR data is again on the LIBE agenda. This proposal, if adopted, would oblige air carriers operating flights between the EU and third countries to transfer PNR data to the national authorities in the Member State of departure or arrival.

In order to circumvent the European Parliament’s opposition to the Directive, the European Commission has been funding national PNR implementations on an unsystematic basis. This is generating a disharmony of the single market, instead of harmonising it, which the European Commission is expected to contribute to. The European Commission now argues it is obliged to resolve the disharmony introducing the Directive. This apparently duplicitous behaviour was the subject of heated exchanges in the European Parliament recently.

The necessity and proportionality of the PNR agreements and the proposed Directive have been discussed for a long time. The Fundamental Rights Agency, the European Data Protection Supervisor and the Centre for European Policy Studies (CEPS) have criticised different aspects of PNR. Furthermore, after the Court of Justice of the European Union (CJEU) ruling on data retention in April 2014, many doubts arise about how this proposal, as well as the agreements already in force with the US and Australia, can be legal at all. It is also very difficult to come up with coherent arguments to justify how, if the EU-Australia PNR agreement is necessary and proportionate, the more extensive EU-USA PNR agreement could not be considered to have crossed the bounds of what is necessary, proportionate and, therefore, legal.

There are also more mundane costs associated with excessive and needless airline data recording. It is not only that Governments will have access to a large amount of personal data of European citizens, but the cost may be higher than many realise. A BBC Watchdog report followed the issue of the payment of excessive administrative fees when a consumer tries to cancel a trip. The airline in question, Air France, argued that, since security agencies, in this case the Transportation Security Administration (TSA), are obliged to register the personal data connected to the traveller, changes in the traveller name that exceed, bizarrely, three letters, requires so much administrative cost that a completely new booking is required – costing 450 pounds in the case highlighted by Watchdog. Less a case of having your cake and eating it, more a case of losing your rights and paying for the privilege.

BBC One Watchdog report: Admin fees (13.11.2014)

European Commission: Passenger Name Record (PNR)

PNR: EDPS first reaction to the Court of Justice judgment (30.05.2006)

FRA: Twelve operational fundamental rights considerations for law enforcement when processing Passenger Name Record (PNR) data

CEPS Working Document: The EU Passenger Name Record (PNR) System and Human Rights: Transferring Passenger Data or Passenger Freedom?

Commission makes €50 million available for the development of “big brother” PNR databases – before legislation has even been agreed



19 Nov 2014

Irish ISP introduces child porn blocking – doesn’t know why

By Joe McNamee

The Irish broadband provider UPC has introduced blocking for web addresses that are alleged to contain child abuse material. It chose an interesting moment to do this – with the total number of domains allegedly hosting abuse material half what it was ten years ago and with sites staying online for historically short periods of time (three-quarters of them for less than ten days). It also appears to be rather odd timing, due to the significant move away from static websites to the (mis-)use of free image-hosting and similar services, where potentially illegal content is removed quickly and which cannot be blocked due to the fact that they contain almost exclusively legal content.

The fact that the “blocking” is happening at a time when there is less justification than at any time in the history of the internet is somewhat less surprising when looking at the uncritical press coverage surrounding the initiative. It was explained in the Irish Times, a daily Irish newspaper, that Internet users, who “either accidentally or deliberately” tried to access a site that was on the blocked list would be shown a page explaining why they had been blocked.

If the system is supposed to block accidental hits, one does have to wonder why there is no evidence at all as to whether this actually happens or not. The only “research” on the existence of this problem is from the UK’s online child abuse hotline, the Internet Watch Foundation (IWF), which discovered – with a margin of error of +/-3% – that 1% of men and 0.5% of women had ever accidentally accessed such content. In other words, the number is immeasurably small. In addition, only a fraction of that number would be prevented by such blocking measures, as it takes time for sites to get put on the blocking list.

If the system is supposed to stop deliberate visits to such websites, where is the evidence that this actually happens? Furthermore, if the worst thing that could happen when searching for such material is to see a blocking page, it seems to be more of a safety feature than a deterrent for people that would deliberately visit such sites.

The Irish Minister of Justice, Frances Fitzgerald, stated that the measure will “significantly reduce” the amount of child abuse material available. This is factually incorrect; all of the blocked material will remain available to anyone motivated to circumvent the blocking system.

However, her statement that the measure “will also reinforce the message that the viewing or possession or indeed trading in child abuse material is simply not acceptable” is more serious. The Irish Government is currently preparing the ratification of the Council of Europe Cybercrime Convention (“Budapest Convention”) and has consistently supported the EU’s demands for its worldwide adoption. The Budapest Convention provides an explicit option for states NOT to criminalise the procurement and possession of child pornography. Unlike the symbolic act of persuading an internet provider to claim to “block” this material, the Cybercrime Convention is a real, potentially global international legal instrument. It is hard to reconcile a statement that “possession and trading in child abuse material is simply not acceptable” with global promotion of a Convention which appears to suggest the opposite. Support for the Cybercrime Convention is also difficult to reconcile with the United Nations Convention on the Rights of the Child (UNCRC), the most widely ratified international children’s rights treaty, ratified also by Ireland.

Despite all the contradictions and inaccuracies, UPC received some good publicity, the Irish police and Interpol received some good publicity, Minister Fitzgerald received some good publicity. So, almost all of the people involved gain something from the initiative. Almost. Now, who are we forgetting?

Child abuse and child pornography offenses – this is how the police works (only in Swedish)

Child sex abuse sites to be blocked by broadband provider (10.11.2014)

EDRi-gram: ENDitorial: Child abuse online: Is ignorance the best policy? (16.07.2014)



05 Nov 2014

FTDI: Is the law criminal?

By Guest author

The EDRi-gram has previously reported on the general silliness, if not active harmfulness to an open society, of certain copying controls that are generically referred to as Digital Rights Management (DRM). However, it’s not often that a practical example comes around that underlines the problem and at the same time has potential to demonstrate the double-standards in equally silly and potentially harmful legislation on “cyber”-crime.

FTDI is a Scottish chip manufacturer that is highly successful in the market for chips that allow easy interoperability between embedded electronics and a PC’s USB port. It felt threatened by possibly trademark-infringing competitors. In response to this perceived threat, it released an update for the Windows driver for its flagship product. The update disables any product that is FTDI-compatible, but not an exact copy.

When called out about this rather unusual behaviour, it initially defended this practice as necessary to protect its so-called intellectual property rights (IPR), but later rescinded the offending driver.

Apparently, the company felt that the already overly generous means for enforcing its rights in both national and EU legislation were not sufficient. It subsequently not only went on to disable equipment of end-users who could not possibly know whether any counterfeit chips were used in their equipment, but also to disable equipment that contained compatible chips that are quite possibly not infringing at all. There is no way that software can recognise the difference between a chip that is infringing and one that is not.

Under the terms of the Council of Europe Cybercrime Convention, “the damaging, deletion, deterioration, alteration or suppression of computer data without right” is a crime, when committed intentionally. It could be argued, therefore, that FTDI was in literal breach of this provision when it took these steps to enforce rights that were not necessarily infringed at all. This course of action meets all the criteria of article 5 of the Convention against Cybercrime. Microsoft’s involvement in was also in literal breach of the Convention distributing this driver as part of its regular updating process also raises interesting questions.

If all the hand-wringing about computer-related crimes by law enforcement were serious, we would have expected a serious investigation of FTDI at least, and possibly Microsoft across Europe already. So far we’ave seen nothing of that sort, and we;re not holding our breath.

The take-away of all this is the algorithmic enforcement of legal rules, whether it is through DRM, automated notice-and-take-down procedures, data-mining the spoils of untargeted surveillance or automated filtering of web-traffic to combat child abuse, is error-prone and ultimately counterproductive.

Watch that Windows update: FTDI drivers are killing fake chips (22.10.2014)

Chipmaker FTDI bricking counterfeit kit – USB-serial imitators whacked by driver update (23.10.2014)

FTDI, or how to run a company into the ground using DRM (25.10.2014)

(Contribution by Walter van Holst, EDRi-member Vrijschrift, The Netherlands)