01 Apr 2015

French filesharers to be banned from flying?

By Joe McNamee

A proposed European Directive threatens the ability of French filesharers to use airlines. The problem is a new attempt to adopt a Directive on the collection and storage of “passenger name record” (PNR) data. The European Commission’s plan is for air travellers’ data to be used for profiling individuals, to guess if they are involved in “terrorist offences and serious online crime”. A “serious crime” is defined as punishable by imprisonment for a “maximum period of at least three years”. In France, filesharing (like manslaughter and death threats) can be punished by a period of up to three years in prison, and so falls under the Directive’s definition of “serious crime”.

In the European Parliament, the parliamentarian in charge, British MEP Timothy Kirkhope, has tabled an amendment to the Commission’s text, saying that it should be possible to compare the PNR databases against other “relevant” databases. France has a “three strikes” system of copyright enforcement, regulated by the so-called HADOPI authority. This involves the collection and storage of IP addresses of individuals accused of unauthorised filesharing, for the purpose of sending out repeated “warnings” that ultimately lead to the disconnection of the individual’s (or their family’s) internet connection.

While the European Commission’s proposal borrows its definition of “serious crime” from a piece of legislation adopted 13 years ago. Mr Kirkhope, by contrast, has provided a list of specific crimes that should be covered by the Directive and some very non-specific offences such as “computer-related crime” that should also be covered. He implicitly recognises that the definitions are far too broad and suggests, as a safeguard, that Member States may opt not to include minor offences (that are subject to up to three years in prison) from the crimes that would fall under the definition of “serious transnational crime”. However, bearing in mind that France punishes filesharing in a similar way to the way it treats manslaughter, the idea that France might exclude filesharing in this situation may be excessively optimistic.

So, where does this leave the French filesharers? Well, the PNR data (plus its comparison with any other relevant databases) will be used to carry out “ an assessment of the passengers prior to their scheduled arrival or departure from the Member State in order to identify any persons who may be involved in a terrorist offence or serious transnational crime and who require further examination by the competent authorities”. Obviously, if you have been identified as a possible perpetrator of the serious transnational crime of filesharing and need to be further examined by the “competent authorities”, the chances of getting to your plane on time are somewhat limited.

Why did we publish this today? Well, we thought that most people reading this article would assume that it was an “april fool” joke. The joke is… everything you have just read is factually correct.

facepalm

Commission proposal
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0032:FIN:EN:PDF

French report – Legal punishment for filesharing as severe as manslaughter (29.08.2011)
http://www.zeropaid.com/news/95546/french-report-legal-punishment-for-filesharing-as-severe-as-manslaughter/

Kirkhope report
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-549.223%2b01%2bDOC%2bPDF%2bV0%2f%2fEN

No mass surveillance of air passengers
http://igg.me/at/nopnr

PNR_postcards_20150324

Twitter_tweet_and_follow_banner

close
26 Mar 2015

EDRi needs an intern!

By Heini Järvinen

European Digital Rights (EDRi) is an international not-for-profit association of 33 digital civil rights organisations from 19 European countries. We defend and promote rights and freedoms in the digital environment, such as the right to privacy, freedom of expression, communication and access to information.

The internship will go from the 1st of September to the 18th of December 2015.

Key tasks:

  • Assisting with writing of the EDRi-gram newsletter;
  • Research and analysis on a range of policy topics;
  • Monitoring international, EU and national related policy developments;
  • Organising and participating in meetings and events;
  • Assisting with preparing draft reports, presentations and other internal and external documents;
  • Assisting with communication tasks;
  • Development of public education materials.

Qualifications:

  • A demonstrated interest in and enthusiasm for civil liberties or technology-related legal issues;
  • Excellent research and writing skills;
  • Fluent command of spoken and written English;
  • Computer literacy.

How to apply:

To apply please send a maximum one page cover letter and a maximum two page CV by email, to michela.petruzzo[at]edri.org

The closing date for applications is 10 April 2015.

close
25 Mar 2015

Patriot Act à la française: France to legalise unlawful surveillance

By Guest author

In recent years, France has increasingly tightened its laws on crimes committed on the Internet. From the LOPPSI law voted in 2012 to the latest anti-terror law voted in November 2014, the bill on Intelligence announced on 19 March by the French Prime Minister, Manuel Valls, is fully consistent with a history of repressive Internet legislation.

The LOPPSI law is the keystone of a comprehensive framework of administrative blocking of websites. This law, adopted in 2012, still needed its decree so that websites hosting child pornographic content could be blocked, but the decree was late to be published. Meanwhile, two more laws concerning terrorism and security were adopted: the 2014-2019 Defence Law (Loi de Programmation Militaire) in December 2013 and the latest anti-terror law in November 2014. The first one allow real-time wire tapping of phone calls without the need of a judicial authorisation and the retention of metadata of any type of terminals. The anti-terror law allows administrative blocking of websites considered as condoning to violent acts of terrorism.

Those three laws have already sparkled a great deal of criticism among civil society and private actors for being too repressive and destroying the balance of powers, a pillar of every democratic regime, by weakening the role of the judiciary with regard to surveillance. Also the measures were attacked on the basis that they can be easily bypassed.

After the tragic events in Paris in January 2015, Manuel Valls announced a new law on Intelligence, while French people were gathering around the democratic values of French Republic to stand against terror. At the same time, the processes of the publication of the LOPPSI and the anti-terror decrees were accelerated, resulting in their publication in late February 2015, and allowing administrative blocking of website without the intervention of a judge. The failure to differentiate information, and thus free speech, from propaganda in the blocking orders demonstrated the importance of a judge in the decision-making process for blocking websites. Restricting free speech is so important that it demands a fair and transparent process.

Unsurprisingly, the Bill on Intelligence presented in the Council of Ministers on 19 March 2015 goes further in the logic of weakening the judicial control, and formally permits a number of previously illegal practices used by the Intelligence services. Among the measures presented in the bill are IMSI-catchers, geolocalisation of cars, wiretapping of private places and vehicles, requests to access networks of private Internet Service Providers (ISPs) and more disturbingly, if possible, black boxes put on the network in order to guess at the identity of terrorists through a matching algorithm. All of those would be allowed without any judicial authorisation. There would be a possibility for a “a posteriori” control – a measure that can be considered too weak as a guarantee for human rights, privacy and democracy, comparing to the scope of intrusion.

The announcement of this bill was welcomed by heavy criticism by a large number associations defending civil liberties, as well as by private companies. The bill is widely considered to legalise mass-surveillance and constitute a French Patriot Act. It will be studied in April by the French Parliament. La Quadrature du Net, a French organisation promoting digital rights, will campaign to communicate to French parliamentiarians and citizens, that after Snowden’s revelations this type of state-organised mass-surveillance is unacceptable for a democracy.

Intelligence reform & the French government’s disastrous drift on surveillance (17.03.2015)
www.laquadrature.net/en/intelligence-reform-the-french-governments-disastrous-drift-on-surveillance

Intelligence law: The black box reveals its shadows (only in French, 20.03.2015)
http://www.nextinpact.com/news/93526-boite-noire-et-loi-sur-renseignement-details-l-etude-d-impact.htm

Islamic-news.info blocked without court order for endorsing or inciting to terrorism (only in French, 16.03.2015)
http://www.nextinpact.com/news/93457-islamic-news-info-bloque-sans-juge-pour-apologie-ou-provocation-au-terrorisme.htm

France pushes for scrubbing Internet of terrorism-related content (19.01.2015)
http://blogs.wsj.com/digits/2015/01/19/france-pushes-for-scrubbing-internet-of-terrorism-related-content/

The lonely battle of the opponents of the bill on Intelligence (only in French, 23.03.2015)
http://www.lefigaro.fr/secteur/high-tech/2015/03/23/01007-20150323ARTFIG00102-le-combat-solitaire-des-opposants-au-projet-de-loi-renseignement.php

(Contribution by Christopher Talib, La Quadrature du Net, France)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

Copyright exceptions and limitations – back to the future

By Joe McNamee

The noise around the non-legislative report of the European Parliament on the Copyright in the Information Society Directive (also known as the InfoSoc Directive and Directive 2001/29/EC) in Brussels is deafening. With one Committee still to table its amendments, the total number of amendment has already reached 759.

Part of the reason for this is that one of the issues being discussed is exceptions and limitations to copyright. Any suggestion of harmonisation, predictability or flexibility is met by energetic opposition by those who claim to speak on behalf of authors. To assess how credible this opposition is, we should look back at some of the lobbying against the only mandatory exception in the Directive – for temporary technical copies.

In the Directive, the European Commission proposed an exception to copyright for copies that are made in networks. Every transfer of a file on a network makes a copy of some description – to get from a to b, the file needs to be in the network for at least a moment. For this reason, it was obvious that temporary, technical copies should not be subject to a separate authorisation from rightsholders. This was clearly uncontroversial – or it should have been.

There was a huge lobby against this exception. The European Publishers Council (EPC) raised several major concerns. Firstly, they argued that only authorised files should be subject to this exception. So, if you accessed an unauthorised file online, this would automatically make your internet access provider guilty of a copyright infringement.

The EPC went on to argue that the exception would create a “a gaping hole in rightsholders’ protection under the reproduction right”, which it explained was a “core right in both the analogue and digital worlds”. It said, but did not explain, that the restriction that such copying could have “no independent economic significance” was not enough to stop the copying of files that were of independent economic significance.

Overall, the text of Article 5.1 (as well as article 5.2b and Article 6) represented “an unacceptable threat to rightsholders”.

So, what happened when this “unacceptable threat” to rightsholders was transposed into national law in the European Union? Absolutely nothing.

The definition proved fully adequate. The safeguards proved fully adequate. No “gaping hole in rightsholders’ protection under the reproduction right was created”. Nothing. After all of the warnings. Nothing.

The damage that would have been caused by heeding the EPC’s warnings, on the other hand, is easier to demonstrate. Canadian legislators failed to implement a clear exception for temporary technical copies. The copyright industries did what one would have expected – they demanded royalty payments to authorise internet providers to do their jobs. This created an extended period of legal uncertainty for internet service providers at a crucial moment in broadband rollout, which only ended when the case was appealed to the Supreme Court, which ruled on the case in 2004.

Position Paper on the Proposal for a European Parliament and Council Directive (97/0359 COD) on the harmonisation of certain aspects of copyright and related rights in the Information Society
http://epceurope.eu/position-paper-on-the-proposal-for-a-european-parliament-and-council-directive-970359-cod-on-the-harmonisation-of-certain-aspects-of-copyright-and-related-rights-in-the-information-society-t/

Canadian High Court takes copyright heat off ISPs (07.01.2004)
http://www.technewsworld.com/story/34891.html

Parltrack summary of non-legislative work on Copyright in the Information Society Directive
http://parltrack.euwiki.org/dossier/2014/2256%28INI%29

(Contribution by Joe McNamee, EDRi)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

In Germany, Data Retention refuses to die

By Guest author

The debate is intensifying in Germany on whether telecommunications data retention should be reintroduced. At the centre of the controversy is Sigmar Gabriel, the leader of the Social Democrats (SPD, the smaller party in Germany’s “grand coalition” government since 2013), and consequently a government minister for the economy and chancellor Angela Merkel’s deputy. Gabriel’s role is pivotal because his party would be the focus of any hope of balancing calls for data retention from the larger coalition partner, the Christian Democrats (CDU/CSU).

Data retention has been judged, twice, to illegally violate fundamental rights under the German constitutioanl framework. In March 2010, a ruling by Germany’s Federal Constitutional Court struck down Germany’s national data retention law that had implemented the European Union’s Data Retention Directive since the end of 2007. In April 2014 the Directive itself was invalidated by the Court of Justice of the European Union (CJEU).

This U-turn has happened almost simultaneously with another major shift in policy for the SPD, which changed the party’s position on the transatlantic free-trade agreement TTIP, to which it was previously opposed.

On data retention, Gabriel has surprised many with the strange range of arguments he has used to defend his position. He says he never really opposed the measure, in fact he voted for its introduction in 2007. But since the European Commission gave up its plans to introduce a new Data Retention Directive after the CJEU’s ruling, it has become clear that the plan is to leave it to Member States to muddle their own ways through this question.

After the recent terrorist attacks in Paris and Copenhagen Gabriel has shown little restraint on using just any event or argument to portray data retention as indispensable. This includes the claim that data retention was an important means for Norway to deal with right-wing terrorist Anders Breivik’s attacks in 2011. This seems weird as Norway didn’t have a law for data retention in 2011 and still doesn’t have one today. After making this claim twice and being challenged on this, the latest statement from the SPD is that Norway used the instrument without legal basis, with support from US secret services. So, allegedly Norway’s authorities have disregarded their own country’s law and relied on organisations known to operate without any regard for legal boundaries, whose methods may or may not fall under the European definition of telecommunications data retention. How this should make Europeans accept a surveillance instrument whose effectiveness is questionable and which clearly requires strict legal controls is hard to imagine, probably even for Gabriel himself.

Other examples of fact bending include a claim that the previous data retention law had been the work of a Christian Democrat-Liberal government, when in fact it was introduced in 2007 by a previous CDU–SPD “grand coalition” (in which Gabriel himself served as environment minister), and misrepresentations of the points were the Constitutional Court ruling of 2010 had found fault with that previous law.

Sigmar Gabriel has now made up his mind that the time has come to work on a new German data retention law and push it through the Bundestag. He has recently instructed SPD’s Heiko Maas, Minister of Justice, previously an outspoken sceptic of data retention, to come up with a draft law in cooperation with the Interior Minister, CDU’s Thomas de Maizière. Getting a majority in Parliament will not be a problem, given the coalition’s almost 80-percent majority of seats. But what the true motives are and how the measure could be seen as constitutional after the court rulings, remains a mystery.

Data retention is Norway must actually be called NSA (only in German, 20.03.2015)
https://netzpolitik.org/2015/journalisten-sind-keine-buerger-und-vorratsdatenspeicherung-in-norwegen-heisst-in-wahrheit-nsa/

SPD leader Sigmar Gabriel calls for data retention to be reintroduced (only in German, 15.03.2015)
https://netzpolitik.org/2015/spd-chef-sigmar-gabriel-fordert-wiedereinfuehrung-der-vorratsdatenspeicherung/

Sigmar Gabriel retains misapprehensions (only in German)
http://www.taz.de/!156871/

An almost impossible law (only in German, 23.03.2015)
http://www.zeit.de/digital/datenschutz/2015-03/vorratsdatenspeicherung-heiko-maas-sigmar-gabriel-gesetz

(Contribution by Sebastian Lisken, EDRi-member Digitalcourage, Germany)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

Denmark plans to preserve illegally collected medical data

By Guest author

In Denmark, a controversial plan to prevent illegally collected medical data from being deleted has become a hot topic for the government. The plan involves transferring the data to the National Archives, which has an exemption in the Danish data protection act.

Under the Danish health care act, general practitioners can transfer medical data to a third party without consent from the patients if it is done for limited groups of patients and if analysis of the data can be used to improve the treatment of patients. This provision was used to create a central database known as Danish General Practice Database (DAMD) with the Region of Southern Denmark as the data controller.

DAMD was limited to the diagnosis for diabetes at the outset in 2007, but within a couple of years, all ICPC diagnosis data from general practice was being transferred to DAMD. This is clearly illegal, since the data collection without consent is no longer done only for limited groups of patients.

In November 2014, the Danish Minister for Health and the Region of Southern Denmark finally admitted that most of the medical data in DAMD is collected illegally. The natural next step would have been to delete the illegally collected data, but the Minister for Health stated publicly that he would prefer that this does not happen.

Within a week of the comment by the Minister for Health, the Danish National Archives suddenly decided that DAMD is a unique database which should be preserved at the National Archives. The data protection act has an exemption for transfer of personal data to the Danish National Archive, so that this can be done without consent. Based on an administrative authority in the national archive law, the Danish National Archives instructed the Region of Southern Denmark to retain the illegally collected medical data until further notice.

Privacy activists, including EDRi-member IT-Pol Denmark, object to this blatant abuse of the national archive law to essentially whitewash an illegal data collection of highly sensitive medical data. The Ministry of Culture has the responsibility for the National Archives. After an initial promise to delete the illegally collected data by mid February 2015, the culture minister Marianne Jelved decided to preserve DAMD at the National Archives.

Together with this decision, the minister proposed an amendment to the archive law which blocks access to illegally collected medical data for up to 230 years. However, these restrictions can always be removed by another amendment in a couple of years (the amendment law must be revised after no more than five years). Moreover, no assessment has been made of the costs of storing the highly sensitive medical data securely for 230 years, so that it could be used for historical research starting in 2245.

While the Danish government and parliament consider the fate of the DAMD database, Danish citizens can use their right under the data protection act to demand that their own illegally collected data is deleted. However, the order from the Danish National Archives prevents the data controller from deleting the entire DAMD database.

On 18 March, the Ministry of Culture was forced to admit that the Danish National Archives have used an inappropriate administrative order for demanding that DAMD is preserved. The correct administrative order for records held by the Danish regions places DAMD in the category of records to be discarded when no longer needed. The Ministry of Culture apparently sees this as a minor problem which can be solved simply by issuing an amended administrative order which places DAMD in the preservation category. However, before the new administrative order can take effect, there must be a formal consultation period. The deadline for consultation responses is set at 27 March, and the new administrative order will take effect from 7 April.

On 19 March, the Region of Southern Denmark found out that there is currently no proper legal basis for demanding the preservation of DAMD by the National Archives, and decided that the entire database will be deleted. Rather than just doing it, the region sent a letter to the Ministry of Culture stating that DAMD will be deleted on 24 March at noon.

The Danish National Archives and the Ministry of Culture responded almost immediately to this “threat” of restoring the rule of law by deleting illegally collected medical data. On 20 March, the deadline for the consultation was moved forward to March 23 (giving one working day for consultation responses), and the new administrative order will take effect on March 24, just in time to prevent the planned deletion of the entire DAMD database.

The only public comment from the Minister of Culture on these absurd developments is that the illegally collected medical data must be preserved in order to document illegal acts in the public administration for future generations. This is a rather strange argument since the illegal data collection has been documented extensively in several reports from government agencies. Moreover, the proposed blocked access wouldn’t allow any exceptions for the first 120 years, and this would also prevent using the data to document the illegalities.

Who wins the race for deletion of our medical data in DAMD? DenFri (only in Danish, 22.03.2015)
https://www.denfri.dk/2015/03/kaploebet-om-sletning-af-damd/

Illegally collected health data will not be deleted under Danish law, Medium (15.12.2014)
https://medium.com/@chulu/illegally-collected-health-data-will-not-be-deleted-under-danish-law-e72d934f5124

Danish General Practice Database
http://www.dak-e.dk/flx/en/danish-general-practice-database/

The Danish National Archives (Rigsarkivet)
https://www.sa.dk/en/

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

Bad analogies and the threat to “cybersecurity”

By Guest author

In policy discussions about the online world a general pattern repeats: The online sphere is differentiated from its offline equivalent by adding the prefix “cyber”, giving it both immediacy and generating a fear of the unknown “cyberworld”. Then, in order to explain “cyberspace”, practitioners draw analogies between cyber and non-cyber, often being blissfully unaware of, or indifferent to, the invalidity of the comparisons.

Often, simplistic distinctions are made only to be “bridged” by means of equally simplistic – and politically expedient – analogies, leading to poor or even dangerous policies. Here we will focus on two clear examples stemming from recent news, namely Germany’s and Switzerland’s capability to hack computer systems and networks located abroad.

In Switzerland, the National Council, the higher chamber of the parliament and, in this case, the first to vote on the issue, has approved the plans of the defence minister that envisage an extensive broadening of the Federal Intelligence Service’s competences. Not only will the Service have increased surveillance capabilities – both concerning Swiss and foreign citizens – but it will also be given the option to attack foreign computer systems and networks.

The legislative proposal states the Swiss executive can in – undefined – “special circumstances and to preserve national interests” allow the Federal Intelligence Service to hack foreign systems. Defence Minister Ueli Maurer specifically mentioned economic espionage as one of the threats on which the service could act, hinting thus at a broad interpretation of “national interest”. What is more, such attacks can be undertaken not only to fulfil intelligence agencies’ classical goal of collecting information: they can also disrupt foreign systems if these are used to attack Swiss infrastructure. It is important to note that these decisions are not taken by the parliament but the executive, which can in “minor cases” (again lacking a clear definition) delegate decision-making power to the director of the federal intelligence service.

The analogy here runs of course between the standard “offline” field of operations in which national intelligence agencies have worked for years and the new field and threats they perceive in the digital world. Foreign spies in Switzerland could be stopped when they snooped on Switzerland’s soil, why not do the same online?

Well, for one these activities now require actively disrupting systems located abroad. What is more, the Swiss defence minister and parliament seem not to have paid sufficient attention to the fact that in the online sphere one cannot easily distinguish between acts perpetrated by states and those of private entities. The tools and methods used to compromise systems online are essentially the same for everyone, which makes it difficult to ascertain who did what. This can be observed after each major hacking incident, when conspiracy theories and (often false) accusations abound. What would for example happen if a functionary of a Swiss state institution by accident decided to disrupt the computer systems of an innocent state?

A similar case in Germany shows us something else – what is framed as active (counter-)intelligence work in the Swiss case can just as easily be defined as “cyberwarfare”. The German Federal Defence (“Bundeswehr”) has recently shed more light on its “Computer Network Operation” unit, which is developing its ability to wage war using the Internet. The unit has the stated goal of infiltrating, exploring, manipulating and destroying foreign networks – a scope of actions very similar to the Swiss case. However, unlike in Switzerland, it is Germany’s armed forces that act, and attacks are only allowed in a state of war and thus require a mandate by the German Bundestag.

The German government intends its “Computer Network Operation” unit to be able to act without ever making it known that the German army was behind the attacks. The argument here is that the identification requirement for soldiers only extends to the actual persons (“cyber soldiers” will have to wear official uniforms, too) but not to the technologies they use. Ground troops do not need to announce that it was them who shot a rocket, and thus Germany’s “cyber-troops” do not have to sign their hacks either.

The analogy of course conveniently forgets that military activities in the offline world cannot usually be confused with civilian activities, whereas the digital world makes it very difficult to distinguish the two. Consequently, retaliation might very likely strike the wrong target – either not the state that actually perpetrated the attack or possibly even a civilian actor.

The digital rights and hacker community has long criticised the obsession with “cyber” that many policy-makers seem to have fallen victim to or actively exploit. The fact that the same activity can be framed as either an intelligence operation or “cyberwarfare” in these examples shows the arbitrariness of the analogies that many policy-makers draw between the analogue and digital world.

More importantly, these analogies are also dangerous: An action by the Swiss Federal Intelligence Service might be interpreted as an act of war by a government looking at the same incident through a different prism. Adding to this the fact that perpetrators – and thus potential targets – cannot be easily identified, the danger to what is commonly called “cybersecurity” is clear indeed.

Secret service will be able to disrupt foreign computer networks (only in German, 17.03.2015)
http://www.nzz.ch/schweiz/nationalrat-stimmt-neuen-kompetenzen-fuer-nachrichtendienst-zu-1.18503896

Government proposes allowing army to hide their involvement in cyber attacks (only in German, 12.02.2015)
https://netzpolitik.org/2015/bundeswehr-darf-nach-ansicht-der-bundesregierung-bei-deutschen-cyberangriffen-deren-herkunft-verschleiern/

Swiss secret service should protect the financial market like a “Mini-NSA” (only in German, 18.03.2015)
http://www.heise.de/newsticker/meldung/Schweizer-Geheimdienst-soll-als-Mini-NSA-den-Finanzplatz-schuetzen-2577997.html

(Contribution by Julian Hauser, EDRi intern)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

Parliament’s work on copyright enforcement – not worth copying

By Joe McNamee

The European Parliament’s Committee on Culture and Education (CULT) adopted an Opinion on Intellectual Property Rights (IPR) enforcement, in response to the European Commission’s Communication entitled “Towards a renewed consensus on the enforcement of Intellectual Property Rights: an EU Action Plan”.

It starts by offering support for “the” “follow the money” approach. The only problem here is that there is no “the” follow the money approach. The Commission’s Communication does not describe it, referring instead to “a” follow the money approach, that could be used to deprive “commercial scale” infringers of revenue streams. This might be an expansion of the US model, where US companies like Visa, MasterCard, PayPal and Google (who have been lobbying extensively for this) would act as a world police, removing services from companies around the world that are accused of breaching US copyright or trademark law. It might also be a rule-of-law based approach, whereby European courts could apply orders requiring payment or advertising services to withdraw payments on a case-by-case basis. It is not clear whether the Culture Committee does not know or does not care that “the” approach it supports does not exist, or could mean so many different things.

The report then goes on to mash together two different studies – one on “IP intensive industries”, whose methodology has been comprehensively shown to be inadequate, and one on “cultural and creative sectors” which is widely quoted but rarely referenced, either on the Commission or Parliament websites. Also its methodology and assumptions have shown to be dubious.

Worries are also expressed about the physical dangers of digital infringements, with Parliamentarians concerned about the potential health and safety risks associated with commercial scale IPR infringements, particularly among the younger generations growing up in the digital era.

The Opinion also places huge hope in private companies suddenly deciding that they are motivated, without any possible anti-competitive reasons, to enforce IPR. The Committee supports the Commission’s call for “due diligence” in the supply chain. The issue of privatised law enforcement is so simple in the eyes of the Committee that this can be described in one sentence. The approach covers the supply of physical goods and of digital goods and in every part of the supply chain, including internet companies and even end users. This approach is so enthusiastically supported that, having demanded this once, the Opinion then demands it again, in the context of voluntary “self-regulation” of everyone, including end users.

It seems just a little fanciful that ordinary citizens (“end users”) will develop “due diligence” and “self-regulatory” mechanisms. It seems equally fanciful that private companies will spontaneously do this in a way which is simultaneously proportionate, competitively neutral, not counterproductive and effective – and that this unlikely coincidence is going to remain stable in a digital environment which is constantly changing.

Finally, the Opinion does recognise the dangers of excessive IP enforcement measures and calls for remedies to be put in place for “platforms that are adversely affected by any measures”. Citizens that are adversely affected are, however, not mentioned.

The Opinion was adopted with 20 votes in favour, 9 against and two abstentions.

Opinion of the Committee on Culture and Education on “Towards a renewed consensus on the enforcement of Intellectual Property Rights: an EU action plan” (2014/2151(INI)(05.03.2015)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-544.344%2b02%2bDOC%2bPDF%2bV0%2f%2fEN

IPR intensive industries: Contribution to economic performance and employment in the EU, Industry-level analysis report, September 2013
http://ec.europa.eu/internal_market/intellectual-property/docs/joint-report-epo-ohim-final-version_en.pdf

EPO and OHIM publish misleading report on intellectual property rights intensive industries in EU economy (01.10.2013)
http://keionline.org/node/1803

Building a digital economy: The importance of saving jobs in the EU’s creative industries, March 2010
http://www.teraconsultants.fr/medias/uploads/pdf/Publications/2010/2010-Mars-Etude-Piratage-TERA-full-report-En.pdf

A note on TERA’s “The economic contribution of the creative industries to EU GDP and employment” (23.10.2014)
http://infojustice.org/archives/33488#more-33488

(Contribution by Joe McNamee, EDRi)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

The evolution of the concept of privacy

By Guest author

In 1776, John Adams wrote that it had been the British right to search houses without justification that sparked the fight for independence. In other words, John Adams thought that it had been an unjustified violation of privacy that had kindled one of history’s most noteworthy revolutions.

More than two centuries later, those unruly colonies – now the United States of America – see themselves once again at the centre of a debate on privacy. Many of the world’s most data-intensive companies hail from the US – and are criticised for what is perceived to be an excessive accumulation and use of their users’ personal data. Piled on top of this, we know, as a result of Edward Snowden’s revelations, that the National Security Agency (NSA) of the United States has been at the forefront of a group of intelligence agencies that have been using that and other data to build massive databases containing information on millions of people living everywhere that today’s information and computer technologies reach.

Throughout modern history, from searches without just cause to big data and mass surveillance, , the notion of privacy has surfaced time and again. However, while the word has remained the same, its meaning never stopped evolving. We must be aware of that development if we are to effectively deal with future challenges, in particular the pressing issue of the regulation of the collection, access, and use of personal information both by private and public actors.

What John Adams deemed unacceptable was the groundless intrusion into people’s private sphere. It was his fellow Americans, Louis Brandeis – later a Supreme Court Judge – and Samuel Warren, who would put this conception of privacy most succinctly: Privacy is the right to “being let alone”. On this understanding, privacy is something that you have as long as people, organisations or institutions are denied access to you. However, this notion, inspired mainly by the idea of physical boundaries, sees itself confronted with insuperable difficulties in an age where the debate’s focus lies squarely on informational privacy.

The internet is one of the areas in which informational privacy, the protection of personal information, has become crucial. Internet users do not want to be left alone; they want to partake in the offerings of the internet and participate in what has become one of their most important social spheres. Privacy concerns are nowadays focused to a large extent on the information we share or generate on the internet, often publicly, rather than what we wish to conceal within the private confines of our homes.

The notion of privacy has adapted to those changing circumstances and today the focus lies mainly on users’ control of their personal data. This concept forms the foundation of many political arguments; the “right to be forgotten”, “notice and consent” systems and transparency requirements all aspire to give users control. While control is important, the evolution of technology already strains the ability of users to meaningfully control their personal data by means of informed choices. In fact, this notion’s capacity to protect people’s fundamental interests is failing even before the relevant policies have seen widespread adoption.

A first problem is that people are so overloaded by requests to consent to the use of their data that informed choice becomes illusory. If people want to engage in the cultural and social life offered in the digital sphere, they will not be able to assess all the terms of services and privacy notices they see themselves confronted with. And opting-out of the internet can no longer be called a real option. Secondly, privacy is no longer a purely personal matter. The information we choose to share or allow to be gathered affects not only our own privacy but also the privacy of all those we interact with.

The complementary limitation theory of privacy could help bridge some of these difficulties. According to this notion, a person has privacy when access to personal information is limited in certain contexts. While we can only have limited control as to how some of our personal information is used, there should be limits as to who can use information gathered in a certain context. In the age of big data, and even more so in the future of the Internet of Things, this notion is poised to become all the more important. Many users feel very uneasy if the information collected by, for instance, their car or metro card is used to target them with advertisements the next time they visit an online retailer. This phenomenon is taken to another level with “profiling”, the use of your data to guess about aspects of your personality, generating insights into your personality and habits that you may not even know are possible. To the extent that more and more spheres of people’s lives will generate digital personal data, separation of those spheres will become more and more important.

While helpful in resolving some of the problems associated with the regulation of privacy, the limitation concept of privacy brings with it its own host of difficulties. There is for example the argument that privacy is essential for freedom and autonomy. Would Darwin or Copernicus have been able to make their ground-breaking and controversial discoveries if the prevailing powers at the time had more insight into their activities? Probably not. However, if consent cannot be the only principle governing privacy matters, then mandatory privacy standards seem unavoidable. It is then essential to ensure that the privacy standards serve to guarantee freedom and autonomy rather than unduly restricting it.

While today’s citizens’ worries about privacy are very different from John Adams’, their concerns are legitimate. These worries must be taken into account when designing the rules that should regulate the use of personal data in the digital world. And one thing is certain: An adequate concept of privacy is essential for a good regulation of personal data. The tasks before us are not simple, but they cannot be escaped and become more pressing with each passing day.

Originally published in the Synergy Magazine:
The evolution of the concept of privacy: From the American revolution, to big data and the Internet of Things
http://issuu.com/vpmarketing/docs/synergy_57_online_5e0911c1a89c2a/21?e=2936111/12021429

Sources:
Warren, Samuel D., and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review 4, no. 5 (December 15, 1890): 193–220.

Adams, John, Charles Francis Adams, and John Adams. Letters of John Adams, Addressed to His Wife. Boston, C.C. Little and J. Brown, 1848. 338.

Cohen, Julie E. “What Privacy Is For.” Harvard Law Review 126 (2013): 1904–33.

Tavani, Herman T. “Philosophical Theories of Privacy: Implications for an Adequate Online Privacy Policy.” Metaphilosophy 38, no. 1 (2007): 1–22.

(Contribution by Julian Hauser, EDRi intern)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

EDRi joins the Document Freedom Day

By Kirsten Fiedler

Today, we are celebrating the Document Freedom Day to raise awareness for Open Standards. Open Standards allow us to share all kinds of data freely. They ensure availability, transparency and interoperability of software and document formats – and prevent us from being locked in to using a particular software or service.

We believe that the European Commission should lead by example – unfortunately in many communications that citizens have with the institutions this is not yet the case. We have therefore joined an open letter to the European Commission to request that it maximise inclusiveness and engagement through the use of Open Standards. Here is our joint letter (pdf) to the Commission:

opendocday

Today is Document Freedom Day, the international day to celebrate and raise awareness of Open Standards. On this occasion, we would like to reflect on the importance for public institutions in general, and for the European Commission in particular, considering its leadership role, of using Open Standards in all their digital communication and services.

Open Standards are formats and protocols which everybody can use free of charge and restriction and for which no specific software from a particular vendor is required. They are essential for interoperability and freedom of choice based on the merits of different software applications. For a public institution such as the European Commission, this is especially important because every EU citizen and company should have the right to communicate and interact with its administration using Open Standards exclusively, and not be forced to install and use software from any specific vendor. That is why we take this opportunity of Document Freedom Day, to voice our concerns on the improper use of standards in the context of applying for EU programmes.

Nowadays, when applying for most EU programmes, applicants are typically required to fill in PDF forms that use elements only implemented in proprietary software from a particular vendor (Adobe), software that is currently not available on all platforms. This is a problem for many applicants who end up bereft of choice or excluded from the process altogether. It does not have to be this way, when a number of efficient alternatives exist that are entirely based on Open Standards. Generally, we would advise against the use of PDF for online forms, and would instead recommend solutions based Open Web Standards like HTML5 and XForms. With this joint statement, we call on the European Commission to address this situation and ensure that all interactions with the public can be performed entirely using Open Standards, thereby ensuring maximum inclusiveness and freedom of choice for all European citizens. »

Signatories:
Jean-Christophe Becquet
President
April

Karsten Gerlof
President
Free Software Foundation Europe (FSFE)

Andreas Krisch
President
European Digital Rights (EDRi)

Graham Taylor
CEO
OpenForum Europe (OFE)

Peter Ganten
Chairman of the board
Open Source Business Alliance (OSBA)

close