09 Oct 2019

Why weak encryption is everybody’s problem

By Ella Jakubowska

Representatives of the UK Home Department, US Attorney General, US Homeland Security and Australian Home Affairs have joined forces to issue an open letter to Mark Zuckerberg. In their letter of 4 October, they urge Facebook to halt plans for end-to-end (aka strong) encryption across Facebook’s messaging platforms, unless such plans include “a means for lawful access to the content of communications”. In other words, the signatories are requesting what security experts call a “backdoor” for law enforcement to circumvent legitimate encryption methods in order to access private communications.

The myth of weak encryption as safe

Whilst the US, UK and Australia are adamant that their position enhances the safety of citizens, there are many reasons to be skeptical of this. The open letter uses emotive language to emphasise the risk of “child sexual exploitation, terrorism and extortion” that the signatories claim is associated with strong encryption, but fails to give a balanced assessment which includes the risks to privacy, democracy and most business transactions of weak encryption. By positioning weak encryption as a “safety” measure, the US, UK and Australia imply (or even explicitly state) that supporters of strong encryption are supporting crime.

Government-led attacks on everybody’s digital safety aren’t new. Since the 1990s, the US has tried to prevent the export of strong encryption and—when that failed—worked on forcing software companies to build backdoors for the government. Those attempts were called the first “Cryptowars”.

In reality, however, arguing that encryption mostly helps criminals is like saying that vehicles should be banned and all knives blunt because both have been used by criminals and terrorists. Such reasoning ignores that in the huge majority of cases strong encryption greatly enhances people’s safety. From enabling secure online banking, to keeping citizens’ messages private, internet users and companies rely on strong encryption every single day. It is the foundation of trusted, secure digital infrastructure. Weak encryption, on the other hand, is like locking the front door of your home, only to leave the back one open. Police may be able to enter more easily – but so too can criminals.

Strong encryption is vital for protecting civil rights

The position outlined by the US, UK and Australia is fundamentally misleading. Undermining encryption harms innocent citizens. Encryption already protects some of the most vulnerable people worldwide – journalists, environmental activists, human rights defenders, and many more. State interception of private communications is frequently not benign: government hacking can and does lead to egregious violations of fundamental rights.

For many digital rights groups, this debate is the ultimate groundhog day, and valuable effort is expended year after year on challenging the false dichotomy of “privacy versus security”. Even the European Commission has struggled to sort fact from fear-mongering.

However, it is worth remembering that Facebook’s announcement to encrypt some user content is so far just that: an announcement. The advertisement company’s approach to privacy is a supreme example of surveillance capitalism: protecting some users when it is favourable for their PR, and exploiting user data when there is a financial incentive to do so. To best protect citizens’ rights, we need a concerted effort between policy-makers and civil society to enact laws and build better technology so that neither our governments nor social media platforms can exploit us and our personal data.

The bottom line

Facebook must refuse to build anything that could constitute a backdoor into their messaging platforms. Otherwise, Facebook is handing the US, UK and Australian governments a surveillance-shaped skeleton key that puts Facebook users at risk worldwide. And once that door is unlocked, there will be no way to control who will enter.

EDRi Position paper on encryption: High-grade encryption is essential for our economy and our democratic freedoms (25.01.2015)

Encryption – debunking the myths (03.05.2017)

Encryption Workarounds: a digital rights perspective (12.09.2017)

(Contribution by Ella Jakubowska, EDRi intern)

25 Sep 2019

Why EU passenger surveillance fails its purpose

By Epicenter.works

The EU Directive imposing the collection of flyers’ information (Passenger Name Record, PNR) was adopted in April 2016, the same day as the General Data Protection Regulation (GDPR). The collection of PNR data from all flights going in and out of Brussels has a strong impact on the right of privacy of individuals and it needs to be justified on the basis of necessity and proportionality, and only if it meets objectives of general interest. All of this lacks in the current EU PNR Directive, which is at the moment being implemented in the EU.

The Austrian implementation of the PNR Directive

In Austria, the Austrian Passenger Information Unit (PIU) has processed PNR since March 2019. On 9 July 2019, the Passenger Data central office (Fluggastdatenzentralstelle) issued a response to inquiries into PNR implementation in Austria. According to the document, from February 2019 to 14 May, 7 633 867 records had been transmitted to the PIU. On average, about 490 hits per day are reported, with an average of about 3 430 hits per week requiring further verification. According to the document, out of the 7 633 867 reported records, there were 51 confirmed matches and in 30 cases there was the intervention by staff at the airport concerned.

Impact on innocents

What this small show of success does not capture, however, is the damage inflicted on the thousands of innocent passengers who are wrongly flagged by the system and who can be subjected to damaging police investigations or denied entry into destination countries without proper cause. Mass surveillance that seeks a small, select population is invasive, inefficient, and counter to fundamental rights. It subjects the majority of people to extreme security measures that are not only ineffective at catching terrorists and criminals, but that undermine privacy rights and can cause immense personal damage.

Why is this happening? The rate fallacy

Imagine a city with a population of 1 000 000 people implements surveillance measures to catch terrorists. This particular surveillance system has a failure rate of 1%, meaning that (1) when a terrorist is detected, the system will register it as a hit 99% of the time, and fail to do so 1% of the time and (2) that when a non-terrorist is detected, the system will not flag them 99% of the time, but register the person as a hit 1% of the time. What is the probability that a person flagged by this system is actually a terrorist?

At first, it might look like there is a 99% chance of that person being a terrorist. Given the system’s failure rate of 1%, this prediction seems to make sense. However, this is an example of incorrect intuitive reasoning because it fails to take into account the error rate of hit detection.

This is based on the rate fallacy: The base rate fallacy is the tendency to ignore base rates – actual probabilities – in the presence of specific, individuating information. Rather than integrating general information and statistics with information about an individual case, the mind tends to ignore the former and focus on the latter. One type of base rate fallacy is the one we suggested above called the false positive paradox, in which false positive tests are more probable than true positive tests. This result occurs when the population overall has a low incidence of a given condition and the true incidence rate of the condition is lower than the false positive rate. Deconstructing the false positive paradox shows that the true chance of this person being a terrorist is closer to 1% than to 99%.

In our example, out of one million inhabitants, there would be 999 900 law-abiding citizens and 100 terrorists. The number of true positives registered by the city’s surveillance numbers 99, with the number of false positives at 9 999 – a number that would overwhelm even the best system. In all, 10 098 people total – 9 999 non-terrorists and 99 actual terrorists – will trigger the system. This means that, due to the high number of false positives, the probability that the system registers a terrorist is not 99% but rather is below 1%. Searching in large data sets for few suspects means that only a small number of hits will ever be genuine. This is a persistent mathematical problem that cannot be avoided, even with improved accuracy.

Security and privacy are not incompatible – rather there is a necessary balance that must be determined by a society. The PNR system, by relying on faulty mathematical assumptions, ensures that neither security nor privacy are protected.


PNR – Passenger Name Record

Passenger surveillance brought before courts in Germany and Austria (22.05.2019)

We’re going to overturn the PNR directive (14.05.2019)

NoPNR – We are taking legal action against the mass processing of passenger data!

An Explainer on the Base Rate Fallacy and PNR (22.07.2019)

(Contribution by Kaitlin McDermott, EDRi-member Epicenter.works, Austria)

23 Jul 2019

Your family is none of their business

By Andreea Belu
  • Today’s children have the most complex digital footprint in human history, with their data being collected by private companies and governments alike.
  • The consequences on a child’s future revolve around one’s freedom to learn from mistakes, the reputation damage caused by past mistakes, and the traumatic effects of discriminatory algorithms.

Summer is that time of the year when parents get to spend more time with their children. Often enough, this also means children get to spend more time with electronic devices, their own or their parents’. Taking a selfie with the little one, or keeping them busy with a Facebook game or a Youtube animations playlist – these are examples that make the digital footprint of today’s child the largest in human history.

Who wants your child’s data?

Mobile phones, tablets and other electronic devices can open the door for the exploitation of the data about the person using that device – how old they are, what race they are, where are they located, what websites they visit etc. Often enough, that person is a child. But who would want a child’s data?

Companies that develop “smart” toys are the first example. In the past year, they’ve been in the spotlight for excessively collecting, storing and mis-handling minors’ data. Perhaps you still remember the notorious case of “My Friend Cayla”, the “smart” doll that was proved to record the conversations between it and children, and share them with advertisers. In fact, the doll was banned in Germany as an illegal “hidden espionage device”. However, the list of “smart” technologies collecting children data is long. Another example of a private company mistreating children’s data was the case of Google offering its school products to young American students and tracking them across their different (home) devices to train other Google products. A German DPA (Data Protection Authority) decided to ban Microsoft Office 365 from schools over privacy concerns.

Besides private companies, state authorities have an interest to record, store and use children’s online activity. For example, a Big Brother Watch 2018 report points that in the United Kingdom “Department for Education (DfE) demands a huge volume of data about individual children from state funded schools and nurseries, three times every year in the School Census, and other annual surveys.” Data collected by schools (child’s name, birth date, ethnicity, school performance, special educational needs and so on) is combined with social media profile or other data (e.g household data) bought from data brokers. Why linking all these records? Local authorities wish to focus more on training algorithms that predict children’s behaviour in order to identify “certain” children prone to gang affiliations or political radicalisation.

Consequences for a child’s future

Today’s children have the biggest digital footprint out of all humans in human history. Sometimes, the collection of a child’s data starts even before they are born, and this data will increasingly determine their future. What does this mean for kids’ development and their life choices?

The extensive data collection of today’s children aims at neutralising behavioural “errors” and optimising their performance. But mistakes are valuable during a child’s self-development – committing errors and learning lessons is an important complementary to receiving knowledge from adults. In fact, a recent psychology study shows that failure to provide an answer to a test is benefiting the learning process. Constantly using algorithms to optimise performance based on a child’s digital footprint will damage the child’s right to make and learn from mistakes.

Click to watch the animation

A child’s mistakes are not only a source of important lessons. With a rising number of attacks targeted at school’s IT systems, children’s data can get in the wrong hands. Silly mistakes could also be used to damage the reputation of the future adult a child grows into. Some mistakes must be forgotten. However, logging every step in a child’s development increases the risk that the past mistakes are later used against them.

More, children’s data can contribute to them being discriminated against. As mentioned above, data is used to predict child behaviour, with authorities aiming to intervene where they consider necessary. But algorithms portray human biases, for example against people of colour. What happens when a child of colour is predicted to be at risk of gang affiliation? Reports show that authorities treat children in danger to be recruited by a gang as if they were part of the gang already. Therefore, racial profiling by algorithms can turn into a traumatic experience for a child.

EDRi is actively trying to protect you and your beloved ones

European Digital Rights is a network of 42 organisations that promote the respect of privacy and other human rights online.

Our free “Digital Defenders” booklet for children (available in many languages) teaches in a fun and practical way why and how to protect our privacy online. EDRi is also working on the ongoing reform of the online privacy (ePrivacy) rules. This reform has a great potential to diminish practices of data exploitation online.

Read more:

Privacy for Kids: Your guide to Digital Defenders vs. Data Intruders (free download)

DefendDigitalMe: a call to action to protect children’s rights to privacy and family life.

Blogpost series: Your privacy, security and freedom online are in danger (14.09.2016)

e-Privacy revision: Document pool (10.01.2017)

17 Jul 2019

New privacy alliance to be formed in Russia, Central and Eastern Europe


Civil Society advocates from Russia, and Central and Eastern Europe have joined forces to form a new inter-regional NGO to promote privacy in countries bordering the EU.

The initiative also involves activists from the Post-Soviet countries, the Balkans and the EU Accession candidate countries. One of its primary objectives is to build coalitions and campaigns in countries that have weak or non-existing privacy protections. The project emerged from a three-day regional privacy workshop held earlier in 2019 at the Nordic Non-violence Study Group (NORNONS) centre in Sweden. The workshop agreed that public awareness of privacy in the countries represented was at a dangerously poor level, and concluded that better collaboration between advocates is one solution.

There has been a pressing need for such an alliance for many years. A vast arc of countries from Russia through Western Asia and into the Balkans has been largely overlooked by international NGOs and intergovernmental organisations (IGOs) concerned with privacy and surveillance.

The initiative was convened by Simon Davies, founder of EDRi member Privacy International and the Big Brother Awards. He warned that government surveillance and abuse of personal information has become endemic in many of those countries:

“There is an urgency to our project. The citizens of places like Azerbaijan, Kazakhstan, Kyrgyzstan, Turkmenistan, and Armenia are exposed to wholesale privacy invasion, and we have little knowledge of what’s going on there. Many of these countries have no visibility in international networks. Most have little genuine civil society, and their governments engage in rampant surveillance. Where there is privacy law, it is usually an illusion. This situation applies even in Russia.”

A Working Group has been formed involving advocates from Russia, Serbia, Georgia, Ukraine and Belarus, and its membership includes Danilo Krivokapić from EDRi member SHARE foundation in Serbia. The role of this group is to steer the legal foundation of the initiative and to approve a formal Constitution.

The initiative’s Moderator is the former Ombudsman of Georgia, Ucha Nanuashvili. He too believes that the new NGO will fill a desperately needed void in privacy activism:

“In my view, regions outside the EU need this initiative. Privacy is an issue that is becoming more prominent, and yet there is very little regional collaboration and representation. Particularly in the former Soviet states there’s an urgent need for an initiative that brings together advocates and experts in a strong alliance.”

Seed funding for the project has been provided by the Public Voice Fund of the Electronic Privacy Information Center (EPIC). EPIC’s president, Marc Rotenberg, welcomed the initiative and said he believed it would “contribute substantially” to the global privacy movement:

“We have been aware for some time that there is a dangerous void around privacy protection in those regions. We appreciate the good work of NGOs and academics to undertake this important collaboration.”

The Working Group hopes to formally launch the NGO in October in Albania. The group is presently considering several options for a name. Anyone interested in supporting the work of the initiative or wanting more information can contact Simon Davies at simon <at> privacysurgeon <dot> org.

The Nordic Nonviolence Study Group

SHARE Foundation

EPIC’s Public Voice fund

Mass surveillance in Russia

Ucha Nanuashvili, Georgian Human Rights Centre

17 Jul 2019

Microsoft Office 365 banned from German schools over privacy concerns

By Jan Penfrat

In a bombshell decision, the Data Protection Authority (DPA) of the German Land of Hesse has ruled that schools are banned from using Microsoft’s cloud office product “Office 365”. According to the decision, the platform’s standard settings expose personal information about school pupils and teachers “to possible access by US officials” and are thus incompatible with European and local data protection laws.

The ruling is the result of several years of domestic debate about whether German schools and other state institutions should be using Microsoft software at all, reports ZDNet. In 2018, investigators in the Netherlands discovered that the data collected by Microsoft “could include anything from standard software diagnostics to user content from inside applications, such as sentences from documents and email subject lines.” All of which contravenes the General Data Protection Regulation (GDPR) and potentially local laws for the protection of personal data of underaged pupils.

While Microsoft’s “Office 365” is not a new product, the company has recently changed its offer in Germany: Until now, it provided customers with a special German cloud version hosted on servers run by German telecoms giant Deutsche Telekom. Deutsche Telekom served as a kind of infrastructure trustee, putting customer data outside the legal reach of US law enforcement and intelligence agencies. In 2018, however, Microsoft announced that in 2019 this special arrangement will be terminated and German customers are offered to move to Microsoft’s standard cloud offer in the EU.

Microsoft insists that nothing changes for customers because the new “Office 365” servers are also located in the EU or even in Germany. However, legal developments in the US have put the Hesse DPA on high alert: The newly enacted “US Cloud Act” empowers US government agencies to request access to customer data from all US-based companies no matter where their servers are located.

To make things even worse, Germany’s Federal Office for Information Security (BSI) recently expressed concerns about telemetry data that the Windows 10 operating system collects and transmits to Microsoft. So even if German (or European) schools stopped using the company’s cloud office, its ubiquitous Windows operating system also leaks data to the US with no control or stopping it for users.

School pupils are usually not able to give consent, Max Schrems from EDRi member noyb told ZDNet. “And if data is sent to Microsoft in the US, it is subject to US mass surveillance laws. This is illegal under EU law.” Even if that was legal, says the Hesse DPA, schools and other public institutions in Germany have a “particular responsibility for what they do with personal data, and how transparent they are about that.”

It seems that fulfilling those responsibilities hasn’t been possible when using Microsoft Office 365. In a next step, it is crucial that European DPAs discuss those findings within the European Data Protection Board to come to an EU-wide rule that protects children’s personal data from unregulated access by US agencies. Otherwise European schools would be well-advised to switch to privacy-friendly alternatives such as Linux, LibreOffice, and Nextcloud.

Statement of the Commissioner for Data Protection and Freedom of Information of the Land of Hesse regarding the use of Microsoft Office 365 in schools in Hesse (only in German, 09.07.2019)

Microsoft Office 365: Banned in German schools over privacy fears (12.07.2019)

Microsoft offers cloud services in new German data centers as of 2019 in reaction to changes in demand (only in German, 31.08.2018)

(Contribution by Jan Penfrat, EDRi)

04 Jul 2019

Real Time Bidding: The auction for your attention

By Andreea Belu

The digitalisation of marketing has introduced novel industry practices and business models. Some of these new systems have developed into crucial threats to people’s freedoms. A particularly alarming one is Real Time Bidding (RTB).

When you visit a website, you often encounter content published by the website’s owner/author, and external ads. Since a certain type of content attracts a certain audience, the website owner can sell some space on their website to advertisers that want to reach those readers.

In the earlier years of the web, ads used to be contextual, and the website would sell its ad space to a certain advertiser in the field. For example, ads on a website about cars would typically relate to cars. Later, ads have become more personalised, and they now focus on the unique website reader. They have become “programmatic advertising”. The website still sells its space, but now it sells it to advertisement platforms, “ad exchanges”. Ad exchanges are digital marketplaces that connect publishers (like websites) to advertisers by auctioning the attention you give that website. This automated auction process is called Real Time Bidding (RTB).

How does Real Time Bidding work?

Imagine auctions, stock exchange, traders, big screens, noise, graphs, percentages. Similarly, RTB systems facilitate the auction of website ad space to the highest bidding advertiser. How does it work?

A website rents its advertising space to one (or many) ad exchanges. In the blink of an eye, the ad exchange creates a “bid request” that can include information from the website: what you’re reading, watching or listening to on the website you are on, the categories into which that content goes, your unique pseudonymous ID, your profile’s ID from the ad buyer’s system, your location, device type (smartphone or laptop), operating system, browser, IP address, and so on.

From their side, advertisers inform the ad exchange about who they want to reach. Sometimes they provide detailed customer segments. These categories have been obtained by combining the advertisers’ data about (potential) customers, and the personal profiles generated by data brokers such as Cambridge Analytica, Experian, Acxiom or Oracle. The ad exchange has now a complex profile of you, made of information from the website supplying the ad space, and information from the advertiser demanding the ad space. When there is a match between a bid request and the advertiser’s desired customer segment, a Demand Side Platform (DSP) acting on behalf of thousands of advertisers starts placing bids for the website’s ad space. The highest bid wins, places its ad in front of a particular website viewer, and the rest is history.

Click to watch the animation


Every time you visit a website that uses RTB, your personal data is publicly broadcasted to possibly thousands of companies ready to target their ads. Whenever this happens, you have no control over who has access to your personal data. Whenever this happens, you have no way of objecting to being traded. Whenever this happens, you cannot oppose to being targeted as Jew hater, incest or abuse victim, impotent, or right wing extremist. Whenever this happens, you have no idea whether you are being discriminated.

Whenever this happens, you have no idea where your data flows.

EDRi’s members suing against RTB

Real time bidding poses immense risks for our human rights in the digital space, specifically for the rights recognised in the EU General Data Protection Regulation (GDPR). More, it puts you at high risks of being discriminated. For these reasons, several EDRi members and observers have taken action and filed lawsuits against RTB in different EU countries. Privacy International, Panoptykon Foundation, Open Rights Group, Bits of Freedom, Digitale Gesellschaft, digitalcourage, La Quadrature du Net and Coalizione Italiana per le Libertà e i Diritti civili are taking part in a wider campaign that urges the ad tech industry to #StopSpyingOnUs.

Support their effort in fighting for your rights and spread the word!

Read More:

Privacy International full timeline of complaints

GDPR Today: Ad Tech GDPR complaint is extended to four more European regulators

Prevent the Online Ad Industry from Misusing Your Data – Join the #StopSpyingOnUs Campaign

The Adtech Crisis and Disinformation – Dr Johnny Ryan

Blogpost series: Your privacy, security and freedom online are in danger (14.09.2016)

22 May 2019

Why should we vote in the EU elections?


What are your plans for the coming days? We have a suggestion: The European elections will take place – and it’s absolutely crucial to go and vote!

In the past, the EU has often defended our digital rights and freedoms. This was possible because the Members of the European Parliament (MEPs) – who we, the EU citizens, elected to represent us in the EU decision-making – are open to hearing our concerns.

So, what exactly has the EU done for our digital rights?


The EU has possibly the best protection for citizens’ personal data: the General Data Protection Regulation (GDPR). This law was adopted thanks to some very dedicated European parliamentarians, and it enhances everyone’s rights, regardless of nationality, gender, economic status and so on. Since the GDPR came into effect, we now have for example the right to access our personal data a company or an organisation holds on us, the right to explanation and human intervention regarding automated decisions, and the right to object to profiling measures.

You can read more about your rights under the GDPR here: https://edri.org/a-guide-individuals-rights-under-gdpr/

Net neutrality

Europe has become a global standard-setter in the defence of the open, competitive and neutral internet. After a very long battle, and with the support of half a million people that responded to a public consultation, the principles that make the internet an open platform for change, freedom, and prosperity are upheld in the EU.

In June 2015, negotiations between the three European Union institutions led to new rules to safeguard net neutrality – the principle according to which everyone can communicate with everyone on the internet without discrimination. This principle was put at risk by the ambiguous, unbalanced EU Commission proposal, which would have undermined the way in which the internet functions. In 2016, the Body of European Regulators for Electronic Communications (BEREC) was tasked with publishing guidelines to provide a common approach to implementing the Regulation in the EU Member States. In June 2016, BEREC published the draft guidelines that confirm strong protections for net neutrality and open internet.


In 2012, the MEPs voted against an international trade agreement called the Anti-Counterfeiting Trade Agreement (ACTA), which, if concluded, would have likely resulted in online censorship. It would have had major implications for freedom of expression, access to culture and privacy, it will harm international trade and stifle innovation. Therefore, people decided to demonstrate and there were protests against this draft agreement in over 200 European cities calling for a rejection. In the end, the Parliament listened to the concerns of the people and voted against ACTA.

Protecting whisteblowers

Whistleblowers fight for transparency, democracy and the rule of law, reporting unlawful or improper conduct that undermine the public interest and our rights and freedoms. In 2017, the European Parliament called on legislation to protect whistleblowers, making a clear statement recognising the essential role of whistleblowers in our society. This Resolution started the process of putting into place effective protections for whistleblowers throughout the EU. In April 2019, the Parliament adopted the new Directive, which is still to be approved by the EU Council.

Your vote matters for digital rights

In many occasions, the EU Parliamentarians have stood for our rights and freedoms. It’s important that also the new EU Parliament will be a strong defender of our digital rights – because there are so many important fights coming up.

The European elections are one of the rare occasions where we can take our future and the future of Europe into our own hands. Your vote matters. Please go and vote for digital rights on 23-27 May!

You can find more information about the elections online, for example at https://www.european-elections.eu, https://www.thistimeimvoting.eu/ and https://www.howtovote.eu/.

13 Mar 2019

The art of dodging questions – Facebook’s privacy policies

By Chloé Berthélémy

Remember in April 2018, after the Cambridge Analytica scandal broke, we sent a series of 13 questions to Facebook about their users’ data exploitation policy. Months later, Facebook got back to us with answers. Here is a critical analysis of their response.

Recognising people’s face without biometric data?

The first questions (1a and 1b) related to Facebook’s new facial recognition feature which scans every image uploaded to search for faces and compare them to those already in their database in order to identify users. Facebook claims that the identification process only works for users that explicitly consented to have the feature enabled and that the initial detection stage, during which the photograph is being analysed, does not involve the processing of biometric data. Biometric data is data used to identify a person through unique characteristics like fingerprints or facial features.

There are two issues here. First, contrary to what Facebook declared, the first batch of users for whom face recognition was activated received a notice, but were not asked for consent. All users were opted in by default, and only a visit to the settings page allowed them to say “no”. For the second batch of users, Facebook apparently decided to automatically opt-in only those accounts that had the photo tag suggestion feature activated, simply assuming that they wanted face recognition, too. Obviously, this does not constitute explicit consent under the General Data Protection Regulation (GDPR).

Second, even if Facebook does not manage to identify users who disabled the feature or people who are not users, their photos might still be uploaded and their faces scanned. No technology can determine whether an image contains only users who gave consent, without actually scanning every uploaded photo to search for facial features.

Facebook has been presenting this new feature as an empowerment tool for users to control which pictures of them are being uploaded on the platform, to protect privacy and to prevent identity theft. However, EU officials and digital rights advocates denounced this communication practice as manipulating user consent by promoting facial recognition as an identity protection tool.

Privacy settings by default

One of our questions related to the initial settings every Facebook user has when creating an account and their protection levels by default (question 3). Facebook responded that it has suspended the search for people by phone number in the Facebook search bar. Since Facebook responded to our questions in August 2018, it seems that it reinstated this function, set on “Everyone can look you up using your phone number” by default (see below Belgian account settings consulted lastly on 24 January 2019).

This reinstatement is probably linked to the upcoming merging between Facebook-owned messaging systems: Facebook Messenger, WhatsApp and Instagram messaging. Identification requirements for each messaging applications are different: a Facebook account for Messenger, a phone number for WhatsApp and an email for Instagram. The merging gives Facebook the possibility to intersect information and to connect several profiles under a single, unified identity. What is worse, Facebook now reportedly makes searchable phone numbers that users had provided for two-factor authentication, and there is no way to switch this feature off.

Other default privacy settings on Facebook are not protective either. The access to a user’s friend list is set to “publicly visible”, for example. Facebook justified the low privacy level by repeating that users join Facebook to connect with others. Nonetheless, even if users want to limit who can see their friend lists, people can see their Facebook friendships by looking at the publicly accessible friends lists of their friends. Some personal information will simply never be fully private under Facebook’s current privacy policies.

The Cambridge Analytica case

Facebook pleaded the misuse of its services and shifted the entire responsibility of the Cambridge Analytica scandal on the quiz application “This Is Your Digital Life” (our questions 4 and 5). The app requested permission from users to access their personal messages and newsfeed. According to Facebook, there was no unauthorised access to data as the consent was freely given by users. However, accessing one user’s newsfeed and personal messages also meant that the application could access received posts and messages, that is to say from users who did not consent. Once again, individual privacy is highly dependent on others’ carefulness. Facebook admitted that it wished it had notified earlier affected users who did not give consent. To our question why the appropriate national authorities were not notified of the incident immediately, Facebook gave no answer.

“This Is Your Digital Life” is just one application, but there may be many more that harvest similar amounts of personal data without the consent from users. Facebook assured that it made it harder for third parties to misuse its systems. Nevertheless, the limits to the processing of collected data by third parties remain unclear, and we received no answer about the current possibilities for other applications to share and receive users messages.

Facebook’s ad targeting practices

“Advertising is central not only to our ability to operate Facebook, but to the core service that we provide, so we do not offer the ability to disable advertising altogether.” If advertisement is non-negotiable (our question 9), Facebook explained that through its new Ad Preferences tool (our question 6) users can nevertheless decide whether or not they want to see ads that are targeted at them based on their interests and personal data. The Ad Preferences tool gives users control over the criteria used for targeted advertisement: data provided by the user, data collected from Facebook partners, and data based on the user’s activity on Facebook products. Users can also hide advertisement topics and disable advertisers with whom they interacted.

But if Facebook was treating ads settings the same way as privacy settings, as it claims to do, the default settings for a new user would look very different: For this article we created a new Facebook account and found that Facebook does not guide new users through the opt-in and opt-out options for privacy and ad settings. On the contrary, Facebook’s default ad settings involve the profiling of new users based on their relationship status, job title, employer and education (see new account settings below). Those defaults are clearly incompatible with the GDPR’s “privacy by default” requirement.

Ads are also based on the activity on Facebook products, present on “websites, apps and devices that use [Facebook’s] advertising services”. This includes everything from social media plugins such as “Like” or “Share” buttons to Facebook Messenger, Instagram or even Whatsapp, which has stand-alone terms of service and privacy policy. If a third party website uses Facebook Analytics, traces left by the user on that third-party website will be used as well. Since Facebook is acquiring more and more applications, the list goes on and on. “Data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviours and routines, some of which can reveal special category data, including information about people’s health or religion.”

In the same vein, EDRi member Privacy International found that Facebook collects personal information on people who are logged out of Facebook or don’t even have a Facebook account. The social media company owns so many apps, “business tools” and services that it is capable of tracking users, non-users and logged-out users across the internet. Facebook doesn’t seem to be willing to change its business practices to respect people’s privacy. Privacy is not about what Facebook users can see from each other but what information is accessed and used by third parties and for which purposes without the users’ knowledge or consent.

Profiling and automated decision-making

Article 22 of the GDPR introduces a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or “similarly significant” effects for the user. We asked Facebook what measures it takes to make sure its ad targeting practices, notably for political ads, are compliant with this provision (question 7). In its answer, Facebook considers that its targeted ads based on automated decision-making do not have legal or similarly significant effects yet. In light of the numerous scandals the company has been facing around the manipulation of the 2016 U.S. elections and the Brexit referendum, this answer is quite surprising. Even though many would argue that the way Facebook targets voters with ads based on automated decision-making has indeed “similarly significant”, if not legal effects for its users and societies as a whole. But Unfortunately, Facebook doesn’t seem to consider it should change its ad targeting practices.

Special categories of data

Article 9 of the GDPR defines special categories of particularly sensitive data that include racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation and biometric data. Facebook says that without the user’s explicit consent to use such special categories of data, they will be deleted from respective profiles and Facebook’s servers (our question 2.a).

What Facebook doesn’t say, is that users don’t even need to share this information in order for the platform to monetise it. Facebook can simply deduce religious views, political opinions and health data from based on which third-party websites they visit, what they write in Facebook posts, what they comment on and share: Facebook does not need users to fill in their profile fields when it can infer extremely sensitive information from all other data users generate on the platform day in day out. Facebook can then assign different ad preferences (such as “LGBT community”, “Socialist Party”, “Eastern Orthodox Church”) based on each user’s online activities, without asking for consent at all, and exploit it for advertising purposes. Researchers argue the practice of labelling Facebook users with ad preferences associated with special categories of personal data may be in breach of Article 9 of the GDPR because no other legal basis than explicit consent could allow this form of use. In its reply to our questions, Facebook voluntarily omitted their use of sensitive data derived from user behaviour, posts, comments, likes and so on to feed its marketing profiles. It is too easy to focus on the tip of the iceberg.

Right to access

Replying to our request on the right to access, download, erase or modify personal data, Facebook described its three main tools, Download Your Information (DYI), Access Your Data (AYD) and Clear History (our question 8). According to Facebook, DYI provides the user with all the data each user provided on the platform. But as explained above, this does not include information inferred by the platform based on user behaviour, posts, comments, likes and so on, nor information provided by friends or other users, such as tags in photos or posts.

Lastly, Facebook confirmed that it was not using smartphone microphones to inform ads (our question 12). This might even be true, because Facebook has already a lot of surveillance tools at hand to gather enough information about users to produce disconcerting advertisements.

Questions left without answers

  1. What was the cut-off date before Facebook started deleting information users added to their profile and did not give explicit consent for their processing?
  2. Will Facebook offer a single place where people who have no Facebook account can control every privacy aspect of Facebook?
  3. If Facebook apps were to use smartphone microphones in any way, would you consider that lawful?
  4. You claim to offer a way for users to download their data with one click. Can you confirm that the downloaded files contain all the data that Facebook holds on each user?

Written Responses to EDRi Questions (22.06.2018)

Privacy International’s study on ‘How Apps on Android Share Data with Facebook – Report’ (29.12.2018) https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report

Facebook Use of Sensitive Data for Advertising in Europe

Facebook Doesn’t Need To Listen Through Your Microphone To Serve You Creepy Ads (13.04.2018)

(Contribution by Chloé Berthélémy, EDRi)

08 Mar 2019

Women’s rights online: tips for a safer digital life

By Chloé Berthélémy

The internet is an incredible tool and has empowered women to speak up, react and organise to face patriarchy and oppression. But the internet is not a neutral place – sexist, racist, homophobic and other violent types of behaviour and content are disproportionately affecting women. This International Women’s Day, we would like to celebrate positive stories and provide practical tips, accessible tools and material for women’s digital safety, security and privacy.

This article covers:

  1. Browsing safely and anonymously
  2. Securing accounts and communications
  3. Gaming safely
  4. Facing and recovering from online harassment
  5. More resources

Women are more likely to be subject to online harassment and violence, massive campaigns of abuse and intimidation, or exploitation and manipulation of private data. An Amnesty International report found that women of colour, women with disabilities, lesbian, bisexual, trans women and women at the intersection of forms of oppression are even more targeted. Factors are manifold: little accountability of malicious attackers leading to a feeling of impunity, or the lack of knowledge of companies and developers about violence and abuse on their infrastructures. Victims are left with little support for the violence they’ve encountered. This leads women to self-censor, restrict their freedom of expression and their meaningful participation online.

Browsing safely and anonymously

When browsing the web, personal data and internet activity are being collected and recorded. Websites collect data such as demographics, intimate interests and tastes, personal habits and hobbies. This enormous amount of personal data includes sensitive information like credit card data, physical location, sexual preferences, religion, health and others. This information is extremely valuable to companies, governments and malicious actors alike and can be exploited and facilitate targeted attacks on women. One part of the solution is to use encryption. Using encryption is not as hard as it seems: Start with HTTPS Everywhere, a browser add-on that tells websites you visit to use encryption when available (a browser add-on is a small programme that customises your browser’s behaviour).

The infamous cookies are small pieces of data stored by websites on your devices and originally designed to remember your previous choices on a website such as form fields, shopping card items and language choice. Today, they are often used by third parties to assign you a unique identifying number which helps advertisement companies to follow you around across the web. While you probably want to allow some of the useful cookies on shopping portals and other websites, it’s definitely a good idea to block all third party cookies. This can be done directly in your browser settings.

Other forms of snooping include website trackers which are mostly used by advertisement companies. Trackers are little snippets of computer code often invisibly embedded in advertisement on all kinds of websites including your favourite newspaper, shopping site and social network. Trackers are often served by a third-party such as Google or Facebook rather than by the original owner of a website. You know those “Like” buttons you find all over the web? That’s actually a tracker telling Facebook which sites you’ve visited and which newspaper articles you’ve read. Luckily, two simple browser add-ons will help you block undesired trackers: Install Privacy Badger and Ublock Origin and you’re good to go.

Alternatively, in order to increase anonymity, you can use the Tor network or a Virtual Private Network. Those tools are particularly tailored and recommended for politically active women, human rights defenders or even women fearing for their safety. More information can be found here and here.

For women especially, the collection of data for commercial purposes can be very intrusive. Many doubts have been cast on menstruapps, which are very popular health-related mobile applications helping women to monitor their menstrual cycles. Not only do these apps know about the time period, but also invite users to share very intimate details about their periods like symptoms or sexual drive. Menstruation, pregnancy, online dating and many more aspects of women’s lives are turned into marketing targets. Another advice: never blindly trust mobile apps.

Lastly, it is important to note that websites often request too much information about users in order for us to be allowed to use of the service. More than just an email address and a password, websites may require a name, a location, and other unnecessary details. A good rule to follow is to only give personal information that is absolutely necessary – an email address to receive a registration confirmation or to retrieve a password for example. The rest is up to one’s imagination and creativity: fake address, fake birth date, etc. Faking means lowering the risk of having personal information possibly compromised.

Securing accounts and communications

Staying safe online also means protecting your communications and accounts against identity theft and hacking. When it comes to securing personal accounts, strong passwords are key. Here are the latest rules to create super strong passwords. Don’t use the same password across websites and services, and if you have more passwords than you can remember, use a password manager that keeps them all in one secure place for you. Another good practice to reduce the risk of hacking is to activate two-factors authentication when it is available: after entering a password, you will receive a second code on a different device or service.

As for browsing, encryption is good practice for communication, too, in order to avoid data mining by marketers and surveillance agencies. Pretty Good Privacy (PGP) for emails and messaging apps like Signal offer end-to-end encryption and are good starting points.

Intimate communications such as explicit pictures are particularly vulnerable content that can be used for all kinds of harassment practices such as “doxxing” (blackmail) or “revenge porn”. Specific advice on how to do sexting safely can be found here.

Gaming safely

When it comes to gaming, and especially multiplayer games, the experience for women can be less than enjoyable. In order to stay safe from harassment or sexism, there are a couple of things that you can put in place: You can make use of games’ reporting systems, mute an individual player in the chat function, don’t use your real name but instead register with a pseudonym that does not hint to your gender, don’t use a gamertag that you already use in other social media profiles, don’t use a real photo of yourself for your profile, and don’t give away any personal information in chats, such as your phone number or location.

Facing and recovering from online harassment

Women – and in particular women of colour, women with disabilities and lesbian, bisexual or trans women – represent the majority of harassment and violence targets. As a consequence, many women’s experience on social media leads them to self-censor what they post, and sometimes even delete their account. If you’re experiencing harassment on social media platforms such as Twitter, there are possibilities to cope with the situation and fight back. For example, victims can ask platforms to delete, suspend or send a warning to harassing accounts. HeartMob is a supportive tool where people can document the harassment they are experiencing on social media and request the support they need from an online community.

For women who are human rights defenders or political activists, taking action on this issue may include developing fully-fledged security and protection strategies for human rights defenders. Threats, incitement to rape or any form of violence is illegal and can be notified to law-enforcement authorities. Victims-support NGOs and services can assist you.

More resources


19 Feb 2019

EDRi’s Press Review 2018


During the past year, our work to defend citizens’ rights and freedoms online has gained an impressive visibility – we counted more than three hundred mentions! – in European and international media. Below, you can find our press review 2018.


01/01 EU i linedans mellem desinformation og censur (Mandag Morgen)
10/01 Does Software Piracy Hurt Sales? The $431,000 Buried EU Study Says ‘No’ (PC Steps)
16/01 O francês Macron poderá vencer a guerra contra as fake news? (Veja)
19/01 El RGDP: nueva normativa europea a partir de 2018 (1&1Digital Guide )
20/01 GDPR: Harmonization or Fragmentation? Applicable Law Problems in EU Data Protection Law (Berkley Technology Law Journal)
22/01 Šmírování zuby nehty (České noviny)
22/01 Kampf gegen Hate SpeechDie EU setzt weiterhin auf Freiwilligkeit (Deutschlandfunk)
23/01 Youtube scannt “hunderte Jahre” Videomaterial am Tag (Süddeutsche Zeitung)
31/01 Net neutrality in Europe: will the US case change the way our telecom suppliers provide internet services? (EU Logos)


03/02 Neutralité du net : “Certains voudraient faire d’internet un nouveau minitel” (Sciences et Avenir)
09/02 Commission lobbies for police access to website owners list (Euractiv)
12/02 Logan Paul: Following the YouTube controversy, should social media have the same regulations as journalism? (Independent)
13/02 EU-Kommission will Plattformen die Löschung von illegalen Inhalten ohne Netz und doppeltem Boden empfehlen (Netzpolitik.org)
13/02 Tutto quello che Tinder sa di te. Da leggere prima di San Valentino (Cyber Security)
13/02 Bruxelles passe à la vitesse supérieure contre les contenus illégaux en ligne (document) (Contexte)
14/02 Auf Facebook kommt in Europa eine Lawine an Verfahren zu (Radio fm4)
14/02 Germany: Flawed Social Media Law (No Comment Diary)
14/02 EU adds pressure on online platforms with plan for fast removal of terrorist content (EURACTIV)
14/02 L’UE durcit le ton sur les contenus à caractère terroriste en ligne (EURACTIV.fr)
14/02 Germany: Flawed Social Media Law (World Justice News)
14/02 Dating online, Garante Ue Buttarelli ‘L’uso dei nostri dati non è chiaro’ (Privacy Italia)
15/02 Netizen Report: In Leaked Docs, European Commission Says Internet Companies Should Self-Regulate on Harmful Speech (Slate)
15/02 Commission suggestions for speeding up removal of illegal online content in keeping with the voluntary approach (Agence Europe)
15/02 Europa will mehr löschen lassen (Spiegel)
15/02 EU-Kommission: Nutzer können gegen Facebook & Co in ihrem Herkunftsland klagen (HeiseOnline)
15/02 Leak: Online-Plattformen sollen illegale Inhalte innerhalb einer Stunde löschen (EurActive)
16/02 Tweets of the Week: Dutch minister resigns, Boris Johnson’s credibility, and Bad Valentines (EURACTIV)
16/02 De la neutralité du net à celle des terminaux (Le Monde)
18/02 «Echaríamos a todo gobierno que nos pidiera los datos que le damos a Facebook» (El Correo)
18/02 Terror als Vorwand der EU-Kommission für Copyrightfilter (Radio fm4)
17/02 Netzpolitischer Wochenrückblick KW7: Daten minimieren mal anders (Netzpolitik)
19/02 Keine Ent­schä­d­i­gungs­re­ge­lung für Ato­m­aus­s­tieg / BVerwG prüft Fahr­ver­bote / Deniz Yücel frei (Legal Tribune Online)
20/15 Rapport Netizen: Selon un document fuité de la Commission européenne, les entreprises de technologie devraient s’auto-réguler sur les discours offensants (Global Voices)
22/02 Une messagerie sécurisée, privée et chiffrée ? Voici Mailfence ! (GeekHebdo)
23/02 Explained: what the EU’s major new data protection rules mean for you (EuroNews)
23/02 The Rise of the Namibian Surveillance State: Part 2 (The Namibian)


01/03 EU Commission’s Recommendation: Let’s put internet giants in charge of censoring Europe (EUbusiness.com)
01/03 EU gives Facebook and Google three months to tackle extremist content (The Guardian)
01/03 EU piles pressure on internet giants to remove extremist content (The Jerusalem Post)
02/03 /EU Tells Internet Firms to Delete Terrorist Content Within One Hour (PCMag)
07/03 General Data Protection Regulation: new laws from 2018 (1&1 Digital Guide)
08/03 Es duro ver a España en la misma lista que Turquía al hablar de respeto los derechos digitales y la privacidad (Publication)
08/03 Council of Europe takes world-leading step towards protecting online rights (EUbusiness.com)
08/03 EU ‘Recommends’ 1 Hour Takedown on Terrorist Content (Find VPN)
09/03 #failoftheweek: Es lebe das Flugtaxi / Die neuesten Tricks der Tracker / Dillon zu Gast im Studio / Interview mit den Young Fathers / Auf ARD-Alpha startet “Respekt” (1:05:30) (Radio Bayern 2)
15/03 EU Pushes More Censorship… To “Protect” You (Zero Hedge)
13/03 ‘Insidious’ and ‘Dangerous’: Digital Privacy Groups Issue Urgent Warning Over CLOUD Act (Common Dreams)
20/30 CLOUD Act Could Repeal Fourth Amendment Rights by March 23 (Trillions)
22/03 Interview: The ethics of big data, Facebook & Cambridge Analytica (WikiTribune)
23/03 Facebook under scrutiny in the the U.S. and the UK over Cambridge Analytica scandal, users in Iran blocked from Apple’s App Store, U.S. Congress urged to consider “implications” of CLOUD Act (Ranking Digital Rights)
26/03 Rushed US Cloud Act triggers EU backlash (EU Observer)
28/03 CLOUD Act puts Fourth Amendment at Risk (Liberty Nation)
30/03 Upload Filter: Das Ende des freien Internets? (Undogmatisch.net)
31/03 Europe is dealing with Facebook in a way the U.S. hasn’t (NY Daily News)


02/04 GOOGLE E FACEBOOK: espionagem no tempo de internet – Por Estevam Dedalus (Polêmica Paraíba)
02/04 Google och Facebook lägger miljoner på att påverka EU-politikerna (Expressen)
03/04 Contra el filtrado de contenido en Internet y el impuesto a la cita: paremos la #CensorshipMachine (Publico)
03/04 Retro: Ústavní soud zrušil protiústavní šmírovací zákon (Almanach)
04/04 Around 100 organisations urge Council of Europe to show greater transparency in negotiations on cybercrime (Agance Europe)
04/04 “Not Transparent”: NGOs Hit Out at Cybercrime Convention Talks (Computer Business Review)
05/04 Cos’è la General Data Protection Regulation (GDPR), la nuova legge UE per la privacy (EuroNews)
06/04 Forze dell’ordine e Ministeri italiani in balia dell’antivirus… di Mosca (EuroNews)
07/04 Russia e Cina monopolizzano la sicurezza informatica europea (Gli Occhi Della Guerra)
09/04 EU: Více cenzury pro vaše „dobro“ (Tadesco)
09/04 Websites Worry EU May Seek Heavy Copyright Monitoring (Big Law Business)
10/04 Gafa : «Les géants du Net ont compris qu’il faut composer avec l’UE» (La Croix)
11/04 Contra el filtrado de contenido en internet (Avanguardia)
12/04 L’activisme digital alça la veu contra la directiva europea que vol protegir els drets d’autoria a Internet (Directa)
12/04 Internet Censorship – Guess What’s Coming Next? (True Publica)
16/04 EU to give judges power to seize terror suspect emails and texts (Financial Times)
17/04 Proposal Gives EU Judges Power To Demand Data Across Borders (Silicon UK)
17/04 Brussel wil bedrijven buiten EU dwingen data te overhandigen (NU.nl)
17/04 Η Κομισιόν θα αναγκάσει τους τεχνολογικούς κολοσσούς να παραδίδουν άμεσα τα ηλεκτρονικά μηνύματα υπόπτων τρομοκρατίας (Lifo)
17/04 Europa dwingt techbedrijven data van terreurverdachten vrij te geven (Demorgen)
17/04 Europa dwingt techbedrijven data van terreurverdachten vrij te geven (HLN)
17/04 EU to force tech firms to hand over terror suspects’ messages (The Guardian)
17/04 Tech companies to be forced to give police overseas data under EU proposal (Reuters)
17/04 EU proposes ‘revolutionary’ fast-track system for police data access (EURActive)
17/04 The EU may order tech firms to hand over terror suspects’ data inside 6 hours (Technology review)
17/04 Europese Commissie wil dat techbedrijven data sneller gaan overhandigen (Dutch IT Channel)
17/04 EU “e-evidence” proposals turn service providers into judicial authorities (EU Business)
17/04 Kritik mot EU-förslag om utlämning av data (Ny Teknik)
17/04 Kritik mot EU-förslag om utlämning av data (Sydvenskan)
17/04 EU kräver snabbare hjälp från Facebook och Apple (BreakIt)
17/04 EU vil tvinge techgiganter til at udlevere data hurtigt (Berlingske Business)
17/04 Perusahaan Teknologi Wajib Serahkan Data Pengguna ke Otoritas UE (Kabar24)
18/04 EU proposal to force tech firms to give overseas data to police (EJ Insight)
18/04 Title (Publication)
18/04 EU plans to increase access to electronic evidance in court cases (EU Policies)
18/04 Tech titans could be forced to give police overseas data under new proposal (ARN)
18/04 L’UE s’achemine vers l’obligation de partage de données avec la police (EurActive)
18/04 EU: Mere censur for at “beskytte” (Dokument)
18/04 EU wil bedrijven buiten Europa gaan dwingen data te overhandigen (Numrush)
18/04 Unia chce dać policji łatwiejszy dostęp do naszych danych online (Onet Wiadomości)
18/04 Proposals on electronic evidence perceived as hasty response to US CLOUD Act (Agance Europe)
19/04 Szykują się pierwsze skargi na podstawie RODO (Gazeta Prawna)
23/04 Tarifários zero rating em Portugal criticados por organizações internacionais (SapoTek)
23/04 “Portugal tem as piores violações da neutralidade da internet” (Pais ao Minuto)
23/04 Associações europeias pedem à Anacom medidas para “internet livre e aberta” (Expresso)
23/04 Associações europeias pedem à Anacom medidas para “Internet livre e aberta” (Diario de Noticias)
Associações europeias pedem à Anacom medidas para “Internet livre e aberta”
(Dinheiro Vivo)
23/04 Organizações de diversos países pedem à ANACOM que defenda a neutralidade da Internet (Ardina)
23/04 Perusahaan Teknologi Harus Serahkan Data Luar Negeri di bawah Proposal U (Saru Harapan)
24/04 Portuguese NGOs urge Anacom to block zero-rating offers (Telecom Paper)
24/04 Organizações internacionais pedem à ANACOM o fim do zero-rating (Aberto até de Madrugada)
24/04 Facebook is about to get hit with regulation, just not from the U.S. (The Informer)
25/04 Männer in der digitalen Welt (Volksblat)
25/04 Net neutrality death delayed (Capacity Media)
26/04 Tech Companies to Be Forced to Give Police Overseas Data under EU Proposal (OMG News)
26/04 Over 145 organisations representing a broad spectrum of stakeholders join forces to call upon the EU Member State Ambassadors to continue technical discussions on the copyright reform and to not grant the Bulgarian Council Presidency a mandate to negotiate with the European Parliament (CopyBuzz)
26/04 EU pritišće Facebook i Google da pojačaju borbu protiv lažnih vijesti (Lider)
26/04 EU piles pressure on social media over fake news (Reuters)
26/04 EU-Kommissar für Sicherheitsunion fordert Klarnamen-Registrierung im Internet (NetzPolitik)
26/04 EU tells platforms to sort fake news by October or face new law (EU Observer)
26/04 “Fake news” strategy needs to be based on real evidence, not assumptions (EU Business)
26/04 Organizações de diversos países pedem à Anacom que defenda a neutralidade da Internet (Ardina)
26/04 EU jača pritisak na društvene mreže zbog širenja lažnih vijesti (AlJazeera Balkans)
26/04 EU tells social media giants to combat fake news or face new regulations (BrinkWire)
26/04 EU jača pritisak na društvene mreže zbog širenja lažnih vijesti (Publication)
26/04 EU piles strain on social media over faux information (Mining for news)
26/04 Europska komisija sastavlja Kodeks za sprječavanje širenja lažnih vijesti (Index.hr)
26/04 EU piles pressure on social media over fake news (UsamaTech)
26/04 EU Piles Pressure on Social Media Over Fake News (America News Portal)
27/04 EU piles pressure on social media over fake news (CGTN)
27/04 EU Piles Pressure on Tech Giants Like Facebook, Google Over Fake News (News18)
27/04 EU Piles Pressure on Social Media Over Fake News (NewsRains)
27/04 EU Piles Pressure on Tech Giants Like Facebook, Google Over Fake News (Newsnow)
27/04 Letzte Ausfahrt: Gesetzgeberische Maßnahmen (MDR.de)
27/04 Unión Europea no sede terreno ante noticias falsas (El Tiempo)
29/04 EU tells social media giants to combat fake news or face new regulations (ProNews)
30/04 Burgerrechtenbeweging bezorgd om e-privacywetten (Computable)


02/05 Why Europe’s privacy clampdown may not solve Facebook’s data scandal woes (Foxnews)
02/05 “Rights offline are valid online, laws offline are valid online”, says global Internet expert at World Press Freedom Day launch (DemerareWaves)
02/05 France, Spain, Italy and Portugal go beyond maximalist on © (CopyBuzz)
07/05 EU-Staaten arbeiten an neuen Ansätzen zur Vorratsdatenspeicherung (Heise Online)
08/05 Nowy model pozyskiwania danych cyfrowych w sprawach karnych (Publication)
10/05 Conoces tus derechos digitales (ElMundo)
15/05 EDRi calls on Parliament’s political groups to ban micro-targeting in their election campaigns (Agance Europe)
15/05 Offener Brief: Europäische Parteien sollen auf Microtargeting verzichten (Netzpolitik)
15/05 Title (DKE Chicago)
18/05 Netzpolitischer Wochenrückblick KW 20: Bayern kriegt Polizeigesetz, Berlin informiert über Funkzellenabfrage (Netzpolitik)
22/05 What Europe needs to ask Mark Zuckerberg (Politico)
22/05 Perusahaan-Perusahaan Teknologi Wajib Berbagi Data (NNews.id)
22/05 GDPR: How Europe’s new Internet rules could change your life (alJazeera)
22/05 Facebook CEO Mark Zuckerberg begins European leg of apology tour (Los Angeles Times)
23/05 Facebook’s Zuckerberg in Europe as tough data rules take effect (rfi)
23/05 European Union’s General Data Protection Regulation and Lessons for U.S. Privacy Policy (Competitive Enterprise Institute)
23/05 Cos’è la General Data Protection Regulation (GDPR), la nuova legge UE per la privacy (EuroNews)
24/05 Ons vier jaar durende gevecht voor de bescherming van jouw gegevens (HQ-Niews)
24/05 Com ens protegeix el nou reglament europeu de protecció de dades? (VilaWeb)
25/05 RODO: koniec z traktowaniem nas jak towar (Portal Pomorza)
25/05 Czy RODO oznacza koniec traktowania nas jak towarów? (DII)
25/05 Today, a new E.U. law transforms privacy rights for everyone. Without Edward Snowden, it might never have happened. (The Washington Post)
25/05 GDPR: European tech firms struggle with new data protection law (AlJazeera)
25/05 POLITICO Brussels Influence, presented by The GSMA: Facebook hearing mess — EU election countdown — In-house agencies (Politico)
25/05 Unión Europea implementa fuertes medidas de protección de privacidad en internet (LeRed21)
31/05 The latest EDRi-gram (Wired)
31/05 Proposed EU Copyright Law Could Drastically Change Internet Sharing and Publishing (ECW)
31/05 Industry groups amp up lobby campaign to topple ePrivacy bill (EurActive)


01/06 GDPR a EDSM: Od svobodného internetu na hlídaný EUnet? (PCtunning)
03/06 European Digital Rights Activists Warns About EU Censorship Machine (FreezeNet)
04/06 EU-US work on police access to data hits roadblocks (PoliticoPRO)
05/06 Compte rendu de la conférence du 24 mai 2018 – Conversations européennes #3 – Réguler l’internet, un enjeu politique européen (EU Logos)
08/06 EU GDPR Comes Into Force, But Reaction Is Divided (FreezeNet)
11/06 Internet se může zcela změnit. Kontroverzní zákon je o krok blíž (Svobodni Svet)
DD/MM Title (Publication)
06/06 Dok se mi “zabavljamo” GDPR-om, EU uvodi “porez na linkove” i filtriranje naših sadržajae (Netokracija)
11/06 Kodi CLAMPDOWN: New piracy laws could change the face of illegal streaming FOREVER (Express)
12/06 Will EU copyright law ‘carpet bomb’ the digital world? (New Internationalist)
13/06 Will US net neutrality repeal be felt around the world? (WikiTribune)
14/06 What’s really behind the EU law that would ‘ban memes’ – and how to stop it before June 20 (TheNextWeb)
15/06 What’s in actuality within the help of the EU law that can perchance “ban memes” – and cease it before June 20 (Multinews)
14/06 L’Internet libre et ouvert est en danger : vous pouvez arrêter ce désastre (Linuxfr)
15/06 Europe’s Proposed “E-Evidence” Package Draws Fire (FreezeNet)
20/06 EU birokrati izglasali cenzuru interneta i zabranu memea, što sada? (Index)
20/06 EU takes first step in passing controversial copyright law that could ‘censor the internet’ (The Verge)
20/06 EU Copyright Reform Proposal Clears Lead Legislative Committee, To Cheers And Jeers (Intellectual Property Watch)
20/06 New EU Rules Could Ban Memes and Destroy the Internet as We Know It (AntiMedian)
20/06 EU Committee Approves Copyright Directive (Computer Business Review)
20/06 Internet Pioneers Warn New EU Rules Would Turn Web Into “Tool for Automated Surveillance and Control” (Common Dreams)
20/06 Joe McNamee: «Cette directive renforce la domination des géants du web» (Le Soir)
20/06 MEPs ignore expert advice and vote for mass internet censorship (EU Observer)
20/06 Europe takes another step towards copyright pre-filters for user generated content (TechCrunch)
20/06 Europe Slams the Door on Free Speech and Passes Article 13 (Freezenet)
20/06 EU-Urheberrecht: Weichenstellung für Upload-Filter und Presse-Leistungsschutzrecht (iRight info)
20/06 Europe takes another step towards copyright pre-filters for user generated content (Blogramo)
20/06 Europe Slams the Door on Free Speech and Passes Article 13 (FreezeNet)
20/06 Europe takes another step towards copyright pre-filters for user generated content (TopTechz)
20/06 Europe takes another step towards copyright pre-filters for user generated content – TechCrunch (Tech News)
20/06 Copyright: la commissione giuridica del Parlamento europeo ha votato per la censura di massa su Internet (Virtual Blog News)
20/06 La red se moviliza contra la propuesta europea de copyright que pretende convertir a las empresas en policías de contenidos (Publico)
20/06 Pioneros de Internet advierten que las nuevas normas de la UE convertirán la web en una “herramienta para la vigilancia y el control automatizados” (Steemit)
20/06 Europe takes another step towards copyright pre-filters for user generated content (Tech News Park)
20/06 Europe takes another step towards copyright pre-filters for user generated content – TechCrunch (Tech Snaq)
20/06 https://www.curtisryals.com/2018/06/20/eu-parliamentary-committee-votes-to-put-american-internet-giants-in-charge-of-what-speech-is-allowed-online/ (Curtis Ryals Reports)
20/06 EU Parliamentary Committee Votes To Put American Internet Giants In Charge Of What Speech Is Allowed Online (Give info)
20/06 https://netzpolitik.org/2018/schlag-gegen-die-netzfreiheit-eu-abgeordnete-treffen-vorentscheid-fuer-uploadfilter-und-leistungsschutzrecht/ (NetzPolitik)
21/06 Como uma nova legislação europeia de direitos autorais pode arruinar a internet como a conhecemos (Gizmodo Brasil)
21/06 Internet Pioneers Warn New EU Rules Would Turn Web Into “Tool for Automated Surveillance and Control” – Jessica Corbett (Wall Street Window)
21/06 Europe takes another step towards copyright pre-filters for user generated content – TechCrunch (Tech News)
21/06 European Parliament’s Legal Affairs Committee Goves green Light to Harmful Link Tax and Pervasive Platform Censorship (Censored Today)
21/06 Филтри и данък върху линковете – какво означават те за нас? (Conservative)
21/06 Пагубни решения за свободното разпространение на информация (Terminal3)
22/06 #LaRéplique – L’approbation par le parlement européen de la directive Copyright suscite des inquiétudes (EurActive Blogs)
22/06 Schlag gegen die Netzfreiheit:EU-Abgeordnete treffen Vorentscheid für Uploadfilter und Leistungsschutzrecht
(Demokratisch Links)
24/06 “Copyright protection in the EU”: the new reform can affect not only the media platforms (Habrahabr)
24/06 The new reform can affect not only the media platforms / IT-GRAD / Habr company blog (TechOrt)
24/06 Die große Filterphobie (Taz)
24/06 European Parliament’s Legal Affairs Committee Gives Green Light to Damaging Link Tax and Pervasive Platform Censorship (SCAm Channel)
25/06 Zivilgesellschaft: EU-Kommission muss gegen Vorratsdatenspeicherung vorgehen (Heise Online)
25/06 La commission des affaires juridiques du Parlement européen a voté pour les robots-censeurs de l’article 13 : quelle sera la suite ? (My tiny Tool)
26/06 La direttiva europea sul copyright minaccia internet? (World News netwoek Italy)
28/06 The latest EDRi-gram (Wired)
29/06 Segons European Digital Rights (EDRi) Espanya destaca “vergonyosament” en llibertat d’expressió (Català Digital )
29/06 EU-Copyright-Eklat: Dorothee Bär und Netzpolitiker gegen Upload-Filter (Heise Online)
29/06 Otra ONG de defensa de los derechos civiles pide derogar la ‘ley mordaza’ (El Nacional)
28/06 Directive Copyright : le vote du Parlement européen fixé au 5 juillet (Numerama)
28/06 La direttiva dell’UE sul copyright: una minaccia per la rete? (Buongiorno Slovachia)
29/06 Otra ONG de defensa de los derechos civiles pide derogar la ‘ley mordaza’ (Niews Reporter)
30/06 Europe takes another step towards copyright pre-filters for user generated content (TYoungSystems)


02/07 Interview zur DSGVO: Mit so krassen Reaktionen wurde wirklich nicht gerechnet (TreffPunktEuropa)
02/07 MEPs’ email says Article 13 “will not filter the internet”; JURI MEP’s tweet says it will (CopyBuzz)
02/07 https://unita.news/2018/07/02/i-danni-che-la-direttiva-sul-copyright-fara-alle-nostre-liberta-e-cosa-possiamo-fare-per-contrastarla/ (Unità News)
03/07 Italian Wikipedia ‘goes dark’ in protest over proposed EU copyright laws (NewsTalk)
03/07 Title (Heise Online)
03/07 EDRI Publishes Legal Analysis of Upload Filter Legislation, Article 13 (FreezeNet)
03/07 Copyright Filter: EU Rapporteur Voss accuses opponents of “Fake News” before (Techwarf)
03/07 Folgenschwere Abstimmung: EU-Parlament entscheidet über Zukunft des Urheberrechts (NetzPolitik)
04/07 Copyright: Wikipedia dopo Italia, al buio anche Spagna, Lettonia ed Estonia (Radio Roseto)
04/07 Όταν το όραμα γίνεται ψευδαίσθηση: Η Πρόταση Οδηγίας για τα δικαιώματα πνευματικής ιδιοκτησίας στην ψηφιακή ενιαία αγορά (Lawpost)
04/07 Es geht um Fairness – nicht um Zensur (Frankfurter Allgemeine Zeitung)
04/07 Folgenschwere Abstimmung: EU-Parlament entscheidet über Zukunft des Urheberrechts (Kein Feiwild)
05/07 European MEPs Saves the Internet and Rejects Article 11 and Article 13 (FreezeNet)
05/07 Im nächsten Kampf um die Netzfreiheit (Sichtplaz)
05/07 Im nächsten Kampf um die Netzfreiheit (Sichtplaz)
05/07 Chi vuole e chi no la direttiva europea sul copyright (Wired)
05/07 Direttiva Ue sui diritti d’autore, quali conseguenze sull’informazione digitale (Due Righe)
05/07 “Todesdrohungen”: Klagen über Lobbying überschatten EU-Copyright-Entscheid (Heise Online)
05/07 Im nächsten Kampf um die Netzfreiheit (Sichtplaz)
05/07 Article 13 rejected by MEPs: What you need to know about the law that could have killed internet culture (alphr)
05/07 European Parliament Rejects Starting Negotiations On Copyright Reform Proposal (Intelectual Property Watch)
05/07 EU Parliamentarians support an open and democratic debate around the Copyright Directive (EUbusiness)
06/07 European Union rejects controversial copyright reforms (PCfind)
06/07 Europe takes another step towards copyright pre-filters for user generated content (VivalTopFeeds)
06/07 EU-Urheberrechtsreform: Das sind die Reaktionen auf die Entscheidung des Europäischen Parlaments (Cancom)
06/07 Alleged “meme ban” stalls in Europe; internet celebrates with memes (Salon)
06/07 Reform des Urheberrechts – Zwischen Todesdrohungen und Begeisterung – Reaktionen auf EU-Entscheid (Gamestar)
10/07 MEPs send copyright reform proposal back for rethink (EUbusiness)
11/07 Council of Europe cooperation against cybercrime — human rights Octopus or fishy deals? (FinTechLog)
14/07 Privacy Rights Organization Zwiebelfreunde Raided by German Police (FreezeNet)
16/07 Ceta, si crede ancora che porterà guadagni miracolosi. Ma i numeri dicono altro (Il Fatto Quotidiano)
16/07 Get to Know Berlin’s Hottest Female Entrepreneurs for 2018 (The Culture Trip)
18/07 What will it take to #savetheinternet in Europe? The view from Romania (Globam Voices)
23/07 Schutz gegen Tracking unerwünscht: Österreich verschiebt ePrivacy-Reform auf den St. Nimmerleinstag (Netzpolitik)
24/07 YouTube patzt beim Löschen von Terrorvideos (Heise Online)
27/07 Digitaler Binnenmarkt – here we come? (UdL Digital)
31/07 EFF Pioneer Awards 2018 an Netzaktivisten Joe McNamee, Fair-Use-Kämpferin Stephanie Lenz und Forscherin Sarah T. Roberts (Netzpolitik)
31/07 Cosa bisogna fare per #salvareinternet in Europa? Punti di vista dalla Romania (Global Voices)


14/08 How to file a copyright infringement complaint on YouTube (Pleaders)
15/08 3 ways to ensure the internet’s future is creative, collaborative, and fair (BigThink)
19/08 El Internet Freedom Festival 2019 buscará consolidar València como la “capital mundial de los derechos digitales” (EuropaPress)
20/08 Internet Freedom Festival torna per a consolidar València com a “capital mundial dels drets digitals” (Valencia Extra)
21/08 EU aiming at early removal of extremist content (China Daily)
21/08 EU to force removal of extremist content (Ecns.cn)
23/08 #SaveYourInternet: Europljani izlaze na ulice 26. kolovoza, pridružite se i vi! (Netokracija)
30/08 I’m back in Europe just in time for the latest EDRi-gram (Wired)


03/09 Curtain up for the next round (Web Schauder)
03/09 La guerra del copyright vuelve a la Eurocámara sin consenso a la vista (El Diario)
04/09 How the EU will force all artists to use Youtube, forever (BoingBoing)
04/09 Tech Firms Brace for Salvo of European Privacy Rules (National Jpurnal)
05/09 La UE abre la puerta a garantizar el anonimato de los alertadores de corrupción (La Vanguardia)
05/09 New European Copyright Proposal Blasted As Internet Threat (Freezenet)
05/09 Lobbyismus per Mail-Lawine (Frankfurter Allgemeine)
05/09 How the EU will drive all artists to make use of Youtube, endlessly (WakaJobs)
06/09 YouTube Chief Says Article 13 “Undermines Creative Economy” (TorrentFreak)
0709 YouTube’s CBO speaks out against Article 13 of EU’s controversial copyright law (PacktHub)
07/09 YouTube Chief Says Article 13 “Undermines Creative Economy” (Dimitrology)
11/09 The continental rift: Two pieces of EU legislative reform that could have ‘substantial effect’ on freedom of expression rights for media and public alike (Press Gazette)
12/09 Here Comes Another EU Law Threatening Google and Facebook With Enormous Fines (Fortune)
12/09 European Parliament Approves Negotiating Stance On Copyright Reform (Intelectual Property Watch)
12/09 EU lawmakers back controversial copyright reforms (EuroNews)
12/09 Juncker goes to war against disinformation and online terrorist content (EurActive)
12/09 EU Parliament flip-flops backwards on copyrigh (EUBussines)
12/09 Here Comes Another EU Law Threatening Google and Facebook With Enormous Fines (Yahoo)
12/09 EU-Kommission will Terrorismus mit Upload-Filtern und automatischen Systemen bekämpfen (Netzpolitik)
12/09 Tout comprendre sur la directive européenne sur le droit d’auteur (Konbini)
12/09 EU-Parlament stimmte für Uploadfilter und Linksteuer (Der Standard)
12/09 La riforma sul Copyright è passata (StartUp Italia)
12/09 Perché l’approvazione della riforma del copyright non è un buona notizia (Wired Italia)
12/09 La Comisión Europea quiere que las webs borren los comentarios relacionados con terrorismo en menos de una hora (El Diario)
12/09 União Europeia dá sinal verde para nova lei de direitos autorais que pode arruinar a web (Gizmodo)
12/09 European Parliament Approves Catastrophic Copyright Bill That Threatens the Internet (Gizmodo)
12/09 Here Comes Another EU Law Threatening Google and Facebook With Enormous Fines (Yahoo News)
12/09 Today, the EU will vote on the future of the internet (again) (The Verge)
12/09 Internetbedrijven riskeren miljardenboete bij te laat verwijderen terreurpropaganda (RTL Z)
12/09 EU Government Rejects Internet Rights and Passes Copyright Laws (FreezeNet)
12/09 Google: Nytt direktiv kan strypa de kreativa (Svenska Dagbladet)
13/09 https://www.gizmodo.com.au/2018/09/european-parliament-approves-catastrophic-copyright-bill-that-threatens-the-internet/ (Gizmodo)
13/09 Il Parlamento europeo minaccia Internet con una catastrofica legge sul copyright (Il Corriere Nazionale)
13/09 New Copyright Powers, New “Terrorist Content” Regulations: A Grim Day For Digital Rights in Europe (IT Security News)
13/09 EU Introduces New Law Forcing Tech Firms to Censor Unwanted Speech in 24 Hours (Breibart)
13/09 Ξετυλίγοντας το κουβάρι: Μεταρρύθμιση στο Δίκαιο της Πνευματικής Ιδιοκτησίας (The Press project)
13/09 Title (MaeketWatch)
13/09 EU Copyright Reform Meets Resistance From Stakeholders, Some Governments (ip-watch.org)
13/09 EU Introduces New Law Forcing Tech Firms to Censor Unwanted Speech in 24 Hours (Breitbart)
15/10 Facebook-Datenleck: Drei Fehler, 30 Millionen erbeutete Profile (Netzpolitik.org)
16/09 Security and migration proposals dominate Juncker`s `State of the Union` announcements (NoRacism.net)
17/09 Europe Doubles Down, Now Demands 1 Hour Removal of Terrorism (FreezeNet)
18/09 Ξετυλίγοντας το κουβάρι: Μεταρρύθμιση στο Δίκαιο της Πνευματικής Ιδιοκτησίας (Ipyxida)


01/10 Tu DNI electrónico por fin servirá de algo en la Unión Europea, aunque surgen dudas sobre la privacidad (Genbeta)
03/10 Öffentliches Geld? Öffentliches Gut! (Netzpolitik)
05/10 Los trabajadores tendrán desconexión digital en 2019 (ibercampus.es)
06/10 YouTube chief warns EU Copyright Directive could ‘undermine’ the creative economy (IPP Pro)
12/10 > The European Commission’s E-evidence Proposal: Toward an EU-wide Obligation for Service Providers to Cooperate with Law Enforcement? (European Law Blog)
15/10 Wie Europa den Schutz gegen Tracking im Netz aufs Abstellgleis manövriert (netzpolitik.org)
19/10 Civil society warns Commission about a binding solution to online misinformation (Agence Europe)
25/10 The EU call it copyright, but it is massive Internet censorship and must be stopped (Open Democracy)
30/10 Nicht nur die üblichen Verdächtigen: Breites Bündnis fordert von Altmaier Einsatz für Anti-Tracking-Gesetz [Update] (netzpolitik.org)


01/11 European NGOs Launch GDPR Campaign (Michigan Standard)
13/11 EU DPAs Receive Thousands of Complaints Under the GDPR (Lexology)
14/11 Censure antiterroriste : Macron se soumet aux géants du Web pour instaurer une surveillance généralisée (ewb.one)
16/11 RGPD: l’autorité belge de protection des données a du mal à tenir le rythme (Le Soir)
22/11#SaveYourInternet : l’Union Européenne va-t-elle tuer la création artistique sur le web ? (Moustique)
23/11Is The Internet Under Threat? Interview With #SaveYourInternet Member On EU’s Copyright Directive (Forbes)


05/12 E-Evidence: A threat to people’s fundamental rights? (Euractiv)
05/12 Alertan de que Europa frena su propuesta de privacidad ‘online’ mientras avanza hacia un mayor control policial de las redes (Publico)
06/12 EU-Staaten stimmen für Upload-Filter im Kampf gegen Terrorpropaganda (Heise Online)
06/12 Civil society invites Council to review its copy of proposal for a Regulation on electronic evidence (Agence Europe)
07/12 Los Estados paralizan el plan de la UE para vetar las cookies abusivas y blindar los metadatos (El diario)
07/12 e-Evidence: EU-Staaten beschließen umstrittenen Entwurf zu elektronischen Beweismitteln (Netzpolitik)
12/12 Alerta por el JEFTA, el controvertido tratado entre la UE y Japón aprobado este miércoles (Cuarto Poder)
14/12 The UN airs ‘serious concerns’ about an EU bid to control ‘terrorist content’ online (The Canary)
17/12 French privacy watchdog tells Whatsapp to stop sharing data with Facebook (RFI)
19/12 E-Privacy: Österreich legte neue EU-Datenschutzregeln auf Eis (Der Standard)
20/12 Europe and USA Face Off on Data Protection Rules (Courthouse News Service)
22/12 What does the repeal of net neutrality mean for development? (Devex)
30/12 Réseaux sociaux, données personnelles, algorithmes… comment inventer un futur numérique plus radieux ? (Le Monde)

EDRi’s Press Review 2017

EDRi’s Press Review 2016

EDRi’s Press Review 2015

EDRi’s Press Review 2014