29 Nov 2017

e-Privacy: What happened and what happens next

By Anne-Morgane Devriendt

With the vote on the mandate for trilogues in the European Parliament Plenary session of 26 October 2017, the European Parliament confirmed its strong position on e-Privacy for the following inter-institutional negotiations, also called trilogues.

The e-Privacy Regulation aims at reforming the existing e-Privacy Directive to complement the General Data Protection Regulation (GDPR) regarding communication data and metadata, as well as device security. In order for the text to efficiently protect European citizens’ privacy, some key issues needed to be addressed in the Commission’s proposal.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

In October 2017, we encouraged citizens to contact Members of the European Parliament (MEPs) to make sure the entire e-Privacy proposal will not be watered down. We (very exceptionally) asked them to support the mandate being granted to continue the negotiations on the proposal text in the trilogues. Here is the outcome of our campaign:

Protection of communications in transit and at rest (Art. 5)

Communications data is always sensitive. This is why, for instance, there is no point in protecting your email while it is being sent if any company hosting your email can read it once it arrives to your inbox, for example to target you with advertising. Therefore EDRi supports the protection of communication data both when it is in transit and at rest. The proposed Article 5 in the European Parliament (EP) version of the e-Privacy Regulation proposal protects “any interference with electronic communications”, including “data related to or processed by terminal equipment”. This is an important step in the right direction.

Consent as the only legal basis for processing (Art. 6)

Informed and free consent should be the sole legal basis for non-necessary processing of such data. Because of the intricate way online tracking works, only users who are fully informed (and free to make the choice) could allow that by consenting to that feature, if it is in their interest.

Privacy and devices protected by design and by default (Art. 10)

As happens with any other device that may create risks for the user, safety and security need to be part of the design and not an after-thought.This is why we need privacy by design and by default. Article 10 of the proposal states that all software allowing electronic communication should, “by default, have privacy protective settings activated to prevent other parties from transmitting to or storing information on the terminal equipment of a user and from processing information already stored on or collected from that equipment”.

The security of devices are also covered by Article 8 that restricts the use of end-users’ terminal equipment to what is strictly necessary, subject to consent.

Restrictions of users’ rights (Art. 11)

Article 11 limits restrictions to vague general public interests such as national security, defence and public security, but the EP has done a better job at being specific in the three sub-articles. Furthermore, Article 11 also contains provisions to ask for mandatory documentation on the requests to access communications by Member States.

Protection of encryption (Art. 17)

In order to protect citizens’ privacy and the safety of their electronic communications, it is fundamental to ban any attempts to undermine encryption. Article 17, on security risks, states that Member States cannot weaken encryption, for example by forcing companies to include ”back-doors” in their products.

The European Parliament has done a good job with its improvements to the text. Thanks to the strong position of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) and citizens’ mobilisation, the European Parliament voted for a strong text that will protect citizens’ privacy and communication. However the fight is not over yet: the Commission, the Council and the Parliament have yet to reach an agreement during the obscure process called trilogues. The final text will be passed in the Plenary of the European Parliament in 2018, tentatively after the summer.

Tell the European Parliament to stand up for e-Privacy! (25.10.2017)

Report on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (23.10.2017)

EDRi’s position on the proposal of an e-Privacy regulation (09.03.2017)

Trilogues: the system that undermines EU democracy and transparency (20.04.2017)

(Contribution by Anne-Morgane Devriendt, EDRi intern)



15 Nov 2017

High time: Policy makers increasingly embrace encryption

By Bits of Freedom

Encryption is of critical importance to our democracy and rule of law. Nevertheless, politicians frequently advocate for weakening this technology. Slowly but surely, however, policy makers seem to start embracing it.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

Encryption is essential for the protection of our digital infrastructure and enables us to safely use the internet – without it, our online environment would be a more dangerous one. Thanks to encryption, companies can better protect our personal data online and internet users can safely communicate and exchange information. This makes encryption of the utmost importance not only for our democratic liberties, but also for innovation and economic growth.

Our governments should therefore stimulate the development and implementation of encryption, more than they currently do. It is without doubt undesirable when governments force companies to create backdoors in their encryption technologies, or to incorporate other ways of weakening it. Policy makers generally grapple with this position though, as they face pressure from police and security services.

Fortunately, in 2016, the Dutch government came to the same conclusion. It rightfully determined that “cryptography plays a key role in the technological security of the digital domain”. It further stated that there were “no viable options to weaken encryption technology in general without compromising the safety of digital systems that utilise it”. Put differently, creating a backdoor for the police also creates a backdoor for criminals. Because of this, the Dutch cabinet argues that it is “undesirable to implement legislative measures that would hamper the development, availability and use of encryption in the Netherlands”.

Then again, the Netherlands is only a small country and much of its legislation is determined by the decisions made at the European level. It is therefore heartening to see that the European Parliament passed a resolution in early November 2017, calling on the European Commission and the member states to “enhance security measures, such as encryption and other technologies, to further strengthen security and privacy”. The Parliament also explicitly asked EU Member States to refrain from “enforcing measures that may weaken the networks or services that encryption providers offer, such as creating or encouraging ‘backdoors’”.

The European Commission has also spoken out on the issue. It recently published “Eleventh progress report towards an effective and genuine Security Union”, which lists measures meant to make Europe safer. One of these measures entails supporting law enforcement in dealing with encrypted information. However, the report immediately adds that this should be done “without prohibiting, limiting or weakening encryption”, since “encryption is essential to ensure cybersecurity and the protection of personal data”.

This definitely does not mean it will be smooth sailing from here on. Political positions change rapidly. The Dutch government, for example, states explicitly that weakening encryption is undesirable “at this moment in time”. All it takes for our political leaders to collectively lose their resolve is one serious terrorist attack after which law enforcement and security services investigations are hindered by encryption. It is also hard to predict how Dutch and European lawmakers will respond when pressure mounts from France, Germany or the United States.

The biggest threat, however, is probably far more subtle. Businesses are often pressured to “take their social responsibility” in fighting whatever is seen to be evil at that particular time. They are told: “You don’t want to be seen as a safe haven for terrorists, do you?” The consequence of this is that far too often, these businesses agree to make their digital infrastructure more vulnerable, without any checks or balances. This cooperative attitude is of course adopted “willingly” – but not without pressure from legislation or fear of damage to their reputation. The proposal of the European Commission in its recent policy document to create a “better and more structured collaboration between authorities, service providers and other industry partners” should be read in this light.

The European Commission struggles to find a position on encryption (31.10.2017)

EU’s plans on encryption: What is needed? (16.10.2017)

EDRi delivers paper on encryption workarounds and human rights (20.09.2017)

EDRi position paper on encryption (25.01.2016)

Encryption – debunking the myths (03.05.2017)

(Contribution by Rejo Zenger, EDRi-member Bits of Freedom, the Netherlands; translation by David Uiterwaal)



31 Oct 2017

The privacy movement and dissent: Protest

By Guest author

This is the fourth blogpost of a series, originally published by EDRi member Bits of Freedom, that explains how the activists of a Berlin-based privacy movement operate, organise, and express dissent. The series is inspired by a thesis by Loes Derks van de Ven, which describes the privacy movement as she encountered it from 2013 to 2015.*

In order to describe, analyse, and understand the ways in which the privacy movement uses protest, it is important to bear in mind the internet plays an all-encompassing role. First, we can distinguish between actions that are internet-supported and actions that are internet-based. Protests that are internet-supported are traditional means of protest that the internet has made easier to coordinate and organise, whereas protests that are internet-based could not have happened without the internet. Second, there is the height of the threshold for people to become involved. A high threshold means that participating entails a high risk and level of commitment, while a low threshold means a low risk and level of commitment. In the privacy movement, internet-supported protest with a low threshold and internet-based protest with a high threshold are the most common forms of protest.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

Internet-supported protest with a low threshold

The most common types of internet-supported protest with a low threshold that we find in the privacy movement are asking for donations and organising legal protest demonstrations.

The internet has given an impulse to donations: whereas in the analogue age the costs to coordinate such actions would outweigh the benefits, in the digital age collecting money has become much more accessible and easier. The Courage Foundation, for instance, collects donations for the legal defense of whistleblowers such as Edward Snowden and Lauri Love. Many other European organisations similarly offer their members and supporters the opportunity to make donations. However, it is worth noting that specifically in the case of the privacy movement, the threshold for donating money is higher than usual, as whistleblowing is a politically sensitive subject and community members have a heightened knowledge of privacy concerns associated with online payments. It is not surprising that donating via the anonymous digital currency Bitcoin is an option many organisations offer.

When it comes to demonstrations, the internet has also been an enhancing factor, as it has made the spreading and exchanging of information about the goal and practical details of a demonstration much easier. This also proves to be the case for demonstrations organised by the privacy movement. A fitting example of how the internet can help rapidly spread information and the effect that has on protest is the Netzpolitik demonstration held in Berlin on 1 August 2015. The announcement by Netzpolitik, a German organisation concerned with digital rights and culture, that two of their reporters and one source had been charged with treason, made thousands of people gather in the streets of Berlin to protest for the freedom of the press.

Here, too, it is worth considering how low the threshold for demonstrating actually is for activists within the privacy movement. In the analogue age it was difficult for governments to get a clear image of who exactly took part in a demonstration. Modern technology, however, has changed and continues to change the game. For instance, after participating in a protest, protesters in the Ukraine received a text message from their government that stated, “Dear Subscriber, you have been registered as a participant in a mass disturbance”. Something similar happened in Michigan, USA, in 2010. After a labour protest the local police asked for information about every cellphone that had been near the protest. Thus, the height of the risk that is involved in these sorts of protest is definitely worth reconsidering, especially when reflecting on a movement with so much awareness of (digital) surveillance.

Internet-based protest with a high threshold

Internet-based actions with a high threshold include protest websites, alternative media, culture jamming, and hacktivism.

Protest websites are websites that “promote social causes and chiefly mobilise support”. The privacy movement is involved in a number of these sorts of websites, for example edwardsnowden.com and chelseamanning.org, which are dedicated to whistleblowers and explain how supporters can help them, and savetheinternet.com, which asks supporters to take action in protecting net neutrality.

Alternative media have proven to be a crucial part of how the privacy movement voices dissent and “bears witness”, as the internet has made it possible to circumvent mass media and has reduced the effort to spread information to a large audience. A well-known example of alternative media, emerging from the privacy movement, is The Intercept, an online news organisation co-founded by Glenn Greenwald, Laura Poitras, and Jeremy Scahill. This newspaper aims, according to its website, to “[produce] fearless, adversarial journalism” and focuses on stories that provide transparency about government and corporate institutions’ behaviour.

Culture jamming is a form of protest where corporate identity and communications is appropriated for the protesters’ own goals, using tactics such as “billboard pirating, physical and virtual graffiti, website alteration, [and] spoof sites”. An example for spoof sites is the Twitter account: @NSA_PR, or NSA Public Relations in full, a reaction to the actual official Twitter account the public relations department of the US National Security Agency that was launched at the end of 2013. The spoof account often responds to recent surveillance and security issues in a humorous way. For example, when WikiLeaks published documents about the NSA’s interception of French leaders, NSA Public Relations posted, “Parlez-vous Français?”.

Hacktivism is the last form of internet-based protest with a high threshold. It is defined as “confrontational activities like DoS attacks via automated email floods, website defacements, or the use of malicious software like viruses and worms”. These activities are not commonly used within the privacy movement. Instead a “”digitally correct” form of hacktivism is practised. Digitally correct hacktivism designs computer programs that help confirm and accomplish their political aims. Of the many programs that exist, two of the most well-known and widely used programs for this kind of protest are the Tor Project web browser and Pretty Good Privacy. Both programs are designed to secure the user’s privacy. Whereas it is debatable whether direct action hacktivism is legal or not, the use of the Tor browser and email encryption are, of course.

The digital age has undeniably affected the way in which social movements protest. Traditional forms of protest have become internet-supported, but additionally there are also forms of protest being used that cannot even exist without the internet. This is even more the case for the privacy movement. For a movement that is so intertwined with the internet, we see that it is difficult to even make the distinction between online and offline protest, and that it comes up with its own specific alterations to already existing forms of protest.

The series was originally published by EDRi member Bits of Freedom at https://www.bof.nl/tag/meeting-the-privacy-movement/

Dissent in the privacy movement: whistleblowing, art and protest (12.07.2017)

The privacy movement and dissent: Whistleblowing (23.08.2017)

The privacy movement and dissent: Art (04.10.2017)

(Contribution by Loes Derks van de Ven; Adaptation by Maren Schmid, EDRi intern)

* This research was finalised in 2015 and does not take into account the changes within the movement that have occurred since then.

Della Porta, Donatella, and Mario Diani. Social movements. An Introduction. Malden: Blackwell Publishing, 2006.
Van Aelst, Peter, and Jeroen van Laer. “Internet and Social Movement Action Repertoires. Opportunities and Limitations.” Information, Communication & Society 13:8 (2010): 1146-1171.



25 Oct 2017

Tell the European Parliament to stand up for e-Privacy!

By Diego Naranjo

On 26 October, the European Parliament (EP) will decide on a key proposal to protect your privacy and security online. This step consists in confirming (or not) the Parliament’s mandate to negotiate the e-Privacy Regulation with the Council of the European Union.

This vote has been demanded as part of an effort to either water down or completely destroy the proposal. As a result, we (very exceptionally) support the mandate being granted.

Do you want to protect the privacy of millions of people in the next generations? Then take action now and contact the Members of the European Parliament (MEP) from your country in order to be able to make sure that the European Parliament approves the mandate. You can:

  1. Call your MEP using the free call system (developed by La Quadrature Du Net) and ask them to vote on Thursday 26 October to support the mandate for the e-Privacy trilogues.
  2. Tweet to the MEPs from your own country now (and also other MEPs, ideally in their own language). Use the hashtag #ePrivacy! You could tweet for example along the lines:

Dear <@MEP>, please vote for a mandate for the #ePrivacy #trilogues. Good for citizens, for trust, for innovation, for competition!

You can find below the list of MEPs’ Twitter handles for each Member State:

The Regulation applies to confidentiality of communications, online and offline tracking and device security. It has been the subject of a huge lobbying campaign by industry associations peddling a range of outlandish claims including that the Regulation would ban advertising and would even be responsible for “killing the internet” (seriously).

e-Privacy Directive: Frequently Asked Questions

e-Privacy Mythbusting (25.10.2017)

Quick guide on the proposal of an e-Privacy Regulation (09.03.2017)

Last-ditch attack on e-Privacy Regulation in the European Parliament (24.10.2017)

Dear MEPs: We need you to protect our privacy online! (05.10.2017)


24 Oct 2017

Last-ditch attack on e-Privacy Regulation in the European Parliament

By Joe McNamee

The ECR, the right-wing, Eurosceptic political group in the European Parliament has joined forces with German Conservatives, Axel Voss and Monika Hohlmeier, as well as the Danish Liberal Morten Løkkegaard to try to overturn progress made on the e-Privacy Regulation.

The Regulation applies to confidentiality of communications, online and offline tracking and device security. It has been the subject of a huge lobbying campaign by industry associations peddling a range of outlandish claims including that the Regulation would ban advertising and would even be responsible for “killing the internet” (seriously).

As the myths and mythology that Members of the European Parliament (MEPs) are being confronted with every day are getting more and more ridiculous, on 24 October, we wrote to all 751 MEPs. However, to avoid the e-mail getting too long, we restricted ourselves to the six most outlandish myths:

  1. that e-Privacy bans online advertising (advertising existed before online surveillance)
  2. that e-Privacy is bad for democracy (tracking has manipulated elections)
  3. that e-Privacy is bad for media pluralism and quality of journalism (tracking is the business model of fake news)
  4. that e-Privacy prevents the fight against illegal content (the telecoms companies made this false argument about net neutrality. It wasn’t true and still isn’t)
  5. that e-Privacy helps Google and Facebook (no, seriously, the lobbyists are actually saying this)
  6. that we need a level playing field (actually that one is true, we need everyone to be regulated fairly)

You can read our letter here.

Tell your MEPs you want a strong e-Privacy Regulation – as agreed by the European Parliament Committee on Committee on Civil Liberties, Justice and Home Affairs (LIBE). Find your MEPs here.


18 Oct 2017

Extending the use of eID to online platforms – risks to privacy?

By Anne-Morgane Devriendt

On 10 October 2017, the European Commission published the “draft principles and guidance on eID interoperability for online platforms” on the electronic Identification And Trust Services (eIDAS) observatory. Building on the eIDAS Regulation, the Commission would like to extend the scope of use for the eIDs to online platforms, in addition to public services. This raises a number of issues, particularly on the protection of privacy.

The eIDAS Regulation, adopted in 2014, is part of the “European eGovernment Action Plan 2016-2020”. It aims at making all Member State issued eIDs recognisable by all Member States from 28 September 2017. By extending the scope of use of eIDs to “online platforms” in general and not only public services, the Commission is trying to make authentication easier and more secure, as the eID itself would allow logging in. It would answer some of the issues raised by the use of passwords as main authentication method. It would also be more convenient for the users who could use the same eID across different platforms.

However, as are presented in the Commission’s document, the guidelines raise a number of issues, such as the lack of definition of “online platforms”. As the eIDAS Regulation concerns access to public services throughout the EU with the same, government approved eID, it appears that “online platforms” refers to the private sector. “Online platforms” are defined, to a certain extent, in the Commission’s Communication on Online Platforms. However, the characteristics that are used are so wide they encompass both online sales websites and social media platforms.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The second issue is protection of privacy. Indeed, the draft document states that “users should be able to preserve a level of privacy and anonymity, e.g. by using a pseudonym”. The failure to understand the basic notion that anonymity and pseudonymisation are fundamentally different is worrying. It is, or should be, obvious that using one’s eID to authenticate oneself would allow the platform to link the pseudonym to the real identity and personal information. Furthermore, while it might be useful for online sale platforms to make sure transactions are taking place between real people, it defeats the purpose of using a pseudonym on social media to separate online activities to be linked to one’s real identity.

Finally, if the Commission sets the direction to make authentication easier for both platforms and users with the use of the eID, they do not provide guidelines on the implementation of privacy by default. This would make sure that online platforms only have access to authentication information and do not use it for other purposes. One of the safeguards for the use of eIDs to access public services is the ability to monitor which public servant accessed the data and when. However, regarding the use of eIDs for authentication on online platforms, there is no provision in the draft guidelines that would make sure that data are properly secured.

Bearing in mind the huge and varied damage caused to Facebook users by its “real names” policy, the risks of this project being used by certain online platforms are real and significant.

All interested stakeholders can communicate their opinion on this draft to the Commission before 10 november 2017 through the eIDAS observatory post or by email.

Draft principles and guidance on eID interoperability for online platforms – share your views! (10.10.2017)

Workshop: Towards principles and guidance on eID interoperability for online platforms (24.04.2017)

Communication from the Commission – Online Platforms and the Digital Single Market: Opportunities and Challenges for Europe (25.05.2016)

(Contribution by Anne-Morgane Devriendt, EDRi intern)



06 Oct 2017

ePrivacy : Foire Aux Questions


Original version here (English)

Qu’est-ce que le Réglement vie privée et communications électroniques ?

Le Réglement vie privée et communications électroniques ou e-Privacy est un Réglement qui couvre des problèmes spécifiques de la vie privée et de la protection des données dans le domaine des communications. Elle a été adoptée en 2002 et révisée en 2009. Le texte officiel de la version actuelle peut être trouvé ici.


Pourquoi avons-nous besoin de cet instrument ?

Le Réglement e-Privacy a été crée pour garantir la vie privée et protéger les données personnelles dans le domaine des communications électroniques, en “complétant et détaillant” les sujets abordés dans l’outil juridique principal, c’est-à-dire la Directive sur la Protection des Données, désormais appelée Règlement Général sur la Protection des Données (RGPD). Par exemple, l’e-Privacy protège la confidentialité du contenu des communications, des informations stockées et de leur accès sur l’appareil d’un individu. Le RGPD ne couvre pas cela spécifiquement.

La confidentialité des communications est très complexe. Elle couvre non seulement votre droit à la vie privée et à la protection des données, mais aussi votre liberté d’expression et de communication. Sans une législation qui définit clairement le sens de ces droits fondamentaux dans cet environnement complexe, la protection de la confidentialité et la sécurité des communications seraient moins prévisibles et plus difficilement applicables. Un manque de règles précises rend aussi plus difficile pour les entreprises le développement de nouveaux services innovants.

Le Règlement Général sur la Protection des Données (RGPD) ne suffit-il pas?

Même si le RGPD couvre de nombreux sujets en lien avec la protection des données, il ne couvre pas directement et précisément le droit à la vie privée et, plus particulièrement, le droit à la liberté de communication, qui sont deux droits fondamentaux distincts. Ainsi, l’e-Privacy est un niveau de précision nécessaire pour assurer une protection efficace et prévisible des droits qui ne sont pas couverts par le RGPD avec une précision suffisante. De plus, la e-Privacy couvre également des activités où le traitement des données personnelles n’est pas le sujet principal, comme l’envoi non sollicité de messages (par exemple les pourriels ou marketing direct). Elle fournit aussi une base pour la protection des informations stockées sur l’appareil d’un individu. Il est important de se souvenir que le but de l’e-Privacy n’est pas de créer de nouveaux droits, mais de compléter des règles existantes, à la fois pour le bien des individus et des sociétés.

Le besoin d’une législation sur la vie privée et la sécurité des données personnelles dans le domaine des communications électroniques augmente. Le suivi en ligne et la surveillance des e-mails à des fins publicitaires sont des pratiques de plus en plus courantes ; alors que les entreprises télécom tentent de copier les entreprises en ligne en tirant des profits des masses de données des clients qu’elles possèdent (y compris des données de localisation). De plus, l’e-Privacy doit être mise à jour pour rester en adéquation avec les dernières innovations technologiques, comme l’utilisation d’applications de messagerie instantanée (chat) à la place des SMS ou mails.

Quels droits fondamentaux sont touchés par le Réglement e-Privacy ?

  • Le droit fondamental à la confidentialité des communications, entériné dans l’article 7 de la Charte des Droits Fondamentaux de l’Union Européenne. Le nouvel instrument qui va remplacer ou réviser l’e-Privacy devrait clarifier de façon précise que ce principe s’applique totalement aux données des activités en ligne et aux communications, incluant le trafic et les données de localisation, comme définis actuellement dans le Réglement e-Privacy. De plus, il devrait aussi s’appliquer à toute donnée similaire créé ou utilisée en ligne, comme les données de localisation, de navigation, d’utilisation des e-books, d’utilisation des applications mobiles, de recherche, etc. et à toute autre nouvelle donnée en résultant. Le nouvel instrument doit aussi apporter de la clarté sur les conceptions techniques et l’application par défaut de la protection de la vie privée dans ce contexte.
  • Les droits fondamentaux à la protection des données personnelles et à la liberté d’expression, comme entérinés dans l’article 8 de la Charte citée plus haut. Pour la plupart des personnes dans l’UE, la façon la plus facile d’accéder à l’information implique l’internet. Pour protéger cela, l’instrument révisé devrait bannir l’obligation d’accepter le suivi de leurs activités, ainsi que le profilage et la prise de décision automatique qui s’ensuivent (par exemple, en acceptant les cookies avant de pouvoir accéder à un site internet). Cela est particulièrement important pour l’accès à des informations sur des sujets liés à des données sensibles, ou lors de l’accès à des services du secteur public.

Quelles activités sont couvertes dans l’e-Privacy ?

  • la confidentialité et la sécurité des communications ;
  • le trafic et les données de localisation produits par les appareils personnels ;
  • le suivi des utilisateurs, y compris lors de l’utilisation d’appareils personnels (comme pour des publicités par analyse comportementale) ;
  • les cookies ;
  • les mesures de sécurité des appareils personnels ;
  • la facturation détaillée ;
  • l’identification des numéros d’appel ;
  • les annuaires publics et privés ;
  • les pourriels et appels non sollicités à but de prospection commerciale ;
  • les notifications de violation de données (spécifiées plus tard dans le Réglement de l’UE 611/2013).

Quels sont les éléments qui doivent être mis à jour?

Tout ce qui à trait aux activités en ligne dans l’e-Privacy (comme la confidentialité et la sécurité des communications et des appareils personnels, ainsi que le suivi des utilisateurs) doit être mis à jour pour correspondre aux innovations technologiques présentes et futures. Les réglementations sur la facturation détaillée, les registres d’utilisateurs, et les communications non-sollicitées doivent être réévalués, pour vérifier si elles sont en accord avec le RGPD. Certains de ses aspects, comme la façon dont on doit traiter les violations de données, ne requièrent pas une législation spécifique. Ils peuvent donc être supprimés. Ainsi on pourrait résoudre cela en faisant référence au RGPD, afin d’éviter toute redondance.

J’en ai assez de voir des bannières qui me demandent d’accepter les cookies. Est-ce que cela va encore en rajouter ?

L’e-Privacy essaye actuellement de donner aux utilisateurs un peu de contrôle sur le suivi en ligne. En revanche, elle le fait d’une façon plutôt brutale. Les enseignements tirés de l’expérience et des évolutions technologiques suggèrent que la disposition qui régule les cookies dans l’e-Privacy devrait être améliorée, afin de permettre des mécanismes de consentement plus faciles à utiliser.

Comme nous l’avons expliqué dans un article précédent, les cookies sont une des façons de laisser des traces numériques derrière vous lorsque vous naviguez. Ce sont des bouts d’information qui s’installent automatiquement sur votre appareil lorsque vous visitez des sites web. Les règles révisées sur les cookies dans l’e-Privacy devraient permettre une navigation plus agréable en supprimant l’obligation de consentement pour les cookies qui ne concernent pas la collecte et le traitement de données personnelles (comme le traçage avec des services tiers des utilisateurs et des appareils). Cela s’appliquerait par exemple aux statistiques qui comptabilisent quelles sont les pages d’un site web les plus visitées. Ces statistiques collectées par le propriétaire d’un site (“cookies de premier parti” ou “cookies internes”) n’impliquent pas de traitement des données personnelles inutile. Généralement, nous faisons référence aux lignes directrices sur les cookies du Groupe de travail Article 29 sur la protection des données à ce propos.

Quel est le lien avec la protection contre la surveillance de masse ?

Sans aucun doute nous pouvons nous attendre à un usage croissant des appareils personnels électroniques (smartphones, tablettes, ordinateurs) ainsi que des technologies liées qui sont connectées à Internet (comme dans l’internet des objets). Ces évolutions créent de nouvelles opportunités pour la communication en ligne, mais comportent aussi des risques pour la confidentialité et d’autres droits fondamentaux. La communication en ligne implique souvent de nombreuses personnes au delà des frontières nationales, sans que les utilisateurs en soient pleinement conscients.

Nous sommes d’accord avec le Contrôleur européen de la protection des données (CEPD) sur l’idée que le nombre et la fréquence des requêtes gouvernementales faites aux services internet (Twitter, Gmail et autres) devraient être rendus publics, de façon à donner aux individus une vision plus claire sur la façon dont ces pouvoirs gouvernementaux envahissants sont utilisés, en pratique. Si le public est au courant de la conduite du gouvernement, il sera dans une position plus à même de lui demander des comptes. Dans ce contexte, plus de transparence pourrait permettre de restaurer la confiance que les personnes accordent au secteur des communications électroniques.

Quel est le lien avec la sécurité de mes appareils électroniques, comme mon smartphone ?

Le RGPD inclut des obligations en matière de sécurité sur le traitement des données personnelles, alors que l’e-Privacy permet l’inclusion d’obligations en matière de sécurité qui sont plus spécifiquement adaptées à nos communications en ligne. Ces obligations en matière de sécurité devraient non seulement s’appliquer aux fournisseurs de communications électroniques (les télécoms), mais aussi couvrir les développeurs d’application et les fabricants d’appareils électroniques, par exemple. Les entreprises derrière les applications et les appareils ne sont pas toujours les principaux responsables légaux. Pourtant, en raison de leur rôle important dans la protection de la sécurité et la confidentialité des communications personnelles, ils devraient aussi être soumis à des normes de sécurité. Nous faisons plus particulièrement référence aux recommandations sur les normes de sécurité et de vie privée pour les fournisseurs de systèmes d’exploitation, les fabricants d’appareils et autres acteurs principaux formulés par le Groupe de travail Article 29 sur la protection des données dans son Opinion 8/2014 sur l’Internet des Objets.

Cette FAQ a été préparé par l’office d’EDRi à Bruxelles et des membres Open Rights Group, fIPR, Bits of Freedom, Access Now, Panoptykon and Privacy International.

Translation by volunteers Pierre, Florian and Gilles.

05 Oct 2017

Dear MEPs: We need you to protect our privacy online!


They’re hip, they’re slick and they follow you everywhere. They know you like new shoes, playing tennis and tweeting at odd hours of the morning. Do you know what that says about your health, your relationships and your spending power? No? Well, the online companies do. They follow you everywhere you go online, they have a perfect memory, they know the sites you visited last year even if you’ve forgotten… Look who’s stalking.

European legislation protecting your personal data was updated in 2016, but the battle to keep it safe is not over yet. The European Union is revising its e-Privacy rules. We welcomed the European Commission (EC) proposal as a good starting point, but with room for improvement. The online tracking industry is lobbying fiercely against it. Online tracking and profiling gave us filter bubbles and echo chambers. Yet the lobbyists lobby for it under the pretext of “saving the internet”, “protecting quality journalism” – even “saving democracy”.

The European Parliament is currently debating its position on the EC proposal. Some Members of the European Parliament (MEPs) support “tracking business, as usual” while others support a strong future-proof norm to protect the privacy, innovation and security of future generations of EU citizens and businesses.

Priorities for defending privacy and security:

1) Protect confidentiality of our communications – both in transit and at rest!
Confidentiality of communications needs to be protected both in transit and when it is stored. Lobbyists have been campaigning for a technicality that would allow them to read and exploit your emails stored in the cloud. (Art. 5)

2) Protect our privacy: Do not add loopholes to security measures!
A “legitimate interest” exception was not included in any version of the previous e-Privacy Directives. This would be a major weakening of the legislation compared with existing rules. Our member Bits of Freedom wrote about the problems with “legitimate interest” here. (several Articles and Recitals)

3) Do not let anyone use our data without asking for our consent!
It is crucial to keep consent as the legal ground to process communications data. Neither “legitimate interest” nor “further processing” should be allowed to weaken the security and privacy of European citizens and businesses (Art.6)

4) Privacy should not be an option – what we need is privacy by default!
Provisions about default privacy settings need to be strengthened and improved, certainly not watered down or deleted. e-Privacy must ensure “privacy by design and by default” and not, as in the EC proposal, “privacy by option”. You can find our specific proposals here. The European Parliament previously adopted a Directive that criminalises unauthorised access to computer systems. It would be completely incoherent if it were to adopt legislation that foresees default settings that do not protect against unauthorised access to devices. (Art. 10)

5) No new exceptions to undermine our privacy!
Exceptions for Member States cannot become a carte blanche rendering e-Privacy useless. Therefore, the safeguards established by the Court of Justice of the European Union on cases regarding the exceptions in the relevant sections of the e-Privacy Regulation should be diligently respected – the scope of the exception should not be expanded. (Art. 11)

6) Do not undermine encryption!
Imposing a ban on undermining or attacking encryption should be a priority.

7) Protect our devices (hardware+software) by design and by default!
Hardware and software security need to be protected by design and by default.

MEPs, protect our #ePrivacy – Support amendments that follow the principles listed above!

e-Privacy revision: Document pool

e-Privacy: Consent (pdf)

e-Privacy: Legitimate interest (pdf)

e-Privacy: Privacy by design and by default (pdf)

e-Privacy: Offline tracking (pdf)

Your privacy, security and freedom online are in danger (14.09.2016)

Five things the online tracking industry gets wrong (13.09.2017)

ePrivacy Regulation: Call a representative and make your voice heard!

Who’s afraid of… e-Privacy? (04.10.2017)


04 Oct 2017

ENDitorial: Tinder and me: My life, my business

By Maryant Fernández Pérez

Tinder is one of the many online dating companies of the Match Group. Launched in 2012, Tinder started being profitable as of 2015, greatly thanks to people’s personal data. On 3 March 2017, journalist Judith Duportail asked Tinder to send her all her personal data they had collected, including her “desirability score”, which is composed of the “swipe-left-swipe-right” ratio and many other pieces of data and mathematic formulae that Tinder does not disclose. Thanks to her determination and support from lawyer Ravi Naik, privacy expert Paul-Olivier Dehaye and the work of Norwegian consumers advocates, Judith reported on 27 September 2017 that she received 800 pages about her online dating-related behaviour.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

Tinder did not disclose how desirable the company considered Duportail to be, though, even if it had disclosed it to another journalist. The 800 pages contained information such as her Facebook “likes”, her Instagram pictures (even if she had deleted her account), her education, how many times she had connected to Tinder, when and where she entered into online conversations, and many more things. “I was amazed by how much information I was voluntarily disclosing”, Duportail stated.

800 pages of personal data – surprising?

As a Tinder user, you should know that you “agree” to Tinder’s terms of use, privacy policy and safety tips, as well as other terms disclosed if you purchase “additional features, products or services”. These include the following:

  • “You understand and agree that we may monitor or review any Content you post as part of a Service.”
  • “If you chat with other Tinder users, you provide us the content of your chats.”
  • “We do not promise, and you should not expect, that your personal information, chats, or other communications will always remain secure.”
  • “By creating an account, you grant to Tinder a worldwide, transferable, sub-licensable, royalty-free, right and license to host, store, use, copy, display, reproduce, adapt, edit, publish, modify and distribute information you authorize us to access from Facebook, as well as any information you post, upload, display or otherwise make available (collectively, ‘post’) on the Service or transmit to other users (collectively, ‘Content’).”
  • “You agree that we, our affiliates, and our third-party partners may place advertising on the Services.”
  • “If you’re using our app, we use mobile device IDs (the unique identifier assigned to a device by the manufacturer), or Advertising IDs (for iOS 6 and later), instead of cookies, to recognize you. We do this to store your preferences and track your use of our app. Unlike cookies, device IDs cannot be deleted, but Advertising IDs can be reset in “Settings” on your iPhone.”
  • “We do not recognize or respond to any [Do Not Track] signals, as the Internet industry works toward defining exactly what DNT means, what it means to comply with DNT, and a common approach to responding to DNT.”
  • “You can choose not to provide us with certain information, but that may result in you being unable to use certain features of our Service.”

Tinder explains in its Privacy Policy – but not in the summarised version of the terms – that you have a right to access and correct your personal data. What is clear to the company is that you “voluntarily” provided your information (and that of others). Duportail received part of the information Tinder and its business partners hold, no doubt partly because she is a journalist. Her non-journalist friends have not experienced the same benevolence. Your personal data has an effect not only on your online dates, “but also what job offers you have access to on LinkedIn, how much you will pay for insuring your car, which ad you will see in the tube and if you can subscribe to a loan”, Paul-Olivier Dehaye highlights.

Worse still, even if you close your account or delete info, Tinder or its business partners do not necessarily delete it. And the worst, you’ve “agreed” to it: “If you close your account, we will retain certain data for analytical purposes and recordkeeping integrity, as well as to prevent fraud, enforce our Terms of Use, take actions we deem necessary to protect the integrity of our Service or our users, or take other actions otherwise permitted by law. In addition, if certain information has already been provided to third parties as described in this Privacy Policy, retention of that information will be subject to those third parties’ policies.”

You should be in control

Civil society organisations fight this kind of practices, to defend your rights and freedoms. For instance, the Norwegian Consumer Council successfully worked for Tinder to change its terms of service. On 9 May 2017, EDRi and its member Access Now raised awareness about period trackers, dating apps like Tinder or Grindr, sex extortion via webcams and the “internet of (sex) things” at the re:publica 17 conference. Ultimately, examples like Duportail’s shows the importance of having strong EU data protection and privacy rules. Under the General Data Protection Regulation, you have a right to access your personal data, and companies should provide privacy by default and design in their services. Now, we are working on the e-Privacy Regulation to ensure you have real consent instead of a tick on a box of something you never read, to prevent companies from tracking you unless you provide express and specific consent, among many other things.

Now that you know about this or have been reminded of this, spread the word! It does not matter whether you are on Tinder or not. This is about your online future.

I asked Tinder for my data. It sent me 800 pages of my deepest, darkest secrets (26.09.2017)

Getting your data out of Tinder is really hard – but it shouldn’t be (27.09.2017)

Safer (digital) sex: pleasure is just a click away (09.05.2017)

Tinder bends for consumer pressure (30.03.2017)

(Contribution by Maryant Fernández Pérez, EDRi)



04 Oct 2017

The privacy movement and dissent: Art

By Guest author

This is the third blogpost of a series, originally published by EDRi member Bits of Freedom, that explains how the activists of a Berlin-based privacy movement operate, organise, and express dissent. The series is inspired by a thesis by Loes Derks van de Ven, which describes the privacy movement as she encountered it from 2013 to 2015.*

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

Although there are relatively few privacy movement members involved in the actual process of creating art, it does affect the movement as a whole. Art reflects the movement’s beliefs and is used as a weapon of resistance against injustice.

The two art projects of the privacy movement which will be introduced in this article are Panda to Panda and Anything to Say?. They both share a number of features that belong to activist art in general. One of these features is the way activist art comes into being; the art activists create almost always comes from personal experiences and wants to draw attention to and gain recognition for those experiences. In addition, it problematises authority, domination, and oppression and seeks to alter the current situation. Moreover, activists like their work to evoke emotion and provoke intellectually, and they aim to form a community among those who share a similar aversion to oppression.

Panda to Panda (2015) is part of a larger project called Seven on Seven, a project initiated by Rhizome, the influential platform for new media art affiliated with the New Museum in New York City. Each year, Rhizome matches seven artists with seven technologists. In 2015, one of the pairs Rhizome invited to participate were Ai Weiwei and Jacob Appelbaum. The result of their collaboration, Panda to Panda, consists of twenty stuffed pandas from which the stuffing has been replaced with shredded documents that Glenn Greenwald and Laura Poitras received from Edward Snowden. In addition, a micro SD card with the documents on it has been placed inside each panda. By distributing the pandas to as many places as possible, the pandas function as a “distributed backup” that is difficult to destroy, since that would mean destroying all twenty objects. The project was documented by Ai, who shared the images with his followers on social media. Laura Poitras was invited to film the process and eventually published the film in the online edition of The New York Times.

Panda to Panda is an example of ethico-political subversion, in which authority is undermined in a number of ways. First, the project in its totality is a complaint against government surveillance and state power. As Ai, Appelbaum, and Poitras were working on the project, they continuously filmed each other. With the constant filming they emphasise and visualise the surveillance they are under: while they film each other, they are also watched by the surveillance cameras placed in front of Ai’s studio by the Chinese authorities. There is a constant awareness of always being under watch.

Second, the pandas also have a symbolic meaning. From Appelbaum’s frame of reference, Panda to Panda is a variation on peer-to-peer communication, a means of communication in which there is no hierarchy and that allows all peers to interact in an equal way. This system is seen as a philosophy of egalitarian human interaction on the internet. This reference also materialises the goals of the movement. From Ai’s frame of reference, the pandas satirically reference popular culture: in China, the secret police, the “government spies” that also monitor Ai, are often referred to as pandas.

Anything to Say? A Monument of Courage (2015) is a life-size bronze sculpture by American author Charles Glass and Italian artist Davide Dormino. The sculpture portrays three people: Julian Assange, Edward Snowden, and Bradley Manning (who is now Chelsea Manning). The three each stand on a chair, a fourth chair is left empty. This fourth chair is meant for other individuals to stand on, to enable them to stand with the whistleblowers and freely express themselves. Anything to Say? has its own Twitter account where followers can follow the realisation, unveiling, and journey of the sculpture. The sculpture has never been placed in a typical museum context: it was unveiled at Alexanderplatz in Berlin in and has been travelling since.

An analysis of Anything to Say? demonstrates a number of ways in which art functions to strengthen the privacy movement. Taking a stand and expressing your thoughts does not come naturally to everyone; it takes a certain amount of courage – as the sculpture’s subtitle A Monument of Courage indicates. By inviting individuals to stand on the fourth, empty chair, the sculpture encourages them to do the same as whistleblowers: to step out of their comfort zone and become visible. Young or old, rich or poor, German or not, part of the movement or not: the sculpture gives the audience a reason to connect. Furthermore, here as in the case of Panda to Panda, the sculpture carries out some of the beliefs of the privacy movement, informing individuals within as well as outside of the movement.

Anything to Say? not only highlights the importance of freedom of speech and freedom of information; it also comes from the personal experiences of whistleblowers and it shows great respect for them. It encourages the audience to show the same courage as Assange, Snowden and Manning have shown, but the sculpture in itself is also a sign of gratitude towards them. Furthermore, the sculpture in itself represents movement ideas and values, but by asking members of the audience to stand on the chair and express themselves, it actually practices free speech and thereby practices one of the privacy movement’s aims.

Activist art is a valuable way for the privacy movement to express what it stands for. Although there is only a relatively small group of activists within the movement that actually creates art, it affects the entire movement; it encourages members within the movement, allows them to experience both their own and the group’s strength, and the personal character of the art reinforces the unity within the movement. In the next article of this series, protest as an expression of dissent of the privacy movement will be explored.

The series was originally published by EDRi member Bits of Freedom at https://www.bof.nl/tag/meeting-the-privacy-movement/.

Dissent in the privacy movement: whistleblowing, art and protest (12.07.2017)

The privacy movement and dissent: Whistleblowing (23.08.2017)

(Contribution by Loes Derks van de Ven; Adaptation by Maren Schmid, EDRi intern)

* This research was finalised in 2015 and does not take into account the changes within the movement that have occurred since then.



Andelman, David A. “The Art of Dissent. A Chat with Ai Weiwei.” World Policy Journal 29.3 (2012): 15-21.
Goris, Gie. Art and Activism in the Age of Globalization. Ed. Lieven de Cauter, Ruben de Roo, and Karel Vanhaesebrouck. Rotterdam: NAi Publishers, 2011.
Reed, T.V. The Art of Protest. Culture and Activism from the Civil Rights Movement to the Streets of Seattle. Minneapolis: University of Minnesota Press, 2005.
Simonds, Wendy. “Presidential Address: The Art of Activism.” Social Problems 60.1 (2013): 1-26.