In the digital era, copyright should be implemented in a way which benefits creators and society. It should support cultural work and facilitate access to knowledge. Copyright should not be used to lock away cultural goods, damaging rather than benefitting access to our cultural heritage. Copyright should be a catalyst of creation and innovation. In the digital environment, citizens face disproportionate enforcement measures from states, arbitrary privatised enforcement measures from companies and a lack of innovative offers, all of which reinforces the impression of a failed and illegitimate legal framework that undermine the relationship between creators and the society they live in. Copyright needs to be fundamentally reformed to be fit for purpose, predictable for creators, flexible and credible.

17 Aug 2017

The School of Rock(ing) EU Copyright 2017

By Diego Naranjo

What is the School of Rock(ing) Copyright?

The European Union (EU) is currently reforming its copyright legislation. Such reforms are rare, their effects intended to last for many years, with their consequences having a direct impact on the lives of all individuals.

In cooperation with Communia and Wikimedia, EDRi is organizing a series of workshops on the European copyright reform, its challenges, dangers and opportunities. This 2017 series is a continuation of our very first School of Rock(ing) Copyright in Warsaw in 2015.

How do you feel having all your memes, blogposts, private videos filtered by a European censorship machine? How do you feel when you cannot make copies of your own cultural content? How does copyright affect freedom of expression in our daily lives? And most importantly, what can we do together in order to change this situation where multinationals speak on behalf of authors and limit our fundamental rights? Our series of events will address these questions…

The objective is to form a copyfighter A-Team to push users rights to the top of the agenda of EU policy-making. We’ll discuss jointly the main concerns, and what can we do in order to bring such issues into the public debate, to allow us to better reach individuals and politicians, both at the European and the national levels.

The workshop is available for up to 20 participants and the working language is English. There is funding available for transport and accommodation.

The goals of the School of Rock(ing) EU Copyright are to:

  • inform the participants on the current state of play of the EU copyright reform;
  • provide the tools that can be used to campaign on national level;
  • deepen the understanding of copyright activists of the EU legal and decision-making frameworks;
  • inform participants on how it is possible to influence decision-making in the EU;
  • create networks (and develop existing ones) of civil society activists to work together on common goals to  in order to have a stronger voice and avoid duplicate efforts.

Our workshops

Slovenia, Ljubljana

Dates: 22-23 September
Partner: Inštitut za intelektualno lastnino
Applications: TBA
Deadline for applications: 4 September 2017
Info in local language: TBA
Number of funded places: 15-20

Hungary, Budapest

Dates: 6-7 October
Partner: Center for Independent Journalism
Applications: TBA
Deadline for applications: 15 September 2017
Info in local language: TBA
Number of funded places: 15-20

Portugal, Lisbon

Dates: 20-21 October
Partner: Direitos Digitais
Applications and information: Inscrições abertas! – The School of Rock(ing) EU Copyright
Deadline for applicatiosn: 8 September 2017
Number of funded places: 15-20

Want to know more?

Ask our partners directly about the specific workshops in each country. For general information on the School of Rock(ing) Copyright (potential future partners, media, etc.), you can write to (with “SORC” in the subject line).


01 Aug 2017

Italy plans to extend telecoms data retention and increase censorship powers

By Hermes Center

On 19th July, the Chamber of Deputies of the Italian Parliament approved two amendments to existing laws. One of the amendments aims at extending telecommunications data retention to 6 years, while the other gives Agcom, the communications regulator, powers to order takedown powers and blocking of online content without judicial oversight.

Data retention in Italy is governed by Art. 132 of the Privacy Law (24 months for phone communications metadata, 12 months for Internet metadata, 30 days unanswered phone calls). The amendment will extend the retention period for all categories of the above data to 6 years.

The Data Retention Amendment (Art. 12-Ter of DDL 4505-A) was written by Walter Verini [PD] and Giuseppe Berretta [PD] as an amendment to a law that regulates the safety of lifts, which led to many MPs voting it without even reading the amendment. Later, several MPs issued public statements of regret, admitting their mistake.

After the public criticism, one of the co-signatories of the Data Retention Amendment, Ms Mara Mucci [Mixed Group] acknowledged that she had not really realised the sensitivity of the issue and that she is now available to foster a wider debate to change the law in the Senate.

Antonello Soro, the President of the Italian Data Protection Authority, condemned Mr Verini’s amendment arguing that it does not clearly guarantee the principles of proportionality as defined by the EU regulatory framework and the rulings of the Court of Justice of the European Union (there have been two separate CJEU rulings against indiscriminate telecommunications data retention).

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

AIIP, the Italian Association of Internet Providers, also criticised the Data Retention amendment as too broad and as being in contradiction with EU case law. They also criticised the fact that the amendment was introduced without involving the key stakeholders impacted by the bill for contribution and opinions.

With regard to the “Takedown Power” amendment, currently in Italy only a court order can mandate an ISPs to takedown a website or restrict access to specific content (by IP address or domain name). Under the new law, Agcom, an administrative authority, will be given the power do so without any kind of judicial oversight.

The Takedown Power Amendment (Amendment n. 1022 published in Annex A of parliamentary sitting 19/07/2017) sparkled an immediate reaction again by AIIP, which sharply criticised it due to the excessive powers given to the Agcom.

The amendment further gives Agcom the mandate to issue a technical regulation that will define the requirements for the implementation of permanent blocking infrastructure to be implemented by ISPs, de-facto requiring the deployments of Deep Packet Inspection system.

These amendments have been approved by the Chamber of Deputies of the Italian Parliament in the context of the process to implement European Union legislation (“Disposizioni per l’adempimento degli obblighi derivanti dall’appartenenza dell’Italia all’Unione europea — Legge europea 2017 (DDL 4505-A)”)

The two amendments had a total amount of parliamentary debate of less than 2 minutes (Video).

The Law, including the two amendments, still has to be approved by the Senate, likely to happen in the first week of August or in early September.

Hermes Center: Indiscriminate Retention of data for 6 years (keeping updated track on all resources on the topic, in Italian 23.07.2017)

Italian Data Protection Authority: President Soro, 6 years data retention term for telephony metadata are too much (Italian 26.07.2017)

Popinga: From elevators to Massive Surveillance (In Italian 22.07.2017)

Sole24ore: 6 years as terms of data retention on all phone and internet data just approved in a directive on elevator’s safety (In Italian 21.07.2017)

Italian ISPa say new copyright amendment infringes human rights

The full text sent to the Senate:

(Contribution by Fabio Pietrosanti, EDRi observer Hermes Center, Italy)


26 Jul 2017

Norway introduces forced biometric authentication

By Electronic Frontier Norway

On 5 April 2017, the Norwegian government proposed an amendment to the Norwegian code of criminal proceedings to allow the police to compel the use of biometric authentication. After two quick debates, the Norwegian Parliament passed the proposition into law on 21 June.

Article 199 of the Norwegian code of criminal proceedings reads as follows after the change:

“When searching an electronic system the police can demand from anyone with connection to the system the necessary information to gain access to the system or open it by biometric authentication. If anyone refuses a demand for biometric authentication as proposed in the first sentence, the police may perform the authentication by force.

If anyone refuses a demand for biometric authentication as proposed in the first sentence, the police may perform the authentication by force.

The decision to use force by the second sentence is decided by the prosecutor’s office. If there is a risk that would be brought about by delaying the authentication, the decision can be made by the police on the spot. The decision shall immediately be reported to the prosecutor’s office.[…]”

The lack of specificity of an “electronic system” means this law has an extremely wide scope. We can, for example, envision that access to a personal device such as a mobile phone, which stores the access credentials to several cloud storage services, essentially gives away a more or less complete description of a person’s life. To entrust such decision to a single police officer with no due process means that an act with very far reaching consequences may be performed in a matter of seconds. EDRi member Electronic Frontier Norway (EFN) is exploring the possibility that this may violate the privacy protections afforded by Article 8 of the European Convention on Human Rights (ECHR) and the right to avoid self-incrimination afforded by Article 6.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

There is also no reference to proportionality of the use of force. Although there is no reason to suspect this would be used in a disproportionate way, the lack of such a limitation means that we don’t know how far the use force might be taken. While the use of torture is prohibited by the Norwegian constitution, such lack of specificity in an individual law risks creating a situation where an overzealous officer may deem it necessary to perform acts which are prohibited by other parts of the law. It is not obvious how the law may be applied for example when iris scanning is involved. Logically, force must be applied in close proximity to the eyeball and eye socket, which puts an individual at obvious physical risk.

It is also important to take note that the law is not limited to suspects but “anyone with connection to the system”. This means that someone with no connection to a crime may be subjected to the abovementioned uses of force.

EFN is worried about the development this and other changes to the law in the same direction represents. This law has been rushed through without proper justification, and the wording has been chosen with apparently little or no regard to proper scope.

Norwegian code of criminal proceedings (only in Norwegian)

Forced biometric authentication in Norway (26.07.2017)

(Contribution by Tom Fredrik Blenning, EDRi member Electronic Frontier Norway)



26 Jul 2017

Oversight Board report: Illegal surveillance of Danish citizens

By IT-Pol

The annual report from the Danish Intelligence Oversight Board (TET) was published on 7 July 2017. Under Danish law, TET is tasked with overseeing the data collection and data processing practices of the Danish Security and Intelligence Service (PET) and the Danish Defence and Intelligence Service (DDIS). Both intelligence services operate mostly outside European Union (EU) law because of the national security exemption in the EU Treaties.

The previous annual reports for activities in 2014 and 2015 contained substantial criticism of especially PET. In a large number of cases, PET retained personal data which was no longer necessary, and in the opinion of TET, further processing of that data was therefore unlawful. PET disagreed with this interpretation of the PET law, and the matter was referred to the Minister of Justice in May 2016. His solution was to propose an amendment of the PET law which essentially removed the requirement to erase personal data that was no longer necessary, and this amendment was swiftly adopted by the Danish Parliament in December 2016.

This year, the most interesting revelations are in the report covering the activities of DDIS, which is the foreign intelligence service. Under Danish law, DDIS can collect any information for essentially any foreign intelligence purpose, as long as the operations are abroad. DDIS can also process information about Danish citizens and foreign residents in Denmark (collectively referred to as “Danish persons”), if this occurs as incidental collection in connection with an operation that is directed against developments abroad. The only real legal restriction for DDIS is that targeted collection against Danish persons is not allowed.

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

An amendment of the DDIS law in 2015 introduced an exception to this rule: if a Danish person is believed to be travelling abroad and is suspected of involvement in terrorist activities against Denmark or Danish interests (which includes Danish allies), DDIS can obtain a court order for targeted collection against that person. The required level of suspicion is lower than in regular criminal investigations of terrorist cases by the Danish police. Association with “radicalised individuals” is mentioned in the comments of the law as sufficient grounds for DDIS to obtain a court order for targeted collection of intelligence information. This information can be shared with the Danish police and used as evidence in a criminal prosecution.

In summary, the DDIS law represents an extensive data collection regime with very few restrictions that only pertain to Danish persons. Nonetheless, TET found several cases of data protection violations by DDIS during its oversight activities in 2016.

First, TET criticised that some mass collection activities contained a disproportionately large fraction of Danish persons. Mass collection, called “raw data”, is allowed under the DDIS law as long as the mass surveillance is directed against developments abroad, and as long as DDIS does not actively search for (“target”) Danish persons in the collected raw data. However, there is an upper limit on the allowed fraction of Danish persons in the collected raw data, presumably for compliance with the “directed against developments abroad” requirement. The TET report does not say anything about the type of collection, except that it is signals intelligence, SIGINT, which generally means electronic communications. A plausible example could presumably be international telephone calls from or to Denmark, or internet traffic which terminates in Denmark, rather than transiting through Denmark.

Secondly, in a sample of searches of SIGINT raw data by DDIS analysts, TET found that 12 percent of the searches unlawfully targeted Danish persons. Specifically, in these cases, the DDIS analysts should have known beforehand that the search results would mainly contain information about Danish persons. Targeted collection against Danish persons is only allowed with a court order, which was not obtained for these searches. The total number of searches in SIGINT raw data by DDIS is not mentioned in the report, so the estimated number of Danish persons affected by these unlawful searches remains unknown.

Thirdly, TET also found irregularities in the targeted collection against Danish persons that was authorised with a court order. In 11% of the cases surveyed by TET, the targeted searches of raw data did not respect the time limitations of the court order. What this means is not entirely clear. It could simply refer to searches done before the court order was obtained or after it has expired. Alternatively, the court order for targeted collection could potentially impose time-related limits on the raw data that can be searched, for example a prohibition on searching SIGINT raw data collected before the date of the court order. In this way, the court order would only authorise future interception of the electronic communications of the target.

The unlawful searches of SIGINT raw data by DDIS highlight the massive privacy problems inherently associated with the mode of operation of defence intelligence services. Law enforcement authorities generally only intercept communications of specific persons subject to prior approval by an independent judicial authority, and the targeted interception (“collection”) is done by the electronic communications provider, typically a private company. Defence intelligence services, on the other hand, collect electronic communications of everyone on their own accord, often referred to as the “collect it all” principle. The privacy and data protection safeguards provided for by law are solely implemented as internal policy restrictions on how these massive databases of electronic communications can be searched and analysed. Independent oversight of compliance with these restrictions is difficult, at best, and the oversight relies on accurate access logging of all searches by analysts. The TET report also criticised the lack of access logging in several cases, again without providing specific details.

The public reaction in Denmark to the unlawful searches of raw data by DDIS in 2016 has been very limited so far. On the day the TET report was published, the head of DDIS gave a short interview to Danish media and explained that the unlawful searches were all done by mistake since there was no systematic pattern in the various searches. The chairwoman of TET seems to agree with this rather odd explanation, but she also told Danish media that TET would intensify the future oversight of DDIS after the discovery of the unlawful searches.

The political reaction has been even more limited than the media coverage, probably owing to the fact that most Danish politicians are on holidays in July. However, the Minister of Defence will be asked to appear before a parliamentary committee later in the year. In previous years, the reports from TET were published in May, while Parliament is still in session. It is not clear why the publication of the annual report was delayed to July in 2017. TET submitted the report to the Danish government on 16 May 2017. The government must then present the report to the intelligence committee of the Danish Parliament before the report is published. For unknown reasons, this process took almost two months in 2017, compared to 2-3 weeks in earlier years, pushing the publication of the TET report into the month of July and the political holiday period.

Homepage of the Danish Intelligence Oversight Board, annual reports (only in Danish)

EDRi: Denmark: Weakening the oversight of intelligence services (05.04.2017)

EDRi: Danish anti-terror proposal expands surveillance (11.03.2015)

Spy service on illegal searches: it happened by mistake, DR Nyheder (only in Danish, 07.07.2017)

Watchdog intensifies oversight of intelligence service after repeated breaches of law, Jyllands-Posten (only in Danish, 14.07.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



26 Jul 2017

Copyright Directive discussed in Romania


On 23 June 2017, EDRi member Asociația pentru Tehnologie și Internet (ApTI) along with The National Association of Librarians and Public Libraries of Romania (ANBPR) and the Center for Independent Journalism (CJI) organised a meeting on the topic of the proposed EU Copyright Directive. Member of the European Parliament (MEP) Victor Negrescu took part in the event.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

The event aimed at discussing the potential damage that the proposed Directive threatens to inflict on human rights and on the internet in the EU, and Europe-wide efforts to mitigate it. The two main problems of the Proposal for the Copyright Directive are the Article 11, which would introduce a “link tax”, an ancillary right for press publishers, and Article 13, which would require all EU-based online platforms that host material for their users to implement upload filters. Both measures were proposed ostensibly to protect copyright.

Mr Negrescu shed light on the driving forces behind the EU Copyright Directive:

“Sadly, this directive didn’t start from the needs of the journalists. It started from the desire of some countries, and, implicitly, of the lobbies from these countries, to hurt their large American competitors. This proposal has been created as a deliberate attack against Google, YouTube and Yahoo. And you should be aware of the fact that this is their official position. I took part in meetings with European Commission representatives who were clearly stating that this is their official objective.”

Ironically, while the European Commission claims that the proposals attack Google, the reality is different. Google never paid ancillary copyright fees in Germany or Spain (the two countries that have ancillary copyright laws) and the upload filtering proposal would simply require everyone else to do what Google/YouTube is already doing.

Mr Negrescu continued by talking about the German ancillary copyright legislation:

“In Germany, what was tried was, indeed, to force the news aggregators to pay a levy to the publishers and newspapers for the content used as snippets. But at some point, there was talk about hyperlinks as well, because hyperlinks can contain a few words from the article. What happened ? The large aggregators, Google News in particular, shut down in Germany, causing a massive fall in the number of page views for these sites. However, they introduced in the law something that ended up disrupting their plans: the possibility for the content creator to freely provide access to their content. What happened immediately afterwards was that the large publishers offered Google free access to publish links to and snippets of their content. But they didn’t offer this to Yahoo or to the German competitors. Because there were German competitors on the market. What happens now? Google News exists and it’s offering links while their competitors, which were supposed to be helped by this law, are out of business.”

The laws failed exactly in the ways its detractors were warning they would fail. Aside from that, it is very interesting to note that ancillary copyright is, in its essence, the repeal of one of the most important exceptions to copyright law: the right of quotation. Eliminating crucial copyright exceptions such as the right to quotation create an interesting situation from legal point of view: What is going to happen when you will be able to quote a book or other type of written work, but you won’t be able to quote a news article? Or when journalists will be incentivised not to quote their sources, or to link to them. Or when a politician can ask a newspaper to withdraw consent for quotation of certain articles? This goes against basic journalistic good practices and the press as a whole will suffer for it. Instead of being the savior this Directive’s advocates claimed it would be, ancillary copyright might end up being the death knell of the freedom of the European press.

The German experience should have made everybody pay attention to the dangers of the concept of having to ask permission and to pay for quoting journalistic sources. Instead, the Spanish rushed forward and made the same mistakes.

Spain didn’t add the provision about the ability to allow free access to one’s content. Spain made payments obligatory. Google pulled out of the market. Yahoo pulled out of the market. Then, a new company appeared, and it provides just an Android application on which you can access news articles:

“It’s like Google News but in a form of a paid app. It’s being talked up as a new, interesting, innovative and dynamic company, a highly successful European startup. However, behind the scenes, it’s owned by a large German corporation, Axel Springer, that, coincidentally, is the main driver behind this type of legislation in Germany, as well as in Spain and at the European level.”

Springer, a huge German company is benefiting from the chaos in Spain, while smaller Spanish companies suffer. Maybe it is just a coincidence that a major German lobby is pushing this law. Maybe it is just a coincidence that the proposal was made under the authority of the German EU Commissioner. Maybe it is just a coincidence that the proposal has support of the German Parliamentarian that has been recently awarded responsibility for negotiating an agreement on the proposal. Maybe.

When it comes to the “link tax”, introducing a set of rules, that will be easy for citizens to bypass just by using news aggregators from outside the EU would simply mean the end of the European competitors of these services. Why Europe would want to hurt its news aggregation services and its smaller publishers is difficult for many people to understand. Failing to complete the European Copyright reform in a way that considers the point of views of all stakeholders is not only going to hurt citizens, but also artists, startups and small businesses.

Pushing the European Commission’s current proposal for the Copyright Directive through the legislative process will lead into a failure of a meaningful update of the European copyright rules.

Video of the entire event (only in Romanian)

Copyright reform: Document pool

Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market (14.09.2016)

(Contribution by Matei Vasile, EDRi member ApTI, Romania)



26 Jul 2017

#ValuesGap: Commercial interests win where all others fail

By Heini Järvinen

A European Parliament Committee decided that filtering all uploads to the internet as a method to prevent terrorism and “the most harmful content” is unacceptable. However, the same Committee decided that the same policy is acceptable for restricting use, including legal use, of copyrighted material.

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

On 11 July 2017, the European Parliament Committee on Culture and Education (CULT) voted on its Opinion on European Commission’s proposal for a Copyright Directive. The Opinion adopted by the Committee proposes measures to filter all uploads to the internet to prevent the uploading of copyrighted material (including perfectly legal use of the material).

In April 2017, the same committee adopted a report on the Audiovisual Media Services Directive (AMSVD). Included in that report was a demand to prohibit the use of upload filtering for “the most harmful content”.

Indeed, the CULT Committee explicitly voted for an amendment that would even prohibit certain legal uses of copyrighted material. Proposals for increased liability of internet companies would also lead to even more restrictions of legal uses of content. The Committee have voted on stricter restrictions on legal use of copyrighted material than for illegal incitement to violence.

The highest court in the EU has already twice ruled against the use of filtering, based on the risk it poses to freedom of expression, privacy and freedom to conduct a business. Even this fact was not enough to stop the Committee from demanding illegal restrictions. According to some Parliamentarians, requiring internet companies to search for millions of individual pieces of copyrighted material is not a “general obligation to monitor” the internet. They argue that searching for millions of files is in line with the existing E-Commerce Directive, which permits an obligation to search “in a specific case”. This is also the official view of the European Commission.

The CULT vote on prohibiting upload filtering is logical and reasonable in the light of the clear danger it poses to citizens’ rights and freedoms, not least because automatic content recognition cannot understand context and because there is no evidence it would actually solve any current problems. The CULT vote in favour of upload filtering of legal uses of legal content is, on the other hand, entirely incomprehensible.

The mixed messages communicated to European citizens by the contradictions between the Committee’s positions are striking. It supports strong (entirely appropriate) restrictions on measures even when they are ostensibly to defend society. At the same time, it supports excessive, disproportionate, inappropriate restrictions on society’s freedoms when seeking to protect commercial interests. This sends a very disturbing message about the MEPs’ values.

These MEPs voted to ban upload filtering for “the most harmful content”, but in favour of upload filtering in the vote for copyright:
Svetoslav Hristov Malinov – EPP Bulgaria
Stefano Maullu – EPP Italy
Michaela Šojdrová – EPP Czech Republic
Sabine Verheyen – EPP Germany
Bogdan Andrzej Zdrojewski – EPP Poland
Milan Zver – EPP Slovenia
Giorgos Grammatikakis – S&D Greece,
Krystyna Łybacka – S&D Poland
Momchil Nekov – S&D Bulgaria
Helga Truepel – Greens Germany



26 Jul 2017

Stalking is easy with Facebook, and now even easier with Snapchat

By Guest author

We seem to get more and more accustomed to using apps that can easily track our movements. It is convenient to simply share your location with friends, instead of sending messages or calling to arrange where to meet. But are you aware of when and how you are giving the companies an insight into our whereabouts, and with that, your life? Even though it is practically impossible to completely protect yourself from location tracking if you are using a smartphone, there are ways to avoid the most obvious and intrusive ones.

The most popular location-sharing tools are provided by Facebook, Google and now Snapchat. They all provide imperfect, but still efficient and widely used features for sharing your location, which bring about the privacy concerns of location tracking.

Two options apply to location sharing – the first one is to drop a pin on a map to share your current location, and the second one is to let others follow your location in real time as you move around. Apple, Facebook, Google and Snapchat all offer these options.

Apple’s locations sharing features are integrated into Apple Maps, Messages and Find my Friends apps. Google’s location sharing tool is built into Google maps and Facebook’s is embedded into its Messenger app. They all offer options for the time limit of your location sharing – it should come with no surprise that broadcasting a live update on your location indefinitely might not be the best thing to do, if you are even vaguely concerned about your privacy. Turning off the feature when you do not need to share your location any more is a basic precaution.

The latest app to join this location-sharing crowd is Snapchat. It might also be the most controversial one, to the point when even parents and law enforcement officials raised their concerns about strangers tracking children’s locations. Snap Map shares your location by placing your avatar – a cartoon figure called Bitmoji – on a map like a pin. Others can zoom in on it to get your specific location. Even if only your friends can access your location, it is fairly common to add people you do not actually know as friends on Snapchat. This raises concerns especially because the social platform is popular among teenagers, who might not be fully aware of privacy implications of the technology that broadcasts their location.” alt=”—————————————————————–
Support our work – make a recurrent donation!
—————————————————————–” width=”600″ height=”50″ />

Snap Map is technically an opt-in app, which only takes effect after you update the app and follow the tutorial on how to use the feature. The app asks who you want to see your location – if you choose option “only me”, it activates the so-called Ghost Mode, which makes your avatar disappear from the map, while you can still see others. This feature has been described as plain creepy.

Similar to many other apps, even if you opt out from announcing your location to the world, Snapchat can still track you of course. It might be a good idea to turn off location data altogether on your phone and just take a moment to actually tell your friends where you are when necessary. That way, the number of people, private companies, and government agencies, who are given a shortcut to monitor your movements and your activities, are at least somewhat limited. It is a simple choice between incurring the entirely unnecessary privacy and security risk of being in numerous databases, any of which might suffer a data breach at any time, or choosing not to run that risk.

Parents can make sure that children are not sharing their location with specific tools and with advice. For everyone else, not broadcasting your location publicly is always a wise choice when it comes to privacy.

(Contribution by Zarja Protner, EDRi intern)



26 Jul 2017

Dutch Senate votes in favour of dragnet surveillance powers

By Bits of Freedom

On 11 July 2017, the Dutch Senate passed the bill for the new Intelligence and Security Services Act. With the Senate vote, a years-long political battle has come to an end: the secret services have been given dragnet surveillance powers.

It is beyond disappointing that a bill that faced such overwhelming opposition from experts, civil society and citizens alike has been passed. Traditionally, Senate concerns itself with the quality of legislation, compliance with the constitution and international treaties, and the question of whether citizens’ rights are upheld. The dragnet surveillance bill fails on all counts.

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

Targeted surveillance is already within the powers of the secret services. The new law additionally allows for untargeted surveillance, for the systematic and large-scale interception and analysis of citizens’ online communications. Large numbers of citizens who are not suspected of any wrongdoing can be systematically monitored.

A line has been crossed. How did we arrive at this point?

2015: The internet consultation

Following a lot of speculation, the first version of the bill was finally published in the summer 2015, as part of an internet consultation. The intention was to fully update and replace the existing law for the Dutch secret services. The proposal faced massive opposition. A record number of 1100 consultation responses was received, of which 557 were public. The majority of the responses were submitted using our online consultation tool and focused on three topics: the dragnet surveillance power, exchange with foreign services, and oversight.

Following this outcry from citizens and industry alike, a new draft of the proposal was leaked in April 2016. The bill had been updated in some areas, but in general hardly anything was done to address the feedback on these three topics. Despite changing the wording, the dragnet surveillance, newly dubbed “research-oriented interception”, remained part of the bill.

2016-2017: The bill in Parliament

On 28 October 2016, the final draft of the bill was sent to Parliament by the Minister of the Interior and Kingdom Relations, Ronald Plasterk. During a committee meeting, experts, regulators and industry voiced harsh criticism of the proposal. EDRi-member Bits of Freedom also expressed its concerns to members of Parliament and to the media. Making use of the website, citizens, on a massive scale, contacted members of Parliament.

This was all to no avail. The government had clearly closed ranks and ignored nearly all feedback. The opposition tried to improve the proposal by tabling amendments, but only a fraction of the total of 40 amendments was adopted. On 14 February 2017, it was decided: a majority in Parliament voted for the dragnet surveillance bill.

2017: The bill in Senate

The bill then reached the Senate. A number of senators raised critical questions over two rounds of correspondence. The Minister’s answers arrived speedily, but raised more questions than answers. Although the bill was again met with a lot of criticism, a majority voted in favour, and passed the flawed bill, just before midnight, faced with an imagined deadline ahead of the summer recess.

What’s next?

During the debate in the Senate, the Minister of Interior announced that the law come into effect on 1 January 2018. Together with other NGOs, Bits of Freedom is exploring the possibilities of fighting the law in court.

Dutch House of Representatives passes dragnet surveillance bill (22.02.2017)

Dutch Parliament: Safety net for democratic freedoms or sleepnet? (08.02.2017)

Dutch dragnet surveillance bill leaked (04.05.2016)

Netherlands: New proposals for dragnet surveillance underway (06.10.2015)

Dutch Minister reveals plans for dragnet surveillance (15.07.2015)

(Contribution by EDRi member Bits of Freedom; translation by Philip Westbroek)



26 Jul 2017

ENDitorial: Draconian anti-terrorism measures instil terror

By Bits of Freedom

We are becoming more and more scared. Images of terror attacks influence our daily decisions. A friend of mine gets nervous when he has to travel past an airport by train, and another friend surprised me by telling me that this year he stayed home during gay pride. Several people have told me of times when they crossed the street to avoid a nervous looking man with a Middle-Eastern appearance carrying a backpack. According to recent research by Statistics Netherlands (CBS), more than 25% percent of Dutch citizens are occasionally scared of becoming a victim of a terror attack in the Netherlands.

During the past years, a number of terrifying attacks has taken place in Western Europe. From a rational point of view, the chances of dying in such an attack are negligible: infinitesimally smaller than dying in a traffic accident. But it feels different. The apparent randomness and landmark locations like London Bridge make us feel that it might as well have been us who were the victims.

It is understandable that politicians talk tough after a terror attack, especially since the legitimacy of the government, which is tasked with taking care of its citizens, is at stake. “Enough is enough”, said Prime Minister of the United Kingdom Theresa May after the third attack on their soil within a few months. According to her, internet companies can no longer be sanctuaries for extremist content, the police must have more extensive powers, and punishments for terrorism must be made more severe. Action is being taken in the Netherlands as well. The Senate approved a bill that gives the secret services a dragnet surveillance power. In the near future, the secret services will be able to eavesdrop on large numbers of innocent citizens. These measures and the usual call for vigilance appear to be aimed at reducing the symptoms instead of solving the problems. Everyone understands that it is impossible to always be able to prevent someone from driving into a crowd. Paradoxically, these measures claim victims of their own: innocent citizens are accused of crimes they did not commit and we restrict our own liberties.

Examples abound: The hipster-members of a Swedish beard club that were contacted by the police because they, like ISIS, had a black flag. The alleged explosives in the home of a terrorism suspect that turned out to be shoarma spices. Muslims, or rather people who look like they are from the Middle East, become suspects disproportionately more frequently. Ahmed Mohamed, a 14-year-old American high school student, proudly brought a self-made clock to his school, only to be removed from school in handcuffs because his teacher thought it was a bomb. Before the flight home from their holidays in Paris, Faisal and Nazia Ali were removed from the plane because they were transpiring and had used the word “Allah”. For each of these examples mentioned in the media, there are probably many more that don’t receive any attention.

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

The recently approved dragnet surveillance powers will only increase the number of false accusations. “Data mining is probably an ineffective method for preventing terror attacks”, wrote the Dutch Scientific Council for Government Policy (WRR) in their 2016 report “Big data in a free and safe society” (“Big data in een vrije en veilige samenleving”). “Because each terror attack is unique, it is nearly impossible to create an accurate profile. Combined with the small number of attacks, this results in an unusably high error rate.”. If you don’t look Middle-Eastern, you might be able to convince yourself that it is better to be safe than sorry. However, a Norwegian philosopher Lars Svendsen demonstrated the short-sightedness of this argument already ten years ago in his book “A Philosophy of Fear”. According to Svendsen, Europe lives in a culture of fear: we believe that we are more and more often exposed to increasing danger, from epidemics to terrorism. In reality we are safer than ever, but precisely for this reason we can afford to be worried about dangers that will probably never materialise. Fear is a by-product of luxury.

Meeting each other in good faith lies at the core of human relationships. We depend on each other constantly, every day. From the train engineer getting us to work, to the restaurant employee serving our lunch. Without faith in other people our society would not function. Our permanent fear, however, undermines this faith. All new security measures have mistrust as their starting point. They undermine society and turn us into scared and isolated individuals. Caught in our fear, we have already become victims of terrorism.

Mistrust is also a self-fulfilling prophesy: if we avoid contact, we will also never learn that the other person is not dangerous. Human interactions that require trust will then be impossible, and non-standard behaviour will be tolerated less and less. Like this, we limit our own freedom and the freedom of other people.

At the end of the sixteenth century, Michel de Montaigne wrote an essay about fear. On the run from war and the plague, the French statesman clearly saw the effect fear has on people. According to Montaigne, the fact that people will hang or drown themselves as a result of fear proves that being afraid is in some cases less bearable than death. Therefore man is “most afraid of fear itself”, he writes. Words of wisdom. If we really want terrorism to claim fewer victims, we must invest less in “pseudo measures” against terrorism itself, and more in measures that tackle our fear of terrorism.

This article was originally published in Dutch at

Dutch Senate votes in favour of dragnet surveillance powers (26.07.2017)

(Contribution by Hans de Zwart, EDRi member Bits of Freedom; translation by Philip Westbroek)



26 Jul 2017

PNR: EU Court rules that draft EU/Canada air passenger data deal is unacceptable


Today, on 26 July 2017, the Court of Justice of the European Union (CJEU) confirmed that the EU/Canada deal on collection of air travellers’ data and sharing it breaches European law. This is the third time that the European Court has ruled against arrangements for mandatory storage of personal data.

This is good news for EU citizens, as the risks associated with massive and unnecessary databases of sensitive personal data are unacceptable. Blindly collecting data, hoping it will magically protect our society, is bad for security and bad for fundamental rights.

The law cannot be upheld by breaking the law

said Joe McNamee, Executive Director of European Digital Rights. “Reckless data retention and profiling have no place in a democratic, law-based society. Literally every independent body that has spoken out on the subject supports this analysis. The European Commission and EU Member States must now, at long last, take all necessary steps to abandon all illegal data retention laws and practices.”

On 25 November the European Parliament voted to refer the EU-Canada agreement on collection and storage of airline Passenger Name Records (PNR) to the CJEU. The Court ruled in 2014 that the the EU’s rules on telecoms data collection was illegal and did so again in 2016. Now the CJEU has again ruled that an EU deal on collection and sharing of personal data contravenes EU law. The purpose of PNR data collecting is the profiling of innocent individuals as possible serious criminals, despite the complete absence of evidence that this would be useful, let alone proportionate.

The European Data Protection Supervisor (EDPS), the EU’s Fundamental Rights Agency (FRA), the Article 29 Working Party of national data protection authorities, the European Parliament Research Service (EPRS) and the Meijers Committee of Experts on international migration, refugees and criminal law all explained that PNR data sharing does not respect the criteria of “necessity and proportionality” for a restriction of the fundamental right to privacy. The alleged benefits of the proposal have never been demonstrated, and the argument that it will help to prevent terrorism is not based on credible evidence.

The agreement between the EU and Canada allows for the transfer and processing of PNR data of passengers flying between the EU and Canada. This ruling should now also lead to an end to national laws transposing the EU PNR Directive, adopted in 2016.

The proposed EU/Canada PNR agreement was considered to be the least restrictive of all of the EU’s PNR agreements. To respect the ruling, the EU must now immediately suspend its deals with Australia and the United States.

CJEU: The Court declares that the agreement envisaged between the European Union and Canada on the transfer of Passenger Name Record data may not be concluded in its current form  (26.07.2017)

FAQ: Passenger Name Records (PNR)

EU-Canada agreement on PNR referred to the CJEU: What’s next? (03.12.2014)

CJEU hearing on the EU Canada PNR agreement: Still shady (06.04.2016)

The curious tale of the French prime minister, PNR and peculiar patterns (04.10.2016)

ECJ: Data retention directive contravenes European law (09.04.2014)

European Court confirms: Strict safeguards essential for data retention (19.07.2016)