08 Apr 2015

Report says Facebook tracking breaches EU law

By Guest author

On 31 March 2015, researchers from the University of Leuven and Vrije Universiteit Brussel, Belgium, issued a report claiming that Facebook tracks the online activity of both its users and non-users. According to the report, which was commissioned by the Belgian Privacy Commission, this type of tracking contravenes EU online privacy laws.

Facebook uses a tracking cookie to track its users’ online activity whenever they visit a web page belonging to a facebook.com domain. Furthermore, users are tracked across websites even when they are logged out or do not use social plug-ins. This means that Facebook receives data whenever someone visits a website with the Facebook “Like button”, even if that person does not use the plug-in. What is more, people who do not have a Facebook account are tracked with the help of a “datre” cookie. The “datre” cookie contains a unique identifier and is placed onto the browsers of people in Europe who are not Facebook users. Once placed, it takes two years before it expires.

The report argues that this kind of behaviour is clearly in violation of the EU e-Privacy Directive. In order for a website to use a cookie or perform tracking via social plug-ins, it must obtain prior consent, unless the cookie is needed to connect to the service network or is specifically requested by the user.

According to an opinion of the Article 29 Data Protection Working Party, issued in 2012, Facebook’s tracking practices have no legal basis in the EU. Social plug-ins must obtain consent before placing a cookie, unless one of the exceptions applies. Since social plug-ins are by definition for the members of a social network, the e-Privacy Directive exception cannot apply to non-users. Furthermore, the report argues that it is not legal to track even Facebook users who are logged out at the time of browsing. The Article 29 Working Party document explains that logged-in users cannot be served a “datre” cookie but only a “session cookie”, which expires when the user logs out or when the browser is closed.

Therefore, Facebook’s default settings, which allow it to gather information about people for advertising purposes, contravene EU privacy policy. As explained by Brendan Van Alsenoy, one of the authors of the report: “To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in.”

A Facebook spokesperson commented on the report by the Belgian academics, claiming that it contains factual inaccuracies, without specifying what he was referring to, and stating that Facebook completely complies with the EU Data Protection Directive. The authors of the study, on the other hand, claim the opposite, saying that users have very little control over the data Facebook tracks and are unaware of how exactly their data is used for advertising purposes.

Facebook “tracks all visitors, breaching EU law” (31.03.2015)

Facebook tracking said to breach EU law (01.04.2015)

Facebook “violates Euro data law” say Belgian data cops’ researchers (01.04.2015)

ICRI/CIR and iMinds-SMIT advise Belgian Privacy Commission in Facebook investigation

(Contribution by Morana Perušić, EDRi intern)



08 Apr 2015

Data protection and privacy must be excluded from TTIP

By Maryant Fernández Pérez

Data protection is a contentious issue in the discussions about the Transatlantic Trade and Investment Partnership (TTIP) and other trade or investment agreements, such as the Trade in Services Agreement (TiSA). Now that the European Parliament is preparing to issue a non-legislative resolution on TTIP, various parliamentary committees are giving their input to the committee in charge, the Committee on International Trade (INTA).

The committee that takes the lead as regards fundamental rights and freedoms is the Committee on Civil Liberties, Justice and Home Affairs (LIBE). While everyone has one eye on the reform of data protection and one eye on TTIP developments, LIBE adopted a strong Opinion on 31 March 2015 calling on the European Commission to respect EU fundamental rights and freedoms, especially as regards data protection and privacy.

Led by its rapporteur, Member of the European Parliament (MEP) Jan Albrecht, the LIBE Opinion refers to the need for a binding and suspensive human rights clause; the exclusion of data protection and privacy; the respect of democracy and the rule of law; the fight against mass surveillance and the need for further transparency and accountability, among other important subjects.

Concerning data protection and privacy, the LIBE Committee asks the Commission to exclude these fundamental rights from both TTIP and TiSA negotiations. In fact, the EU and the United States are discussing data transfers and data protection in other fora, namely on the Safe Harbor and the Data Protection Umbrella Agreement. In relation to TiSA, the LIBE Committee rejects the draft chapter on e-commerce proposed by the US. When addressing data flows, LIBE asks for compliance with EU adequacy rules. This point is of particular importance since the European Commission “has conceded that it cannot guarantee EU citizens’ fundamental right to privacy when their data is transferred to the US”, as the Irish Times reported in relation to the case C-362/14, Schrems v Data Protection Commissioner.

Accordingly, one of the fundamental points of the Opinion is the inclusion of an enforceable horizontal clause based on Article XIV of the General Agreement on Trade in Services (GATS) to exempt “the existing and future EU legal framework for the protection of personal data from the agreement, without any condition that it must be consistent with other parts of the TTIP”.

The next round of the TTIP negotiations is going to take place in New York, from 20 to 24 April 2015. It is now crucial that the INTA committee takes the LIBE Opinion fully into consideration, so that the Commission follows Parliament’s advice.

TTIP Resolution: document pool (last update 08.04.2015)

TTIP: Trade agreements must not undermine EU data protection laws, say Civil Liberties MEPs (31.03.2015)

Do Facebook and the USA violate EU data protection law? The CJEU hearing in Schrems (29.03.2015)

EU cannot guarantee citizens’ privacy when transferring data to US, court told (25.03.2015)

Documents of CJEU case C-362/14, Schrems v Data Protection Commissioner (25.03.2015)

EDRi-gram: Revelations on Safe Harbour violations go to hearing at EU Court (11.03.2015)

EDRi’s red lines on TTIP (13.01.2015)

(Contribution by Maryant Fernández Pérez, EDRi)



25 Mar 2015

The evolution of the concept of privacy

By Guest author

In 1776, John Adams wrote that it had been the British right to search houses without justification that sparked the fight for independence. In other words, John Adams thought that it had been an unjustified violation of privacy that had kindled one of history’s most noteworthy revolutions.

More than two centuries later, those unruly colonies – now the United States of America – see themselves once again at the centre of a debate on privacy. Many of the world’s most data-intensive companies hail from the US – and are criticised for what is perceived to be an excessive accumulation and use of their users’ personal data. Piled on top of this, we know, as a result of Edward Snowden’s revelations, that the National Security Agency (NSA) of the United States has been at the forefront of a group of intelligence agencies that have been using that and other data to build massive databases containing information on millions of people living everywhere that today’s information and computer technologies reach.

Throughout modern history, from searches without just cause to big data and mass surveillance, the notion of privacy has surfaced time and again. However, while the word has remained the same, its meaning never stopped evolving. We must be aware of that development if we are to effectively deal with future challenges, in particular the pressing issue of the regulation of the collection, access, and use of personal information both by private and public actors.

What John Adams deemed unacceptable was the groundless intrusion into people’s private sphere. It was his fellow Americans, Louis Brandeis – later a Supreme Court Judge – and Samuel Warren, who would put this conception of privacy most succinctly: Privacy is the right to “being let alone”. On this understanding, privacy is something that you have as long as people, organisations or institutions are denied access to you. However, this notion, inspired mainly by the idea of physical boundaries, sees itself confronted with insuperable difficulties in an age where the debate’s focus lies squarely on informational privacy.

The internet is one of the areas in which informational privacy, the protection of personal information, has become crucial. Internet users do not want to be left alone; they want to partake in the offerings of the internet and participate in what has become one of their most important social spheres. Privacy concerns are nowadays focused to a large extent on the information we share or generate on the internet, often publicly, rather than what we wish to conceal within the private confines of our homes.

The notion of privacy has adapted to those changing circumstances and today the focus lies mainly on users’ control of their personal data. This concept forms the foundation of many political arguments; the “right to be forgotten”, “notice and consent” systems and transparency requirements all aspire to give users control. While control is important, the evolution of technology already strains the ability of users to meaningfully control their personal data by means of informed choices. In fact, this notion’s capacity to protect people’s fundamental interests is failing even before the relevant policies have seen widespread adoption.

A first problem is that people are so overloaded by requests to consent to the use of their data that informed choice becomes illusory. If people want to engage in the cultural and social life offered in the digital sphere, they will not be able to assess all the terms of service and privacy notices they see themselves confronted with. And opting out of the internet can no longer be called a real option. Secondly, privacy is no longer a purely personal matter. The information we choose to share or allow to be gathered affects not only our own privacy but also the privacy of all those we interact with.

The complementary limitation theory of privacy could help bridge some of these difficulties. According to this notion, a person has privacy when access to personal information is limited in certain contexts. While we can only have limited control as to how some of our personal information is used, there should be limits as to who can use information gathered in a certain context. In the age of big data, and even more so in the future of the Internet of Things, this notion is poised to become all the more important. Many users feel very uneasy if the information collected by, for instance, their car or metro card is used to target them with advertisements the next time they visit an online retailer. This phenomenon is taken to another level with “profiling”, the use of your data to guess about aspects of your personality, generating insights into your personality and habits that you may not even know are possible. To the extent that more and more spheres of people’s lives will generate digital personal data, separation of those spheres will become more and more important.

While helpful in resolving some of the problems associated with the regulation of privacy, the limitation concept of privacy brings with it its own host of difficulties. There is for example the argument that privacy is essential for freedom and autonomy. Would Darwin or Copernicus have been able to make their ground-breaking and controversial discoveries if the prevailing powers at the time had more insight into their activities? Probably not. However, if consent cannot be the only principle governing privacy matters, then mandatory privacy standards seem unavoidable. It is then essential to ensure that the privacy standards serve to guarantee freedom and autonomy rather than unduly restricting them.

While today’s citizens’ worries about privacy are very different from John Adams’, their concerns are legitimate. These worries must be taken into account when designing the rules that should regulate the use of personal data in the digital world. And one thing is certain: An adequate concept of privacy is essential for a good regulation of personal data. The tasks before us are not simple, but they cannot be escaped and become more pressing with each passing day.

Originally published in the Synergy Magazine:
The evolution of the concept of privacy: From the American revolution, to big data and the Internet of Things

Warren, Samuel D., and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review 4, no. 5 (December 15, 1890): 193–220.

Adams, John, Charles Francis Adams, and John Adams. Letters of John Adams, Addressed to His Wife. Boston, C.C. Little and J. Brown, 1848. 338.

Cohen, Julie E. “What Privacy Is For.” Harvard Law Review 126 (2013): 1904–33.

Tavani, Herman T. “Philosophical Theories of Privacy: Implications for an Adequate Online Privacy Policy.” Metaphilosophy 38, no. 1 (2007): 1–22.

(Contribution by Julian Hauser, EDRi intern)



11 Mar 2015

Danish anti-terror proposal expands surveillance

By Guest author

On 19 February 2015, the Danish government presented a 12-point plan for new anti-terror initiatives in response to the Charlie Hebdo attack in Paris and the shooting incident in Copenhagen on 14 February. This will become the third major anti-terror package since 2001 to be presented to the Danish Parliament.

The focus of the plan is on surveillance measures in Denmark and abroad through increased budgets, new IT-systems, and new powers for the intelligence services, the Danish Defence Intelligence Services (DDIS) and the Danish Security and Intelligence Service (PET), which is part of the Danish police.

The most controversial element is targeted surveillance and eavesdropping of communications of Danish citizens abroad. This will be done by DDIS without a court order. The head of DDIS will decide whether a Danish citizen can be targeted for surveillance. It is currently not clear whether an unspecified group, for example Danish citizens in Syria, can be targeted in this way. Statements in an interview given by the Danish Minister of Defence support the conjecture that this would indeed be possible.

Since 2006, DDIS can collect, analyse and retain information about Danish citizens if that information is discovered “by chance” in an operation directed against activities in a foreign country. This includes signal intelligence and mass collection of electronic communication, for example by tapping fibre-optic cables. Until it is analysed, the mass collection is referred to as “raw data”. DDIS is allowed to exchange this information with intelligence services in other countries, including raw data that may contain information about unknown Danish citizens. Information about Danish citizens, which DDIS has discovered “by chance”, can be shared freely with PET, and PET may use the information in criminal investigations and prosecutions.

Under the current rules (from 2006), DDIS is required to inform a supervisory committee if DDIS wants to retain information about a Danish citizen for more than six months. The number of cases in which DDIS retains information is kept secret. According to the annual report from the supervisory committee, it is only known that this number is increasing.

The report also says that roughly half of the information comes from DDIS’ own collection (mass surveillance), the other half from information sharing with other intelligence services. The information about Danish citizens mainly relates to terrorism, but computer hacking and organised crime are also mentioned in the annual report.

Because of the requirement that information has to be obtained “by chance”, DDIS cannot do targeted surveillance against Danish citizens. The new proposal, however, would allow DDIS to initiate targeted surveillance of Danish citizens outside Denmark as its own operation, and a court order would not be required for this. It is unclear how DDIS will do this in practice and it remains to be seen whether DDIS will be subjected to any real legal restrictions on the targeted surveillance of Danish citizens outside Denmark.

The new DDIS surveillance powers have been heavily criticised by legal experts in Denmark. A legal analysis from the Danish think tank Justitia concluded that the targeted surveillance powers of DDIS would exceed those of the US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ) as the NSA is required to obtain a court order in order to target a United States citizen.

On 8 March 2015, the Danish newspaper Politiken reported that DDIS has been seeking extended powers for targeted surveillance without a court order for several years, but until recently the Ministry of Justice opposed the idea.

A strong guard against terror, The Danish Government (in Danish only, 19.02.2015)

Justitia Analysis: DDIS surveillance of Danes abroad without a court order (in Danish only, 26.02.2015)

Danish intelligence to get more power than NSA, The Local (25.02.2015)

Greater powers for the spies in the Danish defence, Politiken (in Danish only, 08.03.2015)

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)



03 Mar 2015

Leaked documents: European data protection reform is badly broken

By Diego Naranjo

Brussels, Belgium. New leaked documents show that European countries, pushed by Germany, are systematically working to destroy the fabric of European privacy legislation. Under the current proposals, far from being provided with security fit for the digital age, Europe’s citizens’ right to data protection would be devoid of meaning.

“The Regulation is becoming an empty shell”, said Joe McNamee, Executive Director of European Digital Rights. “Not content with destroying key elements of the proposal, the EU Member States are rigorously, systematically and thoroughly undermining the meaning of every article, every paragraph, almost every single comma and full stop in the original proposal.”

Leaked documents from the Council

According to the leaked proposals, crucial privacy protections have been drastically undermined, including the right to be asked for consent, the right to know how your data are used, the right to object to your data being used, and minimum standards of behaviour for companies exploiting individuals’ data. In several places, the text would be unlikely to pass judicial scrutiny under Europe’s human rights framework.

In 2012, the European Commission made a proposal, which was amended and accepted by the European Parliament in 2014, to modernise and reform European privacy legislation. This update is urgently needed, due to the challenges of new technology.
Faced with profiling, digitisation of health data and online tracking, every corner of our lives is increasingly being invaded by “big data”. With enough data, a tracking company or government can know more about our preferences, our motivations, our health, our relationships and our politics than we do ourselves, and more than even our closest friends or family.

What happens next?

The Council is trying to complete its work by the summer, before negotiating with the Parliament on a compromise. Unless something is done urgently, the Council will simply complete its agreement, at which stage an absolute majority of the European Parliament would be the only way of saving Europe’s data protection reform.

Background documents:

Analysis produced by EDRi, Access, Panoptykon Foundation, and Privacy International of the leaked Council texts, in one-pagers highlighting the most problematic issues:


Direct download (pdf)

Comparison of European Parliament’s first reading text with Council document

Council documents:

6286/1/15 – The One-stop-shop mechanism 25.02.2015

6032/15 – Right to be forgotten – Dispute settlement 09.02.2015

17072/3/14 –  Further processing, consent 26.02.2015

17072/3/14 REV 3 ADD 1 – Information and right to object 26.02.2015

25 Feb 2015

Did GCHQ spy on you? Find out now!

By Guest author

Since its launch on 16 February 2015, over 25 000 people have joined an international campaign to try to learn whether Britain’s intelligence agency, GCHQ, illegally spied on them.

This opportunity is possible thanks to a court victory in the Investigatory Powers Tribunal (IPT), a secret court set up to hear complaints against the British Security Services. As previously reported in the EDRi-gram, Privacy International won the first-ever case against GCHQ in the Tribunal, which ruled that the agency acted unlawfully in accessing millions of private communications collected by the US National Security Agency (NSA), up until December 2014.

Because of this victory, now anyone in the world can try to ask if their records, as collected by the NSA, were part of those communications unlawfully shared with GCHQ. We feel the public has a right to know if they were spied on illegally, and Privacy International wants to help make that as easy as possible.

Unfortunately, the IPT can’t act by itself, and that’s why it needs people to come forward and file complaints. Privacy International plans to assist as many people as possible in jumping through the hoops the process will probably entail. It is going to be a long fight, and it will likely take months for the IPT to process all the complaints. However, it is important to bear in mind that if the IPT find that your communications were illegally shared with GCHQ, they will be obligated to tell you.

Through their secret intelligence-sharing relationship with the NSA, GCHQ has intermittently enjoyed unrestricted access to PRISM, the NSA’s means of directly accessing data and content handled by some of the world’s largest Internet companies, including Microsoft, Yahoo!, Google, Facebook, Skype, and Apple. GCHQ has also had access to other parts of the NSA’s Upstream collections, through which telephone and internet traffic data is accessed as it flows through communications infrastructure, including CO-TRAVELER, which collects five billion mobile phone locational records a day, and DISHFIRE, which harvests 194 million text messages daily. The top five programs within Upstream created 160 billion interception records in one month alone.

Chances are, at some point over the past decade, your communications were swept up by one of the NSA’s mass surveillance programs and passed onto GCHQ. We think you have a right to know whether that’s the case, and if so, to try and demand that data be deleted. Privacy International wants to help you assert those rights.

Privacy International’s campaign “Did GCHQ illegally spy on you?”

FAQ: Did GCHQ Spy On You?

(Contribution by Eric King, Privacy International)



11 Feb 2015

Final push for our crowdsourcing campaign

By Heini Järvinen

European Digital Rights’ existence is at stake. Our main funding projects all end in 2015. In December 2014, we launched a campaign asking for help to ensure we can continue our work to transform Europe into a free and open society, where your civil rights and freedoms are reliably guaranteed. Now, the last days of the campaign are here, and there is still work to be done to reach our goal.

The campaign: https://edri.org/campaign/support-digital-rights-europe/

In the past five years, EDRi has evolved from being a decentralised alliance with no staff to an influential organisation with a Brussels office and professional staff. Since it opened its office in Brussels in 2009, EDRi has become a strong voice for freedoms in the digital environment. It is often the first contact point for policy makers in the EU institutions on digital rights matters.

Imagine what the world would look like if EDRi didn’t exist! Would we have ACTA, EU-wide mandatory web blocking, a non-neutral Internet and more widespread censorship? EDRi is asking for support in order to be able to fund one advocate who will fight to keep private information private, to fight against surveillance and censorship measures.




11 Feb 2015

Digital Rights orgs call on world leaders to uphold human rights

By Guest author

Over 30 digital and civil liberties organisations from around the world have endorsed a joint statement calling on the world’s governments not to expand surveillance measures in the wake of the Charlie Hebdo attacks. In addition to European Digital Rights (EDRi), signatories include Article19, digitalcourage, IT-pol, Vrijschrift, La Quadrature du Net, Panoptykon, Initiative für Netzfreiheit, FITUG e.V., Alternative Informatics Association, ORG, EFF, Effi, APTi, and Access.

It seems that even while events were unfolding in Paris, proposals and measures restricting civil liberties were being put forward – from France, Belgium, Spain, the United States, Australia to Turkey and beyond. In one of the most notable examples, in the very wake of the attacks, the French government convened an extraordinary EU Home Affairs summit, as several leaders were in Paris for the Unity March. There, it was decided to move several concrete proposals forward, two of which would drastically impact human rights: 1) a controversial EU Passenger Name Record agreement that has been discussed in Brussels since 2011; and 2) ad-hoc measures for internet platforms to monitor and remove alleged hate speech.

The signatories of this statement have seen this before – a tragedy that leads to a dramatic expansion of security measures, without proper democratic scrutiny to provide the necessary checks and balances and ensure that other rights, like privacy and free association, aren’t undermined.

The letter invites the French government to conduct a thorough evaluation of relevant policies, before enacting new laws and policies that can harm fundamental rights.

In addition, it calls on these political leaders to:

  • Ensure the protection and defence of national level human rights protections, particularly free expression and privacy online and offline;
  • Engage citizens and institutions in a public dialogue on targeted solutions that can help protect society while upholding human rights;
  • Defend a free and open society where human rights are not only protected, but celebrated, and where diverse viewpoints, including the satirical perspectives embraced by Charlie Hebdo, can be expressed online and offline.

There are no easy or quick solutions. In difficult moments like these, we must defend the values of the society that we want to live in, or we risk undermining those values in the name of saving them. The letter is still open for signatories: all are welcome to join us in working toward a better world where free expression, privacy, and other human rights can thrive.

Open letter to the world’s governments in the wake of attack on Charlie Hebdo:

Charlie Hebdo Tragedy Must Not Be Used by Governments to Expand Surveillance:

(Contribution by Raegan MacDonald, EDRi-member Access)




06 Feb 2015

How to deal with Facebook’s new tracking policies

By Joe McNamee

If you use Facebook, you may have noticed that they have unilaterally changed the rules again about how they use your data.

According to The Independent, the new change allows Facebook

to gather data from activity across the internet, as well as the normal data it gathers on information you and your friends have added to the site. It also allows the site to pass on that information with its other branches, including Instagram.

Facebook suggests one way of stopping them from stalking you. However, it isn’t the only way:

How to stop FB tracking?


28 Jan 2015

EDRi launches privacy trainings in the European Parliament

By Heini Järvinen

On 23 January 2015, EDRi organised its first series of privacy and IT security training sessions in the European Parliament (EP). Three Members of the European Parliament (MEPs) and their assistants from across the political spectrum – European Conservatives and Reformists Group (ECR), European United Left/Nordic Green Left (GUE/NGL) and the Greens/European Free Alliance (Greens/EFA) – participated in the individual, customised training sessions.

The goal of the training sessions is to give MEPs and their assistants an overview of why protecting their privacy is important, for both personal and political reasons. We explained the potential risks to their privacy in different environments, and how to assess probable threats. The objective was also to offer them a selection of practical tools to improve the privacy of their private and professional communications.

The training sessions were tailored according to each participant’s level of previous knowledge as well as their interests, and the topics included encryption, anonymous browsing, and the risks of using smart phones and instant messaging. Besides sharing theoretical knowledge and suggesting different solutions for the participants’ needs, some tools were also demonstrated in practice. For example, memory sticks with the Tails operating system were given out for “testing”, and email encryption tools were installed and configured on personal computers. A “menu” of privacy options was offered to participants, including a wide choice of starters, main courses and desserts, similar to the Privacy Cafés run by EDRi-member Bits of Freedom.

From the point of view of privacy and secure communications, there is a lot to improve in the EP; default solutions offered for browsing the Internet, sharing documents and sending internal emails are often not privacy friendly, and installing privacy enhancing software or plugins on the computers is made difficult or impossible – which then leads to MEPs using private devices and insecure solutions instead. To increase awareness of privacy issues within the EP, and to introduce better practices, training sessions have been planned with more MEPs, and EDRi will be following up, offering further support and advice to the participants of the trainings that already took place.

If you are working in the EU Parliament and interested in the training sessions, please contact us via: VIP-training(at)edri.org

Privacy training Menu:

Bits of Freedom’s Privacy Café