15 Nov 2017

High time: Policy makers increasingly embrace encryption

By Bits of Freedom

Encryption is of critical importance to our democracy and rule of law. Nevertheless, politicians frequently advocate for weakening this technology. Slowly but surely, however, policy makers seem to be starting to embrace it.


Encryption is essential for the protection of our digital infrastructure and enables us to safely use the internet – without it, our online environment would be a more dangerous one. Thanks to encryption, companies can better protect our personal data online and internet users can safely communicate and exchange information. This makes encryption of the utmost importance not only for our democratic liberties, but also for innovation and economic growth.

Our governments should therefore stimulate the development and implementation of encryption, more than they currently do. It is without doubt undesirable when governments force companies to create backdoors in their encryption technologies, or to incorporate other ways of weakening it. Policy makers generally grapple with this position though, as they face pressure from police and security services.

Fortunately, in 2016, the Dutch government came to the same conclusion. It rightfully determined that “cryptography plays a key role in the technological security of the digital domain”. It further stated that there were “no viable options to weaken encryption technology in general without compromising the safety of digital systems that utilise it”. Put differently, creating a backdoor for the police also creates a backdoor for criminals. Because of this, the Dutch cabinet argues that it is “undesirable to implement legislative measures that would hamper the development, availability and use of encryption in the Netherlands”.

Then again, the Netherlands is only a small country and much of its legislation is determined by the decisions made at the European level. It is therefore heartening to see that the European Parliament passed a resolution in early November 2017, calling on the European Commission and the member states to “enhance security measures, such as encryption and other technologies, to further strengthen security and privacy”. The Parliament also explicitly asked EU Member States to refrain from “enforcing measures that may weaken the networks or services that encryption providers offer, such as creating or encouraging ‘backdoors’”.

The European Commission has also spoken out on the issue. It recently published “Eleventh progress report towards an effective and genuine Security Union”, which lists measures meant to make Europe safer. One of these measures entails supporting law enforcement in dealing with encrypted information. However, the report immediately adds that this should be done “without prohibiting, limiting or weakening encryption”, since “encryption is essential to ensure cybersecurity and the protection of personal data”.

This definitely does not mean it will be smooth sailing from here on. Political positions change rapidly. The Dutch government, for example, states explicitly that weakening encryption is undesirable “at this moment in time”. All it takes for our political leaders to collectively lose their resolve is one serious terrorist attack after which law enforcement and security services investigations are hindered by encryption. It is also hard to predict how Dutch and European lawmakers will respond when pressure mounts from France, Germany or the United States.

The biggest threat, however, is probably far more subtle. Businesses are often pressured to “take their social responsibility” in fighting whatever is seen to be evil at that particular time. They are told: “You don’t want to be seen as a safe haven for terrorists, do you?” The consequence of this is that far too often, these businesses agree to make their digital infrastructure more vulnerable, without any checks or balances. This cooperative attitude is of course adopted “willingly” – but not without pressure from legislation or fear of damage to their reputation. The proposal of the European Commission in its recent policy document to create a “better and more structured collaboration between authorities, service providers and other industry partners” should be read in this light.

The European Commission struggles to find a position on encryption (31.10.2017)
https://edri.org/european-commission-struggles-find-position-encryption/

EU’s plans on encryption: What is needed? (16.10.2017)
https://edri.org/eus-plans-on-encryption-what-is-needed/

EDRi delivers paper on encryption workarounds and human rights (20.09.2017)
https://edri.org/edri-paper-encryption-workarounds/

EDRi position paper on encryption (25.01.2016)
https://www.edri.org/files/20160125-edri-crypto-position-paper.pdf

Encryption – debunking the myths (03.05.2017)
https://edri.org/encryption-debunking-myths/

(Contribution by Rejo Zenger, EDRi-member Bits of Freedom, the Netherlands; translation by David Uiterwaal)

31 Oct 2017

The privacy movement and dissent: Protest

By Guest author

This is the fourth blogpost of a series, originally published by EDRi member Bits of Freedom, that explains how the activists of a Berlin-based privacy movement operate, organise, and express dissent. The series is inspired by a thesis by Loes Derks van de Ven, which describes the privacy movement as she encountered it from 2013 to 2015.*

In order to describe, analyse, and understand the ways in which the privacy movement uses protest, it is important to bear in mind the internet plays an all-encompassing role. First, we can distinguish between actions that are internet-supported and actions that are internet-based. Protests that are internet-supported are traditional means of protest that the internet has made easier to coordinate and organise, whereas protests that are internet-based could not have happened without the internet. Second, there is the height of the threshold for people to become involved. A high threshold means that participating entails a high risk and level of commitment, while a low threshold means a low risk and level of commitment. In the privacy movement, internet-supported protest with a low threshold and internet-based protest with a high threshold are the most common forms of protest.


Internet-supported protest with a low threshold

The most common types of internet-supported protest with a low threshold that we find in the privacy movement are asking for donations and organising legal protest demonstrations.

The internet has given an impulse to donations: whereas in the analogue age the costs to coordinate such actions would outweigh the benefits, in the digital age collecting money has become much more accessible and easier. The Courage Foundation, for instance, collects donations for the legal defense of whistleblowers such as Edward Snowden and Lauri Love. Many other European organisations similarly offer their members and supporters the opportunity to make donations. However, it is worth noting that specifically in the case of the privacy movement, the threshold for donating money is higher than usual, as whistleblowing is a politically sensitive subject and community members have a heightened knowledge of privacy concerns associated with online payments. It is not surprising that donating via the anonymous digital currency Bitcoin is an option many organisations offer.

When it comes to demonstrations, the internet has also been an enhancing factor, as it has made the spreading and exchanging of information about the goal and practical details of a demonstration much easier. This also proves to be the case for demonstrations organised by the privacy movement. A fitting example of how the internet can help rapidly spread information and the effect that has on protest is the Netzpolitik demonstration held in Berlin on 1 August 2015. The announcement by Netzpolitik, a German organisation concerned with digital rights and culture, that two of their reporters and one source had been charged with treason, made thousands of people gather in the streets of Berlin to protest for the freedom of the press.

Here, too, it is worth considering how low the threshold for demonstrating actually is for activists within the privacy movement. In the analogue age it was difficult for governments to get a clear image of who exactly took part in a demonstration. Modern technology, however, has changed and continues to change the game. For instance, after participating in a protest, protesters in the Ukraine received a text message from their government that stated, “Dear Subscriber, you have been registered as a participant in a mass disturbance”. Something similar happened in Michigan, USA, in 2010. After a labour protest the local police asked for information about every cellphone that had been near the protest. Thus, the height of the risk that is involved in these sorts of protest is definitely worth reconsidering, especially when reflecting on a movement with so much awareness of (digital) surveillance.

Internet-based protest with a high threshold

Internet-based actions with a high threshold include protest websites, alternative media, culture jamming, and hacktivism.

Protest websites are websites that “promote social causes and chiefly mobilise support”. The privacy movement is involved in a number of these sorts of websites, for example edwardsnowden.com and chelseamanning.org, which are dedicated to whistleblowers and explain how supporters can help them, and savetheinternet.com, which asks supporters to take action in protecting net neutrality.

Alternative media have proven to be a crucial part of how the privacy movement voices dissent and “bears witness”, as the internet has made it possible to circumvent mass media and has reduced the effort to spread information to a large audience. A well-known example of alternative media, emerging from the privacy movement, is The Intercept, an online news organisation co-founded by Glenn Greenwald, Laura Poitras, and Jeremy Scahill. This newspaper aims, according to its website, to “[produce] fearless, adversarial journalism” and focuses on stories that provide transparency about government and corporate institutions’ behaviour.

Culture jamming is a form of protest where corporate identity and communications are appropriated for the protesters’ own goals, using tactics such as “billboard pirating, physical and virtual graffiti, website alteration, [and] spoof sites”. An example of a spoof site is the Twitter account @NSA_PR, or NSA Public Relations in full, a reaction to the actual official Twitter account of the public relations department of the US National Security Agency that was launched at the end of 2013. The spoof account often responds to recent surveillance and security issues in a humorous way. For example, when WikiLeaks published documents about the NSA’s interception of French leaders, NSA Public Relations posted, “Parlez-vous Français?”.

Hacktivism is the last form of internet-based protest with a high threshold. It is defined as “confrontational activities like DoS attacks via automated email floods, website defacements, or the use of malicious software like viruses and worms”. These activities are not commonly used within the privacy movement. Instead, a “digitally correct” form of hacktivism is practised. Digitally correct hacktivism designs computer programs that help confirm and accomplish the movement’s political aims. Of the many programs that exist, two of the most well-known and widely used programs for this kind of protest are the Tor Project web browser and Pretty Good Privacy. Both programs are designed to secure the user’s privacy. Whereas it is debatable whether direct action hacktivism is legal or not, the use of the Tor browser and email encryption is, of course.

The digital age has undeniably affected the way in which social movements protest. Traditional forms of protest have become internet-supported, but additionally there are also forms of protest being used that cannot even exist without the internet. This is even more the case for the privacy movement. For a movement that is so intertwined with the internet, we see that it is difficult to even make the distinction between online and offline protest, and that it comes up with its own specific alterations to already existing forms of protest.

The series was originally published by EDRi member Bits of Freedom at https://www.bof.nl/tag/meeting-the-privacy-movement/

Dissent in the privacy movement: whistleblowing, art and protest (12.07.2017)
https://edri.org/dissent-in-the-privacy-movement-whistleblowing-art-and-protest/

The privacy movement and dissent: Whistleblowing (23.08.2017)
https://edri.org/the-privacy-movement-and-dissent-whistleblowing/

The privacy movement and dissent: Art (04.10.2017)
https://edri.org/the-privacy-movement-and-dissent-art/

(Contribution by Loes Derks van de Ven; Adaptation by Maren Schmid, EDRi intern)

* This research was finalised in 2015 and does not take into account the changes within the movement that have occurred since then.


Sources:
Della Porta, Donatella, and Mario Diani. Social movements. An Introduction. Malden: Blackwell Publishing, 2006.
Van Aelst, Peter, and Jeroen van Laer. “Internet and Social Movement Action Repertoires. Opportunities and Limitations.” Information, Communication & Society 13:8 (2010): 1146-1171.

25 Oct 2017

Tell the European Parliament to stand up for e-Privacy!

By Diego Naranjo

On 26 October, the European Parliament (EP) will decide on a key proposal to protect your privacy and security online. This step consists in confirming (or not) the Parliament’s mandate to negotiate the e-Privacy Regulation with the Council of the European Union.

This vote has been demanded as part of an effort to either water down or completely destroy the proposal. As a result, we (very exceptionally) support the mandate being granted.

Do you want to protect the privacy of millions of people in the next generations? Then take action now and contact the Members of the European Parliament (MEPs) from your country to make sure that the European Parliament approves the mandate. You can:

  1. Call your MEP using the free call system (developed by La Quadrature Du Net) and ask them to vote on Thursday 26 October to support the mandate for the e-Privacy trilogues.
  2. Tweet to the MEPs from your own country now (and also other MEPs, ideally in their own language). Use the hashtag #ePrivacy! You could tweet for example along the lines:

Dear <@MEP>, please vote for a mandate for the #ePrivacy #trilogues. Good for citizens, for trust, for innovation, for competition!

You can find below the list of MEPs’ Twitter handles for each Member State:

The Regulation applies to confidentiality of communications, online and offline tracking and device security. It has been the subject of a huge lobbying campaign by industry associations peddling a range of outlandish claims including that the Regulation would ban advertising and would even be responsible for “killing the internet” (seriously).

e-Privacy Directive: Frequently Asked Questions
https://edri.org/epd-faq/

e-Privacy Mythbusting (25.10.2017)
https://edri.org/files/eprivacy/ePrivacy_mythbusting.pdf

Quick guide on the proposal of an e-Privacy Regulation (09.03.2017)
https://edri.org/files/epd-revision/ePR_EDRi_quickguide_20170309.pdf

Last-ditch attack on e-Privacy Regulation in the European Parliament (24.10.2017)
https://edri.org/last-ditch-attack-on-e-privacy-regulation-in-the-european-parliament/

Dear MEPs: We need you to protect our privacy online! (05.10.2017)
https://edri.org/dear-meps-we-need-you-to-protect-our-privacy-online/

24 Oct 2017

Last-ditch attack on e-Privacy Regulation in the European Parliament

By Joe McNamee

The ECR, the right-wing, Eurosceptic political group in the European Parliament, has joined forces with German Conservatives Axel Voss and Monika Hohlmeier, as well as the Danish Liberal Morten Løkkegaard, to try to overturn progress made on the e-Privacy Regulation.

The Regulation applies to confidentiality of communications, online and offline tracking and device security. It has been the subject of a huge lobbying campaign by industry associations peddling a range of outlandish claims including that the Regulation would ban advertising and would even be responsible for “killing the internet” (seriously).

As the myths and mythology that Members of the European Parliament (MEPs) are being confronted with every day are getting more and more ridiculous, on 24 October, we wrote to all 751 MEPs. However, to avoid the e-mail getting too long, we restricted ourselves to the six most outlandish myths:

  1. that e-Privacy bans online advertising (advertising existed before online surveillance)
  2. that e-Privacy is bad for democracy (tracking has manipulated elections)
  3. that e-Privacy is bad for media pluralism and quality of journalism (tracking is the business model of fake news)
  4. that e-Privacy prevents the fight against illegal content (the telecoms companies made this false argument about net neutrality. It wasn’t true and still isn’t)
  5. that e-Privacy helps Google and Facebook (no, seriously, the lobbyists are actually saying this)
  6. that we need a level playing field (actually that one is true, we need everyone to be regulated fairly)

You can read our letter here.

Tell your MEPs you want a strong e-Privacy Regulation – as agreed by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE). Find your MEPs here.

18 Oct 2017

Extending the use of eID to online platforms – risks to privacy?

By Anne-Morgane Devriendt

On 10 October 2017, the European Commission published the “draft principles and guidance on eID interoperability for online platforms” on the electronic Identification And Trust Services (eIDAS) observatory. Building on the eIDAS Regulation, the Commission would like to extend the scope of use for the eIDs to online platforms, in addition to public services. This raises a number of issues, particularly on the protection of privacy.

The eIDAS Regulation, adopted in 2014, is part of the “European eGovernment Action Plan 2016-2020”. It aims at making all Member State issued eIDs recognisable by all Member States from 28 September 2017. By extending the scope of use of eIDs to “online platforms” in general and not only public services, the Commission is trying to make authentication easier and more secure, as the eID itself would allow logging in. It would answer some of the issues raised by the use of passwords as main authentication method. It would also be more convenient for the users who could use the same eID across different platforms.

However, as presented in the Commission’s document, the guidelines raise a number of issues, such as the lack of definition of “online platforms”. As the eIDAS Regulation concerns access to public services throughout the EU with the same, government approved eID, it appears that “online platforms” refers to the private sector. “Online platforms” are defined, to a certain extent, in the Commission’s Communication on Online Platforms. However, the characteristics that are used are so wide they encompass both online sales websites and social media platforms.


The second issue is protection of privacy. Indeed, the draft document states that “users should be able to preserve a level of privacy and anonymity, e.g. by using a pseudonym”. The failure to understand the basic notion that anonymity and pseudonymisation are fundamentally different is worrying. It is, or should be, obvious that using one’s eID to authenticate oneself would allow the platform to link the pseudonym to the real identity and personal information. Furthermore, while it might be useful for online sale platforms to make sure transactions are taking place between real people, it defeats the purpose of using a pseudonym on social media, which is to keep online activities from being linked to one’s real identity.

Finally, while the Commission sets the direction to make authentication easier for both platforms and users with the use of the eID, it does not provide guidelines on the implementation of privacy by default. Such guidelines would make sure that online platforms only have access to authentication information and do not use it for other purposes. One of the safeguards for the use of eIDs to access public services is the ability to monitor which public servant accessed the data and when. However, regarding the use of eIDs for authentication on online platforms, there is no provision in the draft guidelines that would make sure that data are properly secured.

Bearing in mind the huge and varied damage caused to Facebook users by its “real names” policy, the risks of this project being used by certain online platforms are real and significant.

All interested stakeholders can communicate their opinion on this draft to the Commission before 10 November 2017 through the eIDAS observatory post or by email.

Draft principles and guidance on eID interoperability for online platforms – share your views! (10.10.2017)
https://ec.europa.eu/futurium/en/blog/draft-principles-and-guidance-eid-interoperability-online-platforms-share-your-views

Workshop: Towards principles and guidance on eID interoperability for online platforms (24.04.2017)
https://ec.europa.eu/digital-single-market/en/news/workshop-towards-principles-and-guidance-eid-interoperability-online-platforms

Communication from the Commission – Online Platforms and the Digital Single Market: Opportunities and Challenges for Europe (25.05.2016)
https://ec.europa.eu/transparency/regdoc/rep/1/2016/EN/1-2016-288-EN-F1-1.PDF

(Contribution by Anne-Morgane Devriendt, EDRi intern)

05 Oct 2017

Dear MEPs: We need you to protect our privacy online!

By EDRi

They’re hip, they’re slick and they follow you everywhere. They know you like new shoes, playing tennis and tweeting at odd hours of the morning. Do you know what that says about your health, your relationships and your spending power? No? Well, the online companies do. They follow you everywhere you go online, they have a perfect memory, they know the sites you visited last year even if you’ve forgotten… Look who’s stalking.

European legislation protecting your personal data was updated in 2016, but the battle to keep it safe is not over yet. The European Union is revising its e-Privacy rules. We welcomed the European Commission (EC) proposal as a good starting point, but with room for improvement. The online tracking industry is lobbying fiercely against it. Online tracking and profiling gave us filter bubbles and echo chambers. Yet the lobbyists lobby for it under the pretext of “saving the internet”, “protecting quality journalism” – even “saving democracy”.

The European Parliament is currently debating its position on the EC proposal. Some Members of the European Parliament (MEPs) support “tracking business, as usual” while others support a strong future-proof norm to protect the privacy, innovation and security of future generations of EU citizens and businesses.

Priorities for defending privacy and security:

1) Protect confidentiality of our communications – both in transit and at rest!
Confidentiality of communications needs to be protected both in transit and when it is stored. Lobbyists have been campaigning for a technicality that would allow them to read and exploit your emails stored in the cloud. (Art. 5)

2) Protect our privacy: Do not add loopholes to security measures!
A “legitimate interest” exception was not included in any version of the previous e-Privacy Directives. This would be a major weakening of the legislation compared with existing rules. Our member Bits of Freedom wrote about the problems with “legitimate interest” here. (several Articles and Recitals)

3) Do not let anyone use our data without asking for our consent!
It is crucial to keep consent as the legal ground to process communications data. Neither “legitimate interest” nor “further processing” should be allowed to weaken the security and privacy of European citizens and businesses. (Art. 6)

4) Privacy should not be an option – what we need is privacy by default!
Provisions about default privacy settings need to be strengthened and improved, certainly not watered down or deleted. e-Privacy must ensure “privacy by design and by default” and not, as in the EC proposal, “privacy by option”. You can find our specific proposals here. The European Parliament previously adopted a Directive that criminalises unauthorised access to computer systems. It would be completely incoherent if it were to adopt legislation that foresees default settings that do not protect against unauthorised access to devices. (Art. 10)

5) No new exceptions to undermine our privacy!
Exceptions for Member States cannot become a carte blanche rendering e-Privacy useless. Therefore, the safeguards established by the Court of Justice of the European Union on cases regarding the exceptions in the relevant sections of the e-Privacy Regulation should be diligently respected – the scope of the exception should not be expanded. (Art. 11)

6) Do not undermine encryption!
Imposing a ban on undermining or attacking encryption should be a priority.

7) Protect our devices (hardware+software) by design and by default!
Hardware and software security need to be protected by design and by default.

MEPs, protect our #ePrivacy – Support amendments that follow the principles listed above!

e-Privacy revision: Document pool
https://edri.org/eprivacy-directive-document-pool/

e-Privacy: Consent (pdf)
https://edri.org/files/eprivacy/e-privacy-onepager_consent.pdf

e-Privacy: Legitimate interest (pdf)
https://edri.org/files/eprivacy/e-privacy-onepager_legitimate-interest.pdf

e-Privacy: Privacy by design and by default (pdf)
https://edri.org/files/eprivacy/e-privacy-onepager_privacy-by-default.pdf

e-Privacy: Offline tracking (pdf)
https://edri.org/files/eprivacy/e-privacy-onepager_offline-tracking.pdf

Your privacy, security and freedom online are in danger (14.09.2016)
https://edri.org/privacy-security-freedom/

Five things the online tracking industry gets wrong (13.09.2017)
https://edri.org/five-things-the-online-tracking-industry-gets-wrong/

ePrivacy Regulation: Call a representative and make your voice heard!
https://eprivacy.laquadrature.net/-piphone/

Who’s afraid of… e-Privacy? (04.10.2017)
https://medium.com/@privacyint/whos-afraid-of-e-privacy-7969a1cfe776

04 Oct 2017

ENDitorial: Tinder and me: My life, my business

By Maryant Fernández Pérez

Tinder is one of the many online dating companies of the Match Group. Launched in 2012, Tinder started being profitable as of 2015, largely thanks to people’s personal data. On 3 March 2017, journalist Judith Duportail asked Tinder to send her all the personal data they had collected about her, including her “desirability score”, which is composed of the “swipe-left-swipe-right” ratio and many other pieces of data and mathematical formulae that Tinder does not disclose. Thanks to her determination and support from lawyer Ravi Naik, privacy expert Paul-Olivier Dehaye and the work of Norwegian consumer advocates, Judith reported on 27 September 2017 that she received 800 pages about her online dating-related behaviour.


Tinder did not disclose how desirable the company considered Duportail to be, though, even if it had disclosed it to another journalist. The 800 pages contained information such as her Facebook “likes”, her Instagram pictures (even if she had deleted her account), her education, how many times she had connected to Tinder, when and where she entered into online conversations, and many more things. “I was amazed by how much information I was voluntarily disclosing”, Duportail stated.

800 pages of personal data – surprising?

As a Tinder user, you should know that you “agree” to Tinder’s terms of use, privacy policy and safety tips, as well as other terms disclosed if you purchase “additional features, products or services”. These include the following:

  • “You understand and agree that we may monitor or review any Content you post as part of a Service.”
  • “If you chat with other Tinder users, you provide us the content of your chats.”
  • “We do not promise, and you should not expect, that your personal information, chats, or other communications will always remain secure.”
  • “By creating an account, you grant to Tinder a worldwide, transferable, sub-licensable, royalty-free, right and license to host, store, use, copy, display, reproduce, adapt, edit, publish, modify and distribute information you authorize us to access from Facebook, as well as any information you post, upload, display or otherwise make available (collectively, ‘post’) on the Service or transmit to other users (collectively, ‘Content’).”
  • “You agree that we, our affiliates, and our third-party partners may place advertising on the Services.”
  • “If you’re using our app, we use mobile device IDs (the unique identifier assigned to a device by the manufacturer), or Advertising IDs (for iOS 6 and later), instead of cookies, to recognize you. We do this to store your preferences and track your use of our app. Unlike cookies, device IDs cannot be deleted, but Advertising IDs can be reset in “Settings” on your iPhone.”
  • “We do not recognize or respond to any [Do Not Track] signals, as the Internet industry works toward defining exactly what DNT means, what it means to comply with DNT, and a common approach to responding to DNT.”
  • “You can choose not to provide us with certain information, but that may result in you being unable to use certain features of our Service.”

Tinder explains in its Privacy Policy – but not in the summarised version of the terms – that you have a right to access and correct your personal data. What is clear to the company is that you “voluntarily” provided your information (and that of others). Duportail received part of the information Tinder and its business partners hold, no doubt partly because she is a journalist. Her non-journalist friends have not experienced the same benevolence. Your personal data has an effect not only on your online dates, “but also what job offers you have access to on LinkedIn, how much you will pay for insuring your car, which ad you will see in the tube and if you can subscribe to a loan”, Paul-Olivier Dehaye highlights.

Worse still, even if you close your account or delete info, Tinder or its business partners do not necessarily delete it. And the worst, you’ve “agreed” to it: “If you close your account, we will retain certain data for analytical purposes and recordkeeping integrity, as well as to prevent fraud, enforce our Terms of Use, take actions we deem necessary to protect the integrity of our Service or our users, or take other actions otherwise permitted by law. In addition, if certain information has already been provided to third parties as described in this Privacy Policy, retention of that information will be subject to those third parties’ policies.”

You should be in control

Civil society organisations fight these kinds of practices to defend your rights and freedoms. For instance, the Norwegian Consumer Council successfully worked for Tinder to change its terms of service. On 9 May 2017, EDRi and its member Access Now raised awareness about period trackers, dating apps like Tinder or Grindr, sex extortion via webcams and the “internet of (sex) things” at the re:publica 17 conference. Ultimately, examples like Duportail’s show the importance of having strong EU data protection and privacy rules. Under the General Data Protection Regulation, you have a right to access your personal data, and companies should provide privacy by default and design in their services. Now, we are working on the e-Privacy Regulation to ensure you have real consent instead of a tick on a box of something you never read, to prevent companies from tracking you unless you provide express and specific consent, among many other things.

Now that you know about this or have been reminded of this, spread the word! It does not matter whether you are on Tinder or not. This is about your online future.

I asked Tinder for my data. It sent me 800 pages of my deepest, darkest secrets (26.09.2017)
https://www.theguardian.com/technology/2017/sep/26/tinder-personal-data-dating-app-messages-hacked-sold

Getting your data out of Tinder is really hard – but it shouldn’t be (27.09.2017)
https://www.theguardian.com/technology/2017/sep/27/tinder-data-privacy-tech-eu-general-data-protection-regulation

Safer (digital) sex: pleasure is just a click away (09.05.2017)
https://re-publica.com/en/17/session/safer-digital-sex-pleasure-just-click-away

Tinder bends for consumer pressure (30.03.2017)
https://www.forbrukerradet.no/siste-nytt/tinder-bends-for-consumer-pressure

(Contribution by Maryant Fernández Pérez, EDRi)

04 Oct 2017

The privacy movement and dissent: Art

By Guest author

This is the third blogpost of a series, originally published by EDRi member Bits of Freedom, that explains how the activists of a Berlin-based privacy movement operate, organise, and express dissent. The series is inspired by a thesis by Loes Derks van de Ven, which describes the privacy movement as she encountered it from 2013 to 2015.*

Although there are relatively few privacy movement members involved in the actual process of creating art, it does affect the movement as a whole. Art reflects the movement’s beliefs and is used as a weapon of resistance against injustice.

The two art projects of the privacy movement which will be introduced in this article are Panda to Panda and Anything to Say?. They both share a number of features that belong to activist art in general. One of these features is the way activist art comes into being; the art activists create almost always comes from personal experiences and wants to draw attention to and gain recognition for those experiences. In addition, it problematises authority, domination, and oppression and seeks to alter the current situation. Moreover, activists like their work to evoke emotion and provoke intellectually, and they aim to form a community among those who share a similar aversion to oppression.

Panda to Panda (2015) is part of a larger project called Seven on Seven, a project initiated by Rhizome, the influential platform for new media art affiliated with the New Museum in New York City. Each year, Rhizome matches seven artists with seven technologists. In 2015, one of the pairs Rhizome invited to participate was Ai Weiwei and Jacob Appelbaum. The result of their collaboration, Panda to Panda, consists of twenty stuffed pandas from which the stuffing has been replaced with shredded documents that Glenn Greenwald and Laura Poitras received from Edward Snowden. In addition, a micro SD card with the documents on it has been placed inside each panda. By distributing the pandas to as many places as possible, the pandas function as a “distributed backup” that is difficult to destroy, since that would mean destroying all twenty objects. The project was documented by Ai, who shared the images with his followers on social media. Laura Poitras was invited to film the process and eventually published the film in the online edition of The New York Times.

Panda to Panda is an example of ethico-political subversion, in which authority is undermined in a number of ways. First, the project in its totality is a complaint against government surveillance and state power. As Ai, Appelbaum, and Poitras were working on the project, they continuously filmed each other. With the constant filming they emphasise and visualise the surveillance they are under: while they film each other, they are also watched by the surveillance cameras placed in front of Ai’s studio by the Chinese authorities. There is a constant awareness of always being under watch.

Second, the pandas also have a symbolic meaning. From Appelbaum’s frame of reference, Panda to Panda is a variation on peer-to-peer communication, a means of communication in which there is no hierarchy and that allows all peers to interact in an equal way. This system is seen as a philosophy of egalitarian human interaction on the internet. This reference also materialises the goals of the movement. From Ai’s frame of reference, the pandas satirically reference popular culture: in China, the secret police, the “government spies” that also monitor Ai, are often referred to as pandas.

Anything to Say? A Monument of Courage (2015) is a life-size bronze sculpture by American author Charles Glass and Italian artist Davide Dormino. The sculpture portrays three people: Julian Assange, Edward Snowden, and Bradley Manning (who is now Chelsea Manning). The three each stand on a chair, a fourth chair is left empty. This fourth chair is meant for other individuals to stand on, to enable them to stand with the whistleblowers and freely express themselves. Anything to Say? has its own Twitter account where followers can follow the realisation, unveiling, and journey of the sculpture. The sculpture has never been placed in a typical museum context: it was unveiled at Alexanderplatz in Berlin in and has been travelling since.

An analysis of Anything to Say? demonstrates a number of ways in which art functions to strengthen the privacy movement. Taking a stand and expressing your thoughts does not come naturally to everyone; it takes a certain amount of courage – as the sculpture’s subtitle A Monument of Courage indicates. By inviting individuals to stand on the fourth, empty chair, the sculpture encourages them to do the same as whistleblowers: to step out of their comfort zone and become visible. Young or old, rich or poor, German or not, part of the movement or not: the sculpture gives the audience a reason to connect. Furthermore, here as in the case of Panda to Panda, the sculpture carries out some of the beliefs of the privacy movement, informing individuals within as well as outside of the movement.

Anything to Say? not only highlights the importance of freedom of speech and freedom of information; it also comes from the personal experiences of whistleblowers and it shows great respect for them. It encourages the audience to show the same courage as Assange, Snowden and Manning have shown, but the sculpture in itself is also a sign of gratitude towards them. Furthermore, the sculpture in itself represents movement ideas and values, but by asking members of the audience to stand on the chair and express themselves, it actually practices free speech and thereby practices one of the privacy movement’s aims.

Activist art is a valuable way for the privacy movement to express what it stands for. Although there is only a relatively small group of activists within the movement that actually creates art, it affects the entire movement; it encourages members within the movement, allows them to experience both their own and the group’s strength, and the personal character of the art reinforces the unity within the movement. In the next article of this series, protest as an expression of dissent of the privacy movement will be explored.

The series was originally published by EDRi member Bits of Freedom at https://www.bof.nl/tag/meeting-the-privacy-movement/.

Dissent in the privacy movement: whistleblowing, art and protest (12.07.2017)
https://edri.org/dissent-in-the-privacy-movement-whistleblowing-art-and-protest/

The privacy movement and dissent: Whistleblowing (23.08.2017)
https://edri.org/the-privacy-movement-and-dissent-whistleblowing/

(Contribution by Loes Derks van de Ven; Adaptation by Maren Schmid, EDRi intern)

* This research was finalised in 2015 and does not take into account the changes within the movement that have occurred since then.


Sources:
Andelman, David A. “The Art of Dissent. A Chat with Ai Weiwei.” World Policy Journal 29.3 (2012): 15-21.
Goris, Gie. Art and Activism in the Age of Globalization. Ed. Lieven de Cauter, Ruben de Roo, and Karel Vanhaesebrouck. Rotterdam: NAi Publishers, 2011.
Reed, T.V. The Art of Protest. Culture and Activism from the Civil Rights Movement to the Streets of Seattle. Minneapolis: University of Minnesota Press, 2005.
Simonds, Wendy. “Presidential Address: The Art of Activism.” Social Problems 60.1 (2013): 1-26.

04 Oct 2017

Tear down the tracking wall

By Bits of Freedom

It has become a daily routine: “consenting to” being tracked, on the basis of meaningless explanations (or no explanation at all) before you’re allowed access to a website or online service. It’s about time to set limits to this tracking rat race.

An ever-growing portion of our personal and professional communication, our news consumption and our contact with government is mediated through the internet. Access to online information and services is crucial to participating in today’s society. Yet, on a daily basis we are forced to allow ourselves to be tracked – across multiple websites and apps, and across several devices – before we’re given access to information or digital services.

The infamous cookie walls you encounter when visiting websites are a prime example of this. If you want to get beyond that wall, you first have to consent to having your online behaviour minutely tracked. To be clear, we are not talking about the cookies that are necessary to, for example, store your settings or for gathering stats on the use of your website in a privacy friendly manner. We are talking about all those trackers that usually originate from multiple, completely different parties from the website you intended to visit, and that continue to track your behaviour across the internet.

Issues with tracking

Tracking raises many concerns. First of all, while we become more transparent to online tracking companies, a lot of the current practices, and the parties employing them, are highly opaque. We are unaware of how much of our activity online is registered, analysed and used, by how many different parties, for what purposes, or what inferences about our activities are generated.

Secondly, the information collected through trackers makes us susceptible to manipulation – indeed, that is the usual purpose. This can have serious consequences for the power (im)balances between citizens and consumers on the one hand and governments, corporations and other organisations that have access to this data on the other. Just think of the instrumental role tracking plays in micro-targeted political advertising, price discrimination or exploiting the cognitive biases and specific weaknesses of individual users.

Third, the data gathered through tracking is increasingly used for making decisions about us. For example, the answer to whether you have access to credit and under what terms may depend on such data. This often happens under the cloak of long terms full of legalese you consented to which provide you no meaningful transparency. Even if you are aware that data about you is being used for making automated decisions, it is hard to challenge the inaccuracy of such decisions or the data they rely on.

An often heard response is that you are free to withhold your consent to being tracked. That is correct in theory, but much harder in the real world. In our daily lives it is often a choice between limited or no access at all, or subjecting yourself to opaque tracking. This is particularly problematic when the information or services you would like to access are provided by public institutions, health service providers or organisations that play an important role in society and that you therefore cannot simply avoid.

Think for instance of public institutions such as the Tax Administration, but also hospitals, health insurance companies, banks or internet access providers. By making access to their services conditional on your consent to being tracked, your consent becomes involuntary and essentially meaningless. This practice has to stop.

As a user you should be able to gather information and use services without being forced to consent to being tracked. And why shouldn’t we take it one step further and put an end to tracking walls for all the online information and services that we use?

What will the EU do?

At this very moment, European Union institutions are working on an overhaul of specific privacy rules for electronic communications, the e-Privacy Regulation. Who is permitted to read your messages, are tracking walls allowed and may your phone be used to map your physical location without your consent? These are some of the important questions these new rules address. They will have a substantial impact on all internet users across the EU.

This overhaul of the rules offers an excellent opportunity to tear down tracking walls for all of Europe. The EDRi Brussels office and EDRi members are not the only ones advocating for this. The data protection authorities in Europe also recommend putting an end to this practice. In October 2017, the European Parliament will vote on the new rules proposed by the European Commission and the hundreds of amendments that have been submitted by different Members of the European Parliament (MEPs). Will the rights of internet users be safeguarded and will we get a digital environment free from opaque tracking practices?

This is a shortened version of an article originally published by EDRi member Bits of Freedom: https://bof.nl/2017/09/20/tear-down-the-tracking-wall/.

(Contribution by David Korteweg, EDRi member Bits of Freedom, the Netherlands; Adaptation by Maren Schmid, EDRi intern)

04 Oct 2017

TiSA impact assessment report ignores crucial human rights concerns

By Ana Ollo

In 2013, the European Commission decided to subject the draft Trade in Services Agreement (TiSA) to a Trade Sustainability Impact Assessment (SIA) in support of the negotiations. The Final Report, which was published in July 2017, fails to address several key fundamental rights concerns.

The report was conducted by the consultancy Ecorys and the Centre for Economic Policy Research (CEPR). The aim was to evaluate how TiSA’s provisions under negotiation could affect economic, social and human rights, as well as environmental issues, in the EU and in other TiSA parties and selected third countries.

The report went through various review processes among stakeholders, to which EDRi responded on three occasions. The draft that preceded the final Report was published in May 2017. In June 2017, EDRi submitted comments regarding both the draft and its Annexes.

We welcome certain parts of the final report. It clearly says that there is a lack of evidence of meaningful barriers to e-commerce. In fact, it states that barriers to e-commerce identified by industry groups “are not necessarily the true barriers to e-commerce”. In addition, the report makes a distinction “between the true underlying barriers and the barriers that are reported” by industry, industry associations or individual stakeholders. It argues that “in the absence of robust evidence on policy impact and effectiveness […] it is tempting to rely on the input and suggestions of interest groups and stakeholders”, which leads to “the usual risk of being beholden to special interests or to be lost in a mosaic of different opinions, concerns and suggestions”.

Despite these important recognitions, the report still has at least three major problems:

First, the analysis overlooked several key human rights concerns. Freedom of expression and opinion was disregarded, despite its relevance in the context of TiSA, especially for potential provisions on intermediary liability and net neutrality proposed by some TiSA countries. To address these points, we suggested including an impact assessment of the lack of human rights commitments by TiSA parties.

Secondly, the report refers to data protection and privacy as “issues”, rather than fundamental rights that must be respected. Indeed, the failure to protect them constitutes a barrier to trade and not the opposite. In our comments, we pointed out that both the European Commission and the European Parliament have stated on several occasions that such rights cannot be subject to negotiations in trade agreements, and that this needs to be taken into account. Furthermore, we highlighted that the Final Report should not assess the data protection situation only from an EU perspective, as the different TiSA parties have a variety of commitments in this regard.

Thirdly, the report includes contradictions with regard to data flows. While it acknowledges the lack of evidence of the existence of meaningful barriers to e-commerce, it states in its human rights assessment that “the issue of data flows […] is particularly relevant”, without indicating what it may be relevant to. In the same vein, the report does not present evidence of the ostensible problems related to data flows, while it also says that “limitations to the free flow of data” are “a key concern for e-commerce”. Finally, it identifies the movement of people as the biggest trade barrier for computer services and telecommunication, but then states that “the core issue” is that of the free flow of data. The report warns about the risks of lacking robust evidence, yet on this matter it is clear that this very problem affected the assessment.

Despite all the concerns highlighted on several occasions, when the final Report was published, we learned that almost all of our suggestions and remarks had been disregarded. This is regrettable, as an independent academic study by the University of Amsterdam “Trade and Privacy: Complicated Bedfellows? How to achieve Data Protection-Proof Free Trade Agreements” (Irion, K., S. Yakovleva, and M. Bartl, 2016), that is even cited in the Final Report, shows that the EU has homework to do to bring trade agreements in line with EU law.

EDRi’s response to the Trade SIA consultation (02.06.2017)
https://edri.org/files/consultations/tsia_tisa_draftfinalreport_edricomments_20170602.pdf

EDRi’s input to the Draft Interim Technical Report “Trade SIA in support of negotiations on a plurilateral Trade in Services Agreement (TiSA)” (27.01.2017)
https://edri.org/files/TiSA/ecorysdraftinterimreport_edriinput_20170127.pdf

EDRi’s response to the Ecorys Survey on TiSA commissioned by the European Commission (15.03.2016)
https://edri.org/files/TiSA/TiSA_ecoryssurvey_EDRiresponse.pdf

EDRi’s position paper on TiSA (01.2016)
https://edri.org/files/TiSA_Position_Jan2016e.pdf

Documents regarding TiSA’s Trade Sustainability Impact Assessment since 2013
http://ec.europa.eu/trade/policy/policy-making/analysis/policy-evaluation/sustainability-impact-assessments/#study-geo-19

Trade Sustainability Impact Assessment – Final Report (07.2017)
www.trade-sia.com/tisa/wp-content/uploads/sites/7/2014/02/TiSA-Final-Report.pdf

Trade Sustainability Impact Assessment – Annexes to the Final Report (07.2017)
www.trade-sia.com/tisa/wp-content/uploads/sites/7/2014/02/TiSA-Final-Report-Annexes.pdf

(Contribution by Ana Ollo, EDRi intern)
