30 Sep 2015

Civil rights groups condemn draft mass surveillance bill to be adopted in France

By Kirsten Fiedler

Today EDRi, together with 30 civil rights groups, sent the following letter to French parliamentarians to condemn a draft mass surveillance bill which is scheduled to be adopted on 1 October. You can download the letter in English (pdf) and in French (pdf). If your organisation wishes to sign, please contact us at brussels(at)edri.org.

Dear Member of the Assemblée Nationale,

The undersigned civil and human rights organisations call on French parliamentarians to reject the draft law on surveillance measures for international electronic communications (“Proposition de loi relative aux mesures de surveillance des communications électroniques internationales”). The bill fails to defend and protect the right to privacy of individuals worldwide.

With this new bill, parliament is about to approve new disproportionate surveillance measures to monitor international communications. Based on the principle of massive collections of data, the bill seeks to legitimise the civil and human rights abuses revealed by Edward Snowden about the practice of intelligence agencies such as the ones in the US and the UK. As a crucial part of the global Internet traffic goes through French submarine cables, this law would put France in the list of countries with sweeping surveillance capabilities. This bill follows from the Surveillance Law passed in June, which allows the French government, among other measures, to monitor people’s phone calls and emails without judicial approval; and to install black boxes on internet service providers’ infrastructure to collect metadata on millions of innocent individuals. Earlier this year, the French Constitutional Council struck down one of the provisions of the Surveillance bill, and the new proposal seeks to re-authorise the international surveillance programme impacted. The draft law will be voted on 1 October by the French National Assembly.

In particular, we are deeply concerned that

  • the bill would allow for indiscriminate mass surveillance of millions of people in France and abroad;
  • independent oversight and control mechanisms are completely lacking. The massive data collection scheme would be conducted under the sole authority of the French Prime Minister, with only ex post control from the oversight authority. This does not sufficiently guarantee the protection of privacy and the respect for rights and freedoms;
  • clearly excessive and unjustified retention periods for data (content for one year, metadata for six years, encrypted content for eight years) are foreseen, in contradiction with the principles laid out by the Court of Justice of the European Union (CJEU) in its ruling on 8 April 2014 invalidating the Data Retention Directive;
  • the justification of the measures is so broad as to be meaningless, such as the defence of “major interests of foreign policy” and “major economic and scientific interests of France”;
  • the broad language leaves room for the future use of undefined surveillance technologies which could lead to an extension of the scope of the bill without any involvement of democratic institutions;
  • only lawyers, journalists, representatives and magistrates established in France would theoretically be granted some form of protection, although, for instance, the private or professional nature of their communications can only be established during the data processing, and in any event the law does not protect them against bulk collection and exploitation of their communications.

We, the undersigned organisations, urge the French Parliament to reject this international surveillance bill and protect the rights of individuals all around the world. The principle of universality of rights is a fundamental principle, especially in the European Union. We call on you to strengthen civil liberties and human rights safeguards for all and reject this proposal. Thank you.


European Digital Rights (EDRi)
Electronic Frontier Foundation (EFF)
Chaos Computer Club (CCC)
Article 19
Code Red
Web We Want Foundation
Electronic Frontier Finland (EFFI)
AKVorrat.at (Working Group on Data Retention Austria)
Initiative für Netzfreiheit
Icelandic Modern Media Initiative (IMMI)
Global Voices
Amnesty International
Pen International
Digital Rights Foundation
Australian Privacy Foundation
CPJ (Committee to Protect Journalists)
Digitale Gesellschaft e. V.
Bits of Freedom
IT-Political Association
Panoptykon Foundation
Association for Progressive Communications
Privacy International
Reporters sans frontières (Reporter Without Borders)
Alternative Informatics Association
ACI-Participa (Honduras)


23 Sep 2015

AVG starts selling personal data to third parties

By Guest author

The Czech Republic-based security software vendor AVG Technologies recently updated its privacy policy. The objective of the changes, according to the company, was to explain in a more transparent manner to its users how it intends to use what it calls “non-personal information”. The new privacy policy will take effect on 15 October 2015.

The company defines “non-personal data” as data that cannot be linked to the identity of users in any way. The new privacy policy explains that the company might collect and sell this information to third parties, to allow its anti-virus product to stay free of charge to the users. AVG also notes that it might anonymise and aggregate data that could otherwise identify individual users. The text assures that the company does not sell or rent its clients’ personal data to third parties, but the next paragraph warns that certain personal data may be shared with any of its “affiliated AVG companies, search providers, selected AVG resellers, distributors and other partners”.


For the end user, the changes are not significant compared with the previous version of AVG’s privacy policy, which stated that the company could collect data on “the words you search”, but did not make it clear whether browser history data could also be collected and sold to third parties.

The reactions to the new privacy policy are diverse. Data protection and IT law expert Orla Lynskey from the London School of Economics welcomed the improved wording, but said that users can be justifiably concerned by the implications for their privacy. “Its privacy policy is written in clear and simple language,” she said, adding that users might expect an anti-virus provider to be “more respectful” of their privacy and data security. Alexander Hanff, security expert and chief executive of Think Privacy, stated that AVG’s potential ability to collect and sell browser and search history data places the company “squarely into the category of spyware”.

AVG’s new privacy policy is on the one hand more transparent than its previous ones that intentionally blurred the line between collecting data for malware tracking and using it for profit, which can be considered as a step in the right direction. On the other hand, by making its privacy policy easier to understand, the company shows more openly how it is collecting and re-selling the data – which is an activity that many would consider unethical for a security software company with elevated privileges to the personal and “non-personal” data of its clients.

AVG Privacy Policy

AVG can sell your browsing and search history to advertisers (18.09.2015)

AVG’s new privacy policy is uncomfortably honest about tracking users (17.09.2015)

Is AVG planning to sell user data to advertisers following privacy policy change? (17.09.2015)

(Contribution by Pierre Christopher, EDRi intern)



23 Sep 2015

Germany dreams of security: An ID for every “thing” connected

By Kirsten Fiedler

New infrastructures often resemble untapped oil sources – everyone tries to get in as early as possible in order to grab the biggest share. The German newspaper Die Zeit Online revealed in September that a chip manufacturer has apparently been going to great lengths to ensure a large share of the growing market of the “Internet of things”.

The Dutch company NXP lobbied the German Ministry for Economic Affairs to push for the introduction of unique identifiers for every “thing” connected to the Internet. NXP is one of Europe’s biggest semiconductor manufacturers and specialises in the production of identification hardware, such as security chips that are used in electronic ID cards and passports. In the market for chips, this is rather a tiny part – but Die Zeit suspects that the company now wants to use its lobbying skills to grow this market and to conquer it.


According to an investigation conducted by the newspaper, the German Ministry for Economic Affairs was already on course to transform the Internet of Things into a big surveillance infrastructure. The idea of the manufacturer is that every “thing” that is connected to the internet, such as fridges, central heating systems, laptops, cars etc., should be equipped with a chip that makes it uniquely identifiable. This would then function as some sort of digital ID card for every single device connected to the Net.

A draft “identity security law” is supposed to provide the legal framework in the country for this infrastructure. Currently, the details only exist in the form of a “key issues paper”, a type of document which often serves as a basis for draft laws. Die Zeit’s article seems to be based on this 15-page internal paper called “identity security law for the Internet of Things”.

The newspaper also reports on a meeting between the Minister of the Economy, Sigmar Gabriel, and representatives of NXP. During the meeting, Gabriel was successfully convinced to support the measure. The key issues paper drafted by NXP was then circulated internally in the Ministry and in other companies for discussion.

The paper was criticised by civil society, opposition parties and industry representatives. Harald Summa, head of the Association of the German Internet Industry eco, stated that the chip would be a huge barrier to innovation and counter-productive for Germany’s information technologies future.

Frank Rieger, spokesperson of the German EDRi member Chaos Computer Club, stated:

The text attempts to use the security problem of some components of the internet of things as a springboard for a universal governmental device ID, which would be a surveillance nightmare. Moreover, this does not fix the actual problem: the software of the devices on the internet of things is as poor as in our computers and cell phones. One should start here in order to change market dynamics to increase security.

Zeit Online, An ID card for every toaster? (only in German, 17.09.2015)

(Contribution by Kirsten Fiedler, EDRi)



23 Sep 2015

Safe Harbor: European Court Advocate General says Agreement should be declared invalid

By Heini Järvinen

This morning, the Advocate General of the Court of Justice of the European Union (CJEU), in his Opinion on the “Safe Harbor” Agreement with the United States, advised the Court to declare the entire Agreement invalid. The catalyst for the case was the mass surveillance practices of the United States.

Sixteen years ago, the EU and US concluded an agreement to allow personal data to be transferred into the US jurisdiction, which does not have comprehensive privacy laws. Literally from day one, it was quite clear that the agreement was unlikely to succeed. Now, after fifteen years of criticism from academics, from privacy advocates and from independent studies, the Advocate General of the European Court of Justice has confirmed what we already knew – the Agreement should be declared invalid. The Agreement has been kept alive by the European Commission’s refusal to accept the ever-growing mountain of evidence of the inadequacy of the Agreement.

“If confirmed by the full Court, this is a very important step for the right to privacy in Europe,” said Joe McNamee, Executive Director of European Digital Rights. “What happens next is crucial. It must never again happen, like in this case, like in the case of the Data Retention Directive, that obduracy from the Commission can keep agreements or laws in force that are patently illegal.”

We now await the ruling of the full Court, which we fully expect to uphold the opinion of the Advocate General.

Read more:

Press Release from the CJEU: http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf

Full text of the Opinion:

FAQ – Safe Harbor

1) What is the Safe Harbor agreement?

Under EU data protection legislation, personal data can only be transmitted outside the EU under a number of specific circumstances. One of these is a recognition of adequate data protection rules in the country where the data is being sent.

Due to the fragmented, inadequate approach to data protection in the US, a specific arrangement, called “Safe Harbor” was designed to create a framework for transfer of data to the United States. This was adopted in 2000.

There have long been serious concerns about the real protection that Safe Harbour actually provided. For example the 2008 study by Galexa called “The US Safe Harbor – Fact or Fiction” identified numerous problems. Implementation reports demanded by a sceptical European Parliament also resulted in reports from the European Commission that pointed to problems, but refused to recognise the scale of the instrument’s problems.

2) Why is it suddenly a problem now?

Under the current framework of EU data protection law (Directive 95/46/EC), transfers of personal data need to ensure “an adequate level of protection”. Given the revelations exposed by Edward Snowden on the mass surveillance activities performed by the US National Security Agency (NSA), serious concerns were raised about how the Safe Harbour agreement provides the adequate level of protection for European data. In particular, the surveillance under the NSA’s PRISM programme, facilitated by mass exports of data, raises serious concerns.

During questioning in the hearing in the Court, the European Commission representative reportedly admitted that adequate protection is not offered by the agreement.

3) What happens if it is revoked by the Court of Justice?

There are other options for legal transfer of data outside the EU. While some industry representatives claim that suspension of the agreement would be hugely costly from an economic perspective, this is not the case.

4) What has the Advocate General said today? Is this already a “decision” or a “judgement”?

The Advocate General’s role is to advise the Court on what it should do. In most cases the Court (which will make a final decision shortly) follows the Opinion of the Advocate General. So, today’s announcement is not the final ruling.

In his opinion, the Advocate General stated that if a Data Protection authority considers there is not enough protection in a given country, the national authority needs to have the “power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision”. He also added that the US practices allow for “large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection” and that this lack of judicial protection is a disproportionate interference with the right of EU citizens to an effective remedy, protected by the EU Charter of Fundamental Rights.


09 Sep 2015

Romania: After PNR, a proposal for retention of tourist data

By Guest author

On 15 July 2015, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament narrowly voted in favour of the EU Passenger Name Record (PNR) Directive proposal (32 in favour, 26 against, no abstentions), a mass surveillance measure to collect and process air traveller data for profiling purposes. This came after the rejection of a previous PNR proposal by the LIBE Committee in 2013 and the subsequent abandonment of that proposal in 2014.

Even so, in a worst case scenario of having the PNR Directive proposal fast-tracked through the legislative procedure, like the Data Retention Directive of 2006, it would still take some six months for the proposal to go through all the steps before becoming European law.

Roughly at the same time, the Romanian Government was having far fewer qualms about PNR than the European Parliament and its Committees. On 13 July 2015, the draft law “Government Statute no. 13” was silently adopted, thus creating a Romanian PNR system. No public debate was conducted, and the impact of the new law on fundamental rights was not assessed.

On 5 August 2015, another proposal for a governmental decision was published, mandating the implementation of a PNR-like system for people staying at any hotel, hostel or guest house in Romania. This means that personal identification data of everyone who is renting a room in Romania is entered by a hotel employee in a centralised computer system called “Integrated Tourist Record Computer System” (SIET). The system would be hosted and run by Special Telecommunications Service (STS), which is a militarised intelligence agency with almost no civilian oversight.

Access to the tourist data gathered and stored within this system raises even more questions. The purpose of the system is, ostensibly, to gather and analyse tourist data to improve the quality of the Romanian tourism industry. However, while the tourism industry is only going to get access to statistical data, various law enforcement organisations of the Internal Affairs Ministry (MAI) will have unrestricted access to all data based simply on an agreement between them and the STS.

The proposal’s authors and supporters justify the measure by explaining that it just brings in a computer system to do what was already being done with pen and paper. Romania is still using a system from the communist times, where all tourists who book a room at a hotel or hotel-like establishment are being asked for identification as a mandatory precondition for their stay. The personal data collected by the hotel is being forwarded on a daily basis to the local police station.

On 26 August, at EDRi member ApTI’s request, the Romanian Economy, Commerce and Tourism Ministry (MECT) organised a public debate about SIET. Unfortunately, any attempt to debate the issues of SIET on the basis of its impact on fundamental rights is futile.

EU PNR document pool (27.07.2015)

Statute no. 13/2015 regarding the use of some data from the passenger name registers for cross-border cooperation in order to prevent and combat terrorism, terrorism-related infractions and infractions against national security, as well as preventing and removing threats to national security (only in Romanian, 13.07.2015)

Government Decision for the adoption of the Integrated Tourist Record Computer System and the Norms regarding the access, record keeping and protection of tourists in establishments with accommodation facilities (only in Romanian)

Do you want the Police to know where you go on vacation? Join the public debate about the Integrated Tourist Record Computer System (SIET) (only in Romanian, 20.08.2015)

How we found out that we’ll all have “a chip under our skin” at the public debate about SIET (only in Romanian, 03.09.2015)

(Contribution by Matei Vasile, EDRi member ApTI, Romania)



08 Sep 2015

Privacy Café 2.0: Improving the security of online communications

By Kirsten Fiedler

In order to repeat the success of our previous Privacy Café in the European Parliament, we are organising another training session on how to protect communications and privacy online. The event will provide basic hands-on guidance for increased online privacy for Members of the European Parliament, their assistants and Parliament staff. Since it is a hands-on session for beginners and experts alike, participants are asked to bring their devices (smartphones, laptops, tablets etc).


What: Privacy Café
When: 17 September 2015, 6pm
Where: Room ASP05E1, European Parliament
RSVP: kirsten.fiedler[at]edri.org

The Snowden revelations of massive intrusions into Parliament infrastructures should have led to better security. They didn’t. More than two years after the first publications, Parliamentarians are still not able to receive or send encrypted communications, to enhance security when browsing the internet or to use privacy-friendly messaging and calling solutions. The event will also emphasise that learning personal security is just a small link of a bigger chain – we also need strong privacy protections for all.

The “Privacy Café” is co-organised by three civil society organisations, EDRi, Access and the Flemish League for Human Rights.


01 Sep 2015

EDRi launches a campaign for online privacy for kids

By Heini Järvinen


Today, we launched a crowdfunding campaign to create a textbook to raise awareness among kids for the protection of their privacy online.

“We want to teach children what they need to consider to protect themselves online,” said Kirsten Fiedler, Managing Director of European Digital Rights. “The goal is to create material, translated into as many languages as possible, that can be used in schools, at home and elsewhere.”

The internet offers children tremendous opportunities to learn and to explore new ideas. However, younger internet users often possess insufficient knowledge of how their reputations can be affected by their interactions online. Sometimes it is not easy to tell who someone really is online, and there are many reasons for which businesses might try to get personal information about kids or their families. Parents and teachers cannot always be on hand, which is why it is important to empower kids to also protect their own online privacy.

The campaign will continue until 15 September, and if it reaches its target of 5000 euro, a textbook to explain how the internet works, with practical examples, exercises and sample lessons, will be published, translated, and distributed around Europe.

You can find the campaign here:


05 Aug 2015

Our internships at EDRi: We made digital rights matter

By Guest author

During the last couple of months, as EDRi’s interns, through advocacy, campaigning and reporting, we were given a unique opportunity to challenge threats to fundamental rights posed in the context of net neutrality, privacy, personal data and copyright. It was a fruitful and rewarding experience that allowed us to put our theoretical skills into practice while promoting human values of freedom and dignity in the online world.

Here is a short summary of our wonderful journey at EDRi:


During my internship, I had the opportunity to work closely on three currently “hot issues”: data protection, copyright and Passenger Name Record (PNR). Since my arrival at EDRi, I was following the activities concerning these subjects and gained a lot of insight by participating in meetings, conferences and events, reading and analysing documents, as well as monitoring the work progress of three main EU institutions: the European Parliament, the European Commission and the Council of the European Union.

Thanks to the fact that I was following the Data protection reform developments, I have learnt what is behind the mystery known as “trialogue” and how it functions. The European Parliament’s early steps in reforming and modernising copyright were a great chance to see how the work of the Members of the European Parliament (MEPs) evolves and how a document can significantly change from the first draft to the final vote in plenary.

Some of the moments I enjoyed the most were visiting the European Parliament, the Commission and the Council for the first time, listening to different perspectives and interesting debates at the events I attended, contacting and meeting Permanent Representations of the EU Member States, analysing the Data retention legislation in Member States, and learning about encryption and basic tools which can protect my privacy online.

All in all, my time at EDRi has helped me enrich my understanding of the European institutions and their work significantly. Participating in the whole process was extremely beneficial to see and understand how the legislation is made at the EU level and how civil society can influence and be part of this process. I have also realised that advocating for citizens’ rights can sometimes be overwhelming and seem pointless, like in the case of the recently adopted EU PNR proposal. However, analysing Marietje Schaake’s Opinion on human rights in third countries, where the suggestions from EDRi were adopted by the Parliament, assured me that organisations like EDRi definitely play an important role in changing the future into a better one.


During my experience at EDRi, I mainly worked on the Telecom Single Market (TSM) package and on trade agreements. To be honest, I didn’t expect trade agreements to be that relevant to digital rights. Indeed, it was very challenging and interesting to deal with trade law and try to understand how a new generation of free trade agreements could affect fundamental rights such as privacy and data protection, which seemed to be completely unrelated to trade issues at first sight.

During these last months, I had the opportunity to follow the legislative procedure of the European Parliament’s own-initiative report on the Transatlantic Trade and Investment Partnership (TTIP). I participated in a whole range of advocacy activities, like contacting MEPs’ offices to arrange meetings and participating in these meetings, assisting in the analysis of amendments, contacting Committee secretariats to get information on the legislative procedure, preparing documents for internal use and helping to draft documents and analyses. In this context, it was particularly challenging and gratifying to take part in writing the “TTIP and Digital Rights” booklet (pdf).

Along with the internal work of the association, the experience at EDRi also gave me the opportunity to participate in several external meetings. Particularly as regards TTIP, I took part in events organised by stakeholders and think tanks, civil society meetings and events organised by the European Commission.

Concerning the Telecoms Single Market (TSM) which is crucial for a potential legal safeguard of net neutrality, my internship gave me the opportunity to understand how important it is to have early contacts with MEPs and keep them informed with position papers and analyses on your positions. Following the TSM trialogue was fundamental to understand how the European institutions work in practice. Only knowing the ordinary legislative procedure can be useless in Brussels because informal meetings can deeply affect how policies are made. Besides the ups and downs of the trialogue negotiations, it was very thrilling and instructive to be involved in the net neutrality “fight”. On some days, this file taught me how institutions can be obscure, producing text that makes it difficult to orientate yourself in the details of legislation. On other days, it was great to see the results of our work, and to see how civil society associations like EDRi can make a difference at EU level.


Unfortunately, our joyful ride of protecting digital freedoms at EDRi has come to its last stop. It is time to take our suitcases, fully packed with new skills and knowledge, as well as our bursting confidence and even stronger determination to advocate for digital rights, and head off to a new destination where we can put into practice all the knowledge we gained here.

Last, but certainly not least, we want to thank the EDRi Brussels team for being our amazing guides on this journey, supporting us and making us smile even on a grey, cloudy Brussels day.

Off to some new and exciting adventures!

(Contribution by Morana Perušić and Aldo Sghirinzetti, EDRi interns)


31 Jul 2015

Leaked documents: German news site Netzpolitik.org investigated for treason

By Kirsten Fiedler

If it were up to the Federal Attorney General and the President of the German Domestic Security Agency, two reporters of Netzpolitik.org, a German digital rights blog, would soon be in prison for at least two years. Yesterday, the news blog was officially informed about investigations against the editors Markus Beckedahl and Andre Meister. The accusation: Treason under Section 94 of the German Criminal Code:

Whosoever […] allows a state secret to come to the attention of an unauthorised person or to become known to the public in order to prejudice the Federal Republic of Germany or benefit a foreign power and thereby creates a danger of serious prejudice to the external security of the Federal Republic of Germany, shall be liable to imprisonment of not less than one year.

Until this week, the news site was treated merely as a witness in a case following the publication of documents that revealed a €2.75m project for processing massive online datasets as well as plans for a 75-man unit in the German secret service to monitor Twitter, Facebook chats and other communications. Now, however, two authors are accused of treason as “joint principals”.

Markus Beckedahl, the editor-in-chief of Netzpolitik told EDRi:

We see this as an attack on press freedom. This is clearly an attempt at intimidation against us, other journalists and whistleblowers in order to prevent revelations on how deep the German government and intelligence agencies are involved with the US National Security Agency (NSA).

The last charges of treason against German journalists date back to the Spiegel scandal in 1962. Such investigations of a news site appear to be in breach of the reasoning in the ruling of the German Constitutional Court in the Cicero case in 2007.

Read the original German letter of the Federal Attorney General in full text.

Leaked documents (in German) of the Netzpolitik.org articles, February and April 2015: Haushaltsplan (pdf) and Einrichtung Referatsgruppe “Erweiterte Fachunterstützung Internet” im BfV (pdf)


22 Jul 2015

EU Commission – finally – confirms that its promise on data protection will be respected

By Joe McNamee

Last April, EDRi, supported by sixty-five other NGOs from the European Union, North, Central and South America, Africa, Asia and Australia, sent a letter (PDF) to the European Commission. The letter asked if the Commission would respect the “absolute red line” that the protection levels in the 1995 Data Protection Directive would be maintained.

This commitment is now critically important, as the EU institutions are currently involved in “trialogue discussions” (infographic), which are expected to finalise the data protection reform process started five years ago with a Commission Communication. A clear position from the leadership of the Commission on the protection of existing standards is crucial to ensure that some of the more extremist policies (PDF) proposed by some Member States can be definitively taken off the table, for the benefit of the coherence, trust and credibility that all stakeholders need from the final Regulation and Directive.

Today, we received a positive answer (PDF) from the European Commission, confirming that it will honour the commitment to respect the levels of protection set in Directive 95/46/EC:

The Commission has been and will continue to be true to this commitment.

Ahead of the next trialogue meetings starting again in September, this commitment sets important boundaries on what is, and what is not, acceptable as this process moves forwards.

All actors involved in these negotiations need to avoid being distracted by siren calls from a small number of private actors who, as they historically always do, mistake good regulation for constraints on business. As Paul Nemitz, Director for Fundamental rights and Union citizenship in the Directorate-General for Justice of the European Commission, explained to the Wall Street Journal: “The path toward trust through high levels of protection is good for the economy, good for growth and employment.”

Read the Commission’s response: