Freedom of expression is one of the key benefits of the digial era. The global information society permits interaction on a scale that was previously unheard of – promoting intercultural exchange and democracy. Consequently, the protection of this freedom is central to much of EDRi’s work.
On 24 June, the European Commission published the Communication reviewing of the two years of application of the General Data Protection Regulation (GDPR) The Communication received input from the multistakeholder expert group on the application of the GDPR, of which EDRi members Access Now and Privacy International belong to. EDRi welcomes the publication of the review at a time where data protection needs to be reinforced and not only celebrated.
The GDPR is considered one of the “crown jewels” of the European legislation. However, 2 years after the Regulation entered into force, the GDPR has been increasingly receiving criticism from data protection activists (citing the lack of “teeth” of the Regulation) or, from the Big Tech side, because of accusations that GDPR stifles innovation.
What’s the GDPR Impact Assessment?
review report highlights many of the similar analysis that civil
society groups have raised during the last two years, namely:
There are not
enough joint operations or investigations for cross-border cases
which could have led to a more harmonised enforcement.
need to allocate “sufficient human, financial and technical
resources to national data protection authorities”.
“harmonised” legislation, different implementations still exist
in areas such as the age of children consent for processing data,
balancing freedom of expression and information with data protection
rights, as well as derogations from the general prohibition to
process certain categories of personal data.
not fully empowered yet, for example in the case of the right to
It is unclear
how to adapt the GDPR to “new” technologies, such as contact
tracing apps and facial recognition.
Alexa, tell me
where to go from here
EDRi welcomes the
request from the Commission’s Communication to ask for stronger
enforcement by asking DPAs and member states to ensure harmonised
enforcement, the need for adequate funding for DPAs , as well as the
creation of specific guidelines when needed. If there is no adequate
progress, we agree with the Commission that infringement procedures
to ensure that Member States comply with GDPR are an adequate tool at
GDPR was the best possible outcome we could achieve during its contemporary political scenario. Now it is the time to ensure that all the work from activists, policy makers and academics were worth their efforts. We must ensure that GDPR’s complementary legislation, the ePrivacy Regulation, is strengthened and adopted during the German Presidency of the Council of the EU.
On 25 June, EDRi sent an open letter to the CEO of IBM in response to their 8 June statement on racial equality and facial recognition in the US.
EDRi asked IBM to provide more information about what will change as a result of their commitment to end general purpose facial recognition, and whether these issues will lead to changes in IBM’s contracts and work in the EU.
In May 2020, EDRi’s 44 civil society organisations launched the first European coalition to call on the EU for a “Ban on Biometric Mass Surveillance” including public facial recognition. We agree with IBM that biometric surveillance technologies can have seriously damaging impacts on our rights and societies and have no place in a democratic society.
We are European Digital Rights (EDRi), a coalition of 44 digital rights organisations across Europe, working to protect fundamental rights in the digital environment. We read your recent statement on facial recognition with great interest and hope, and were pleased to see Amazon and Microsoft follow suit.
We, too, have been advocating for protections against the harms caused by invasive, discriminatory facial recognition and other forms of biometric mass surveillance, and are heartened to see influential companies such as IBM stepping up to take action. Our own call to action has urged the EU to ban biometric mass surveillance, and our members are working at a national level to increase awareness and drive positive changes to protect people from the threats of surveillance.
We would greatly appreciate the opportunity for a dialogue between IBM and EDRi to better understand the specific actions that you will be taking to act upon your recent commitments. It would be very powerful if we could show IBM as an example for other companies.
We will make this letter and your response public, and therefore would like to ask for your written reply by 10 July. We would also like to suggest a call to discuss the details of our questions in the meantime.
In particular, we are seeking insight into the following:
Which existing contracts will be stopped/cancelled as a result of IBM’s new position?
Which applications specifically will IBM stop developing and selling in response to the new position? Are there other applications that IBM would consider within the remit of this position, but which have already been stopped? When and why were they stopped?
What are the features of the applications that will be stopped?
Does IBM have government contracts at the moment that fall into these categories in the United States and elsewhere? Which governments are IBM’s business partners for facial (or other biometric) recognition, analysis or processing software products?
In the statement, IBM states that it opposes use of technology “mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency.” Are these values and principles reinforced in IBM’s contracts with clients/customers or in a human rights policy or statement? How is compliance with these values and Principles ensured?
What are IBM’s structures, policies and processes to meet and demonstrate human rights compliance? Does IBM conduct human rights impact assessments or human rights due diligence on its products, in particular taking into account privacy concerns? Which stakeholders are included in IBM’s analyses?
Was the recent statement developed in conjunction with human rights experts, and are any human rights experts supporting IBM with its implementation? Did IBM consult communities most impacted by use of its technology?
In the statement, IBM speaks of “general purpose” technology. How do you define this, and does this mean that IBM anticipates that there will be exceptions? How are exceptions being justified, given the similarly violatory nature of both general purpose and specific purpose tools?
Also linked to the “general purpose”, what specific purposes would IBM not support with your technology and by what criteria? What specific purposes would IBM therefore support?
In the statement, IBM refers to “IBM facial recognition and software analysis”. Does IBM continue to (re)sell general purpose software from others?
In the statement, IBM talks about “domestic law enforcement agencies”. What about military, border police, intelligence, security services etc?
IBM places the statement in the context of federal policing, national policy and other US-specific areas. Is IBM taking action outside of the US context, recognising that such technologies are equally harmful in the EU and other regions?
Will IBM apply the commitments in this statement to other areas of business or technologies such as smart city and smart policing projects?
Around 2 billion people in 60 countries are able to use the internet securely and without risks of being surveilled or censored. And all of this, thanks to the work done by a non-profit called Open Tech Fund (OTF) for only 15 million dollars a year. However, all of this may be over soon.
WTF is OTF?
OTF is an independent non-profit grantee of the United States Agency for Global Media (USAGM). OTF has supported crucial projects such as the security technology behind encryption in WhatsApp and Signal, discovering software vulnerabilities and creating censorship circumvention technologies that enable us to communicate securely. These secure technologies, although important for everyone, are obviously even more important for those who are at risk, such as human rights defenders, independent journalists, and individuals subject to censorship.
According to Save Internet Freedom Tech, there is a real risks (derived from corporate lobbying) that the new leadership at USAGM will “seek to dismantle OTF and re-allocate all of its US government funding to support a narrow set of anti-censorship tools without a transparent and open review process”. An open letter calling to ensure the work of OTF is open for signatories.
sovereignty: a critical resilience strategy in Europe
For most of the critical infrastructures and services we use everyday, public funding is essential. As renown economist Mariana Mazzucato explains the Internet itself, GPS, the touchscreen display in your device, as well as the voice-activated personal assistant (Siri) are all a result of public funding. Same is the case for Google’s algorithm, that was funded by the National Science Foundation.
The European Union has taken some positive steps in this direction recently, especially with the FOSSA pilot project and the Next Generation Internet initiative. The threats on OTF, whether they materialise or not, should be a wake-up call for a European Commission that has set “digital sovereignty” as one of the key goals for the current term. If digital sovereignty means something, it means building the infrastructures, helping to create services, funding research and supporting critical civil society that make Europe resilient towards the security risks that an increasingly interconnected environment with growing remote work that a post-pandemic society will need. If with a very humble budget of 15 million dollars OTF could do all of that, what could we the EU do with a similar, or increased, budget? If digital sovereignty is to be a serious goal and not a buzz word, we need to direct resources to make that happen, sooner than later.
In EDRi’s series on COVID-19, COVIDTech, we explore the critical principles for protecting fundamental rights while curtailing the spread of the virus, as outlined in the EDRi network’s statement on the pandemic. Each post in this series tackles a specific issue at the intersection of digital rights and the global pandemic in order to explore broader questions about how to protect fundamental rights in a time of crisis. In our statement, we emphasised the principle that states must “defend freedom of expression and information”. In this fifth post of the series, we take a look at the issue of drone surveillance in Greece, and the legal provisions that has allowed it to emerge.
The COVID-19 pandemic has given rise to conventional and unconventional technologies deployed by public authorities across the EU to combat its spread. Some of these technologies have raised serious concerns as regards privacy and data protection of individuals. The use of drones for surveillance purposes is one of such technologies.
In October 2019, Greek law-makers reformed, via the Presidential Decree 98/2019, the applicable rules on police drones. The new legislation allows for the Hellenic Police to broadly use drones in policing and border management activities. We must bear in mind that before the adoption of these new provisions, the Hellenic Police could not deploy drones for such activities. Instead, police drones were allowed to be used in activities such as the prevention of forest fires or in search & rescue activities in the event of a natural disaster or in the aftermath of an accident.
few months after the adoption of these new rules, in spring 2020, the
Hellenic Police already managed to use them to their full extent, in
order to ensure compliance with the lockdown measures against
A brief assessment of the new legal rules on police drones
Decree 98/2019 consists of only one (!) paragraph and provides that
the police may use drones to facilitate air support to policing,
surveillance and transmission of information to ground police forces.
This information may regard various police duties, such as:
and combating crime”,
illegal migration in border regions”, and
order and traffic”.
cases are described in the law rather vaguely, which, in addition to
the broad scope of the duties itself, leaves a wide interpretation
the hands of
the police for the cases they may employ drones and the information
they may collect and share. ThePresidential
Decree does not specify, for example, that drones could be used only
to fight serious crime subject to prior judicial authorisation. Thus,
the new rules allow for an indiscriminate and blanket use of drones
for any kind of policing and border management activities, opening
the way for drone operations even for petty theft crimes without any
Moreover, it is highly possible that during drone operations, images and video footage of identifiable individuals will be captured. Given the indiscriminate permission of the use of drones, the state surveillance in public spaces is likely to increase and create a serious interference with human rights such as privacy, data protection, freedom of expression and freedom of assembly. Thus, such a use could lead to a massive increase in the capabilities for omnipresent state surveillance, and catalyse human rights abuse.
Additionally, the applicable European and national data protection legislation shall be in force when personal data are processed and form part of a filing system or are intended to form part of a filing system. However, the Presidential Decree 98/2019 does not provide any details regarding data processing activities related to the use of drones. Moreover, it does not provide any safeguards or specific control mechanisms protecting against the abusive use of drones by the Hellenic Police (such as the retention period of the data collected, information to be made available to the data subjects, records of processing activities, logging, designation of a data protection officer, etc.). Finally, articles 27-28 of the Law Enforcement Directive and articles 65 & 67 of the Greek Law 4624/2019 foresee that the Hellenic Police shall, prior to any processing activities that use new technologies, consult the Hellenic DPA and carry out a data protection impact assessment. However, the Presidential Decree omits any reference to such obligations.
The use of drones during the COVID-19 lockdown measures
In April 2020, numerous news media reported that the Hellenic Police would deploy drones during the Easter holidays to ensure compliance with the lockdown measures against COVID-19. In addition to this, in April 2020 the Hellenic Deputy Minister of Citizen Protection, Mr. Oikonomou, confirmed that the Hellenic Police aimed to deploy drones during the Easter holidays in order to ensure compliance with the movement restriction measures related to COVID-19. These drones were used in urban areas, such as Athens and Thessaloniki, aiming at monitoring population’s movement.
In April 2020 Homo Digitalis filed an official query with the Ministry of Citizen Protection requesting more information about this deployment and notified the Hellenic DPA on this regard. The reply to this query is still pending. Moreover, Homo Digitalis published a related report analysing in depth all the aforementioned legal issues and highlighting the serious risks that arise from the deployment of drones by the Hellenic Police.
On 18 June, the French Constitutional Council, the constitutional authority in France, declared the main provisions of the “Avia law” unconstitutional. France’s legislation on hate speech was adopted in May despite being severely criticised from nearly all sides: the European Commission, the Czech Republic, digital rights organisations and LBGTQI+, feminist and antiracist organisations. Opposed to the main measures throughout the legislative process, the French Senate brought the law before the Constitutional Council as soon as it was adopted.
Court’s ruling represents a major victory for digital freedoms, not
only for French people, but potentially for all Europeans. In past
years, France has been championing its law enforcement model for the
fight against (potentially) illegal online content at the European
Union (EU) level, especially in the framework of the Terrorist
Content Regulation, currently in hard-nosed negotiations. The setback
received after the Constitutional Court’s decision will likely
re-shuffle the cards in the current and future European content
Avia law is “not necessary, appropriate and proportionate”
decision, the Constitutional Council held that certain provisions
infringe “on freedom of speech and communication, and are not
necessary, appropriate and proportionate to the aim pursued”.
Looking at the details of the ruling, the following legal measures in
the law that were used to strike down seemingly illegal content were
quashed by the Court:
sort of “notice-and-action” system by which any user can
flag “manifestly illegal” content (among a long pre-set list of
offenses) and the notified online service provider is required to
remove it within 24 hours,
reduction of the intermediary’s deadline to remove illegal terrorist
content and child sexual abuse material to one hour after the
receipt of a notification by an administrative authority.
the best-efforts obligations linked to the unconstitutional removal
measures above such as transparency obligations (in terms of access
to redress mechanisms and content moderation practices, including
the number of removed content, the rate of wrong takedowns,…)
power given to the Conseil supérieur de l’audiovisuel (ie.
French High Audiovisual Council) with an oversight mandate to
monitor the implementation of those best-efforts obligations.
The Court’s decision will have a decisive impact on the European negotiations on the draft Regulation against the dissemination of terrorist content online. The European Commission hastily published the draft legislation under pressure from France and Germany in 2018 looking towards a quick adoption to serve the Commission’s electoral communication strategy. However, since the trilogues started, the European Parliament and the Council of Member States have been facing a persistent deadlock regarding the proposal’s main measures.
this context, the
Constitutional Council’s ruling
comes as a massive blow in the
Commission’s and France’s
In particular, France
has been pushing to expand
the definition of what constitutes a “competent authority”
(institutions with legal
authority to make content determinations)
under the Regulation
administrative (aka law
law enforcement agents
would be allowed to issue
orders to remove or disable
access to illegal terrorist content within an hour. The
declared this type of measure as a clear breach of the French
Constitution, pointing out the lack of judiciary involvement in the
decision to determine
whether a specific content published is illegal or not,
and the incentives (in the
form of strict deadlines and
heavy sanctions) to over
zealously block perfectly
legal speech. It
draws similar conclusions for the legal arrangements that address
potential hate speech.
general, the Council
underlines that only the
removal of manifestly illegal
content can be ordered
without a judge’s prior
that a certain piece of
content is manifestly
illegal requires a minimum of analysis, which
is impossible in such a
short time frame.
Inevitably, this decision
weakens the pro-censorship hardliners’ position in European
Ahead of the Digital Services Act, a legislative package which will update the EU rules governing online service providers’ responsibilities, the European legislators should pay particular attention to this ruling to guarantee the respect of fundamental rights. EDRi and its members will continue to monitor the development of these files and engage with the institutions in the upcoming period.
After a massive leak of the voter’s list showing the voting preferences, addresses, phones and dates of birth of a majority of the Maltese population, EDRi member noyb.eu will assist the Daphne Foundation and Repubblika in their class action and file complaints about the data breach in various EU Member States.
Colossal privacy violations of voters’ data
At the end of March 2020, independent Maltese media reported that a database containing 337,384 records of Maltese voters’ personal information had been freely accessible online for at least a year. The data did not only include the fields available in the published electoral register but also included mobile and fixed telephone numbers, dates of birth, polling booth and polling box numbers, and a numerical identifier indicating an individual’s political affiliation.
How could this happen?
Maltese voters are enrolled in the Maltese electoral register, which is maintained by the Electoral Commission – a body set up by the Maltese Constitution and whose role it is to maintain the register and organise local, national and European Parliament elections. Around the end of March it was discovered that, C-Planet IT Solutions, an IT company connected to the Labour Party to have stored a copy of the electoral register in an open directory, which was indexed by Google. The database was unprotected and accessible to anyone with a web browser, reported the Times of Malta.
Data protection and democracy
After the Cambridge Analytica scandal, everyone understands the fundamental role of data protection in a democracy, especially when the data at stake includes political opinions. As a principle, the GDPR prohibits the processing of data revealing political opinions. What is even more worrying is the total lack of protection of these data which were publicly accessible by everyone.
In a democracy, we cannot accept the processing of political data spiraling out of control. Political parties in particular should not be using voters’ information for purposes other than what the law permits them to do. Could you imagine your political preferences being used to deny you access to a public service or an employment opportunity?
Romain ROBERT, data protection lawyer at noyb.
Civil society in Malta reacts.
Against this context, two NGOs – the Daphne Foundation and Repubblika –have teamed up and organised a platform that allows citizens affected by this data breach to sue C-Planet IT Solutions Limited and any other entity involved. An investigation has been launched by the Maltese DPA, but the class action targets civil damages, including moral damages. The Daphne Caruana Galizia Foundation set up a tool that allows everyone to check what information was collected on them. They invite everyone wanting to join the collective action to visit the FAQ. Also, if you want to join a complaint filed by noyb outside Malta, please contact them at firstname.lastname@example.org.
Last year, the South African parliament adopted a progressive new copyright bill that would have drastically improved access to educational materials, introduced a fair use exception, implemented the Marrakesh treaty for the benefit of people who are blind or print disabled, and strengthened the negotiating positions of authors and performers in their negotiations with publishers. On Friday, the South African President decided to send the bill back to Parliament, citing constitutional concerns1. While civil society had waited for over one year for the President to sign the bill into law, entertainment industry associations IFPI, MPA and others had lobbied foreign governments to intervene in South Africa’s democratic process and compel the President to refer the bill back to Parliament – apparently with success.
The role of the United States (US) in trying to get South Africa to abandon the reform has been a matter of public record ever since the US Trade Representative started an investigation late last year that could have led to South Africa losing trade benefits when importing goods to the US. But details of the EU Commission’s intervention on behalf of the entertainment industry have only become known in recent days, following a freedom of information request to DG Trade2.
According to the documents, entertainment industry groups approached DG Trade in 2019 with the initial idea that the European Commission should send a “demarche”, a letter submitted by the EU Ambassador to South Africa “to the highest levels of the South African government” in order “to eliminate the negative impact that the Bills would have on the creators they aim to support”. Actual creators’ associations, meanwhile, had no problems with the bill and wrote to DG Trade shortly thereafter, urging them to let the South African copyright reform go ahead, which would drastically improve the position of the original authors and performers vis-à-vis their much more powerful international publishers. In their letter, they pointed out that “performers and other creative workers in South Africa have been subsidizing the industry for far too long. The overwhelming majority live a very precarious life.”
income inequality in South Africa is the highest in the world and the
publishing industry caters mostly to the wealthy – majority white –
elite in the country. The copyright bill tries to address this income
inequality on several fronts, by allowing the copying of textbooks
that are not offered at affordable prices, and by improving the
negotiating position of, majority low income and majority Black,
authors and performers. The contractual protections proposed in the
South African copyright bill are not unlike those included in the
2019 EU copyright Directive.
Despite the authors’ and performers’ explicit support for the bill, the European Commission decided to follow the entertainment industry’s call for intervention. On 20 March 2020, a month after a lobby meeting between DG Trade and representatives of the MPA and IFPI, the EU Ambassador to South Africa sent a letter to the South African President, urging him not to sign the copyright bill into law. The letter contains thinly veiled threats that European businesses would pull investments from South Africa should the copyright law go ahead, although DG Trade’s interactions that led to sending the letter were primarily with US-based entertainment companies such as the Hollywood studios organized in MPA. In other words, the European Commission was intervening on behalf of US entertainment companies to deny Black South African authors and performers the same contractual rights that it recently granted European authors. Despite its claims towards the South African government that it was “consulting widely”, the internal documents show that the European Commission did not consult with European civil society at all. If civil society had been consulted, the European Commission would know that there is broad support for the introduction of fair use and the rapid implementation of the Marrakesh treaty.
European Commission’s intervention in South Africa’s democratic
process is not just worrying from corporate
lobbying perspective. It also highlights
the extreme hypocrisy in its international copyright policy. In
negotiations on international copyright treaties, the Commission has
long been opposed to any global standards on copyright exceptions.
Even in the case of the Marrakesh treaty, designed to provide access
to knowledge for the blind, the EU had to be dragged to the
negotiating table kicking and screaming. It has rebuffed recent
initiatives to draft a treaty for global exceptions for libraries and
educational institutions, arguing that the cultural differences
between countries are too significant to have a one-size-fits-all
approach and that countries should be free to adopt the copyright
exceptions that fit their specific circumstances. South Africa was
trying to do just that – to introduce fair use provisions and
educational exceptions specific to the post-Apartheid democracy that
is still struggling with huge income inequality and structural
The European Commission’s hypocrisy in intervening to bring this reform to a halt is perhaps only surpassed by that of the US government, which is denying another country the same fair use provision that has supported the US economy for decades. While we may not expect any better from the US government, we should hold the European Commission to a higher standard. This is why EDRi is calling upon the European Parliament’s Trade committee to put the issue on the agenda and question the Commission about its aggressive lobbying on behalf of the entertainment industry. EDRi is also preparing a letter to Trade Commissioner Hogan to bring accountability to the European Commission’s international copyright policies.
In EDRi’s series on COVID-19, COVIDTech, we explore the critical principles for protecting fundamental rights while curtailing the spread of the virus, as outlined in the EDRi network’s statement on the pandemic. Each post in this series tackles a specific issue at the intersection of digital rights and the global pandemic in order to explore broader questions about how to protect fundamental rights in a time of crisis. In our statement, we emphasised the principle that states must “defend freedom of expression and information”. In this fourth post of the series, we take a look at the issue of immunity passports, their technological appeal and their potentially sinister consequences on social inequality and fundamental rights
The dangerous allure of science fiction
Early in the
coronavirus outbreak, pandemic guilty-pleasure film, Contagion,
skyrocketed to the top of streaming sites’ most watched lists. One
of the film’s most interesting plot points (mild spoiler alert) is
the suggestion of a simple form of immunity passport. Wristbands for
people who have been vaccinated are presented as an obvious solution
– and why wouldn’t they be? Various forms of immunity passport
are a compelling idea. It sounds as if they could allow us to get
back to a more normal life. But the reality is not as clear-cut as in
the movies, and the threats to how we live our lives – in
particular, the people that could be most harmed by such schemes –
mean that we must be incredibly cautious. Consequently, as it
stands now, the lack of evidence, combined with the size of
the threat that these schemes pose to fundamental rights and
freedoms, reveal that – digital or otherwise –
immunity passports must not be rolled out.
Immunity passports – science fact says “no”
In the last few weeks, “digital immunity passports”, certificates, apps, and other similar ideas have become prominent in discussions about how to exit from global lockdowns, with proposals popping up in Germany, Italy, Colombia, Argentina and the US to name a few. It is a legitimate policy goal to help people find safe ways to exist in this “new normal”. Yet these proposals are all founded on the dangerous fallacy that we know and understand what coronavirus “immunity” looks like.
The WHO have been clear in their assessment that there is “currently no evidence” for immunity, and that such schemes may in fact incentivise risky behaviour. Medical journal The Lancet adds that such proposals are “impractical, but also pose considerable equitable and legal concerns even if such limitations [due to our lack of knowledge about immunity] are rectified.” And science journal Nature warns that immunity passports can actually harm public health. If public health experts are warning against immunity passports – even once we know more about COVID-19 immunity – then why are governments and private actors still pushing them as a silver bullet?
Like with controversial tracking and contact tracing apps, there are a host of privacy and data protection concerns when such schemes become “digital”. Individual health data is very sensitive, as is data about our locations and interactions. As it is often with private companies that are aggressively pushing proposals (hello TransferWise and Bolt in Estonia), there are serious concerns about transparency, accountability, and who really benefits. EDRi has warned that public health tools should be open for public scrutiny, and limited in scope, purpose and time. With private companies rushing to profit from this crisis, can we be confident that this will happen? The lessons learned from digital identification programmes suggests we have reasons to be very sceptical.
A new generation of “haves” and “have nots”
The crux of the problem with immunity passports is that they will likely be used to decide who is and who is not allowed to participate in public life: who can go to work – and therefore earn money to support themselves and their family; who can go to school; and even who can stay in hotels. By essence, these “passports” could decide who can and who cannot exercise their fundamental rights.
Biometric surveillance and the risks of hyper-connected data
In a wider sense, digital immunity passports – especially those linked to people’s sensitive biometric data – are part of a growing mass surveillance infrastructure which can watch, analyse and control people across time and place. Such systems rely on holding mass databases on people (which in itself comes with big risks of hacking and unauthorised sharing) and are damaging to the very core of people’s rights to dignity, privacy and bodily integrity. The combining of health data with biometric data further increases the ability of states and private actors to build up highly detailed, intrusive and intimate records of people. This can, in turn, have a chilling effect on freedom of expression and assembly by disincentivising people from joining protests, suppressing political opposition, and putting human rights defenders and journalists at risk. As Panoptykon Foundation have explained, such systems are ripe for abuse by governments looking to control people’s freedoms.
Discrimination and unequal impacts creating a segregated society
It is foreseeable that the introduction of immunity passports will have unequal and disproportionate impacts upon those that already face the highest levels of poverty, exclusion and discrimination in society. Those with the smallest safety nets, such as people in precarious and low-waged jobs, will be the ones who are least able to stay at home. The pressure to be allowed outside – and the impacts of not being allowed to do so – will therefore be unequally distributed. We know that some people are more at risk if they do contract the virus: those with underlying health conditions, older people and in the UK,black people. This inequality of who suffers the most will replicate the already unequal distribution in our societies. And if immunity passports are administered digitally, then those without access to a device will be automatically excluded. This stratification of society by biological and health characteristics, as well as access to tech, is dangerous and authoritarian.
Digital immunity passports are no longer the preserve of science fiction. There is a very real risk that these schemes are putting innovation and appearance over public health, in a move often called “technosolutionism”. Digital and biometric immunity passports not only threaten the integrity of our sensitive bodily and health data, but create a stratified society where those who can afford to prove their immunity will have access to spaces and services that the remainder will not– de facto becoming second class citizens. The New York Times calls this “immunoprivilege”.
When the time comes that we have solid scientific evidence about immunity, it will be up to public health officials to work out how this can translate into certification, and for data protection and privacy authorities and experts to help guide governments to ensure that any measures strictly respect and promote fundamental rights and freedoms. Until then, let’s rather focus on improving our national health systems, ensuring that research goes into preventing this and future pandemics (despite the push-back from Big Pharma) and that we build a new society free of virus such as COVID-19 and surveillance capitalism.
Would you like your local government to judge you by your Facebook activity? In a recent study, we investigated how local authorities (Councils) in Great Britain are looking at social media accounts as part of their investigation tactics on issues such as benefits, debt recovery, fraud, environmental investigations, and children’s social care.
Social media platforms are a vast trove of information about individuals and collectives, including their personal preferences, political and religious views, physical and mental health and the identity of their friends and families. Social media monitoring or social media intelligence (SOCMINT) are the techniques and technologies that allow the monitoring and gathering of information on social media platforms such as Facebook and Twitter.
Life-changing decisions could be made on the basis of this intelligence but yet no quality check on the effectiveness of this form of surveillance is in place as of now. This has particular consequences and a disproportionate negative impact on certain individuals and communities.
significant number of local authorities are now using ‘overt’
social media monitoring as part of their intelligence gathering and
investigation activities. This substantially out-paces the use of
‘covert’ social media monitoring
you don’t have good privacy settings, your data is fair game for
overt social media monitoring.
is no quality check on the effectiveness of this form of
surveillance on decision making.
social media profile could be used by a local
without your knowledge or awareness, in a wide variety of their
functions; predominantly intelligence gathering and investigations.
The UK Surveillance Commissioner’s Guidance defines overt social media monitoring as looking at ‘open source’ data, that is, publicly available data, and data where privacy settings are available but not applied. This may include: “List of other users with whom an individual shares a connection (friends/followers); Users’ public posts: audio, images, video content, messages; “likes”, shared posts and events”. According to the Guidance, “[r]epetitive examination/monitoring of public posts as part of an investigation” constitutes instead ‘covert’ monitoring and “must be subject to assessment.”
Who is being targeted?
Everyone is potentially targeted as at some point in our lives we all interact with local authorities as we go through some of the processes listed above. The difference, however, is that we all are affected differently.
As in many other instances when it comes to the digitalisation and use of new technologies, those belonging to already marginalised and precarious groups and who are already subject to additional monitoring and surveillance, are once again experiencing the brunt of such practices.
There are particular groups of the populations which are being impacted dramatically by the use of such techniques because they are dependent and subject to the functions of local authorities such as individuals receiving social assistance/welfare as well as migrants.
We have seen similar developments in the migration sector where for immigration enforcement purposes governments are resorting to social media intelligence. Some of these activities are undertaken directly by government themselves but in some instances, governments are calling on companies to provide them with the tools and/or know-how to undertake these sort of activities.
How to protect those most vulnerable
As local authorities in Great Britain and elsewhere seize on the opportunity to use this treasure trove of information about individuals, use of social media by local authorities is set to rise and in the future we are likely to see more sophisticated tools used to analyse this data, automate decision-making, generate profiles and assumptions.
The collection and processing of personal data obtained from social media as part of local authority investigations and intelligence gathering, must be strictly necessary and proportionate to make a fair assessment of an individual. There needs to be effective oversight over the use of social media monitoring, both overt and covert, to ensure that particular groups of people are not disproportionately affected, and where violations of guidance and policies do occur, they are effectively investigated and sanctioned.
It is urgent to ensure that the necessary and adequate safeguards are in place to protect those in the most vulnerable and precarious positions where such information could lead to tragic life altering decisions such as the denial of welfare support.
we urge local authorities to:
Refrain from using social media monitoring, and avoid it entirely where they do not have a clear, publicly accessible policy regulating this activity
Local authorities should use social media monitoring only if and when in compliance with their legal obligations, including data protection and human rights.
Every time a local authority employee views a social media platform, this is recorded in an internal log including, but not limited to, the following information:
Date/time of viewing, including duration of viewing of a single page
Reason/justification for viewing and/or relevance to internal investigation
Information obtained from social platform
Why it was considered that the viewing was necessary
Pages saved and where saved to
Local authorities should develop internal policies creating audit mechanisms, including:
The availability of a designated staff member to address queries regarding the prospective use of social media monitoring, as well as her/his contact details;
A designated officer to review the internal log at regular intervals, with the power to issue internal recommendations
Whilst we may post publicly, we don’t expect local authorities to look at our photos and screenshot our thoughts, and use this without our knowledge to make decisions that could have serious consequences on our life.
The growing intrusion by government authorities’ – without a public and parliamentary debate – also risks impacting what people say online, leading to self-censorship, with the potential deleterious effect on free speech. We may have nothing to hide, but if we know our local authority is looking at our social media accounts, we are likely to self-censor.
Social media platforms should not be reframed as spaces for the state to freely gather information about us and treat people as suspects.
This article was originally published by Metamorphosis in Global Voices.
Scammers using fake Forbes articles and anti-EU disinformation as bait continue to target Facebook users across Europe, the EDRi member Metamorphosis Foundation has warned.
The Skopje-based Metamorphosis Foundation is a civil society
organisation from North Macedonia promoting digital rights and media
Its monitoring of social networks has revealed that scammers
continue to use Facebook advertisements masked as links to articles
from the respectable Forbes.com, continuing disinformation trends
involving not only China, but also European Union members like
On 19 May, the Ministry of Interior Affairs of North Macedonia warned citizens that scammers use social networks and e-mail to distribute links misrepresented as articles from Forbes.com to promote the purchase of a supposed new Chinese cryptocurrency.
Citizens who click on the links and provide personal data to the
scammers are then targeted by phone calls persuading them to start
‘investing’ by paying installments of $250 dollars.
Other manipulation techniques are then deployed to make users
increase the fee.
The anti cyber-crime unit of the Macedonian police claimed the malicious links lead to a website hosted in Ukraine, allegedly run by a Russian citizen in a manner similar to the debunked OneCoin Ponzi scheme run by Bulgarian fraudster Ruja Ignatova, which inflicted damage worldwide of over $4 billion.
Data publicly provided by Facebook about the geographic reach of
the advertisements promoting these links suggest they go far beyond
the borders of North Macedonia, activists warn.
Manipulative ads help scammers gather
personal data from victims
Metamorphosis identified several similar ads that are active on social networks. Users who click on these ads are redirected to addresses such as this one instead of pages on the Forbes.com website.
Bardhyl Jashari, Executive Director of Metamorphosis, explained:
“Misleading advertisements continue to target social network users
across the world. Using the public data provided by Facebook about
the ads targeting the audience based in North Macedonia as a starting
point, the Metamorphosis team revealed that the same ads are served
in almost all European countries, as well as countries in the Middle
East. Scammers use pages about culture, even about cookies (the
edible ones), to launch ads that lead the users to web pages and
blogs that look almost the same as the ones the Macedonian police
This dangerous trend also touches upon another of Metamorphosis’ areas of involvement. Since its founding in 2004, Metamorphosis has been working on promoting serving and promoting child safety online.
Jashari also noted:
“A very worrisome development is that these organised
crime networks also use pages aimed at children and teenagers to
camouflage their malicious content. For instance a page branded as
community for the popular game MineCraft (titled Minecraft) had been
running ads that continue to disseminate disinformation about Sweden,
aimed at users in Russia, Austria, Belgium, but also in Singapore,
Qatar and United Arab Emirates, and dozens of other countries.”
Users clicking on these ads are taken to a page providing an incentive for them to leave their personal data. In the case of Sweden this was disguised as a discount coupon.
While MineCraft has a huge adult following, it is a particularly
popular game among children aged between 9 and 11. This practice
helps condition future audiences particularly susceptible to both
disinformation and scamming.
What is Metamorphosis
doing to combat these tactics?
In November 2019, Metamorphosis’ Critical Thinking for Media-wise Citizens (CriThink) project warned that scammers benefit from established disinformation narratives about Sweden.
Sponsored Facebook posts lure people who had been previously primed through right-wing populist propaganda media networks based in North Macedonia to believe media manipulations about unrest in the country and the European Union (EU), originally published by pro-Kremlin media.
In the same manner, these articles promoted fake news that Sweden
has introduced a cryptocurrency opposing the Euro.
To launch these geo-targeted ads, scammers used a series of pages
with general interest topics, including some branded as unofficial
fan clubs of Western celebrities like actors Liam Neeson and Anthony
CriThink, which is an initiative supported by the EU Delegation in
North Macedonia, educated local social media users on how to use the
transparency features of Facebook pages used by the scammers, in
order to flag and report the suspicious pages using the mechanisms
provided by the platform.
In order to boost citizen engagement in raising media literacy
levels, CriThink articles related to social networks provide
instructions on how users can use reporting features to alert
administrators about harmful content, ranging from hate speech to
Several weeks later, in December 2019, Facebook informed some of its users who participated in the online action that they had removed the ads reported as scams.