16 Feb 2017

Recklessly unclear Terrorism Directive creates significant risks for citizens’ security


On 16 February 2017, the European Parliament voted in favour of the EU Directive on combating terrorism. Weak, unclear, ambiguous wording in the Directive presents dangers for the rule of law, the right to privacy and freedom of opinion and expression of people in the European Union.

Adopting a Directive that is unclear and wide open to abuse is little short of reckless. The Directive brings few obvious gains for security, but its ambiguity creates major risks for democratic freedoms,

said Maryant Fernández Pérez, Senior Policy Advisor at European Digital Rights (EDRi).

We will now have to wait over four years for the European Commission to assess whether the Directive and its implementation by Member States violate our fundamental rights and freedoms. This is unacceptable,

she added.

EDRi and other civil society organisations have worked hard with policy-makers to solve key issues. As a result, for example, the freedom to express radical, polemic or controversial views in the public debate on sensitive political matters is now part of the final text of the Directive. This, at least in principle, recognises human rights that have been affirmed by the European Court of Human Rights. However, the EU co-legislators decided to ignore a long list of dangerous provisions. For instance, the Directive criminalises “glorifying terrorism”, without defining what it means, thereby creating the risk of accidental or deliberate imposition of (or threat of) excessive punishment and censorship. In addition, the Directive criminalises consulting “terrorist websites”, which will create an obvious chilling effect as people avoid the risk of viewing anything that might be subsequently decided to be a “terrorist website”. Indeed, this week, the French Constitutional Court declared a similar provision unconstitutional.

Civil society has repeatedly warned policy-makers against the adoption of a seriously flawed Directive. According to the European Parliamentary Research Service, all stakeholders that have followed this legislative process have expressed serious concerns. Yet, the flaws have been ignored. What’s more, the final text also ignores valuable recommendations given by the European Economic and Social Committee on 17 March 2016.

We thank the MEPS who voted against the Directive, as they have understood that we cannot fight terrorism by weak, ambiguous legislation that will undermine the freedoms we are defending.

Background information:

The legislative process to adopt the Directive lacked in public participation and transparency. The European Parliament vote is the conclusion of a fast-tracked process, whose excessive haste can be seen in its weak drafting. Member States now have 18 months to implement the Directive, except for the United Kingdom, Ireland and Denmark, which decided not to be bound by it. The European Commission will have to conduct a report assessing the implications of the implementation of the Directive on human rights and the rule of law. However, we will have to wait a minimum of 54 months for this report to be delivered.

Read more:

The time has come to complain about the Terrorism Directive (15.02.2017)

Terrorism Directive: Document pool

European Union Directive on counterterrorism is seriously flawed (30.11.2016)


15 Feb 2017

Lead Parliamentarian for Culture Committee defends upload filtering

By Diego Naranjo

On 6 February 2017, the Parliamentarian in charge of the Copyright Directive for the European Parliament (EP) Committee for Culture and Education (CULT), Marc Joulaud, published his draft Opinion on the proposal for the Directive.

As we described in our previous blogposts (here, here and here) the European Commission’s proposal has not fulfilled hopes for a reform that could deliver a modern, harmonised European copyright framework. The proposal has been disappointing both for not introducing the much needed changes and scary for what it proposes, namely an upload filter for all types of content and the ancillary copyright that failed in two European countries already.

Our main concern relates to the upload filter proposed in Article 13. We analysed the article in detail and summarised the three main problems. The upload filter:

  1. requires internet companies to install filtering technology to prevent the upload of content that has been “identified by rightsholders”;
  2. seeks to make internet providers responsible for their users’ uploads;
  3. gives internet users no meaningful protection from unfair deletion of their creations, because of the bad wording of the proposal for user redress.

The CULT Draft Opinion fails to fix any of these issues: First, in the Amendment (AM) 28 (related to recital 38 of the proposed Directive) the draft Opinion broadens the scope from covering providers hosting a “large amount of works” to “user-generated content, copyright-protected works or other subject-matter actively uploaded or displayed by their users”. This adds nebulosity where previously there was fogginess.

In addition to suggesting an incomprehensible broadening of the already bewildering scope, it does not challenge the implications of the Commission’s proposal which, in essence, argues that, by providing web hosting services, companies “thereby” go beyond being web hosting services. This strange construction is key in the intended destruction of the liability regime for hosting services provided for in the e-Commerce Directive, while claiming in the text that this change is “without prejudice to the e-Commerce Directive”.

Then, changes proposed in recital 39 (AM 29) do not help to clarify the text by replacing “services” with “platforms”, despite Rapporteur Joulaud’s possibly good intention to restrict the wording. A good attempt to fix the proposal in the recitals is found in the next AM 30 (new recital 39a), where the Rapporteur acknowledges that “measures and technologies deployed by digital content platform providers in application of this Directive may occasionally have a negative or disproportionate effect on legitimate content that is uploaded or displayed by users, in particular where the concerned content is covered by an exception or limitation”. In order to counter-balance these real concerns about inevitable restrictions on citizens’ freedoms, the Rapporteur of the Draft Opinion proposes new wording to “strengthen” the redress mechanism in Article 13.2.

Oddly enough, the Rapporteur appoints the rightsholder (not the platform, nor the platform in cooperation with the relevant rightsholder nor, of course, not an independent authority) to be the judge that will “examine and process” the complaints by the user. The proposal also tries to prevent a situation whereby, while the dispute is being settled, a party makes a profit out of content which is not theirs. In order to do that, the proposal establishes that the alleged rightsholder will not be able to monetise the content which is being examined (by the rightsholder) until the complaint has been addressed. This is welcome, as it could help to speed up the process. However, putting the foxhunter in charge of the rules of the foxhunt lacks a degree for credibility. Although the proposed amendment establishes that the rightsholder should “justify” the decision, it is unclear how this “justification” can bring any more legal certainty than the wholly arbitrary proposal of the Commission. Finally, Rapporteur Joulaud adds a new paragraph on AM 76 to propose an alternative dispute resolution mechanism for rightsholders and “digital content platforms” involved, to which the individual user potentially affected by the decision is not consulted.

The text does contain, however, positive proposals such as the new exception for user-generated content (which, however, risks being filtered out as a result of Article 13) and a (sadly incomplete) attempt to include an exception on freedom of panorama (with, of course, this freedom being vulnerable to being negated by the restrictions in Article 13). We welcome that the Rapporteur has acknowledged the importance of these two issues. Now that they are included in the draft Opinion, there is at least the chance of a debate that could make these two proposals stronger and part of the final text from the European Parliament.

In a nutshell, Rapporteur Joulaud has tried unsuccessfully to improve the profoundly broken text of the European Commission but, as the old saying goes, “you can’t make a silk purse out of a pig’s ear”. His attempts to fix the worst parts of the proposal may well be well-intentioned, but unfortunately they do not achieve the goal of making the proposals acceptable, especially regarding to the wording in Article 13. Deletion is the only credible option for the upload filter proposal, just like the proposal for ancillary copyright. Some positive aspects can be found in the draft Opinion but both there and in the rest of the Directive we will need to see much more thorough work to make something good out of it.

Copyright reform: Document pool

The copyright reform (02.11.216): A guide for the perplexed

C4C: CULT Opinion on the Copyright in the Digital Single Market Directive: bad on filtering, press publishers’ rights and TDM, but putting users back in the picture! (13.02.2017)


15 Feb 2017

Citizens’ rights undermined by flawed CETA deal


On 15 February 2017, the European Parliament voted in favour of the Comprehensive Economic Trade Agreement (CETA). This concludes the process at the EU level. The EU Member States will now have to ratify the agreement, without having a right to make changes to the text. CETA creates significant risks for citizens’ fundamental rights, especially with regard to privacy and data protection.

CETA raises serious questions to the protection of our online rights and freedoms. These concerns have been sadly ignored. We now turn to the EU Member States to stand up for the interest of their citizens by rejecting CETA.

said Maryant Fernández Pérez, Senior Policy Advisor at European Digital Rights (EDRi).

The Parliament approved the agreement despite EDRi’s and other civil society organisations’ calls to improve the agreement text. We raised concerns about the lack of transparency in the negotiation process, weakened protection of the personal data and privacy of European citizens, the possibility of corporations to challenge government decisions under the so-called Investment Court System, and the inclusion of intellectual property rights (IPR) obligations without focusing on promoting access to knowledge.

Despite not being yet ratified by the EU Member States, CETA is expected to already be provisionally applied as of Spring 2017, with some exceptions, meaning that parts of it will start having a practical impact, for example on data protection. If Member States don’t stand up for citizens’ rights by rejecting the agreement, CETA could become a blueprint for other trade agreements and increase growing public mistrust in trade policy. It is the time to better design trade agreements, in order to maintain a high level of protection for the EU citizens. This is possible only with better transparency and inclusion of public interest organisations.

It is crucial for national and local NGOs to make their arguments heard in the ratification process of CETA in each of the EU Member States.

Read more:

Civil Society Letter asking MEPs to vote against CETA (13.02.2017)

Despite large opposition, CETA limps forward in the European Parliament (24.01.2017)

European and Canadian civil society groups call for rejection of CETA (28.11.2016)

CETA signature ignores Agreement’s flaws (30.10.2016)

CETA puts the protection of our privacy and personal data at risk (05.10.2016)

CETA’s cross-boder data flows will be provisionally applied (07.10.2016)

CETA will undermine EU Charter of Fundamental Rights (04.05.2016)


15 Feb 2017

The time has come to complain about the Terrorism Directive

By Maryant Fernández Pérez

Nearly a year has passed since we told that you’d be now complaining about the Terrorism Directive. On 16 February, Members of the European Parliament (MEPs) will vote on the draft Terrorism Directive. EU policy-makers have meaningfully addressed only very few of the concerns that EDRi and other NGOs have raised since the beginning of the EU legislative process.

We worked hard during the elaboration of the Terrorism Directive at the EU level: we defended digital rights since the very beginning, providing policy-makers with expert input; we joined forces with other digital rights organisations; and raised our voice against key proposals together with NGOs like Amnesty International, Human Rights Watch (HRW), the International Commission of Jurists (ICJ), the Open Society Foundations (OSF), the European Network Against Racism (ENAR) and the Fundamental Rights European Experts (FREE) Group (see our joint statements here and here). As a result of the hard work and numerous exchanges with policy-makers, not everything in the Directive is bad for digital rights.

What’s good?

Unfortunately, not as much as we would like. However, there are still some positives. Several provisions that we had advocated for are part of the final text, for example an assurance, in principle, of being able to express radical, polemic or controversial views. We managed to eliminate mandatory internet “blocking”, and some safeguards were introduced with regard to removing and blocking online content and limiting when the absurdly vague concept of unduly compelling a government can constitute a terrorist offence. We also killed some bad proposals that, for instance, tried to undermine encryption and the use of TOR.

What’s wrong?

From a digital rights perspective, there is a long list of bad elements that the European Commission, EU Member States* and the majority of the MEPs of the European Parliament’s Committee on Civil Liberties (LIBE) have introduced and/or kept in the draft Terrorism Directive, including the following:

To sum up, it took a year and two months to conclude a legislative instrument that endangers the protection of our rights and freedoms. This compares badly with the time that it took the EU to conclude an instrument to protect fundamental rights, such as the General Data Protection Regulation (five years, and two more years until it enters into force). Obvious, depressing, conclusions can be drawn about the priorities that drove different parts of the EU decision-making process in both cases.

Therefore, we urge the European Parliament to vote against this Directive or at least vote in favour of some of the amendments proposed to improve some of the elements listed above.

What can you do?

You can raise awareness and contact your MEPs prior to the debate on 15 February (starting around 3pm CET) and the vote on the Directive on 16 February (around 12pm CET). After the vote, it will be the turn of your Member State to implement the Directive and give meaning to the ambiguous provisions of the Directive. If the Terrorism Directive is adopted, civil society should look closely how their national parliaments will implement it, so it will not lead to abusive provisions. Ultimately, yet again, we will have to rely on the courts to be the guardians of our civil liberties.

If you have any questions, don’t hesitate to contact us!


* The United Kingdom, Denmark and Ireland decided not to be bound by this Directive.

08 Feb 2017

ENDitorial: Fake news about fake news being news

By Joe McNamee

We have heard a lot about fake news over recent months. We have heard urgent calls for action from politicians to deal with this new problem – governments should regulate truth, Facebook should regulate truth, new ministries of truth should regulate the truth. The political world is clear – somebody should do something, quickly!

In 2003, the University of Maryland and Knowledge Networks undertook a survey of what they very carefully called “misperceptions” about the Iraq war that correlated closely to support for that war. Researchers looked at three “misperceptions” – that there were

  1. links between Saddam Hussein and al-Qaeda;
  2. that weapons of mass destruction had been found, and
  3. that world public opinion was favourable to the war.

The survey was conducted from January through September 2003 with seven different polls probing the perceptions of a total of 8634 respondents. Overall, it was found that 80% of people who relied on Fox News as their main news source had somehow ended up believing at least one of these three pieces of fake news. This compared with a little less than half (47%) of those who said that print media were their primary source of news and just less than a quarter (23%) of those who said that PBS-NPR (public TV and radio) was their main source.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

Among all three “misperceptions”, the trend was strikingly consistent as regards news sources that were relied upon. In relation to those who held the “misperception” that clear evidence existed of Iraq working closely with Al Qaeda, 67% of individuals who relied on Fox as their news source, compared with 40% who relied on print media and just 16% who relied on public service TV and radio.

The report also looked at correlations between supporters of the incumbent president (who obviously supported the war) and “misperceptions”. Unsurprisingly, there was a strong correlation. Crucially, the study also showed that there was a very significant correlation between news sources and likelihood of “misperceptions”, even among this group – 78% of Bush supporters who relied on Fox believed in “misperceptions”, compared with 50% who relied on public broadcasters.

Crucially, those with none of the “misperceptions” opposed the war, while “each additional misperception is accompanied by sharply higher support for the war”. Indeed, a different poll showed that 80% of supporters of the war indicated that “Iraq’s connection with groups like Al-Qaeda” was a major reason for their support.

In short, a war whose cost in human lives is, according to lower estimates, at least 100 000 civilians – fathers, mothers, sons and daughters… actual people with dreams and hopes, not numbers – appears (recognising that correlation is not causality) to have gained considerable support as a result of “misperceptions” that can be linked to certain news sources. This did not inspire political outrage about “fake news”.

The Iraq “misperceptions” survey is now 13 years old, yet we appear to have learned nothing from it. We have witnessed years of mass harvesting of data for the purpose of manipulation, feeding an unaccountable data trawling industry, yet we appear to have underestimated the danger. Now that data industry has created an opportunity to generate 20 000 US dollars for one opportunist fake news website. We have online platforms channelling our world view into narrow “filter bubbles” that make society more susceptible to being targeted with misinformation. Now, instead of learning from this, we appear unable to respond rationally.

If we could end the fake news about “fake news” being news, we might move a little closer to finding a meaningful answer. The medicine proposed to magically bring an end to misinformation is to ask the data trawling industry to become the arbiters of truth… to invite the companies that are at the origin of the noxious filter-bubbles to filter out the fake news… not too much… just enough. Please.

If we could be honest about the deep roots of the phenomenon, and the dangers of many of the remedies being proposed by policy-makers desperate to be seen to be doing something, we might actually get to the destination.

The PIPA/Knowledge Networks Poll: Misperceptions, the media and the Iraq war (02.10.2003)

From headline to photograph, a fake news masterpiece (18.01.2017)

In race against fake news, Google and Facebook stroll to the starting line (25.01.2017)

Regulations are a bigger threat than fake news (12.01.2017)

(Contribution by Joe McNamee, EDRi)



08 Feb 2017

SHARE Foundation honoured with a certificate of gratitude

By Guest author

Data Protection Day was celebrated on 28 January, and it was especially festive for EDRi observer SHARE Foundation. The organisation received a certificate of gratitude from the Commissioner for Information of Public Importance and Personal Data Protection of Serbia for their immense contribution to affirmation of the right to protection of personal data.

The official Data Protection Day gathering, traditionally organised by the Office of the Commissioner, was held on 30 January in Belgrade, Serbia. At the event, the Commissioner Rodoljub Šabić addressed the participants, together with the Head of Organization for Security and Co-operation in Europe (OSCE) Mission to Serbia Andrea Orizio and the Ombudsman of the Republic of Serbia Saša Janković.

As part of the celebration, the Commissioner awarded SHARE Foundation with a certificate of gratitude for an immense contribution to the affirmation of the right to personal data protection. Director Vladan Joler accepted the certificate of gratitude on Foundation’s behalf. Legal and Policy Director Djordje Krivokapic also presented the results of the latest research on personal data of minors in the data economy.

28 January was chosen as the international Data Protection Day, because the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the first legally binding international agreement in this area, was opened for signatures on that day in 1981.

SHARE Foundation will continue to contribute to the improvement of the right to personal data protection through cooperation with the Office of the Commissioner and other competent state bodies, civil society and information and communications technology (ICT) industry.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

SHARE Foundation honoured with a certificate of gratitude on Data Protection Day (02.02.2017)

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (28.01.1981)

SHARE Foundation guide for state bodies on personal data protection (only in Serbian)

Mojipodaci.rs – web portal on personal data in the public sector (only in Serbian)

(Contribution by EDRi observer SHARE Foundation, Serbia)



08 Feb 2017

Are the US-EU data agreements still alive?

By Guest author

Late on the first day of Computers, Data Protection and Privacy (CPDP) Conference on 25 January 2017, word came through that US President Donald Trump had issued Executive Order (EO), “Enhancing Public Safety in the Interior of the United States”, which included the following:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Member of the European Parliament (MEP) Jan Philipp Albrecht immediately tweeted that the European Commission must suspend Privacy Shield and sanction the US for breaking the Umbrella Agreement. To the many experts at CPDP, the situation was less clear-cut. Much of the conference’s closing discussion, the Caspar Bowden panel on Privacy Shield and Mass Surveillance, focused on it.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The executive order places three things at risk: Privacy Shield, the EU-US Umbrella Agreement, and the EU-US Passenger Name Records (PNR) Agreement.

The Umbrella Agreement is a framework for transferring law enforcement data from the EU to the US, and was created under the Judicial Redress Act (JRA). Passed in 2015 as an enabler for Privacy Shield, the JRA gives citizens from the EU and its member countries limited rights under the US Privacy Act. The Umbrella Agreement and the list of EU countries were published in the Federal Register on 23 January 2017. Because the pre-conditions have now been met, a data protection lawyer Peter Swire, speaking at CPDP, said that the Umbrella Agreement will enter into force on 1 February.

Swire, therefore, believes that while unknown political implications will stem from the executive order, there is no operational legal effect on Privacy Shield; the ombudsperson is still in place. He then listed three positive and three negative thoughts.

The positive:

  1. Trump’s campaign platform did not include hurting American business, and disrupting Privacy Shield makes no business sense;
  2. there is no important US constituency opposing Privacy Shield;
  3. Safe Harbor was signed under Bill Clinton and became routine under George W. Bush. With 1 700 companies now signed up for Privacy Shield and more applications pending, there seems to be no reason why the agreement negotiated by Barack Obama should not become routine under Trump. Immigration, on the other hand, was a big campaign issue, and accordingly, Swire believes the executive order is focused on the immigration authorities’ mixed records. However, the incoming Attorney General could change or revoke the list of covered countries, forcing the EU to decide how to act.

The negative:

  1. few are optimistic about the Trump administration with respect to privacy;
  2. Trump is against free trade and is fundamentally shifting the US away from it;
  3. Trump is proud of not being polite or politically correct.

Swire added that the relative peace and prosperity of recent times provided a fortunate opportunity to work on data protection; he believes in the coming years privacy will be forced to take a back seat to even more fundamental issues – nuclear arms, for example.

Marcy Wheeler from the emptywheel.net blog was more pessimistic. Presidents modify or waive older Executive Orders rather than issue new ones. On 3 January 2017, Obama approved procedures to allow the US’s 17 intelligence agencies to share signals intelligence data collected under EO 12333, which was originally issued by Ronald Reagan in 1981. Together with statements by the new Central Intelligence Agency (CIA) director, Mike Pompeo, that leads Wheeler to believe that Trump will demand that the EU participates in sharing data. She also noted that a key element of Privacy Shield is assuming that the US will adhere to Presidential Policy Directive 28 (PPD-28), “Signals Intelligence Activities”, which specifies how the US will use the data it collects. Meanwhile, the US immigration service is already asking arriving international travellers for their social media identifiers, and Immigration and Customs Enforcement (ICE) and the Department of Homeland Security can share this data via the Intelligence Cloud the US government began setting up in 2013.

Edward Hasbrouck, an EDRi observer from the organisation Papers Please, argues that Trump’s EO more directly affects the EU-US PNR Agreement, which depends on administration action. PNR specifies that any individual should be entitled to request their PNR data, correct or delete it, and seek effective redress if it’s been misused. However, neither the US Privacy Act nor the JRA requires giving foreigners these rights; instead, they depend on administration action that Trump’s EO has now eliminated for foreigners. Some access to records should still be available under the Freedom of Information Act, but not the rights of correction or deletion. Hasbrouck accordingly pronounces the EU-US PNR Agreement dead and asks what the EU and its citizens and residents are going to do about it.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

The ironies of the EO 12333 sharing expansion for Obama and Trump (30.01.2017)

Trump repudiates agreement with EU on PNR data (29.01.2017)

(Contribution by Wendy M. Grossman, freelance writer, member of the advisory councils of EDRi members Open Rights Group and the Foundation for Information Policy Research, the United Kingdom)



08 Feb 2017

Dutch Parliament: Safety net for democratic freedoms or sleepnet?

By Guest author

Currently, Dutch parliament is doing everything they can to get a dragnet surveillance bill approved before the elections on 15 March 2017. If they succeed, soon the online communications of Dutch citizens can, on a massive scale, get caught up in the secret services’ dragnet. So what’s happened since the last time we reported to you on this subject?

In September 2016, Rob Bertholee, head of the General Intelligence and Security Service of the Netherlands (AIVD) gave a notorious interview, in which he stated that he was fed up with discussions about privacy. A month later, and despite a serious backlash, Minister Ronald Plasterk decided to advance his plans to carry out bulk interception of innocent citizens’ communications: he sent the definitive dragnet bill for the new Intelligence and Security Services Act to the House of Representatives.

Oversight Committee finds proposal insufficient

The Review Committee on the Intelligence and Security Services (CTIVD) assessed the bill in an extensive report published in November 2016. In this report, the CTIVD painstakingly shows that essential safeguards like data limitation and duty of care regarding the quality of data analyses are missing in the current proposal. In addition, the CTIVD ruled that the oversight of the secret services needs to be significantly improved in order to be effective.

The House of Representatives discussed the proposal shortly before the Christmas recess. A discussion between the oversight committee, a private meeting with the services themselves, and a hearing with several experts and private parties took place. There was a lot of criticism towards the bill.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

Hearing with experts and companies

During the hearing with experts and public parties, a broad spectrum of organisations sharply criticised the proposal. In an impassioned plea, the vice-chairman of the Dutch Data Protection Authority (DPA) criticised parliament’s plans for instating a dragnet, the hacking of third parties, and the exchange of intelligence with foreign agencies. He called the term “investigation assignment-focused interception”, meant to describe the dragnet, which must be a candidate for the prize of euphemism of the year.

In an extensive written response, the DPA further elaborates on why the necessity for the proposed expansion of powers has been insufficiently argued. In addition, the DPA states that the powers are insufficiently well known and predictable for citizens, that they lack safeguards, and that truly independent and effective oversight of the services is still lacking. In other words, it is patently illegal under basic international legal principles.

On behalf of a large group of researchers, Professor of Media and Telecommunications Law Nico van Eijk elaborated an analysis of the flaws in the proposed surveillance bill and its lack of transparency. In addition, the Scientific Council for Government Policy (WRR) raised concerns regarding the danger of chilling effects as a consequence of the proposed expansion of powers.

The companies present were also very critical – not only concerning the impact that the dragnet might have on their businesses, but also on their users. For example, Microsoft clearly opposed the creation of a dragnet by stating: “[N]on-directional collection of data is disproportionate and harms the privacy of users and their trust in our technology”.

Criticism from the House of Representatives

As a result of all the meetings, the lower house presented the cabinet with over 52 pages of questions concerning the proposal. Many of those questions concern the untargeted nature of the dragnet, the relevance and retention period of the collected data, the quality of data analyses, and oversight of the agencies. The 52 pages of questions have now been met with 110 pages of answers. These prove mainly to be reiterations of previous assertions and in no way succeed to assuage the concerns that have been expressed. The Dutch government is doing its best to cover up the fact that the implementation of the dragnet means implementation of mass surveillance, and continues to call the new power “investigation assignment-focused interception”. Minister Ronald Plasterk has even proceeded to abbreviate the term to the apposite and deeply ironic Orwellian “OOG” (“eye” in Dutch).

What will happen in the coming weeks?

During a procedural hearing on Thursday 19 January 2017, it was decided that the bill would be discussed next in a lower house plenary, meaning that it will most probably only be discussed one more time before proceeding to a vote. The plenary will take place on 8 February and the voting will take place one week later.

Dutch dragnet surveillance bill leaked (04.05.2016)

‘Threat hasn’t been this high in years’ – Interview Rob Bertholee, chief of the domestic security services (only in Dutch, 17.09.2016)

Head of Dutch security service is fed up with privacy concerns (19.09.2016)

Critique and questions about bill for for a new Intelligence and Security Services Act: what will the cabinet do? (only in Dutch, 05.01/2017)

Reaction Autoriteit Persoonsgegevens to the bill for a new Intelligence and Security Services Act (only in Dutch, 15.12.2016)

Text contribution prof. dr. Nico van Eijk (Director of the Institute for Information Law, University of Amsterdam) during the hearing of the commission for the Ministry of the Interior (only in Dutch, 15.12.2016)

Scientific Council for Government Policy (only in Dutch, 15.12.2016)

Position paper Microsoft: Hearing Intelligence and Security Services Act (only in Dutch, 15.12.2016)

(Contribution by David Korteweg, EDRi member Bits of Freedom, the Netherlands; translation by Maren Vos)



08 Feb 2017

Nine controversies about obligatory prepaid registration

By Guest author

“Register your prepaid and get free calls/internet transfer/win a car” – you can hear from Polish telecom operators, as a reminder that all pre-paid SIM cards have to be registered by 1 February 2017. One could almost think that this is just a nicely coordinated campaign of leading telecoms, aimed at collecting a bit more data about their clients in exchange for a bonus.

A real stake in this data collection effort is to increase control over all users of telecommunication networks in Poland, with a particular focus on foreigners. The demand for more data came this time not from the market but directly from the policing arm of the state. Indeed, in response to this measure being rolled out by restrictive regimes around the world, the GSM Association has been very good at pointing out the limited value of this approach from a law enforcement perspective.

Obligatory registration of prepaid SIM cards was introduced in Poland by the controversial anti-terrorism law in June 2016. This law is based on the assumption that every foreigner may pose a threat to national security and, therefore, can be subjected to surveillance. Obligatory registration of SIM cards took effect on 1 February 2017. After that, all the unregistered cards have stopped working. However, this should not stop us from questioning the logic behind the new regulation and showing its consequences, also the unintended ones.

1. Why should I register my prepaid card?
This is the number one question on the lists of frequently asked questions (FAQ) at every telecom operator’s website. Their answer is: because the anti-terrorism law says so. But they do not answer why this obligation was introduced. Our answer is: because the Polish intelligence agencies want to have even more control, despite the complete lack of empirical evidence that this measure has any meaningful benefit to crime-fighting.

2. How registering prepaid cards is going to facilitate the work of intelligence agencies?
The reasoning of the lawmakers was that registered cards are going to make it way easier to identify the owners of the numbers linked to the criminal activity, especially in the context of false bomb alarms. However, the registered owner can sell the card or pass it to somebody else, without obligation to update personal data in the operator’s register. Engaging a number of intermediaries and leaving false traces will not be much of a challenge for a determined criminal. In short, if criminals take precautions, they can easily circumvent mandatory SIM registration. On the other hand, if they don’t, metadata of mobile phones (especially call records and location data) mean that they can be identified without mandatory registration.

3. Do I have to register a card in my own name?
No. You can use a card registered in someone else’s name or pass a card registered in your name to another person. You can buy an already registered card on an online auction website Allegro (even if its rules officially say this is not allowed). You can buy one in Germany or the Czech Republic, or allow it to be registered by anyone that will be open to doing you such a favour. It is also relatively easy to register a number on somebody without this person even knowing it.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

4. Is the obligatory registration going to help fighting terrorism?
In theory, registration of all SIM cards should limit the ability of anonymous communications related to criminal activity. But no criminal will register the card in their own name, unless they want to be caught! Cecilia Malmström in her role as European Commissioner for Justice and Home Affairs said there is no evidence that this is a successful measure to fight crime. Even the British government, that is famously extreme in its data collection practices, thinks so too, and based on the detailed analyses carried out by intelligence agencies and security experts, decided not to introduce such regulation in the British law.

5. What consequence can I face for selling registered SIM cards?
The minister for internal affairs, Mariusz Błaszczak, stated in the media that “those selling those cards can face legal consequences in the situation whereby these cards were used for a criminal activity”. However, there are no legal sanctions for selling SIM cards.

6. Cards used in elevators and vending machines also have to be registered. Why?
Both the Polish Office of Electronic Communications (UKE) and the Ministry of Digital Agenda have recently pointed out that not only phones but also machines – such as vending machines and elevators – are using prepaid cards for automatic communication with its operators. UKE clarified that “the main aim of the regulation it to increase the effectiveness of the Polish anti-terrorism system and the safety of Polish citizens. It is, however, even in the colourful imagination of the UKE, unclear how registering a prepaid card in the vending machine is going to help to catch terrorists.

7. What about the right to anonymous communication?
Forget about it. Polish lawmakers believe that the convenience of intelligence agencies (if we generously believe that this demonstrably ineffective measure would actually generate convenience) is much more important than fundamental rights, such as the right to anonymous communication.

8. Is my personal data safe?
From the point of view of data protection, registering cards at petrol stations, in banks, by snail mail or email, with a scan of your ID attached, sounds like a joke. We should also be asking about safeguards preventing misuse of our data by the intelligence agencies. Most countries where registration of SIM cards is obligatory have in place much stricter control mechanisms over how law enforcement agencies access and use telecommunication data, including the personal data of card owners. In Poland, this area of state activity is beyond any form of independent control.

9. Who is going to pay for it?
The lawmakers cunningly counted that the new obligation will not incur any costs for the public budget. This burden is shifted to telecom operators and their clients, and it is obvious that the bill will be rather high. Aggressive marketing campaigns, the risk of losing the customers who do not register the number on time, and building the whole network of registration points for SIM cards will represent a high cost, which will be transferred to the users.

9 controversies about obligatory prepaid registration (31.01.2017)

GSM Association: Mandatory registration of prepaid SIM cards: Addressing challenges through best practice (April 2017)

Poland adopted a controversial anti-terrorism law (22.06.2016)

(Contribution by Anna Obem, with co-authors Wojciech Klicki, Katarzyna Szymielewicz and Małgorzata Szumańska, EDRi member Panoptykon Foundation, Poland)



08 Feb 2017

Belgium agrees on passenger controls of international rail traffic

By Heini Järvinen

Belgium, the Netherlands, France and the United Kingdom have agreed on new checks of passengers’ identities on international trains. The agreement was reached on 26 January 2017 in an informal meeting between the Ministers of the Interior and Ministers of Justice in Malta. The Belgian Minister of the Interior and Security Jan Jambon announced the news on 27 January, stating that he believes that other European countries will follow the example of this “pilot project”.

The practical implementation of the Passenger Name Records (PNR) for the international trains departing from and arriving in Belgium will be discussed in a working group composed of representatives of the four states and the train companies Eurostar and Thalys. The working group will issue its first proposal by the end of March 2017, and the implementation is scheduled to be finalised before the end of 2018.

PNR legislation is already in place for international air travel in Europe although, having demanded that the European Parliament rush to adopt the new rules, governments have shown no urgency at all to put the rules into operation. This expensive new experiment seeks to extend it to all means of international transport within Belgium, the Netherlands, France and the UK. Justified as part of the “fight against terrorism”, the new system will allow examining the identities of the passengers of the rail traffic between the four countries in advance.

Experts, such as the European Data Protection Supervisor have repeatedly pointed out that there is no evidence this type of measures would be effective in preventing terrorist attacks. Indeed, the European Directive on telecoms data retention was struck down by the Court of Justice of the European Union because untargeted mass surveillance measures such as collecting the personal data of all passengers.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

The first agreement on the passenger controls in international railways (only in French, 27.01.2017)

Fight against terrorism: First agreement on passenger controls in international railways (only in French, 27.01.2017)

EDRi: FAQ: Passenger Name Records (PNR)

“The curious tale of the French Prime Minister, PNR and Peculiar Patterns (04.10.2016)

EU PNR: EDPS warns against unjustified and massive collection of passenger data (25.09.2015)