security & surveillance

While offering vast opportunities for exercising and enhancing fundamental rights, the digital environment also offers opportunities both to commit new offences and to impose new restrictions on our online rights. Measures such as filtering, blocking and untargeted surveillance are often easy to implement and extremely difficult to rectify. EDRi therefore works to ensure that all security and surveillance measures are necessary, proportionate and implemented based on solid evidence.

06 Oct 2015

Fifteen years late, Safe Harbor hits the rocks

By Joe McNamee

Today, the Court of Justice of the European Union (CJEU) confirmed what the European Commission has been denying for the past fifteen years – the “Safe Harbor” agreement on transferring data to the United States is invalid.

“Safe Harbor was flawed in principle and flawed in practice” said Joe McNamee, Executive Director of European Digital Rights. “After last year’s data retention ruling, this is the second time in two years that the Court of Justice has struck down an instrument that the European Commission had spent years defending.”

The case was precipitated by revelations of mass surveillance in the United States, which led to the discovery of the National Security Agency’s abuse of both the judicial (“systematic misleading of judges”) and legislative (“unbounded interpretation of the [Patriot] act that Congress never intended”) arms of the United States Government. While the US Mission to the EU has now confirmed that there is, apparently, “no mass surveillance of anyone”, there are some who may be sceptical.

In reality, however, the case is much deeper than “just” mass surveillance. The European Commission has never had the political courage to recognise that Safe Harbor was never safe. Even before the Snowden revelations, reports from the Commission itself and from independent research showed over and over again that the entire framework was inadequate. The European Commission and the businesses that used Safe Harbor to export data to the United States hoped that the open secret would remain a secret. Businesses that were using Safe Harbor could have done more than hope that a case would never be brought to the Court; they could have done more than pluck absurd numbers out of thin air as to the cost of abandoning this unsustainable agreement. Their choice was to take the risk that this unsustainable agreement could be sustained. They were wrong.

Read more:

Press release from the Court of Justice of the European Union (06.10.2015)

Safe Harbor: European Court Advocate General says Agreement should be declared invalid (23.09.2015)

Revelations on Safe Harbour violations go to hearing at EU Court (11.03.2015)

Finally! Safe Harbour Agreement under question by EU commissioner (31.07.2013)


06 Oct 2015

Unclear “net neutrality” proposal returns to European Parliament – civil society groups call for action

By Heini Järvinen



Following the conclusion of an unclear compromise on net neutrality and mobile phone roaming charges earlier this year, the Telecoms Single Market Regulation proposal has finally been submitted to the European Parliament for final approval.

Net neutrality is the principle that all Internet traffic should be treated equally by Internet access providers. By ensuring equal access to the full, unfettered Internet, net neutrality enables freedom of expression and of information online.

In the last week of October, the Parliament will be asked to vote on a text that contains positive principles prohibiting most – but not all – discrimination on the network. Several forms of discriminatory, restrictive behaviour could find refuge in the vagueness of the text. This is “policy-making-lite”: decision-making with key decisions removed.

“The European Parliament has a very simple choice,” said Joe McNamee, Executive Director of European Digital Rights. “Either it accepts amendments to give a real and predictable meaning to the text, or it leaves it to national regulators to decide if, how and when Europeans will get net neutrality,” he added.

For example:

  • The institutions agreed that “specialised services” (that are treated in a non-neutral way) would only be allowed if special treatment is “necessary”, but then agreed to define “necessary” as not necessarily meaning “necessary”.
  • While supporting “neutrality”, the text authorises different types of traffic to be treated differently. In practice, this could mean that encrypted data from especially smaller, less-established content providers may be communicated more slowly because encryption makes it difficult to tell that the data is, in fact, video data.
  • Part of the text appears to support the use of download limits to discriminate against some online services (blocking them when the download limit is reached) while another part clearly says that no content should be blocked.

“Together with our coalition partners, we are urging all European citizens to take action now via to help bring these last missing pieces to the attention of the European Parliament,” continued Joe McNamee.



In September 2013, the European Commission produced a “not” neutrality proposal.

In April 2014, the European Parliament voted for a strong, clear text which defended the neutrality of the Internet, for the good of free speech, competition and innovation.

In June 2015, after months of total intransigence from the EU Council, which opposed net neutrality, a “compromise” was found through the adoption of unclear and unpredictable language.

Read more

Net Neutrality: Primary document pool

Net Neutrality: Document pool II


30 Sep 2015

Civil society calls for reform of trialogues in a letter to EU Commission, Parliament and Council

By Heini Järvinen

European Digital Rights (EDRi), together with 17 signatory organisations, today sent an open letter to European Parliament President Martin Schulz, Commission President Jean-Claude Juncker and Council Secretary-General Jeppe Tranholm-Mikkelsen, calling for a major reform of the so-called “trialogues”.

“Trialogues cannot be a means for EU institutions to circumvent their obligations with regard to transparency and good administration,” said Joe McNamee, Executive Director of European Digital Rights. “Almost all EU legislative files are now agreed using the trialogue system, often at an unacceptably early stage in the decision-making process. A major reform is necessary in order to enable proper public scrutiny of EU decision-making,” he added.

These informal inter-institutional meetings between the European Parliament, the Council of the European Union and the European Commission have become an established feature of EU decision-making. While they were originally aimed at increasing efficiency by achieving early agreements on legislation, trialogues undermine the accountability and transparency of the EU legislative process. Very little information is available to the public because these meetings take place behind closed doors. Only well-resourced lobbies have access to trialogue documents. What about citizens? Ultimately, trialogues put the European Parliament, the only EU institution which is directly elected by citizens, in a weak position and, in practice, actively discriminate against citizens.

The European Ombudsman launched an investigation on trialogues, and hosted an event on the “International Right to Know Day” where several stakeholders shared their points of view with the Ombudsman. We sent this open letter to support the European Ombudsman’s initiative for reform.

The letter calls for public access to be granted to the trialogue meetings, and for the systematic and timely publication of all trialogue documents. The letter remains open to signatories.

Current signatories:
EDRi, Access, Access Info Europe, Bits of Freedom, Chaos Computer Club (CCC), Code Red, Digitale Gesellschaft, Electronic Frontier Finland (EFFI), GONG (new), Initiative für Netzfreiheit, IT-Political Association of Denmark, IuRE, Kairos Europe, La Quadrature du Net, Panoptykon Foundation, Statewatch, Vrijschrift, X-net.

Read more:

European Ombudsman’s inquiry on trialogues’ transparency

The Council challenges the right of the European Ombudsman to conduct an inquiry into secret “trilogues” (in which most EU legislation is decided)

The activist guide to the Brussels maze 2.0


30 Sep 2015

Civil rights groups condemn draft mass surveillance bill to be adopted in France

By Kirsten Fiedler

Today EDRi, together with 30 civil rights groups, sent the following letter to French parliamentarians to condemn a draft mass surveillance bill which is scheduled to be adopted on 1 October. You can download the letter in English (pdf) and in French (pdf). If your organisation wishes to sign, please contact us at brussels(at)

Dear Member of the Assemblée Nationale,

The undersigned civil and human rights organisations call on French parliamentarians to reject the draft law on surveillance measures for international electronic communications (“Proposition de loi relative aux mesures de surveillance des communications électroniques internationales”). The bill fails to defend and protect the right to privacy of individuals worldwide.

With this new bill, parliament is about to approve new disproportionate surveillance measures to monitor international communications. Based on the principle of massive collections of data, the bill seeks to legitimise the civil and human rights abuses revealed by Edward Snowden about the practice of intelligence agencies such as the ones in the US and the UK. As a crucial part of the global Internet traffic goes through French submarine cables, this law would put France in the list of countries with sweeping surveillance capabilities. This bill follows from the Surveillance Law passed in June, which allows the French government, among other measures, to monitor people’s phone calls and emails without judicial approval; and to install black boxes on internet service providers’ infrastructure to collect metadata on millions of innocent individuals. Earlier this year, the French Constitutional Council struck down one of the provisions of the Surveillance bill, and the new proposal seeks to re-authorise the international surveillance programme impacted. The draft law will be voted on 1 October by the French National Assembly.

In particular, we are deeply concerned that

  • the bill would allow for indiscriminate mass surveillance of millions of people in France and abroad;
  • independent oversight and control mechanisms are completely lacking. The massive data collection scheme would be conducted under the sole authority of the French Prime Minister, with only ex post control from the oversight authority. This does not sufficiently guarantee the protection of privacy and the respect for rights and freedoms;
  • clearly excessive and unjustified retention periods for data (content for one year, metadata for six years, encrypted content for eight years) are foreseen, in contradiction with the principles laid out by the Court of Justice of the European Union (CJEU) in its ruling on 8 April 2014 invalidating the Data Retention Directive;
  • the justification of the measures is so broad as to be meaningless, such as the defence of “major interests of foreign policy” and “major economic and scientific interests of France”;
  • the broad language leaves room for the future use of undefined surveillance technologies which could lead to an extension of the scope of the bill without any involvement of democratic institutions;
  • only lawyers, journalists, representatives and magistrates established in France would theoretically be granted some form of protection, although, for instance, the private or professional nature of their communications can only be established during the data processing, and in any event the law does not protect them against bulk collection and exploitation of their communications.

We, the undersigned organisations, urge the French Parliament to reject this international surveillance bill and protect the rights of individuals all around the world. The principle of universality of rights is a fundamental principle, especially the European Union. We call on you to strengthen civil liberties and human rights safeguards for all and reject this proposal. Thank you.


European Digital Rights (EDRi)
Electronic Frontier Foundation (EFF)
Chaos Computer Club (CCC)
Article 19
Code Red
Web We Want Foundation
Electronic Frontier Finland (EFFI)
FITuG (Working Group on Data Retention Austria)
Initiative für Netzfreiheit
Icelandic Modern Media Initiative (IMMI)
Global Voices
Amnesty International
Pen International
Digital Rights Foundation
Australian Privacy Foundation
CPJ (Committee to Protect Journalists)
Digitale Gesellschaft e. V.
Bits of Freedom
IT-Political Association
Panoptykon Foundation
Association for Progressive Communications
Privacy International
Reporters sans frontières (Reporters Without Borders)
Alternative Informatics Association
ACI-Participa (Honduras)


23 Sep 2015

ENDitorial: EU Commission ISDS proposal – a threat to democracy

By Guest author

The European Commission has published its investor-state dispute settlement (ISDS) reform proposal for the Transatlantic Trade and Investment Partnership (TTIP), the EU-US trade agreement currently under negotiation, and future trade agreements between the European Union and third countries.

On the positive side, the reform proposal removes unfair procedural advantages for the United States and tries to address some of the concerns raised by the responses to the public consultation.

On the negative side, the reform proposal does not represent a rejection of ISDS. It replaced the ISDS acronym with a new one, ICS, which stands for Investment Court System. In fact, the proposal contains several loopholes.

First, the reform proposal discriminates amongst investors, as it gives foreign investors, and only foreign investors, the right to circumvent domestic legal systems and use supranational adjudication to challenge government decisions. Supranational adjudication places the development of law outside democratic oversight.

Secondly, the reformed ISDS proposal contains procedural loopholes. If adopted, the proposal would create perverse incentives. The adjudicators would be paid per day worked and would be able to receive outside remuneration. This creates incentives to give foreign investors value for the money, as only foreign investors can start cases, leaving domestic investors in a less advantageous position.

Thirdly, reform still fails to protect EU policy making. Democratic societies have to be able to change course, for instance to reform their copyright laws, or to effectively protect the privacy of their citizens. The proposal would place for-profit supranational investment adjudicators above democracies. The adjudicators would assess whether democratic decisions are arbitrary from the point of view of the protection of foreign investments. This creates major risks for democracies and civil rights.

Finally, the European Commission undermines any possible positive element in its reform proposal, as it still intends to keep the “old ISDS” in trade agreements whose negotiations have been concluded, but not yet ratified, such as the trade agreements with Canada and Singapore. The result is that foreign investors would have the possibility to route their investments into the EU through these countries.

From a rule of law perspective, a more valid solution would be to improve weak aspects of domestic legal systems. This would provide equal access to the law, and would not remove democratic oversight of the development of law. There are other ways for investors to achieve additional certainty for their investments than ISDS; they can, for example, take out political risk insurance.

European Commission’s ISDS reform proposal

EU Commission’s ISDS proposal a threat to democracy and civil rights (20.09.2015)

Vrijschrift letter to European Parliament’s international trade committee on Commission’s ISDS proposal (21.09.2015)

(Contribution by Ante Wessels, EDRi member Vrijschrift, The Netherlands)



23 Sep 2015

Two Danes arrested for publishing information about Popcorn Time

By Guest author

The Popcorn Time software has become a popular way of watching movies and TV shows online. The user is presented with an interface that has the look and feel of established streaming services, such as Netflix. In many cases, Popcorn Time is used to access content made available without the authorisation of the rights-holders, but stopping the copyright infringement is difficult due to the decentralised nature of the underlying Bittorrent network. The website for the Popcorn Time software contains no direct links to infringing material.

Rights-holders internationally have pursued a number of strategies against Popcorn Time. These include web blocking at the internet service provider (ISP) level (e.g. court orders in UK, Italy and Israel) and legal actions against individual Popcorn Time users. Since the underlying filesharing technology of Popcorn Time is Bittorrent, users’ IP addresses can easily be determined unless they protect their identity with a Virtual Private Network (VPN) connection. In Germany and Denmark, lawyers have unmasked the subscribers behind IP addresses with a court order, and subsequently sent letters demanding compensation for copyright infringement. In the Netherlands, the rights-holder organisation Brein has managed to close six Popcorn Time “fan pages” through private settlements with the operators of these websites.

On 19 August 2015, the palette of legal strategies took a worrisome turn when two Danish citizens were arrested and charged with “distributing information and instructions about illegal content”, according to public statements given by the Danish Police. In both cases, the reason for the arrest was ownership of a website containing information about how to use the Popcorn Time software. The two websites, and, appear to have been created independently of each other. Prior to the arrest the domains were seized as evidence in the case, and both websites currently display a notice that they have been seized by the Danish State Prosecutor for Serious Economic and International Crime (SØIK). Strangely enough, the web servers hosting the real contents of the two Popcorn Time information websites are still running one month after the arrest, and they can be accessed if one knows the IP address of the server. The Domain Name System (DNS) records for the domains, of course, point to the server run by SØIK.

The specific charges against the two unnamed individuals are also mentioned on the seized websites. They are charged with contributing to copyright infringement of a serious nature (Section 299 b of the Danish penal code, which carries a maximum punishment of six years in prison). Section 23 of the Danish penal code contains a fairly broad provision on contributing to crimes committed by others through instigation or advice.

Neither of the websites contained any links to infringing material, only general information about the Popcorn Time software, all of which is available throughout the internet. The first hit when searching for “Popcorn Time” on Google is the website where the Popcorn Time software can be downloaded. Moreover, both websites contained a fairly clear warning to their readers that the use of Popcorn Time could be illegal, and that the material on the website should not be regarded as an encouragement to commit copyright infringement. One of the websites contained a link to the English website, which is still running, and which essentially has the same content as the now seized Danish website.

The prosecutor could perhaps argue that Popcorn Time is mainly used for copyright-infringing activities, and that the information on the website is advice to commit copyright infringement. In this case, the contributing act would be towards unknown persons (that have read the information on the website) and unspecified copyrighted works (as none are mentioned). If Section 23 of the penal code can be interpreted this broadly, it would have a seriously negative impact on freedom of speech. Any public discussion of software that could be used illegally or where the main use of the software is likely to be illegal, could potentially lead to a charge for contributing to the crimes of others. This could also affect internet intermediaries or their owners, as they could be charged with contributing to any illegal activities by their user base.

The two Danes are charged with contributing to copyright infringement of a serious nature, which usually involves activities on a commercial scale. Immediately after the arrest, the Danish Rights Alliance, which has close ties with SØIK, issued a press release claiming that both websites had substantial advertising revenue. This seems highly unlikely as the two websites were hosted on shared web servers with, respectively, 50 and 500 other domains. Websites with a large number of users generally run on dedicated servers in order to sustain the traffic. There were some banner advertisements on the two websites, but it is clearly worrying if minor advertising revenue by itself can be considered “commercial-scale” in connection with claims of alleged copyright infringement.

Police Arrest Men for Spreading Popcorn Time Information, Torrentfreak (19.08.2015)

Popcorn Time “Fan Pages” Nuked By Anti-Piracy Outfit, Torrentfreak (24.02.2015)

EDRi-gram: Ex parte domain name seizures in Denmark (08.10.2014)

Press release from the Danish Rights Alliance about the arrest (in Danish only, 20.08.2015)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



23 Sep 2015

Generali, the health insurer who wants to know everything about you

By Kirsten Fiedler

On 20 May 2015, we published a collection of science fiction stories for the 300th edition of the EDRi-gram newsletter – the premise of the collection was scenarios that we envisaged happening in 2025. We did not imagine that one of the stories on data collection practices by health insurers would be getting closer to reality already in 2015.

In July 2015, the Italian insurance company Generali revealed the details of its “Vitality Programme”, which is planned to be rolled out in Germany, France and Austria in 2016. The goal of the programme is to find out what clients are buying, eating, and how often they go to the gym. On its website, Generali describes the programme as follows:

To begin with, clients are encouraged to find out their personal health and fitness levels. Then they decide on personal objectives during the programme. The second step is to work towards these goals. Points are awarded for the achievement of the milestones that clients can use – depending on how many they’ve accumulated – to reach a new level. According to the level, clients receive various discounts and vouchers. Points can be collected through various options, such as going to preventive medical appointments (…), fitness and movement as well as buying healthy food.

In an interview with the German edition of the Technology Review, the head of Generali Giovanni Liverani stated that “some basic data can be entered into an App by clients themselves, such as age, weight, and height. In addition, they can decide: Do I allow my gym to tell Generali Vitality how often I went to the training sessions, or certain supermarket chains to tell what type of food I bought. This data will then be transmitted to the legally separate Generali Vitality company.”

Some clients, however, might be more reluctant to share their data – along the lines of the Federal Trade Commission (FTC) Chairwoman Edith Ramirez, who stated in 2013 that “information that is not collected in the first place can’t be misused.” According to Liverani, clients who are concerned about their privacy and decide not to participate in the programme will not be “punished”. So, the good news is, the fact that you are not getting benefits that others are getting is not, in Generali’s logic, a comparative disadvantage for you.

Technology Review: Tracking by insurance companies: We will not punish you (only in German, 27.08.2015)

EDRi-gram 300: Neuro-implant hack reveals secret deals between health insurers and employment agencies (20.05.2015)

Generali: Vitality programme

(Contribution by Kirsten Fiedler, EDRi)



23 Sep 2015

AVG starts selling personal data to third parties

By Guest author

The Czech Republic-based security software vendor AVG Technologies recently updated its privacy policy. The objective of the changes, according to the company, was to explain in a more transparent manner to its users how it intends to use what it calls “non-personal information”. The new privacy policy will take effect on 15 October 2015.

The company defines “non-personal data” as data that cannot be linked to the identity of users in any way. The new privacy policy explains that the company might collect and sell this information to third parties, to allow its anti-virus product to stay free of charge to the users. AVG also notes that it might anonymise and aggregate data that could otherwise identify individual users. The text assures that the company does not sell or rent its clients’ personal data to third parties, but the next paragraph warns that certain personal data may be shared with any of their “affiliated AVG companies, search providers, selected AVG resellers, distributors and other partners”.

The changes for the end user are not significant compared with the previous version of AVG’s privacy policy, which stated that the company could collect data on “the words you search”, but did not make it clear whether browser history data could also be collected and sold to third parties.

The reactions to the new privacy policy are diverse. Data protection and IT law expert Orla Lynskey from the London School of Economics welcomed the improved wording, but said that users can be justifiably concerned by the implications for their privacy. “Its privacy policy is written in clear and simple language,” she said, adding that users might expect an anti-virus provider to be “more respectful” of their privacy and data security. Alexander Hanff, security expert and chief executive of Think Privacy, stated that AVG’s potential ability to collect and sell browser and search history data places the company “squarely into the category of spyware”.

AVG’s new privacy policy is on the one hand more transparent than its previous ones that intentionally blurred the line between collecting data for malware tracking and using it for profit, which can be considered as a step in the right direction. On the other hand, by making its privacy policy easier to understand, the company shows more openly how it is collecting and re-selling the data – which is an activity that many would consider unethical for a security software company with elevated privileges to the personal and “non-personal” data of its clients.

AVG Privacy Policy

AVG can sell your browsing and search history to advertisers (18.09.2015)

AVG’s new privacy policy is uncomfortably honest about tracking users (17.09.2015)

Is AVG planning to sell user data to advertisers following privacy policy change? (17.09.2015)

(Contribution by Pierre Christopher, EDRi intern)



23 Sep 2015

Germany: The secret service’s 300-million-euro surveillance plan

By Guest author

This is a shortened English version of the German article originally published by Andre Meister on Translation and changes by Kirsten Fiedler and Nikolai Schnarrenberger.

Fibreoptic surveillance, scanning of Internet traffic in real time, cracking encryption, hacking computers: Germany’s foreign intelligence agency “Bundesnachrichtendienst” (BND) is massively expanding its internet surveillance capabilities. On 21 September, the German blog published the classified 300 million euro investment programme “Strategische Initiative Technik” (Strategic Initiative Technology – SIT). Members of the German Bundestag and civil society have criticised the agency’s new powers and demand an end to the programme.

In May 2014, shortly after the German Parliament’s US National Security Agency (NSA) inquiry committee began its work, German media reported that the BND was investing in a 300 million euro programme called “Strategic Initiative Technology” (SIT). The official timetable of the BND indicates that in 2014, preparations for the launch of SIT were undertaken. The actual launch of the programme is under way right now.

In the document, it is explained that:

With its technical modernisation programme, the BND intends to respond to the technological developments as indicated. The last technical modernisation programme ran out in 2008, and subsequent single measures could not prevent an investment backlog which has grown huge by now.

It is not entirely clear what kind of “technical modernisation” expired in 2008. The operation Eikonal, the joint initiative of BND and NSA to route and scan internet traffic massively at the Telekom in Frankfurt terminated in 2008, as we know. At that time, the BND received hardware and software from the NSA, while the BND offered access to the Internet node DE-CIX in Frankfurt: surveillance technology in exchange for data. But the NSA wanted more spying capabilities than the BND initially intended to grant. Therefore, 38 000 selectors were allegedly used, which officially violate “German and European interests”. As a result, the BND stopped the transfer to the NSA to end the project.

The BND now wants to be able to perform wiretapping on its own. The Snowden revelations about skills and financial resources of the Five-Eyes Intelligence Services, an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States, aren’t seen as a warning but rather transformed into a wish-list for the BND: The German agency wants to play “on an equal level with the western partner services”:

The BND’s plans are in synchronicity with those of other intelligence services. To avoid losing important intelligence capabilities and to encounter novel security threats, our partner countries have made substantial investments in their intelligence services. The US has gradually increased the NSA budget by more than fifty percent to nearly eleven billion dollars since 2004. The main partners in Europe, France and the UK, invested several hundred million euro in technical modernisation programmes since 2009 and 2011 (500 million euro, respectively 650 million pounds sterling) and significantly increased the budget of its intelligence services step by step in the last few years. If the BND can not keep its capabilities in step with the state of the art, it is endangered to fall back behind countries like Italy or Spain, causing negative consequences for the knowledge exchange within the Community and the risk of isolation.

The technical wish-list as requested by the BND is divided into five areas:

  1. SIGINT (Signals Intelligence): Similarly to the intelligence services of the Five Eyes, the BND invests a major part of its resources in “signals intelligence” (SIGINT). The BND explains that “technical intelligence” can only be “the cornerstone of a modern and efficient Federal Intelligence Service, aligned to future challenges”. The search for “a needle in a haystack” is only successful if the search is carried out in a targeted manner and in real-time.
  2. Internet operation skills (CYBER) are to be increased. The technical possibilities to explore the Internet as a public information space are used extensively for the investigation of communications and content that are directed against Germany.
  3. In the field of sensor technology, technological progress is used for the investigation of atomic, biological, chemical and other weapons in mission areas.
  4. The increasing use of biometrics and the consequent risk to human intelligence (HUMINT) operations are to be met with new methods and systems.
  5. With the expansion of the integrated data analysis (AIDA) programme, new kinds of analytic tools will be put in place. According to the BND, traditional intelligence methods are “not up to the new requirements both in terms of the amount of data, and to the content of the individual particles”. Therefore, the BND wants to develop new approaches to monitor social media.

Data protection experts criticised the programme, in particular the plans for AIDA, and believe that the storage and processing of self-published data represents a new designated use, which needs a new legal basis. Despite this uncertain legal situation, the BND is moving ahead with the project and has commissioned a feasibility study. According to the BND documents, this study should include the “launch of the observation and analysis of selected information channels” – i.e. the observation of social networks such as Facebook and blogs. These should be analysed “with regard to simple, defined issues”. The result is to be “incorporated into the production process of the BND and be evaluated there”.

Strategic Initiative Technology: We Unveil the BND Plans to Upgrade its Surveillance Technology for 300 Million Euros (23.09.2015)




23 Sep 2015

State of play of internet freedom in the Netherlands

By Guest author

Dutch EDRi member Bits of Freedom is diligently watching a set of broad tendencies, such as the dominant positions of a handful of tech giants, the Internet of Things, and the idea that technology cannot be neutral. Bits of Freedom is also working hard to prevent the occurrence of a number of very real threats to your internet freedom. Here’s an update on three topics currently debated in the Netherlands.

The dragnet for the Dutch secret service

On 2 July 2015, Minister of the Interior Ronald Plasterk published a bill for a new Intelligence and Security Services Act. This bill will give the intelligence and security services the most far-reaching power to tap citizens’ communications: not only to listen to their telephone conversations, but also to monitor chat and email messages, as well as the websites visited. It’s true that the current Intelligence and Security Services Act already allows the security services to tap specific individuals for monitoring purposes, but the new law would allow them to collect such data in bulk. This way innocent people would end up in the dragnet, too.


Another problem concerning this bill is that the exchange of data with foreign security services will not be limited. This means that the data collected can be handed over to other intelligence and security services without the Dutch security service even knowing the content of the dataset they provide.

Finally, there’s no independent, legally binding oversight. If the oversight committee concludes that the minister has unjustly allowed the application of such a dragnet, the minister can simply overrule the oversight committee; he can only be held accountable by Parliament. Oversight over intelligence and security services should not be left to politicians, because this gives politicians power without any counterbalancing transparency or accountability.

Reintroduction of data retention law

On 11 March 2015, the Dutch data retention law was thwarted by a ruling of the District Court of The Hague. Under that law, everybody’s location and communication behaviour would have been stored for up to a year, which would have had a massive impact on our freedom. Unfortunately the minister of Security and Justice, Ard Van der Steur, has already indicated that he will introduce a new data retention bill.

Hacking Criminal Investigation Departments

Van der Steur also wishes to grant Dutch law enforcement the power to hack citizens’ computers and other devices, such as tablets and smartphones. Ironically, this will only make Dutch internet users less safe. Imagine the police have the ability to enter a suspect’s Outlook via an existing vulnerability in the software. The police would then want that vulnerability to remain open a little longer, rather than getting it fixed as soon as possible. Unfortunately, the police aren’t the only party that can use this vulnerability to get access. That means all other Outlook users are vulnerable to cyber criminals too.

Demystifying the algorithm: Who designs your life? (26.06.2015)

EDRi-gram: Dutch Minister of the Interior reveals plans for dragnet surveillance (15.07.2015)

Data retention law struck down – for now (11.03.2015)

How your innocent smartphone passes on almost your entire life to the secret service (30.07.2014)

Dutch government: Let’s keep data retention mostly unchanged (16.12.2014)

Dutch hacking proposal puts citizens at risk (2.05.2013)

(Contribution by Daphne van der Kroft, EDRi member Bits of Freedom, The Netherlands – translation into English by Jay Achterberg)