privacy

The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

20 Sep 2017

Should video-sharing platforms be part of the AVMSD?

By Maryant Fernández Pérez

The Audiovisual Media Services Directive (AVMSD) is currently being reformed. After going through several legislative stages, the AVMSD is now being negotiated in trilogues, that is, informal, secret negotiations between the European Parliament (representing citizens) and the Council (representing EU Member States), facilitated by the European Commission (representing EU interests). As part of the negotiations, a key question will have to be addressed: should some or all video-sharing platforms be covered by the AVMSD and, if so, how?

On the one hand, there are demands for holding video-sharing platforms like YouTube responsible for content (including legal content) that is published on their sites or apps because of the impact online content has on the public debate and our democracies. On the other hand, these platforms are not producing or publishing content, but only hosting it. The AVMSD covering platforms that are so radically different from those that the Regulation was originally created to regulate – cross-border satellite TV services – would not make sense, as EDRi’s position paper, published on 14 September 2017, argues.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

Video-sharing platforms, and social media generally, are not traditional media. While their activities influence (and even manipulate) the population, regulating video-sharing platforms as traditional media is not the solution to undesired impacts on our societies. When two services – linear broadcasting of editorially-controlled content and non-linear hosting of content produced by others – are significantly different, achieving a level playing field through a “one-fits-all” approach is not always possible. The consequences of getting it wrong can have a damaging effect on freedom of expression, competition, the fight against illegal material online and the protection of children in the online environment. At the Council meeting, seven Member States made unusually impassioned pleas to reject the proposed approach, mainly on grounds of freedom of expression. For these reasons, the deletion of the provisions that extend the scope of the AVMSD would be the most rational option, as the EDRi’s position paper suggests.

Failing deletion, EDRi recommends to clarify the definition of what constitutes “video-sharing platforms” and “user-generated content”. In addition, EDRi’s position paper asks for more predictability when asking companies to take action, to avoid abuses, ensure predictability and defend freedom of expression. For instance, some proposals on the table in the trilogue negotiations ask video-sharing platforms to restrict incitement to hatred based on political opinions or “any other opinions”. Asking platforms to delete hate speech based on “any other opinions” is likely to lead to arbitrary restrictions, and affect how we express ourselves online. Another reason to be cautious is that certain provisions would ask these companies to have a “self-regulatory” role in the “moral” development of children. Do we really want companies to decide what is good for the “moral” development of our kids?

Fighting against illegal hate speech, terrorism and child abuse is very important. However, asking companies, to decide what should be acceptable or not in our society is worrisome. Numerous examples demonstrate that content is being restricted in video-sharing and social media platforms without accountability or real redress. Creating a situation where video-sharing platforms are forced to regulate more of our communications and give themselves more leeway to decide on what content we can access or not, despite what the law deems to be illegal, will not be beneficial for the EU.

EDRi position on AVMSD trilogue negotiations (14.09.2017)
https://edri.org/files/AVMSD/edriposition_trilogues_20170914.pdf

ENDitorial: AVMSD – the “legislation without friends” Directive? (14.06.2017)
https://edri.org/avmsd-the-legislation-without-friends-directive/

Audiovisual Media Services Directive reform: Document pool
https://edri.org/avmsd-reform-document-pool/

(Contribution by Maryant Fernández Pérez, EDRi)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
06 Sep 2017

Denmark: Targeted ANPR data retention turned into mass surveillance

By IT-Pol

Since mid 2016, Denmark has a nationwide automatic number plate recognition (ANPR) system with stationary cameras at 24 locations and mobile cameras mounted on 48 police cars. The ANPR system is currently being integrated with POL-INTEL, the new Danish system for intelligence-led policing (predictive policing), which is supplied by Palantir Technologies. Expansion of the ANPR system with more cameras can be expected in the coming years.

Preparations for the ANPR system started in 2014. Besides the public tender and subsequent deployment of the ANPR equipment, a legal framework for using ANPR was also put in place. The Ministry of Justice decided in 2015 that it was sufficient to lay down rules for processing ANPR information in an administrative order. This meant that surveillance with ANPR was introduced in Denmark without ever being debated in the Parliament.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The legal framework for ANPR makes a distinction between hits and no-hits when a number plate of a vehicle is scanned by the ANPR equipment. Hits are number plates on the police hotlist – that is vehicles which are wanted by the police for reasons ranging from unpaid insurance, mandatory inspections skipped by the owner, vehicles reported stolen, to suspected involvement in criminal activities. Vehicles registered in the Schengen Information System (under Council Decision 2007/533/JHA) by other EU Member States for discreet checks (Article 36) or sought for purposes of seizure (Article 38) can also be put on the hotlist. No-hits are number plates with no match on the hotlist.

The ANPR system is designed to serve a dual purpose. If a police car with mobile ANPR equipment encounters a vehicle on the hotlist, the police officers get a signal from the ANPR device, so that they can decide whether to pursue the vehicle or not. This part of the ANPR system is actively promoted by the Minister of Justice and the Danish National Police as a huge help for police officers on the road. The second purpose of the ANPR system, which is rarely mentioned in public by the same authorities, is the passive retention of number plates encountered by either mobile ANPR in police cars or the stationary ANPR cameras. The location, timestamp, and a picture of the vehicle, which may include the driver and passengers, is also stored in the central ANPR database.

Retention periods for ANPR hits range from three months to two years, depending on the reason for being on the hotlist. If a vehicle is on the hotlist because of unpaid insurance or skipped mandatory inspections, the mobile ANPR equipment can be used to stop the vehicle and confiscate the number plates. Retention of location information in cases like this is neither necessary nor proportionate since any further processing of the ANPR data will be totally unrelated to the reasons for putting the vehicle on the hotlist.

However, the main controversy has been around the retention of no-hits, that is vehicles that are not even wanted for minor offences such as driving without insurance. The original plan of the Danish National Police was to retain all no-hits for 30 days and use this information for backward-looking investigations, such as using data mining (profiling) to determine persons of interest based on their proximity to the time and place where a crime was committed. The Danish Data Protection Agency (DPA) objected to the proposal to retain all ANPR no-hits. In an Opinion of 17 March 2015, the DPA concluded that blanket retention of all no-hits was not legal, and that retention of no-hits could only be done under certain conditions, for example in connection with targeted surveillance at the border.

Due to the opinion of the Danish DPA, the ANPR administrative order of December 2015 provides that no-hits can be retained for up to 30 days only if the no-hit is registered in connection with a targeted police operation, which must be limited in time and geographic area. These conditions bear some resemblance to paragraph 59 of the judgment on the Data Retention Directive (joined cases C-293/12 and C-594/12) by the Court of Justice of the European Union (CJEU) in April 2014. Accordingly, only targeted data retention, and not blanket data retention, is allowed for the Danish ANPR system. Unfortunately, the administrative order does not give any guidance as to how a limited time period and a limited geographic area should be interpreted, except that this will be specified in internal guidelines by the Danish National Police.

During the summer 2017, it was revealed through freedom of information (FOI) requests that most no-hits were actually retained in the ANPR system. Specifically, the Danish National Police decided in November 2016 that all 24 locations with stationary ANPR cameras are part of targeted police operations running until the end of 2017. This decision paved the way for retaining all no-hits from the stationary ANPR cameras for 30 days. No-hits from the mobile ANPR equipment are not covered by this decision, and hence not necessarily retained on a general basis for 30 days, but the mobile cameras account for less than 10% of the scanned number plates.

The FOI request further revealed that 830 000 no-hits are retained every day, and that the ratio between retained no-hits and hits is 90:1. The Danish National Police has repeatedly denied FOI requests for documents showing the location of the stationary ANPR cameras, but since the cameras are very visible in the landscape, their location has been mapped by activists. The unofficial map at the website www.anpg.dk shows that roughly half of the ANPR cameras are placed at border crossings (all intra-Schengen borders), whereas the other half covers major traffic intersections. The map indicates a strategic positioning of the stationary ANPR cameras in areas where lots of vehicles are encountered every day.

In essence, the ANPR system has become a tool for mass surveillance since 99% of the retained number plates are not of any interest to the police when the location of the vehicle is stored in the central database. The justification for storing no-hits is subsequent processing for unknown purposes and that the data may be useful for the police. Moreover, the opinion of the Danish DPA, that no-hits can only be processed in the ANPR system under certain conditions rather than generally as the police wanted initially, and the targeted data retention regime prescribed by the ANPR administrative order, have been completely subverted by the decision of the Danish National Police to include all stationary ANPR cameras all the time in “targeted” police operations where no-hits can be retained for 30 days.

After the story was reported in Danish news media, the police confirmed that all no-hits from the stationary ANPR cameras are retained. In a later interview with Dagbladet Information, the Danish National Police called the criticism misguided. The retention of no-hits is geographically limited to the locations where the police has decided to put up stationary ANPR cameras. Even though there are cameras throughout Denmark, as seen on the unofficial map, not every road in Denmark is covered by ANPR, and in that sense, only a limited geographic area is subject to surveillance. According to the police, the requirement of “a limited time period” is satisfied by putting an end date on the targeted police operation allowing no-hits to be retained. This end date can, however, be extended with a later decision by the police.

On 13 August 2017, EDRi member IT-Pol Denmark and Bitbureauet filed a complaint with the Danish DPA about the retention practices for ANPR no-hits. The complaint is currently being investigated by the DPA.

EDRi: New legal framework for predictive policing in Denmark (22.02.2017)
https://edri.org/new-legal-framework-for-predictive-policing-in-denmark/

EDRi: Denmark about to implement a nationwide ANPR system (02.07.2014)
https://edri.org/denmark-implement-nationwide-anpr-system/

Unofficial map with the location of Danish ANPR cameras
https://anpg.dk/

Danish car owners subject to extensive surveillance even though they are not suspected of anything, Dagbladet Information (only in Danish, 25.07.2017)
https://www.information.dk/indland/2017/07/danskere-bil-udsat-omfattende-overvaagning-politiet-mistaenkt

Complaint to the Danish Data Protection Agency about retention practices for ANPR no-hits (only in Danish, 13.08.2017)
https://itpol.dk/sites/itpol.dk/files/anpg-klage.pdf

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
01 Aug 2017

Italy plans to extend telecoms data retention and increase censorship powers

By Hermes Center

On 19 July 2017, the Chamber of Deputies of the Italian Parliament approved two amendments to existing laws. One of the amendments aims at extending telecommunications data retention to six years, while the other gives Agcom, the communications regulator, powers to order takedown and blocking of online content without judicial oversight.

Data retention in Italy is governed by Art. 132 of the Privacy Law – 24 months for phone communications metadata, 12 months for Internet metadata, 30 days unanswered phone calls. The amendment will extend the retention period for all categories of the above data to six years.

The Data Retention Amendment (Art. 12-Ter of DDL 4505-A) was written by Walter Verini (Democratic Party, PD), and Giuseppe Berretta (Democratic Party, PD) as an amendment to a law that regulates the safety of lifts, which led to many members of Parliament (MPs) voting it without even reading the amendment. Later, several MPs issued public statements of regret, admitting their mistake.

After the public criticism, one of the co-signatories of the Data Retention Amendment, Ms Mara Mucci (Mixed Group) acknowledged that she had not really realised the sensitivity of the issue and that she is now available to foster a wider debate to change the law in the Senate.

Antonello Soro, the President of the Italian Data Protection Authority, condemned Mr Verini’s amendment arguing that it does not clearly guarantee the principles of proportionality as defined by the EU regulatory framework and the rulings of the Court of Justice of the European Union (CJEU) – there have been two separate CJEU rulings against indiscriminate telecommunications data retention.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The Italian Association of Internet Providers (AIIP) also criticised the Data Retention amendment as too broad and as being in contradiction with EU case law. It also criticised the fact that the amendment was introduced without involving the key stakeholders impacted by the bill for contribution and opinions.

With regard to the “Takedown Power” amendment, currently in Italy only a court order can mandate Internet Service Providers (ISPs) to takedown a website or restrict access to specific content, by IP address or domain name. Under the new law, an administrative authority Agcom will be given the power do so without any kind of judicial oversight.

The Takedown Power Amendment (Amendment n. 1022 published in Annex A of parliamentary sitting 19/07/2017) sparkled an immediate reaction again by AIIP, which sharply criticised it due to the excessive powers it gives to the Agcom.

The amendment further gives Agcom the mandate to issue a technical regulation that will define the requirements for the implementation of permanent blocking infrastructure to be implemented by ISPs, de-facto requiring the deployments of Deep Packet Inspection system.

These amendments have been approved by the Chamber of Deputies of the Italian Parliament in the context of the process to implement European Union legislation, “Disposizioni per l’adempimento degli obblighi derivanti dall’appartenenza dell’Italia all’Unione europea — Legge europea 2017 (DDL 4505-A)”.

The two amendments had a total amount of parliamentary debate of less than 2 minutes (video).

The Law, including the two amendments, still has to be approved by the Senate, likely to happen in early September.

Indiscriminate Retention of data for 6 years – keeping updated track on all resources on the topic (only in Italian 23.07.2017)
https://www.hermescenter.org/conservazione-indiscriminata-dei-dati-per-6-anni/

Data retention: President Soro, 6 years data retention term for telephony metadata are too much (only in Italian, 26.07.2017)
http://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/6651715

From elevators to Massive Surveillance (only in Italian, 22.07.2017)
https://popinga.it/dalla-sicurezza-degli-ascensori-alla-sorveglianza-di-massa-4eac2144c6d7

6 years as terms of data retention on all phone and internet data just approved in a directive on elevator’s safety (only in Italian, 21.07.2017)
http://fulviosarzana.nova100.ilsole24ore.com/2017/07/21/6-anni-e-il-termine-di-conservazione-dei-dati-telefonici-e-telematici-di-tutti-i-cittadini-appena-approvato-alla-camera-in-una-direttiva-sugli-ascensori/

Italian ISPs say new copyright amendment infringes human rights (28.07.2017)
https://torrentfreak.com/italian-isps-say-new-copyright-amendment-infringes-human-rights-170728/

The full text sent to the Senate
http://www.senato.it/service/PDF/PDFServer/BGT/01036793.pdf

(Contribution by Fabio Pietrosanti, EDRi observer Hermes Center, Italy)

Twitter_tweet_and_follow_banner

close
26 Jul 2017

Oversight Board report: Illegal surveillance of Danish citizens

By IT-Pol

The annual report from the Danish Intelligence Oversight Board (TET) was published on 7 July 2017. Under Danish law, TET is tasked with overseeing the data collection and data processing practices of the Danish Security and Intelligence Service (PET) and the Danish Defence and Intelligence Service (DDIS). Both intelligence services operate mostly outside European Union (EU) law because of the national security exemption in the EU Treaties.

The previous annual reports for activities in 2014 and 2015 contained substantial criticism of especially PET. In a large number of cases, PET retained personal data which was no longer necessary, and in the opinion of TET, further processing of that data was therefore unlawful. PET disagreed with this interpretation of the PET law, and the matter was referred to the Minister of Justice in May 2016. His solution was to propose an amendment of the PET law which essentially removed the requirement to erase personal data that was no longer necessary, and this amendment was swiftly adopted by the Danish Parliament in December 2016.

This year, the most interesting revelations are in the report covering the activities of DDIS, which is the foreign intelligence service. Under Danish law, DDIS can collect any information for essentially any foreign intelligence purpose, as long as the operations are abroad. DDIS can also process information about Danish citizens and foreign residents in Denmark (collectively referred to as “Danish persons”), if this occurs as incidental collection in connection with an operation that is directed against developments abroad. The only real legal restriction for DDIS is that targeted collection against Danish persons is not allowed.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

An amendment of the DDIS law in 2015 introduced an exception to this rule: if a Danish person is believed to be travelling abroad and is suspected of involvement in terrorist activities against Denmark or Danish interests (which includes Danish allies), DDIS can obtain a court order for targeted collection against that person. The required level of suspicion is lower than in regular criminal investigations of terrorist cases by the Danish police. Association with “radicalised individuals” is mentioned in the comments of the law as sufficient grounds for DDIS to obtain a court order for targeted collection of intelligence information. This information can be shared with the Danish police and used as evidence in a criminal prosecution.

In summary, the DDIS law represents an extensive data collection regime with very few restrictions that only pertain to Danish persons. Nonetheless, TET found several cases of data protection violations by DDIS during its oversight activities in 2016.

First, TET criticised that some mass collection activities contained a disproportionately large fraction of Danish persons. Mass collection, called “raw data”, is allowed under the DDIS law as long as the mass surveillance is directed against developments abroad, and as long as DDIS does not actively search for (“target”) Danish persons in the collected raw data. However, there is an upper limit on the allowed fraction of Danish persons in the collected raw data, presumably for compliance with the “directed against developments abroad” requirement. The TET report does not say anything about the type of collection, except that it is signals intelligence, SIGINT, which generally means electronic communications. A plausible example could presumably be international telephone calls from or to Denmark, or internet traffic which terminates in Denmark, rather than transiting through Denmark.

Secondly, in a sample of searches of SIGINT raw data by DDIS analysts, TET found that 12 percent of the searches unlawfully targeted Danish persons. Specifically, in these cases, the DDIS analysts should have known beforehand that the search results would mainly contain information about Danish persons. Targeted collection against Danish persons is only allowed with a court order, which was not obtained for these searches. The total number of searches in SIGINT raw data by DDIS is not mentioned in the report, so the estimated number of Danish persons affected by these unlawful searches remains unknown.

Thirdly, TET also found irregularities in the targeted collection against Danish persons that was authorised with a court order. In 11% of the cases surveyed by TET, the targeted searches of raw data did not respect the time limitations of the court order. What this means is not entirely clear. It could simply refer to searches done before the court order was obtained or after it has expired. Alternatively, the court order for targeted collection could potentially impose time-related limits on the raw data that can be searched, for example a prohibition on searching SIGINT raw data collected before the date of the court order. In this way, the court order would only authorise future interception of the electronic communications of the target.

The unlawful searches of SIGINT raw data by DDIS highlight the massive privacy problems inherently associated with the mode of operation of defence intelligence services. Law enforcement authorities generally only intercept communications of specific persons subject to prior approval by an independent judicial authority, and the targeted interception (“collection”) is done by the electronic communications provider, typically a private company. Defence intelligence services, on the other hand, collect electronic communications of everyone on their own accord, often referred to as the “collect it all” principle. The privacy and data protection safeguards provided for by law are solely implemented as internal policy restrictions on how these massive databases of electronic communications can be searched and analysed. Independent oversight of compliance with these restrictions is difficult, at best, and the oversight relies on accurate access logging of all searches by analysts. The TET report also criticised the lack of access logging in several cases, again without providing specific details.

The public reaction in Denmark to the unlawful searches of raw data by DDIS in 2016 has been very limited so far. On the day the TET report was published, the head of DDIS gave a short interview to Danish media and explained that the unlawful searches were all done by mistake since there was no systematic pattern in the various searches. The chairwoman of TET seems to agree with this rather odd explanation, but she also told Danish media that TET would intensify the future oversight of DDIS after the discovery of the unlawful searches.

The political reaction has been even more limited than the media coverage, probably owing to the fact that most Danish politicians are on holidays in July. However, the Minister of Defence will be asked to appear before a parliamentary committee later in the year. In previous years, the reports from TET were published in May, while Parliament is still in session. It is not clear why the publication of the annual report was delayed to July in 2017. TET submitted the report to the Danish government on 16 May 2017. The government must then present the report to the intelligence committee of the Danish Parliament before the report is published. For unknown reasons, this process took almost two months in 2017, compared to 2-3 weeks in earlier years, pushing the publication of the TET report into the month of July and the political holiday period.

Homepage of the Danish Intelligence Oversight Board, annual reports (only in Danish)
http://www.tet.dk/en/

EDRi: Denmark: Weakening the oversight of intelligence services (05.04.2017)
https://edri.org/denmark-weakening-the-oversight-of-intelligence-services/

EDRi: Danish anti-terror proposal expands surveillance (11.03.2015)
https://edri.org/danish-antiterror-proposal-expands-surveillance/

Spy service on illegal searches: it happened by mistake, DR Nyheder (only in Danish, 07.07.2017)
http://www.dr.dk/nyheder/indland/spiontjeneste-om-ulovlige-soegninger-der-er-tale-om-fejl

Watchdog intensifies oversight of intelligence service after repeated breaches of law, Jyllands-Posten (only in Danish, 14.07.2017)
http://jyllands-posten.dk/indland/ECE9725723/vagthund-intensiverer-kontrol-med-efterretningstjeneste-efter-gentagne-lovbrud/

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
28 Jun 2017

An end to copyright blackmail letters in Finland?

By Heini Järvinen

On 12 June, the Finnish Market Court ruled in a case Copyright Management Services Ltd vs. DNA Oyj that Internet Service Providers (ISPs) are not obliged to hand out the personal data of their clients based only on the suspicion of limited use of peer-to-peer networks. Stronger proof of significant copyright infringements need to be presented in order to obtain the data.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

Law firms have been sending letters to demand payments as damages for distribution of copyright-protected contents, and to threaten the people suspected of copyright infringement with legal proceedings. The ruling will put an end to this practice.

The Finnish Market Court has previously interpreted even the distribution of minor amounts of data in peer-to-peer networks as a “significant copyright infringement”. However, thanks to the case law of the Court of Justice of the European Union (CJEU), the court has now changed its interpretation. The CJEU has emphasised in its recent rulings that when evaluating the significance of the infringement, the concrete harm caused by the distribution done through a single IP address has to be taken into account.

The compensation claim brought to the court was based on approximately a thousand observations of cases in which films had been made available in BitTorrent peer-to-peer network. The court did not consider these cases to constitute a “significant amount”, because it was not possible to draw conclusions on the repetitiveness, duration, number of distributed works, and the concrete impact on other peer-to-peer users.

The seven judges decided unanimously to refuse obligation for the ISPs to hand out their clients’ personal data. Another important aspect of the decision was that the burden of proof for a “significant copyright infringement” was considered to be on the plaintiff, not the defendant.

On the other hand, on 14 June 2017, the Market Court gave its decision in a case Copyright Management Services Ltd vs. Elisa Oyj, another Finnish ISP. The court stated in its decision that the ISP is obliged to retain its clients’ data for the purpose of releasing it later. The decision, however, emphasised that the purpose of retaining the data is not to grant the plaintiff the access to it, but to avoid the loss of the data until the possible release. This requirement to store consumer data is hard to reconcile with two Court of Justice of the EU rulings prohibiting suspicionless retention of communications data (the Digital Rights Ireland case and the Tele2 ruling) and one explaining the requirement to have a specific law when imposing restrictions such as data retention (the Bonnier Audio case).

Finnish Parliament argued over the copyright initiative (21.05.2014)
https://edri.org/finnish-parliament-argued-over-the-copyright-initiative/

Finland: Common Sense in Copyright Law (24.04.2013)
https://edri.org/edrigramnumber11-8finland-copyright-blackout/

Finnish Big Brother Award goes to intrusive loyalty card programme (07.09.2017)
https://edri.org/finnish-big-brother-award-goes-intrusive-loyalty-card-programme/

Copyright letters facing headwinds – Market Court changed its line (only in Finnish, 12.06.2017)
https://www.turre.com/markkinaoikeus-muutti-linjaansa-tekijanoikeuskirjeista/

Farewell to the blackmail letters? Market Court decision makes it more difficult to claim compensation from peer to peer users (only in Finnish, 15.06.2017)
http://www.hs.fi/talous/art-2000005256360.html

Lawyers are sending blackmail letters to ask for compensation for downloading TV series and movies – “It’s useless to ask a lawyer about moral” (only in Finnish,19.01.2017)
http://www.hs.fi/talous/art-2000005052577.html

(Contribution by Heini Järvinen, EDRi)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
28 Jun 2017

Denmark allows massive retention of location data for mobile internet

By IT-Pol

On 24 May 2017, the Danish telecom regulator announced its decision concluding that the retention of location data for mobile internet usage is lawful. With the decision, the regulator allowed for massive data retention, which seriously undermines citizens’ right to privacy, since it means they can be tracked at all times and the data is being stored.

Under the Danish data retention law, mobile communications service providers must retain location data (cell ID) for telephone calls and SMS/MMS messages. There is no requirement to retain location data in connection with mobile internet usage. Smartphones generate internet traffic more or less constantly even when the device is not actively used, for example with updates from social media services. Therefore, a formal obligation or informal practice to retain location data for internet traffic effectively means that every movement in physical space of the citizen is registered and stored for a long period (12 months in Denmark).

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

The e-Privacy Directive 2002/58 only allows for providers of electronic communication services to retain traffic data, including location data, without consent from the subscriber if the data is required for billing or if there is a data retention requirement in national law. Location data for mobile internet traffic is not needed for billing, and there is no specific data retention requirement for this data in Denmark. The logical assumption would be that Danish mobile operators are not allowed to retain this information, even if they wanted to do so voluntarily for commercial reasons. However, in a somewhat surprising decision of 24 May 2017, the Danish telecom regulator concluded that the retention of location data for internet traffic is lawful.

A Danish citizen discovered, through a subject access request under the Data Protection Act, that his mobile operator retained a substantial amount of location data for internet traffic. In February 2016, this citizen filed a complaint with the Danish Business Authority, the telecom regulator responsible for the enforcement of the data protection rules of the e-Privacy Directive.

In its response to the complaint case, the mobile communications service provider TDC confirmed that location data is stored for so-called “state changes” in the network, which include start/end of an internet session, after 60 minutes of an uninterrupted session, after a certain volume of traffic, and when changing between different radio technologies (2G, 3G and 4G). TDC argued that this practice is necessary in order to comply with the data retention requirement for MMS traffic where the cell ID of sent and received messages must be retained. In the TDC mobile network, MMS messages are sent as data traffic, and the MMS traffic cannot be separated from the ordinary internet traffic. The cell IDs for internet traffic are retained based on pre-defined criteria related to data and network usage patterns, so the actual cell ID used when sending or receiving an MMS message is not directly available.

When law enforcement seeks access to communications metadata for a subscriber, TDC will match timestamps for MMS messages with the closest timestamp for the retained cell IDs for internet traffic in order to generate approximate cell IDs for MMS traffic. Law enforcement can also seek access to the full location data for internet traffic. Under Danish law (the Administration of Justice Act), law enforcement access to mobile location data, even if detailed in a way that it effectively records every movement of the citizen, is not restricted to investigation and prosecution of serious crime. Any offence that is subject to public prosecution is a legal ground for access to location data by the police. TDC was asked by the Danish Business Authority whether it would be possible to crosslink the cell IDs with MMS traffic immediately after collection and erase the records which are not related to MMS traffic. TDC responded that this procedure would compromise the data quality since the original location data (described as “raw data”) is no longer available.

The Danish Business Authority also asked the Ministry of Justice for an opinion on the interpretation of the Danish data retention rules. According to the Ministry of Justice, the obligation to retain location data (cell ID) for MMS traffic applies even if the mobile network is designed so that location data for other traffic types will have to be retained as well. This broad interpretation is hard to reconcile with data retention being an exception to the main rule in the e-Privacy Directive of erasure of traffic data. The Danish data retention law includes a provision similar to Article 1(1) and recital 13 of the now annulled Data Retention Directive 2006/24. The Directive limited the retention requirement to traffic data that is accessible (generated or processed) when supplying a communication service. In the present case, it could certainly be argued that location data for the MMS communication service is not accessible for the provider, especially as the procedure followed by TDC does not necessarily deliver the actual cell ID from which an MMS message is sent or received.

Based on the information received from TDC and the Ministry of Justice, the Danish Business Authority decided that the retention of location data for internet traffic by TDC is not in violation of the Danish law transposing the e-Privacy Directive. Retaining this data can be allowed, since there is a retention requirement for MMS traffic, and it would be disproportionate to require that TDC modifies its systems so that MMS and internet traffic are physically separated in the mobile network. In this regard, the Danish Business Authority accepted the argument from TDC that erasing the internet location records not related to MMS traffic – most likely all but a small fraction of the total set of location data – would compromise the traffic data that can be made available to law enforcement. The legal basis for this part of the decision seems somewhat questionable since the data retention law has no provisions on data quality or documentation for the retained data. All retained traffic data is presumably filtered or processed from a larger pool of traffic data that only exists temporarily in the network.

In the proportionality assessment of the decision, the Danish Business Authority also took into account that a revision of the Danish data retention rules is being planned, and that the Ministry of Justice intends to propose new requirements to retain location data for internet traffic. The decision mentions a pre-draft proposal for retention of location data for internet traffic which coincidentally is very close to what TDC is currently doing on the company’s own accord. However, this preliminary proposal by the Ministry of Justice for blanket retention of location data for internet traffic predates the Tele2 judgment of 21 December 2016, where the Court of Justice of the European Union (CJEU) clearly ruled that a blanket data retention requirement is illegal under European Union law. In March 2017, the Ministry of Justice accepted that the Danish data retention law would have to be changed as a consequence of the CJEU judgment. While a targeted data retention scheme could potentially include new requirements with location data for internet traffic, the overall setup would have to be distinctly different from the current practices of TDC which are based on retention of location data for all subscribers.

Decision by the Danish Business Authority on the processing and storage of mobile location data by TDC (only in Danish, 24.05.2017)
https://erhvervsstyrelsen.dk/sites/default/files/media/tdc_as_behandling_og_opbevaring_af_lokaliseringsdata_vedroerende_mobildatatrafik.pdf

EDRi: Denmark: Our data retention law is illegal, but we keep it for now (08.03.2017)
https://edri.org/denmark-our-data-retention-law-is-illegal-but-we-keep-it-for-now/

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
31 May 2017

EU discusses future of data retention: “Indiscriminate retention no longer possible”

By Guest author

This is a translation of an article originally written by Anna Biselli on netzpolitik.org. Translation: Anna Biselli, Kirsten Fiedler.

The German government is maintaining its unswerving commitment to make communications data retention obligatory from July 2017 onwards. Meanwhile, different EU level groups and institutions are discussing if or how data retention measures are compatible with EU law. The reason for this is a ruling of the European Court of Justice (CJEU) in December 2016. It ruled the implementation of data retention in Sweden and the UK to be contrary to EU law, following its decision to invalidate the former EU Directive in 2014. According to the ruling, a “general and indiscriminate” retention is impossible – be it at the EU or the national level. The retention of communications data (who communicates, when, with whom and where) would only be permitted if there is a connection between the data and a specific purpose. Furthermore, data can only be retained for a specific time period and/or geographical area and/or a group of persons likely to be involved in a serious crime.

Photo: Luis Marina

In January 2017, the EU’s interior ministers tried to find a solution to make data retention measures compatible with these restrictions. Then, in February, the Legal Service of the Council of the EU delivered an assessment of the ruling’s consequences on national data retention schemes and how traffic data can be used for law enforcement in the future. The Legal Service concluded that Member States can still retain data for the protection of national security or law enforcement after Article 15 of the current e-Privacy directive.

General and indiscriminate retention obligation no longer possible

This conclusion is included in the version that is publicly accessible. However, two relevant paragraphs of the Legal Service’s assessment are missing and only available in the classified version published by netzpolitik.org. The Legal Service states unambiguously

[…] that a general and indiscriminate retention obligation for crime prevention and other security reasons would no more be possible at national level than it is at EU level, since it would violate just as much the fundamental requirements as demonstrated by the Court’s insistence in two judgements delivered in Grand Chamber.

This means national laws for indiscriminate data retention will no longer be possible. The Legal Service also points out that the Commission’s proposal for a new e-Privacy Regulation would still allow providers to retain communications data for billing reasons.

Currently, a Council working group, the Working Party on Information Exchange and Data Protection (DAPIX), is working on an evaluation – according to their agenda for 10 April 2017 published by netzpolitik.org. One of the questions discussed was: “What kind of measures could satisfy the Court’s criteria on access to data to meet the requirement of limiting the intervention of competent authorities to what is ‘strictly necessary and justified within a democratic society’?”

The working group wants to discuss which limitation factors could be considered regarding the geographical region and the time period of data retention and how independent oversight, demanded by the CJEU, could be implemented.

No analysis from the EU Commission yet

The Council of the EU is not the only institution discussing the future of data retention at EU level. Following the CJEU ruling in December 2016, the EU Commission asked the Member States to submit descriptions of the current situation in their countries. But according to a summary by the German Permanent Representation of a meeting of the Coordinating Committee in the area of police and judicial cooperation in criminal matters (CATS), the Commission was unable to indicate a date when their analysis would be ready and when it could issue specific guidelines on how to proceed further.

In 2015, EDRi contacted the Commission after the initial CJEU ruling and asked to investigate the data retention laws in EU Member States which appeared to be illegal. But, at that time, the Commission did not act and stated in a meeting with EDRi representatives that the CJEU ruling was too ambiguous to allow it to take legal action against specific Member States. This argument is hardly tenable after the second ruling.

Member States do not want to abandon illegal data retention practices

According to the German Permanent Representation’s summary, Slovenia and Austria assume that the only possibility for legal data retention would be the “quick freeze” method. According to this method, communications traffic data is not retained preventively but only after a judicial warrant. Usually, providers delete data in a timely manner, but if they receive a warrant they would “freeze” this data to make it available for law enforcement purposes.

The document highlights that most Member States do not want to abstain from data retention and now try to find a solution that cannot be instantly declared invalid by a court again. The options currently discussed are “quick freeze” and data retention through the back door.

German solo run

Germany did not wait for the consultations at EU level to introduce preventive and indiscriminate data retention. The German government is ignoring the fact that all indicators suggest that the German text is incompatible with EU law. The German implementation neither contains a time or geographical references, links to to serious crime nor does it limit the number of persons affected – which is why the Research Services of the German Bundestag already concluded that it is in violation of EU law.

Nevertheless, the German government claims that the law is constitutional and in line with EU law. This is rather puzzling because it also states that the assessment of the consequences of the CJEU ruling was not completed in February. And it still isn’t completed today – one month before the start of the retention obligation for providers in Germany.

Despite all concerns, the German Minister of the Interior Thomas de Maizière demanded to expand data retention to online messaging services and other media services. However, this is unlikely to happen during the remaining legislative term. The will to continue indiscriminate and patently illegal data retention appears to be strong both at the German and the EU levels.

Twitter_tweet_and_follow_banner

close
08 Mar 2017

Is Telefónica offering real transparency and control?

By EDRi

Our data is extremely precious for technology companies. Internet and telecommunications services host and process huge amounts of personal data of their clients, based on often vague and confusing terms of service. The clients are rarely properly informed on what their data are being used for.

On 27 February, at the Mobile World Congress (MWC), Spanish telecommunications service provider Telefónica presented its project AURA, which it hopes to use to grab its share of data. AURA is an app that gives Telefónica’s clients “the possibility of managing their relationship with the company based on cognitive intelligence”. It processes personal data of the telecoms service provider’s clients and creates profiles of them. According to Telefónica, its clients will be able to access their data through the AURA app to check it and to decide whether they want to give a permission to share it with other internet giants.

The fact that clients can access their data and consult on it is something positive. However, according to the Spanish data protection law, we should also be able to demand that such data is not being processed at all without our consent.

As a telecommunications service provider, Telefónica collects data on its clients’ bills, messages and calls, payments, and so on. It also has access to the data of the masts to which clients’ devices connect when they are using their mobile (thereby producing location data), which web pages and services they visit and for how long, how many and what devices are connected to their router, and in some cases also which TV channels they are watching, and which series and movies they prefer. By processing the collected data with the artificial intelligence it has developed in collaboration with Microsoft, Telefónica can build profiles of its clients. By combining and analysing this data, it can create completely new data and draw new conclusions on its clients’ potential and probable behaviour.

Telefónica claims that its clients have the power to choose whether to share their data with third parties or not. It is yet to be seen how it will ask for this consent: in a clear and transparent manner, or pushing aggressively to accept the terms under which the data is shared, in exchange for attractive features or services. There is also a huge difference between sharing and having access to raw data and having access to the outputs of the analysis of that data.

Telefónica tries to, naturally, highlight the benefits of AURA. However, much will depend on the real choices being offered to individuals, the transparency that will be provided to them and control that can be exercised by them.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

Aura: Telefónica process and trade with your data while proclaims itself “warden” of your personal information
https://xnet-x.net/aura-telefonica-procesa-negocia-tus-datos/

Telefónica presents AURA, a pioneering way in the industry to interact with customers based on cognitive intelligence
https://www.telefonica.com/es/web/press-office/-/telefonica-presents-aura-a-pioneering-way-in-the-industry-to-interact-with-customers-based-on-cognitive-intelligence

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
08 Mar 2017

Denmark: Our data retention law is illegal, but we keep it for now

By Guest author

On 2 March 2017, the Danish Minister of Justice appeared before the Legal Affairs Committee of the Danish Parliament to answer questions about the implications of the Tele2 data retention ruling (joined cases C-203/15 and C-698/15) from the Court of Justice of the European Union (CJEU).

In his statement to the committee, the Minister started by noting that the Danish government is still analysing the consequences of the judgment, but two conclusions are clear. First, EU law precludes a general and undifferentiated data retention scheme covering all subscribers. Secondly, EU law does not preclude a targeted data retention scheme for the purpose of fighting serious crime. The Minister of Justice then noted that the Danish data retention law covers all subscribers, similar to the data retention laws in the other Member States that currently have data retention. The unavoidable implication of this is that the current Danish data retention law does not comply with EU law, which the Minister of Justice admitted before the committee.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

It is definitely noteworthy that this conclusion comes from the Danish Ministry of Justice after two months of undoubtedly very intensive internal analysis of the Tele2 judgment and presumably consultations with other Member States. In June 2014, there was also a meeting in the Legal Affairs Committee of the Danish Parliament, two months after the CJEU ruled on 8 April 2014 that the Data Retention Directive (2006/24/EC) was invalid. However, at that meeting, the Minister of Justice was able to get away with presenting a legal analysis with a very narrow interpretation of the 2014 CJEU judgment that allowed the minister to conclude that there was no reason to assume that the Danish data retention law was in conflict with the Charter of Fundamental Rights. At the committee meeting on 2 March 2017, no doubt about the interpretation of the new Tele2 judgment was possible: blanket data retention is illegal in the European Union.

In this situation, a country committed to the rule of law would take immediate steps to repeal the illegal legislation. In Denmark, this can be done very easily, since the Danish data retention law authorises the Minister of Justice to lay down the specific data retention requirements in an administrative order. A simple executive decision by the Minister of Justice, repealing the illegal data retention administrative order (”logningsbekendtgørelsen”), would suffice to uphold the rule of law in Denmark.

However, this will not happen in the immediate future. Despite being unable – twice – to convince the Court of Justice of the EU of this, the Minister of Justice still argues that data retention is simply too valuable for the Danish police. Therefore, the current blanket data retention will simply continue without any change until new rules for targeted data retention have been fully implemented. The Minister of Justice claims that the EU Commission has not made any demands to the Danish government to repeal the current (illegal) data retention rules.

The projected timeline for the future process is somewhat unclear, although the next parliamentary year was mentioned tentatively at the meeting. Currently, the Danish government is consulting with the other Member States and the EU Commission on interpreting the Tele2 ruling and in particular how targeted data retention should be defined. Another requirement for the Minister of Justice is that the targeted data retention scheme is technically feasible for the telecommunications operators, and consultations with the telecommunications industry on this are ongoing. When a technically feasible targeted data retention plan is available, the Minister of Justice will present a legislative proposal to the Danish Parliament, which eventually will lead to replacing the illegal data retention scheme with a new, hopefully legal, scheme.

The Minister of Justice made it clear that the future targeted data retention rules will even include the extensions for internet traffic that were planned under blanket data retention until just prior to the Tele2 judgment, possibly including internet connection records (introduced in the United Kingdom with the Investigatory Power Act). Retention of internet connection records was a massive failure when used between 2007 and 2014 in Denmark (under the old name “session logging”). Just before the Tele2 judgment in December 2016, the working plan of the Ministry of Justice was to re-introduce internet connection records for subscribers with Carrier Grade Network Address Translation (CG-NAT) connections.

At the committee meeting on 2 March 2017, the Minister of Justice described the future process towards targeted data retention as an ”adjustment of the current data retention rules”, and he emphasised the importance of ensuring that the police and intelligence services would continue to have the necessary tools to protect the population, as had been the case for the past 10 years with data retention. Here, the Minister of Justice is clearly confusing the use of telecommunications metadata in police investigations with mandatory data retention. Danish police has systematically used available telecommunications metadata in investigations for the past 20 years, and mandatory data retention only took effect on 15 September 2007.

While the Minister of Justice repeatedly referred to the ongoing EU consultations and that the EU Commission is currently preparing guidelines for targeted data retention, there was also some informal discussion of the issue among the Members of Parliament (MPs) that participated in the committee meeting. MPs in favour of data retention were clear about their intentions: data retention should allow the police to look into the past for suspects that were unknown at the time of the crime. This sounds very much like blanket data retention, and the word targeted is only used because the CJEU has made it very clear that EU law only allows targeted data retention. There seems to be little doubt that the Danish government, backed by a clear majority in Parliament, will push the scope of targeted data retention, once this concept has been defined, to the legal limit of EU law in the future revision of the Danish data retention rules.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

EDRi: Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
https://edri.org/denmark-data-retention-stay-despite-cjeu-ruling/

Webcast of meeting in the Legal Affairs Committee of the Danish parliament (in Danish, 02.03.2017)
http://mobiltv.ft.dk/video/20161/reu/td.1380023

EDRi: Danish government postpones plans to re-introduce session logging (23.03.2016)
https://edri.org/danish-government-postpones-plans-to-re-introduce-session-logging/

Minister of Justice continues illegal surveillance, Information (in Danish, 03.03.2017)
https://www.information.dk/indland/2017/03/pape-viderefoerer-ulovlig-overvaagning

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
08 Mar 2017

German intelligence agency violates freedom of the press

By Guest author

EDRi observer Reporters Without Borders Germany is appalled by the apparently targeted surveillance of foreign journalists by the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency. As reported by the Spiegel, the BND spied on at least 50 telephone numbers, fax numbers and email addresses belonging to journalists or newsrooms around the world in the years following 1999.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

“We have long feared that the BND has monitored journalists as part of its massive filtering of communications data. The targeted surveillance revealed by the Spiegel investigation is a massive violation of the freedom of the press,” said Christian Mihr, executive director of Reporters Without Borders Germany. Press freedom “is not a right granted by the graciousness of the German government, it is an inviolable human right that also applies to foreign journalists.”

According to documents seen by Spiegel, among the targets were the British BBC in Afghanistan and London, the New York Times in Afghanistan, as well as mobile and satellite telephones of the news agency Reuters in Afghanistan, Pakistan and Nigeria.

In October 2016 the German Parliament (Bundestag) passed the new law governing the BND. Exemptions protecting journalists, such as those in paragraph 3 of Germany’s so-called G10 law – a law specifying the restrictions that can be placed on the constitutional right to the confidentiality of email and telecommunications – are completely absent from the law.

The BND law allows the German foreign intelligence agency to carry out mass surveillance and monitor Europeans, with certain restrictions, and citizens of third countries whenever this can ensure the “capacity for action” of Germany or bring “new findings of significance to foreign and security policy”. Foreign journalists can thus quickly be targeted by the German foreign intelligence – especially when they exchange information about politically sensitive issues. The bill allows, for example, the BND to place the New York Times under surveillance if the newspaper received confidential information that the German authorities regarded as sensitive. This means that the new BND law legalises what the foreign intelligence agency did illegally before, that is spying on foreign journalists, as revealed by the Spiegel. “The reform of the BND bill was already a clear breach of the constitution. It does not alter the current practice of monitoring journalists,” said Christian Mihr.

Together with other journalist associations and under the leadership of the Society for Civil Rights, Reporters without Borders is preparing a constitutional challenge to the new BND law.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

BND violates freedom of the press
https://www.reporter-ohne-grenzen.de/presse/pressemitteilungen/meldung/bnd-ueberwachung-ist-verstoss-gegen-pressefreiheit/

Documents Indicate Germany Spied on Foreign Journalists
http://www.spiegel.de/international/germany/german-intelligence-spied-on-foreign-journalists-for-years-a-1136188.html

(Contribution by EDRi observer Reporters Without Borders Germany)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close