security & surveillance

While offering vast opportunities for exercising and enhancing fundamental rights, the digital environment also offers both opportunities to commit new offences and to impose new restrictions on our online rights. Measures such as filtering, blocking and untargeted surveillance are often easy to implement and extremely difficult to rectify. EDRi therefore works to ensure that all security and surveillance measures are necessary, proportionate and implemented based on solid evidence.

01 Jul 2015

Google admits it was wrong on “right to be forgotten”

By Joe McNamee

In the widely publicised “Google/Spain” ruling of the European Court of Justice (CJEU), it was decided that the results of Google searches sometimes infringe the rights of individuals. In such circumstances, individuals can complain – to Google in the first instance – and ask for searches involving their name to be de-linked from the unfair results.

Google reacted furiously to the ruling, arguing that “the balance that was struck was wrong”. This was followed by the publication of comparatively low (bearing in mind the huge amount of publicity) numbers of complaints to Google to de-link content. On 29 June 2015, the total number of requests received by Google was 276 580, which is approximately three percent of the total number of copyright-related removal requests that Google approves every week.

Subsequently, at a meeting of Liberal Member of European Parliament (MEP) Sophie In’t Veld’s “Privacy Platform”, Google’s Privacy Counsel Peter Fleischer got himself into a tangle where he simultaneously argued:

  • that it is “obvious” that Google should act on some of the complaints it receives, as it is clear that the rights of individuals are being undermined;
  • that Google should de-link only relevant results in the national search engines (such as or for instance), but not on and;
  • by implication, therefore, that the “obvious” damage to the individuals in question should be allowed to continue via searches carried out via its global .com domain.

On June 19, however, Google changed its policy and now grants a specific “right to be forgotten” to victims of “revenge porn” – and it does this on a global level. So, Google now agrees with the basic principle that it argued against so passionately. Yes, there are obvious cases of individuals’ rights being damaged by Google search results. Yes, Google should react to complaints by those individuals and take measures to mitigate this damage. Yes, Google should implement its measures on its .com domain. The only question that Google hasn’t answered is whether and why it really believes that “revenge porn” is globally the only example of where this is true.

Eric Schmidt: Europe struck wrong balance on right to be forgotten (15.05.2014)

Online searching and privacy in the EU (19.11.2014)

Google Public Policy Blog: “Revenge porn” and Search

(Contribution by Joe McNamee, EDRi)



01 Jul 2015

WiFi tracking and the ePrivacy Directive in Denmark

By Guest author

Citizens are increasingly being monitored and tracked by public authorities and commercial interests. Many carry digital devices which, by design, emit a unique identifier, such as the WiFi Media Access Control (MAC) address of a smartphone. Even though the MAC address does not directly reveal the identity of a person, the fact that it is constant over time and easy to intercept (all you need is a WiFi network adapter), means that it can be used for recognising individuals between different sensor points and tracking their movements. With a sufficient number of sensors, an almost complete profile of a person’s movement in a city can be obtained without consent.

WiFi tracking can be used for a number of purposes, ranging from tracking repeat customers in a shop to measuring road congestion and travel times. At Copenhagen Airport, the technology is used for tracking the movement of passengers, including measuring waiting times at the security checkpoint. Vendors of this type of technology generally claim that they “encrypt” the MAC address in order to alleviate privacy concerns, for example by using a one-way hash function.

Ultimately, the privacy challenge is to give different data to each sensor. Even encryption does not provide a full solution; if the encryption algorithm is shared between two sensor points, citizens can still be recognised from previous sensors and tracked. Complete randomisation of MAC addresses at the collection point will defeat the purpose of tracking, so this will not be done by the vendors. However, certain smartphones can do this before their MAC address is broadcast in the first place. A compromise solution is to change the encryption algorithm regularly, which will allow for tracking within a limited time period only, assuming that information about the previous encryption algorithms is effectively discarded.

In Europe, WiFi tracking is regulated by the Data Protection Directive 1995/46/EC, to the extent that the collected data is regarded as personal data, and by the ePrivacy Directive 2002/58/EC. In Opinion 9/2014 on device fingerprinting from the Article 29 Working Party (WP29), accessing the MAC address of a WiFi device is considered to be covered by Article 5(3) of the ePrivacy Directive, the so-called cookie provision (see section 7.3 of the Opinion). Article 5(3) states that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user” is only allowed if informed consent has been obtained from the user. In the present context, the MAC address is the information stored in the user’s terminal equipment. The exceptions for consent in Article 5(3) do not cover the purpose of tracking, according to the WP29 Opinion.

The WP29 Opinion, published in November 2014, caused some concern among Danish municipalities which were using, or planning to use, WiFi MAC tracking for either traffic monitoring or “smart city” projects. The Danish Business Authority, which is the regulatory authority for the Danish transposition of the ePrivacy Directive, initially indicated in media comments that these systems were subject to Article 5(3) and that consent was required. There is no practical way that the required consent could be obtained, so this would effectively have forced the Danish municipalities to stop their traffic monitoring projects.

In January 2015, Blip Systems, a Danish company developing and selling tracking technology, submitted a formal request to the Danish Business Authority about the collection of MAC addresses in the Bliptrack system which is used for traffic monitoring by Danish municipalities. On 26 March 2015, the Danish Business Authority rendered a formal decision on the matter which reversed its initial position that the consent requirement of Article 5(3) applies to these systems.

The decision that Article 5(3) does not apply to the collection of MAC addresses is based on the following factors:

  1. The location data is collected in a way that makes it impossible for Bliptrack to monitor individual citizens. An analogy to anonymised data in the Data Protection Directive 95/46 is made here, but the decision does not mention that first-party cookies used for anonymous web statistics (web analytics) are not exempt from the consent requirement in Article 5(3);
  2. The MAC addresses are anonymised with a hashing algorithm which is changed every 24 hours, so citizens cannot be tracked for a period longer than 24 hours as the hash value of the MAC address has changed;
  3. It is not possible for the Bliptrack system to communicate with users in order to obtain consent.

Overall, the March 2015 decision by the Danish Business Authority seems fairly limited in scope, so that it would not necessarily apply to WiFi tracking over longer periods than one day and for other purposes than aggregated statistics like traffic monitoring.
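The linkability argument above, as an added illustration that is not part of the original article and is not Blip Systems' code. It assumes the daily-changing "hashing algorithm" is modelled as HMAC-SHA256 under a random key per day; the MAC addresses, sensor names and the `KeyStore` class are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from itertools import combinations

# Constructed sightings: (day, sensor, MAC). The MACs are made-up,
# locally administered addresses, not real devices.
SIGHTINGS = [
    (1, "A", "02:00:00:aa:bb:01"),
    (1, "B", "02:00:00:aa:bb:01"),
    (2, "A", "02:00:00:aa:bb:01"),
    (1, "A", "02:00:00:aa:bb:02"),
    (2, "B", "02:00:00:aa:bb:02"),
]


def mac_bytes(mac):
    """Normalise a textual MAC address to its 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw


class KeyStore:
    """Hypothetical key holder: one random HMAC key per scope.

    purge() models "information about the previous algorithms is
    effectively discarded": a purged key cannot be regenerated.
    """

    def __init__(self):
        self._keys = {}

    def key_for(self, scope):
        if scope not in self._keys:
            self._keys[scope] = secrets.token_bytes(32)
        return self._keys[scope]

    def purge(self, keep):
        self._keys = {s: k for s, k in self._keys.items() if s in keep}


def pseudonym(scheme, store, day, sensor, mac):
    """Return the identifier a sensor would store instead of the MAC."""
    data = mac_bytes(mac)
    if scheme == "static":
        # One unkeyed hash shared by all sensors, never changed. Anyone who
        # knows a MAC can recompute this value, on any day, at any sensor.
        return hashlib.sha256(data).hexdigest()
    if scheme == "daily":
        scope = ("day", day)        # same key at all sensors, new key each day
    elif scheme == "per_sensor":
        scope = ("sensor", sensor)  # "different data to each sensor"
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return hmac.new(store.key_for(scope), data, hashlib.sha256).hexdigest()


def linked_sightings(scheme, sightings=SIGHTINGS):
    """List every pair of sightings that share a pseudonym under `scheme`."""
    store = KeyStore()
    groups = defaultdict(list)
    for day, sensor, mac in sightings:
        groups[pseudonym(scheme, store, day, sensor, mac)].append((day, sensor))
    pairs = []
    for seen in groups.values():
        pairs.extend(combinations(seen, 2))
    return sorted(pairs)


def survives_key_purge():
    """True if a day-1 pseudonym can be recomputed after day 1's key is gone."""
    store = KeyStore()
    mac = SIGHTINGS[0][2]
    before = pseudonym("daily", store, 1, "A", mac)
    store.purge(keep={("day", 2)})
    after = pseudonym("daily", store, 1, "A", mac)
    return hmac.compare_digest(before, after)


if __name__ == "__main__":
    for scheme in ("static", "daily", "per_sensor"):
        print(f"{scheme:>10}: {linked_sightings(scheme)}")
    print("day-1 pseudonym recomputable after purge:", survives_key_purge())
```

With the static hash every sighting of a device links to every other; with the daily key only same-day sightings link, and with a per-sensor key movement between sensors is no longer visible. The 24-hour limit holds only while the old keys really are destroyed, which is the condition the article attaches to the compromise solution.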

The European Commission has recently published a study of the national transposition of the ePrivacy Directive, but the work for this study was completed before the WP29 Opinion 9/2014 was made. Interception of WiFi MAC addresses is only briefly mentioned in the study, and only in the context of breaches of confidentiality of communications, a separate issue from Article 5(3).

The cookie provision in Article 5(3) has been heavily criticised by the web industry and internet users alike, because of the annoying cookie popups which ask for consent to place tracking cookies on the user’s device, often with no possibility to refuse. Therefore, it seems likely that Article 5(3) will be changed in the planned revision of the ePrivacy Directive. Needless to say, this will also have implications for the legality of using WiFi tracking in the physical space.

How tracking customers in-store will soon be the norm, The Guardian (10.01.2014)

Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting, Article 29 Data Protection Working Party (25.11.2014)

Widely used system for traffic monitoring is illegal, Version2 (only in Danish, 26.01.2015)

Traffic monitoring system not covered by the cookie provision, Danish Business Authority (only in Danish, 26.03.2015)

ePrivacy Directive: assessment of transposition, effectiveness and compatibility with proposed Data Protection Regulation, The European Commission (10.06.2015)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



01 Jul 2015

AFET Committee adopts its Report on Human rights and technology

By Guest author

The European Parliament Committee on Foreign Affairs (AFET) adopted its Report on “Human rights and technology: the impact of intrusion and surveillance systems on human rights in third countries” on 26 May 2015. The Rapporteur, Marietje Schaake (ALDE, Netherlands) welcomed the adoption of the Report and stressed that “the European Union must assess the impact on human rights when it comes to the use and trade of harmful technologies, and where needed develop regulations urgently”. The Report will be voted at the plenary session of the European Parliament on 9 July.

The Report aimed at providing input in order to help create smart European legislation which deals adequately with all the concerns, but at the same time takes into account new technological solutions. Appropriate technology tools could generate enormous opportunities in helping to strengthen human rights. However, some of those tools can also be used to try to maintain or reinforce injustices. Thus, there is a growing need to ensure the safety and security of citizens, bearing in mind the fact we are living in a world of globalised surveillance. Specifically, human rights defenders and whistleblowers are usually the main targets of surveillance by state authorities, but also by non-state actors.

“Technologies can help advance human rights such as access to information and freedom of expression. Yet, too many surveillance and intrusion technologies are being produced in Europe and sold to enable human rights violations,” said Schaake. European companies are selling mass surveillance or censorship equipment to third countries, like Bahrain, Syria or Egypt, where their technology is being used to oppress human rights defenders and political activists. In 2014 Privacy International filed a complaint against Gamma International, a British-German company, calling for an urgent investigation of the unlawful surveillance of three Bahraini activists by Bahrain authorities using surveillance technology provided by Gamma International. Similarly, in 2012, the French company Qosmos was accused of selling surveillance products to the Syrian government, in a complaint lodged by the International Federation for Human Rights (FIDH).

The Rapporteur invited a wide group of stakeholders including hackers, journalists, activists and lawyers to contribute to the Draft Report with their comments. EDRi was among this group of stakeholders. We provided input suggesting, among other things, the use of open source software, the need for net neutrality and clarifying the role of Internet intermediaries (privatised law enforcement). The Report, as adopted in the AFET Committee, presents a vital element in creating a European regulatory and policy framework that controls the trade of surveillance technologies and prevents human rights violations related to it. Therefore, we are pleased to see that EDRi’s analysis and suggestions were included in the final text.

Report on ‘Human rights and technology: the impact of intrusion and surveillance systems on human rights in third countries’ (03.06.2015)

MEP Marietje Schaake calls for input on report Human rights and technology (09.02.2015)

MEP: EU needs smart policies to strengthen human rights while technologies proliferate (26.05.2015)

Privacy International files criminal complaint on behalf of Bahraini activists targeted by spyware FinFisher (13.10.2014)

Surveillance technologies “Made in Europe”: Regulation needed to prevent human rights abuses, Position paper, FIDH

(Contribution by Morana Perušić, EDRi intern)



01 Jul 2015

An open letter to Mark Zuckerberg from suspended user Giz

By Guest author

I am confused. When your Chief of Personal Products, Chris Cox was speaking with the Sisters of Perpetual Indulgence he said that Facebook’s policy never required anyone to use their legal name. He said that Facebook wants users to use our authentic identities, the names our people call us, like Sister Roma and Little Miss Hot Mess.

Since I opened my account, that’s what I have done. I’ve been active for nearly a decade now, and I have been known to all of my friends as “Giz” since I was a teenager, for over 20 years now. When I told my mother about this her answer was “But you ARE Giz, that’s even how I have you in my phone!”

The only people who call me by my legal name are clients and the government. And I would rather not be added as a friend by clients, given the nature of my work and the fact that I am female. My female friends have enough trouble with unsolicited sexual advances on Facebook, I’ve been spared all of this because my name was gender neutral.

My legal name is my business name. I really don’t see why I need to use my business name on my profile when it’s not how my friends call me. It could also leave my livelihood at risk as my name is not particularly common. I have witnessed a public page being used in defamation of a friend’s character – they were accused of being a paedophile because they supported marriage equality. There is no way for my friend to know how many people saw that post, how many could have given it credence. He’s only lucky it didn’t find its way to his work as it would cost him his career working with vulnerable individuals.

So what can I do to ensure that my personal politics or beliefs are not used to defame me and destroy my livelihood? Simple! I use the name my friends call me on my personal profile, like I had been, until Facebook decided I was using what they consider a “fake name”.

I have to admit the irony of Facebook accusing me of being a fake user while sending me automated emails that pretend to be from a human is laughable. This is my connection to those I love. The very fact that I have attempted to engage should alert you to the fact that I am a real person. If I was a troll I doubt the deactivation of my account would matter, a troll will merely set up a new account – and they do not need government ID to do so. If they wish to circumvent the real name policy, then they will just use a real sounding name – because unless you have asked every single user to provide their ID then you cannot claim that every user is using their true name.

If Facebook were to require government ID for registration, or indeed to suddenly require it from all users, how do you think that would affect your site’s traffic? I would imagine it would lead to a massive defection from the platform, purely because Facebook has its chequered past with privacy issues, social experiments and there’s a sizable chunk of the population who would consider Facebook to be working for the NSA.

If I use my legal name on Facebook it makes me more likely to receive unwanted sexual advances from strangers, including graphic photographs, if my female friends’ experiences are anything to go by. It also makes my business vulnerable to attack by those who cannot seem to separate a difference of opinion from a reason for vengeful attack (they exist, although, at present, with a gender neutral name, the worst I get is generalised attacks, the abuse women receive online is quite different to that which men receive).

I would like my profile back, please. Or at least for someone in Facebook to engage with me. Like I said when you first asked for my ID, why would I want to prove my identity to a company that can’t even do me the basic courtesy of engaging with me as a human?

Yours, Exiled.




01 Jul 2015

JURI Committee adopts disastrous Trade Secrets provisions

By Guest author

The proposed Trade Secrets Directive, previously reported in EDRi-gram, was adopted on 16 June by the European Parliament Committee on Legal Affairs (JURI). To put it briefly, this proposal would create a new pseudo-intellectual property right for businesses to protect information that is not covered by traditional intellectual property rights. Commercially sensitive information is now typically protected through non-disclosure agreements between business partners. Such agreements do not extend to third parties to which information may have been leaked. This directive would change that by providing remedies against such third parties.

The adopted Draft Resolution pays at best lip service to the serious concerns raised about the impact on freedom of expression, transparency and the free flow of information necessary in a democratic society. By classifying goods whose conception is based on unlawfully acquired trade secrets, the JURI Committee has created a de facto pseudo-patent without much in the way of mitigating measures of the patent system. Moreover, the JURI Committee has accepted as a principle that access to trade secrets is by definition unlawful. This is harmful because even the fact that fundamental rights can preclude the application of the Directive’s remedies against the use of trade secrets does not preclude its chilling effects. Chilling effects will have a negative impact on whistleblowers, journalists, IT-security researchers, free software developers and competition in general. This principle taints any leaked or reverse engineered information used by anyone other than the original trade secrets holder. Anything that the original trade secrets holder considers to be contrary to their interest (legitimate or not, the text does not differentiate on this), becomes actionable under this proposal. Faced with the expense and difficulty of proving that information leaked or reverse engineered serves an overriding public interest, many actors in the fields affected will just stay away from any information that might turn the ire of (large) businesses on them. Especially in the field of IT-security, this has the makings of a great tool to suppress the disclosure of weaknesses in the products of large vendors.

The Committee’s adoption of this Draft Resolution is in stark contrast to the new calls of the Parliamentary Assembly of the Council of Europe on more whistleblower protections. Thus, while the EP has made untouchable so-called “trade secrets”, regardless if those secrets are real efforts made by a company after investing, or if it is a cover up for human rights violations, the Council of Europe has taken a step forward in its Resolution by calling for new legally binding instruments for whistleblower protection. The step forward has been of such magnitude that Edward Snowden, who analysed the text and spoke at the PACE meeting, saw it as an “incredibly strong text”. At the time of writing, no vote in the Plenary of the European Parliament has been scheduled on this dossier yet.

EU trade secrets Directive: threat to free speech, health, environment and worker mobility (23.03.2015)

Improving the protection of whistle-blowers

(Contribution by Walter van Holst, EDRi member Vrijschrift, Netherlands)



30 Jun 2015

Blurry, ambiguous “net neutrality” deal is an abdication of responsibility

By Joe McNamee

Fifteen months after the European Parliament voted in favour of clear protection for net neutrality in Europe, a messy, ambiguous “deal” was reached around 2am on 30 June. In the coming days, negotiators will finalise explanatory notes (known as “recitals”) which may add some clarity. However, the apparently deliberate ambiguity of the text agreed so far does not create much hope.

If approved by the Member States in the Council and the European Parliament, we will have to wait for at least a full year before courts and regulators will start giving meaning to the agreement.

“What is the point of agreeing to adopt legislation that makes the legal situation less clear than it was before? Now we have text which could mean almost anything – we did not need more legal uncertainty,”

said Joe McNamee, Executive Director of European Digital Rights.

Key points of confusion:

  • Distinction between “specialised services” and the public internet. The “fast lane” services can only get this status if this is “necessary”. However, the current draft explanatory recital defines “necessary” so broadly that anything that is not a “general prioritisation” of traffic could, in principle, be covered. (Recital 11, Article 3.5)
  • The scope of the Regulation is defined in a way that does not fully cover the key issue of “specialised services”. (Article 1)
  • Not alone does the Regulation seek to define what a “legal obligation” for blocking/filtering might be (does this really need to be explained?), the definition is so badly drafted that it could cover activities that are not legal obligations – “measures giving effect to such Union or national legislation, in compliance with Union law, including [i.e. not limited to] with orders by courts or public authorities vested with relevant powers;” (Article 3.3.a). The current draft recital contains a 90-word sentence that has no obvious meaning.
  • Even though a draft recital explains that “specialised services” are only possible if they do not have a “negative impact of the provision of such services on the availability or quality of internet access services”, there is an obligation for Internet access providers to provide details of the “impact on the same end-user’s internet access services”. What is the agreement – that they can have an impact or they can’t? (Recital 11a and Article 4.3.c)

The “deal” was achieved after three months of “negotiations” between the EU Council (the Member States of the EU) and the European Parliament. At every stage, the Council simply refused to engage in a dialogue. Then, racing to meet the arbitrary deadline created by the end of the Latvian Presidency of the EU Council, this chaotic, sub-standard text was provisionally agreed.

Now that our political “leaders” have decided that they cannot make a decision, we must wait for unelected judges and regulators to do the hard work.

This is “just” a provisional agreement. First, the explanatory recitals need to be finalised. Then, the EU institutions need to decide if they are really prepared to create such legal uncertainty for European citizens and business. This will become clear in the coming weeks.

Please find our summary of recent developments here:


26 Jun 2015

Press release: Father of net neutrality warns EU’s proposals may “guarantee US dominance” online

By Heini Järvinen

Following high-level meetings with the European Commission this week, leading US Professor Tim Wu said he was “worried that the Internet in Europe will never recover if these proposals are adopted.” He added that, in relation to online services, the proposals may guarantee the dominance of US online services in Europe for years to come.

With regard to his meetings with the Commission, Professor Wu commented:

I don’t think the Commission should have a preference for a bad agreement rather than no agreement at all.

Joe McNamee, Executive Director of European Digital Rights said:

Professor Wu is a leading expert on the issue of net neutrality. It is crucial that European policy-makers take these warnings seriously.

The current situation in the European Union is critical. After the European Parliament adopted a strong first reading text in 2014, it is being subject to pressure from Member State governments represented in the Council and from the Commission. The Parliament has the democratic support not to concede to pressure and deliver net neutrality. You can help save the Internet through

Background information:

  • In 2013, Prof. Wu was named to National Law Journal’s “America’s 100 Most Influential Lawyers.”
  • In 2006 he was named one of Scientific American’s 50 people of the year.
  • In 2007, he was named one of Harvard University’s 100 most influential graduates by 02138 magazine.
  • From 2011 to 2012, Wu served as a Senior Advisor to the Federal Trade Commission.
  • Notably, Prof. Wu was the first person to coin the term “net neutrality”.

Photo by Sagmanbennettrobbins at English Wikipedia, CC BY-SA 3.0


25 Jun 2015

Democratic support for net neutrality is clear, as is Council’s stubbornness

By Maryant Fernández Pérez

All political groups in the European Parliament have made their support for net neutrality clear. Not alone did the European Parliament adopt a strong text in favour of non-discrimination on the Internet in 2014, but political groups representing the vast majority of the Parliament have made clear statements in favour of a neutral, innovative, democratic internet.

However, in three months of “negotiations” with 28 EU Member States represented in the Council of the European Union, the Council completely refused to show any openness to honest compromise. Even worse, in the last public Council meeting, nobody, either from the Commission or the Member States, was even prepared to say the words “net neutrality”.

Democratic support for net neutrality exists. It’s clear. Citizens want net neutrality, start-ups want net neutrality, civil society wants net neutrality, consumers groups want net neutrality, the youth wings of European political parties want net neutrality, online companies want net neutrality. And our representatives in the Council? The EU Council wants protectionist measures for a few ex-monopolies. Contact your MEPs to offer your support at and contact your national Telecommunications Ministry to find out why they are not representing you.



25 Jun 2015

General Data Protection Regulation: Document pool

By Diego Naranjo

In January 2012, the European Commission, following extensive consultations, published a draft Regulation. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU (proposing a single Regulation rather than a Directive that is implemented via 28 national laws) and maintaining existing levels of protection. These goals were to be underpinned by more efficient implementation measures.

After 3 years of discussion following the first proposal being made by the European Commission (and a first reading by the European Parliament that was finalised in 2014), the Council has decided to agree on a new text (a “general approach”) that will be the object of current trilogues.

The trilogue discussions between the three institutions officially started on 24 June 2015 with the first meeting in Brussels. In order to explain the process, we will be publishing information and analysis in this document pool. We will update this post as the negotiations advance.

If you would like to know more about specific parts of the Regulation, please go to EDRi’s detailed analysis on the original proposal made by the Commission at

Selected Documents (a more exhaustive collection of documents can be found on Carlo Piltz’ website):

The calendar of the negotiations is:

– 24.06.2015: Brussels (subject to agreement with Commission and Council)
1st Trilogue Meeting on the Regulation
Draft Agenda:
Commitment for the Directive in Council
Agreement on the overall roadmap for Trilogue negotiations
General method and approach for delegated and implementing acts

– 14.07.2015: Brussels (subject to agreement with Commission and Council)
2nd Trilogue Meeting on the Regulation
Draft Agenda:
Territorial scope (Article 3)
International transfers (Chapter V)

– Further Trilogue roadmap
(All subject to agreement with Commission and Council)

Data protection principles (Chapter II)
Data subject rights (Chapter III)
Controller and Processor (Chapter IV)

Data Protection Authorities (Chapter VI)
Cooperation and Consistency (Chapter VII)
Remedies, liability and sanctions (Chapter VIII)

Objectives and material scope, flexibility public sector (Chapter I)
Specific regimes (Chapter IX)

Delegated and Implementing Acts (Chapter X)
Final provisions (Chapter XI)
Other remaining issues


22 Jun 2015

Net neutrality in critical danger in Europe. The time to act is NOW!

By Maryant Fernández Pérez

Last week, the European Parliament finalised its second compromise proposal on net neutrality, and sent it to the Member States (represented in the Council of the European Union) and the European Commission. This will now allow the Council and Commission to put pressure on the Parliament to accept a final compromise this week.

The new proposal is another major concession from the Parliament. It contains only the absolute minimum elements for net neutrality, while proposing incoherent, meaningless text on blocking of allegedly illegal content, and dangerous suggestions on “parental controls” (filtering of legal content).

The new compromise represents another surrender from the European Parliament, which continues to offer concessions to the Council, which continues to offer absolutely nothing in return. Everything appears to be building to the “end game”, where telecoms providers will be allowed to launch a new abuse (the end of net neutrality) in return for the end of an old abuse (mobile roaming charges).

So, what is the “score” in the negotiations so far?

What has the Parliament given up?

  • All of the proposed measures on radio spectrum;
  • The definition of (or even a reference to!) ‘net neutrality’, replacing it with a non-defined “open internet”, as the Council had suggested. Adding adjectives like “open” suggests there is a “non-open” Internet, which makes little sense outside countries like Iran;
  • The definition of specialised services;
  • Virtually all of the proposed measures on user rights;
  • Its proposal for the removal of irrelevant elements (like spam – unsolicited e-mails – or parental controls), which renders the scope of the Regulation unclear;
  • Its proposal to remove unclear text on blocking.

Ultimately, the Parliament has given up all of this in return for virtually nothing apart from minor concessions on roaming. Worse still, the Parliament has no strategy for the next round of negotiations – is this just another step towards giving up completely or is this the final red line from the Parliament? We don’t know. We fear that they don’t know.

What has the Council given up?
Almost nothing, as all the Council’s proposals were virtually identical. Modifications made in the most recent texts moved even further away from the Parliament’s position and were, on certain points, even worse than the Council’s initial position of 4 March 2015.

What to do now?
Visit the campaign site. Through, anyone can contact her/his representative in the Industry committee of the European Parliament (ITRE) via phone, e-mail or social-media for free!

Technical meetings amongst the three institutions are scheduled for this week.
Contact your MEP: and remind him/her of the four steps towards ensuring net neutrality: