20 Sep 2017

Human Rights Court sets limits on right to monitor employees

By Anne-Morgane Devriendt

On 5 September 2017, the Grand Chamber of the European Court for Human Rights (ECtHR) ruled on the Bărbulescu v. Romania case. It found that there was a breach of the right to family life and correspondence (Article 8 of the European Convention on Human Rights), as claimed by Mr Bărbulescu. Mr Bărbulescu was fired after his employer monitored his communications and found that he had used company property to exchange messages with family members. Although the ruling does not forbid employee monitoring, it clarifies how this can be done respecting fundamental rights.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The Grand Chamber questioned the earlier national court decisions. It noted that national courts did not properly assess whether Mr Bărbulescu had been warned that he might be monitored, and to what extent he would be monitored. The Court also clarified the limits regarding legal monitoring of an employee by their employer and the ways national courts should assess them.

First, one of the key aspects that the Court pointed out was the lack of information given to Mr Bărbulescu on the monitoring to which he might be subject. Second, the Court ruled that, in addition to the obligation of providing information, monitoring of employees always needs to be done for a legitimate aim, and in a way that is proportionate to that aim and that does not breach their privacy more than necessary to achieve the goal. None of these safeguards had been followed in this case, as the Court pointed out in the paragraph 140 of its ruling: “the domestic courts failed to determine, in particular, whether the applicant had received prior notice from his employer of the possibility that his communications on Yahoo Messenger might be monitored; nor did they have regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or to the degree of intrusion into his private life and correspondence. In addition, they failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into the applicant’s private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge”.

It needs to be stressed that the ruling does not find monitoring of employees’ communications illegal in all situations, but that the power to monitor employees is limited. The judgement limits the employers’ right to monitor employees’ communications by limiting the scope and degree of intrusion, legitimate justification and proportionality of the monitoring. All of these should have been done in this case and should be in any similar cases in the future. The Court clarified that an employee keeps enjoying his right to private and family life also in the workplace.

Press release for the Grand Chamber judgement (05.09.2017)

Romanian whose messages were read by employer “had privacy breached” (05.09.2017)

Privacy International response to Grand Chamber of the European Court for Human Rights Bărbulescu v. Romania judgement (05.09.2017)

(Contribution by Anne-Morgane Devriendt, EDRi intern)



18 Sep 2017

Cross-border access to data: EDRi delivers international NGO position to Council of Europe


Today, 18 September 2017, a global coalition of civil society organisations, led by European Digital Rights (EDRi), submitted to the Council of Europe its comments on how to protect human rights when developing new rules on cross-border access to electronic evidence (“e-evidence”). The Council of Europe is currently preparing an additional protocol to the Cybercrime Convention. EDRi’s Executive Director Joe McNamee handed the comments over to Mr. Alexander Seger, the Executive Secretary of the Cybercrime Convention Committee (T-CY) of the Council of Europe.

Joe McNamee, Executive Director of EDRi presents Alexander Seger with his contribution on the forthcoming Cybercrime Protocol. (Photo: Candice Imbert / Council of Europe)

Over the next two and a half years, the work on the new protocol needs to incorporate the civil society principles presented today,

said Joe McNamee, Executive Director of European Digital Rights.

Global civil society is engaging in this process to ensure that any harmonisation in this crucial policy area is up to the highest human rights standards, in line with the ethos of the Council of Europe,

he added.

We are a group of 14 civil society organisations from around the world. We submitted our comments and suggestions on the Terms of Reference for drafting a Second Protocol to the Cybercrime to the Council of Europe. Our aim is to make sure that human rights are fully respected in the preparation of the new protocol. In this global submission, we emphasise the importance of an inclusive, open and transparent drafting process. To facilitate the Council of Europe’s and the State-Parties’ work, we have elaborated key principles that will serve to guide the work of the Drafting group and allow us to engage constructively in the coming two and a half years.

It is vital that the new protocol, if adopted, include and respect three basic principles:

  1. Enforcement of jurisdiction by a State or State agency on the territory of another State cannot happen without the knowledge and agreement of the targeted State.
  2. State-parties must comply with human rights principles and requirements, including under any powers granted or envisaged in or under the Cybercrime Convention and the proposed additional protocol.
  3. Unjustified forced data localisation should be banned. Data transfers between jurisdictions should not occur in the absence of clear data protection standards.

We remain open to work with other civil society organisations in integrating these principles.

Background information:

Electronic evidence (“e-evidence”) refers to digital or electronic evidence, such as contents of social media, emails, messaging services or data held in the “cloud”. Access to these data is often required in criminal investigations. Since in the digital environment the geographical borders are often blurred, investigations require cross-border cooperation between public authorities and between public authorities and the private sector.

The new optional protocol aims to address three areas of activity:

  1. the direct gathering of electronic evidence online by law enforcement agencies in one State, from ICT infrastructure and devices in another State;
  2. closer cooperation between designated bodies in different states in relation to cross-border investigations and transnational collecting of evidence;
  3. the direct requesting and obtaining of possibly highly sensitive personal information by law enforcement agencies in one State from private sector companies in another State, without the knowledge or consent of the latter country, bypassing its laws and potentially violating its sovereignity.

Read more:

New legal tool on electronic evidence: Council of Europe welcomes civil society opinion (18.09.2017)

Global Civil Society Submission to the Council of Europe: Comments and suggestions on the Terms of Reference for drafting a Second Optional Protocol to the Cybercrime Convention (08.09.2017)

Access to e-evidence: Inevitable sacrifice of our right to privacy? (14.06.2017)

EDRi position paper on the Cybercrime Convention – cross-border access to electronic evidence (17.01.2017)

EDRi letter to the Council of Europe on the report of the T-CY Cloud Evidence Group (2016)5 (10.11.2016)

Professor Douwe Korff’s comments on the T-CY report (2016)5 (09.11.2016)


13 Sep 2017

Five things the online tracking industry gets wrong

By Diego Naranjo

The Interactive Advertising Bureau (IAB) Europe, one of the loudest enemies of the e-Privacy Regulation, is the association of online tracking and adverting companies. On 7 September, IAB Europe published a report titled: “Europe Online: An experience driven by advertising”.

In the report, some of the key issues are clearly displayed, but some are hidden behind the large misleading headlines and graphics. The IAB Europe Report says:

1) “In the online world most users’ experience is predominantly free.”

The report conveys the message that online users are using services without paying for the services in cash. This is true in many cases. However, it cleverly creates a false dichotomy that the only alternative to massive, untransparent profiling and tracking is unspecified costs for users.

It is clear that they are unknowingly “paying” with their data, without any clarity about the financial value or security cost of handing over their data nor, indeed, the actual cost of providing the “free” services. In the online world, companies offering “free” services live from insights into how to manipulate their users. Often the “free” websites have no idea about (nor control over) where their visitors’ data goes, what other data it is merged with, and what uses that data are put to.

To provide the best services for their actual customers (the companies paying to place advertisements or cookies), advertisers sometimes get access to the content of your emails, track your physical movements, analyse your browsing habits, or listen to the interactions of your children with their toys.

Even though the way online tracking happens is not immediately obvious, the results of the Eurobarometer on e-Privacy show clearly what matters to people: 92% of EU citizens said that it is very important that the personal information (such as their pictures, contact lists, etc.) on their computer, smartphone, tablet or any other device is only accessed with their permission. The same percentage highlighted the importance of protecting their online communications (e-mails and online instant messaging).

2) “Nine in ten online users (92%) would stop accessing their most-used free news, content or service site or app if it switched to paid access only.”

Here again, a false dichotomy was presented to users, to generate the response requested by IAB. The approach misleads readers by implying that no innovation is possible, no solutions other than the status quo exist. However, it is not true that different business models cannot be created – we do not have to rely on a model that has created a quasi-duopoly for Google and Facebook. For example, there are successful micropayment models for quality news sources. Also, innovation around contextual advertising is increasingly successful to achieve its goals, without engaging in invasive profiling and tracking of individuals. Such innovation has the capacity to generate a level playing field, as an alternative to the current duopoly stranglehold of the online advertising market.

The statement closes the door to alternative ways of payment. Furthermore, it ignores the fact that a majority of EU citizens think it is “unacceptable to have their online activities monitored in exchange for unrestricted access to a certain website (64%) or to pay in order not to be monitored when using a website (74%)”, as shown by the Eurobarometer.

3) “Most users are either positive or neutral about online advertising.”

Another misrepresentation. Online advertising is online advertising. Advertising based on tracking and profiling is advertising based on tracking and profiling. Asking about one and suggesting that the answer is about the other is blatantly misleading. This is demonstrated when report admits that 58% of users are not happy with their browsing data being shared as the basis for advertising. Later on in its “research”, the IAB admits that 80% would not like to see their data shared with third parties for advertising purposes.

The use of ad-blockers increased up to 30% in 2016. Now 11% of internet users worldwide are using one. And yet the online advertising industry still refuses to acknowledge that innovation is even possible.

4) “Four in ten users (42%) are happy with their browsing data being shared as the basis for advertising, stating they don’t mind seeing personalised advertising based on their browsing data in exchange for free news, content or services.”

This suggests that 58% of online users do not feel comfortable with their browsing being analysed in htis way.

The Eurobarometer report on the e-Privacy Regulation says that six in ten respondents (60%) have already changed the privacy settings on their internet browser, for example, to delete browsing history or cookies. It also shows that 40% of respondents avoid certain websites because they are worried their online activities are monitored, and that 71% of them say it is unacceptable for companies to share information about them without their permission, even if it helps companies provide new services they may like.

5) “Continually approving the use of cookies as a precondition for accessing a site was the least popular and most divisive of the two options.”

Yet another false dichotomy: it has been done badly so the only option is not to do it at all. The way that the e-Privacy Directive was implemented led to the “cookie” pop-up notices that users often see. These cookie notices are sometimes intrustive, almost always demonstrably factually incorrect and therefore inefficient.However, there is no reason to believe that there is therefore no other – more efficient and informative – way to protect citizens’ privacy.

The study conducted for the IAB report gave respondents two options: that every app asks every time for consent for the use of their data, or that the apps only show how their data is being used, without asking for their consent. Obviously, most of the respondents chose the lesser of two evils. In reality, users want services to work differently: According to Eurobarometer, eight in ten (82%) said that it is important that tools for monitoring their activities online (such as cookies) can only be used with their permission, and 56% stated that this is very important to them.

The businesses that listen to consumers and hear their concerns about current tracking based models will have an advantage. They will understand the importance of earning the trust of their clients – an essential element of running a successful business – and develop towards less privacy intrusive business models. They will, as long as untransparent, trust-eroding practices are restricted by law – and this is exactly what the IAB “research” is designed to prevent.

Europe Online: An experience driven by advertising

e-Privacy Directive: Frequently Asked Questions (05.10.2016)

e-Privacy revision: Document pool (10.01.2017)

Your privacy, security and freedom online are in danger (14.09.2016)


06 Sep 2017

Controversial testing of facial recognition software in Germany

By Anne-Morgane Devriendt

At the end of August 2017, German police has been testing a facial recognition software at Südkreuz train station in Berlin. The system was tested on 300 volunteers. The goal was to evaluate the accuracy of the software in recognising and distinguishing them from the crowd – a feature that the police hopes to ultimately use to track and arrest crime and terrorism suspects.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

However, this testing has been subject to criticism regarding its parameters and its efficiency in the fight against terrorism. The experiment raises two concerns: the terms of the experiment and the relevance of such a measure against terrorism.

In the aftermaths of recent terrorist attacks, mass surveillance measures have been increasingly introduced in Europe, as a means to “fight against terrorism”. These measures might give citizens the impression that the government is taking action, but there is no evidence that they are efficient towards this goal.

By using facial recognition software, Thomas de Maizière, the German Minister of the Interior, aims at strengthening the public’s sense of security and help the fight against terrorism. He considers that it does not undermine civil liberties, but lawyers and civil society organisations disagree, first and foremost on the terms of the experiment. The facial recognition software was tested on volunteers, who carried around bluetooth sensors transmitting information about their location. German EDRi member Digitalcourage reported that these sensors provide information that is not useful for the results of the experiment and that it was not communicated to the volunteers. Furthermore, Digitalcourage affirms that this data is easily accessible by anyone.

Beyond the technical issues and the lack of consent, it has been denounced by lawyers as unconstitutional and uncalled for, because it costs more in terms of civil rights than it can bring to the fight against terrorism. The usefulness of mass surveillance in improving security is questionable, to say the least. The fact that those involved in recent terrorist attacks were known by the intelligence services and had previously been under surveillance did not stop the attacks. It would require immense resources to constantly follow all potential suspects. It is difficult to see how introducing tools such as facial recognition in public places to widen the scope of surveillance, and thus increasing the amount of data to be processed by law enforcement, could help preventing future terrorist attacks.

Facial recognition at the Südkreuz station: Federal police did not inform correctly – We request the end of the experiment

Berlin starts controversial test of facial recognition cameras at train station (02.08.2017)

German police test facial recognition cameras at Berlin station (01.08.2017)

Opinion: Facial recognition tech makes suspects of us all (31.08.2017)

Germany’s facial recognition pilot program divides public (24.08.2017)

Facial recognition software to catch terrorists being tested at Berlin station (02.08.2017)

Facial recognition cameras at Berlin station are tricking volunteers, activists claim (23.08.2017)

(Contribution by Anne-Morgane Devriendt, EDRi intern)



06 Sep 2017

Netherlands: Sharing of travel data violated students’ privacy

By Bits of Freedom

It was all over the news on 22 August 2017: Translink, the company responsible for the Dutch public transport card “OV-chipkaart” had been passing student travel data to the Education Executive Agency responsible for student finance in the Netherlands (DUO). DUO uses this data to figure out whether students who claim to live on their own – and therefore receive a supplementary grant – actually still live with their parents. A court ruled that this was violating students’ privacy. The same day, Dutch EDRi member Bits of Freedom called upon students to issue a right of access request to DUO and Translink. The students were encouraged to ask the following questions:

  1. Which data does DUO have on me and if I didn’t supply this data myself, how did DUO obtain it?
  2. Which data does Translink have on me and with whom has this data been shared?

Where and when we travel, whom we call, what we buy: sometimes it seems records are kept of every single thing we do. We are becoming more and more transparent and easier to influence for companies and governments. Based on the data that is gathered about us, conclusions are drawn with tangible, sometimes far-reaching consequences. Therefore it is important that we gain insight into who knows what about us. And of course, what is being done with that information.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

Imagine: you live in a dorm room when one of your parents becomes seriously ill. You are at your parents’ home for weeks or even months on end. You don’t actually live there, but you do sleep over. Is it really possible for a DUO employee to make that distinction based on your public transport data? We don’t think so. You can interpret data in multiple ways and often it does not tell the whole story. Conclusions that someone else reaches by looking at your data are not always correct. But still, you are the one who has to deal with the consequences.

It is indeed important that fraud is addressed. However, it is also important that the tools used to do so are proportionate to the offence. In this case, the Dutch court ruled that DUO cannot request this kind of privacy-sensitive information just like that. And even Translink really does know better: in its terms and conditions, Translink states that it will only hand over data as part of a criminal investigation and therefore only to the police and judiciary. By deviating from its own commitment, the company undermines trust in its service.

The Dutch constitution states that everyone is entitled to respect of their personal environment. The Dutch Data Protection Act (Wbp) is the most important law regarding the collection and sharing of personal data. This law also gives citizens the right to gain insight into their own data and the right to correct it. By executing these rights, you can verify whether the processing of your personal data is correct, complete, relevant and lawful. Bits of Freedom’s Privacy Review Machine can help you with this.

DUO and the OV-chipkaart: Ask for clarification about your data! (only in Dutch, 22.08.2017)

Privacy Review Machine (only in Dutch)

(Contribution by Evelyn Austin, EDRi member Bits of Freedom, the Netherlands; Translation: Philip Westbroek)



23 Aug 2017

The privacy movement and dissent: Whistleblowing

By Guest author

This is the second blogpost of a series, originally published by EDRi member Bits of Freedom, that explains how the activists of a Berlin-based privacy movement operate, organise, and express dissent. The series is inspired by a thesis by Loes Derks van de Ven, which describes the privacy movement as she encountered it from 2013 to 2015.*

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

Whistleblowing as a way of expressing dissent is tied to the privacy movement. To fully understand the act of whistleblowing, it is important to understand that whistleblowing encountered in the privacy movement is not only a form of dissent, but also shows qualities of civil disobedience and protest.

Two elements characterise whistleblowing as an expression of dissent: disagreement and complaint. Whistleblowing has a clear aim to enforce change within an organisation and is often done out of ethical considerations, but never under threat or under oath.

In addition to dissent, whistleblowing can also be seen as civil disobedience. For example, Edward Snowden said he did what he believed right and began a campaign to correct this wrongdoing. The aims Snowden tried to achieve by disclosing the NSA documents are politically motivated: he wanted to inform the public about government surveillance activities so that policies could be adjusted as the public wished. By turning to the press he addressed this issue openly, and by addressing this issue openly he forced the entire discussion out into the open and thereby turned it into a public discussion. What he wanted to achieve with his disclosures and the subsequent public discussion was clear, and the way in which he did this was deliberate and conscientious.

Contrary to whistleblowing, protesting is something that is done by a group and hardly ever by one single individual. Mobilisation is the most powerful element of protesting, because it is usually the mobilisation that brings organisations’ wrongdoings to light. Furthermore, whistleblowing and protest also differ in the sense that whistleblowers, in comparison to protesters, are more vulnerable to reprisals, operate solo, have an intra-organisational focus, have few strategic options, and only approach the media as a last resort. The boundary between whistleblowing and protest, however, can become vague as they are both a “morally propelled action”, involve “personal risk-taking”, are “change-focused”, are “vulnerable to name calling”, and involve “strategic planning”.

When looking at the way in which Edward Snowden blew the whistle, the differences between whistleblowing and protest become even smaller. Snowden’s actions already stopped being those of an individual the moment he contacted Glenn Greenwald and Laura Poitras, months before he gave them the entire set of documents and the subsequent moment of actual publication. It is also worth noting that the use of media was certainly not Snowden’s last resort but rather one of his first choices. Furthermore, Snowden did not solely focus on change within the organisation. Instead, he focused on a type of change that would entail a major social and political change, not just of the NSA but of a larger group of intelligence agencies and governments.

For a number of reasons, whistleblowers take up an exceptional place within the privacy movement. First, much of what the movement is concerned with is related to actions of intelligence services of which the exact conduct is not made public. Activists are therefore quite reliant on the information whistleblowers disclose to know what is really happening in the field of surveillance.

Second, once whistleblowers have decided to blow the whistle and make certain classified information public, their position often changes. By blowing the whistle they exclude themselves from the organisation they previously worked for, both physically and mentally. They often find a new home within the privacy movement. We can, again, turn to Edward Snowden to see how such a development unfolds.

The first year after his revelations Snowden kept a relatively low profile. Slowly, he started to accept awards and give public speeches, for example at the 2014 Dutch Big Brother Awards; took his first steps in writing articles, for instance in The New York Times; and became a member of the Board of Directors of the Freedom of the Press Foundation.

Last, because whistleblowing can have such drastic consequences, whistleblowers often receive respect and protection by the privacy movement. There is an enormous awareness among privacy advocates of the sacrifices whistleblowers make. A striking example is Glenn Greenwald’s keynote lecture at the 30th Chaos Communication Congress, six months after the first publications of the Snowden documents.

Greenwald stated that Snowden “has been utterly indispensable and deserves every last accolade and to share in every last award”, and this was followed by a loud applause from the audience. This respect for whistleblowers also shows in organisations that support whistleblowers. When whistleblowers leak classified information, there is much at stake for them and they largely depend on others for help. They are at risk of losing their freedom, either because they are given a prison sentence or because they are forced to live in exile. This is a high price to pay, and activists and organisations within the movement dedicate themselves to helping them.

Whistleblowers have an exceptional position within the privacy movement; both as valuable sources of information and as respected members. And although whistleblowing should not be seen as protest, in practice we see that for the privacy movement the two are intricately linked. In the next article, we will further explore how the privacy movement uses art to express dissent.

The series was originally published by EDRi member Bits of Freedom at https://www.bof.nl/tag/meeting-the-privacy-movement/.

Dissent in the privacy movement: whistleblowing, art and protest (12.07.2017)

(Contribution by Loes Derks van de Ven)

* This research was finalised in 2015 and does not take into account the changes within the movement that have occurred since then.



Jubb, Peter B. “Whistleblowing: A Restrictive Definition and Interpretation” Journal of Business Ethics 21 (1999): 77-94.
Scheuerman, William E. “Whistleblowing As Civil Disobedience: The Case of Edward Snowden.” Philosophy and Social Criticism 40.7 (2014): 609-628.
De Maria, William. “Whistleblowers and Organizational Protesters. Crossing Imaginary Borders.” Current Sociology 56.6 (2008): 865-883.

26 Jul 2017

Stalking is easy with Facebook, and now even easier with Snapchat

By Guest author

We seem to get more and more accustomed to using apps that can easily track our movements. It is convenient to simply share your location with friends, instead of sending messages or calling to arrange where to meet. But are you aware of when and how you are giving the companies an insight into our whereabouts, and with that, your life? Even though it is practically impossible to completely protect yourself from location tracking if you are using a smartphone, there are ways to avoid the most obvious and intrusive ones.

The most popular location-sharing tools are provided by Facebook, Google and now Snapchat. They all provide imperfect, but still efficient and widely used features for sharing your location, which bring about the privacy concerns of location tracking.

Two options apply to location sharing – the first one is to drop a pin on a map to share your current location, and the second one is to let others follow your location in real time as you move around. Apple, Facebook, Google and Snapchat all offer these options.

Apple’s locations sharing features are integrated into Apple Maps, Messages and Find my Friends apps. Google’s location sharing tool is built into Google maps and Facebook’s is embedded into its Messenger app. They all offer options for the time limit of your location sharing – it should come with no surprise that broadcasting a live update on your location indefinitely might not be the best thing to do, if you are even vaguely concerned about your privacy. Turning off the feature when you do not need to share your location any more is a basic precaution.

The latest app to join this location-sharing crowd is Snapchat. It might also be the most controversial one, to the point when even parents and law enforcement officials raised their concerns about strangers tracking children’s locations. Snap Map shares your location by placing your avatar – a cartoon figure called Bitmoji – on a map like a pin. Others can zoom in on it to get your specific location. Even if only your friends can access your location, it is fairly common to add people you do not actually know as friends on Snapchat. This raises concerns especially because the social platform is popular among teenagers, who might not be fully aware of privacy implications of the technology that broadcasts their location.

edri.org/wp-content/uploads/2015/09/Supporters_banner.png” alt=”—————————————————————–
Support our work – make a recurrent donation!
—————————————————————–” width=”600″ height=”50″ />

Snap Map is technically an opt-in app, which only takes effect after you update the app and follow the tutorial on how to use the feature. The app asks who you want to see your location – if you choose option “only me”, it activates the so-called Ghost Mode, which makes your avatar disappear from the map, while you can still see others. This feature has been described as plain creepy.

Similar to many other apps, even if you opt out from announcing your location to the world, Snapchat can still track you of course. It might be a good idea to turn off location data altogether on your phone and just take a moment to actually tell your friends where you are when necessary. That way, the number of people, private companies, and government agencies, who are given a shortcut to monitor your movements and your activities, are at least somewhat limited. It is a simple choice between incurring the entirely unnecessary privacy and security risk of being in numerous databases, any of which might suffer a data breach at any time, or choosing not to run that risk.

Parents can make sure that children are not sharing their location with specific tools and with advice. For everyone else, not broadcasting your location publicly is always a wise choice when it comes to privacy.

(Contribution by Zarja Protner, EDRi intern)



12 Jul 2017

Dissent in the privacy movement: whistleblowing, art and protest

By Guest author

This is the first blogpost of a series, originally published by EDRi member Bits of Freedom, that explains how the activists of a Berlin-based privacy movement operate, organise, and express dissent. The series is inspired by a thesis by Loes Derks van de Ven, which describes the privacy movement as she encountered it from 2013 to 2015.*

On 29 December 2013, digital activist, technologist, and researcher Jacob Appelbaum closes the year with a talk titled “To Protect and Infect, Part 2” at the 30th edition of the Chaos Communication Congress in Hamburg, Germany. He elaborates on the kind of surveillance activities the United States National Security Agency (NSA) deploys, and reveals, among other things, the existence of a dragnet surveillance system called TURMOIL. The information he shares originates from the set of classified documents that whistleblower Edward Snowden collected while working as an NSA system administrator. In June 2013, Snowden decided to share these documents with the press, explaining that he does not want to live in a world where we have no privacy and no freedom and that the public has the right to know what their government is doing to them and doing on their behalf. Later, at the 2014 Dutch Big Brother Awards, he adds that he considered the NSA’s surveillance programs such a severe violation of human rights that he felt it was his obligation to make the documents public. Snowden’s statements are related to a larger, ongoing public debate about surveillance: how much knowledge about citizens is just and necessary for governments to possess and what actions are legitimate to obtain that information?

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

Four activists surfaced in the wake of the Snowden leaks and quickly took on leading roles in the debate: Jacob Appelbaum, Glenn Greenwald, Sarah Harrison, and Laura Poitras. Although these four individuals had shared beliefs, they do not share a common background. At the time of the first publications Glenn Greenwald worked as a journalist, Laura Poitras as a documentary filmmaker, Jacob Appelbaum as a technologist, and Sarah Harrison as a journalist and legal researcher for WikiLeaks. Although they are certainly not the only individuals who are relevant to the larger group of activists who work on privacy and surveillance issues, their diversity really is a reflection of the diversity of the group concerned with these issues.

The privacy movement is incredibly diverse, decentralised, and therefore complicated to define. In spite of this, expressing dissent is one of the key characteristics of the movement. It is where activists find each other and share their ideas with the rest of the world. So what does dissent look like in the privacy movement? There are three different ways in which the privacy movement seems to express dissent, namely through whistleblowing, through art, and through protest. Each contributes to the understanding of the privacy movement as a whole.

First, whistleblowing is interesting because its role is threefold. Besides the fact that whistleblowing is a means for the privacy movement to expresses dissent, whistleblowers are also a vital source of information to the movement and furthermore often become activists within the movement themselves. Second, activist art is a way for the privacy movement to communicate its ideas and goals to members of the movement as well as to the wider public. Although there is only a small group of activists involved in the process of creating the art, it does affect the movement in its entirety. Last, the privacy movement also expresses dissent through protest. This is done both through traditional types of protest such as street demonstrations, as well as through protest forms that can only exist online, for example the development, promotion, and use of tools that provide more anonymity for internet users.

Although dissent is an element that characterises the privacy movement, it is certainly not the only one. The untraditional role of leadership within the movement and the physical meeting place in Berlin also contribute to the unique character of the movement.

In the upcoming articles in this series, we will explore whistleblowing, art, and protest as expressions of dissent in more depth.

The series was originally published by EDRi member Bits of Freedom at https://www.bof.nl/tag/meeting-the-privacy-movement/

(Contribution by Loes Derks van de Ven)



* This research was finalised in 2015 and does not take into account the changes within the movement that have occurred since then.

14 Jun 2017

#ALTwitter privacy revelation: European parliamentarian goes bananas

By Guest author

Recently, Mr Dunston (of the “Dunston Checks In” fame) came to the EDRi Brussels office looking for help. He complained that somebody from the European Parliament is messing up with his “holy banana collection” that he has been preserving since decades after he inherited it from his forefathers. Other than that we had no information.

Being the defenders of human rights in the digital environment, we decided to help Mr Dunston. Coincidentally, we were working on a project called ALTwitter, where we had created Twitter-like profiles of the Members of the European Parliament (MEPs) based on their metadata. We thought, for once, let’s use metadata for social good.

Here is what we did:

Step 1: Data collection
We collected approximately 10000 publicly available tweets from the Twitter accounts of 617 MEPs.

Step 2: Metadata extraction
We stripped the metadata associated with these tweets – such as source of the tweet i.e. the device or service from which the tweet originated – for further analysis.

Step 3: Metadata analysis
We counted the number of times each of those devices or services were used by MEPs. Then we arranged them according to how frequently they had been used.

Step 4: Finding the anomaly or unique artifact
We then selected the few least commonly used devices or services. This was to find the sources which are used only by a few MEPs.

Step 5: Finding the culprit
We were surprised to see “Banana Kong” as one of the rarely used sources of tweets from MEPs. Apparently, it was used by only one MEP on her Apple (iOS) phone. That was none other than Angelika Niebler.

Step 6: Helping Dunston with the proof
Because we had seen this information in Ms Niebler’s metadata, we searched her chronology to see if she had ever mentioned her surprising pastime. Sure enough, evidence of Ms Niebler’s banana enthusiasm came to light.

(I’ve just reached 90 meters in “Banana Kong”. Download it from the App Store and try to beat me!)

Angelika has been stealing Mr Dunston’s bananas since August 2013, and she owes him compensation – big-time. We would never have found this proof, if metadata hadn’t pointed us in the right direction. This is the same metadata the advertisers are using to target her with more personalised ads, track her online activities, and undermine her privacy online, and possibly offline. And our privacy, too.

When signing up to use the app, Ms Niebler agreed, as a prominent Member of the European Parliament, to share a variety of personal information, including her device identifier, geo-location information and IP address data with the game supplier and fourteen other companies, mainly based in the United States.

We suggested to Mr Dunston that he should take legal action against Ms Niebler for banana theft. But, he says:
“Listen! I am a nice orangutan. I don’t need any monetary compensation, but I want her and every other MEP to understand the importance of privacy. Today it is my banana, tomorrow it could be yours. If not Ms Niebler, someone else will steal it. In fact, the advertisers have been already stripping our online privacy, with or without our knowledge. It’s time to put an end to this! Let’s try to understand why privacy matters and let’s defend it! Let’s help the parliamentarians to do the same! That is the best compensation I would expect.”

We believe that his demands are fair. If you agree, join us on our mission to defend everyone’s digital rights! We want to convince Ms Niebler and other MEPs to vote right on the e-Privacy Regulation, to make sure it guarantees privacy by design and by default for our online communications. We want to make sure that no one can be refused to access information because they oppose being tracked (no “tracking walls”), that groups can act on behalf of citizens when an infringement has occurred and that tracking can never be the default. Find out more about e-Privacy here!

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

ALTwitter #hakunametadata: Twitter metadata profiles of the Members of European Parliament

ALTwitter: The treasure trove behind 140 characters (31.05.2017)

Hakuna Metadata – Let’s have some fun with Sid’s browsing history! (03.05.2017)

Hakuna Metadata – Exploring the browsing history (22.03.2017)

New e-Privacy rules need improvements to help build trust (09.03.2017)

(Contribution by Siddharth Rao, Ford-Mozilla Open Web Fellow, EDRi)



14 Jun 2017

Access to e-evidence: Inevitable sacrifice of our right to privacy?

By Guest author

What do you do when human rights “get in the way” of tackling crime and terrorism? You smash those pillars of your democratic values – the same ones you are supposedly protecting. Give up your right to privacy, it is a fair price to pay for the guarantee of your security! This is the mantra that, during the past decades, we have heard populist politicians repeat over and over again – never mind that gambling with our rights actually helps very little in that fight.

One of the bargaining chips in the debate on privacy versus security is access to e-evidence.

E-evidence refers to digital or electronic evidence, such as contents of social media, emails, messaging services or data held in the “cloud”. Access to these data is often required in criminal investigations. Since the geographical borders are often blurred in the digital environment, investigations require cross-border cooperation between public authorities and private sector.

Thorough police investigations are indeed of utmost importance. However, the access to people’s personal data must be proportionate and necessary for the aim of the investigation and provided for by law.

In a similar way that the police cannot enter your home without a court warrant, they are not supposed to look into your private communications without permission, right? Not really.

The EU is working towards easing the access to e-evidence for law enforcement authorities. The plan of the European Commission is to propose new rules on sharing evidence and the possibility for the authorities to request e-evidence directly from technology companies. One of the proposed options is that police would be able to access data directly from the cloud-based services.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

This means that Facebook, Google, Microsoft, providers of messaging services, and other companies which collect and store data of millions of EU citizens, would be obliged to provide this data to the authorities, even when stored in the cloud in another EU Member State. The types of data that might fall within the scope of the law range from metadata (such as location, time, sender and recipient of the message and other non-content data) to the content of our personal communications.

But for sure there must be safeguards to protect people’s right to privacy, right? Not necessarily, especially when pushing for “voluntary” cooperation between companies and law enforcement. This kind of arrangements often lack in accountability and predictability. This is why any new measures on e-evidence must comply with international human rights and data protection standards. Member States must continue to be able to regulate access to data in their jurisdiction and on their citizens and residents, in particular by foreign law enforcement and national security agencies. Individuals must also be able to seek protection and redress in their own country.

Access to e-evidence is also being discussed beyond EU borders. The Council of Europe (CoE) is preparing to adopt a new protocol to the so-called Budapest Convention – the Convention on Cybercrime of the Council of Europe. The Convention covers not only CoE Member States, but all 53 countries that have ratified it. This means not all of them are bound by data protection or human rights conventions. EDRi is following this process attentively and has submitted input on several occasions.

The initiative from the European Commission is establishing the framework for a new legislative proposal, which is scheduled to be presented in the beginning of 2018. On 8 June 2017, the Commission presented the options for practical and legislative measures to the EU ministers. EDRi is participating in expert discussions on the suggested way forward.

It is crucial that safeguards to ensure data protection and the rule of law are applied to the new legislation. Otherwise, it will be imposed at the cost of the human rights of citizens.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

RightsCon session on cross-border access to e-evidence – key interventions (10.05.2017) https://edri.org/rightscon-session-on-cross-border-access-to-e-evidence-key-interventions/

EDRi’s position paper on cross-border access to electronic evidence in the Cybercrime Convention (17.01.2017)

EDRi’s letter to the Council of Europe on the T-CY Cloud Evidence Group Report on criminal justice access to evidence in the cloud (10.11.2016)

Professor Douwe Korff’s analysis on the T-CY Cloud Evidence Group Report on criminal justice access to evidence in the cloud (10.11.2016)

European Commission: e-evidence

(Contribution by Zarja Protner, EDRi intern)