self-regulation

A measure which would be illegal if implemented by a government should also be illegal if implemented by industry as a “voluntary” measure, as a result of government pressure or for public relations or anti-competitive reasons. However, as key international legal instruments, such as the European Charter of Fundamental Rights and the European Convention on Human Rights, as well as national constitutions are binding for states and governments, they are not directly applicable to other entities, such as private companies. As a result, there is a major trend towards governments persuading or coercing companies to impose restrictions on fundamental freedoms under the guise of “self-regulation,” thereby circumventing legal protections.

27 Jul 2015

EU PNR document pool

By Diego Naranjo

The proposal for an EU PNR Directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data, procedure file 2011/0023(COD)) was adopted by the European Parliament’s Civil Liberties Committee on 15 July 2015. The narrow vote in favour (32 in favour, 26 against, no abstentions) happened despite the rejection of this same EU PNR proposal by the same Committee in 2013, despite the Court of Justice of the European Union (CJEU) ruling invalidating the Data Retention Directive last year and despite the referral to the CJEU of the EU-Canada PNR agreement.

EDRi has repeatedly reported, in line with the opinions presented by a range of independent experts of EU law, that this profiling measure presents serious risks for fundamental rights, that it is not necessary, that it is not proportionate to the aims that it seeks to achieve and that it is not even effective. The rapporteur of the proposal, Timothy Kirkhope (UK, ECR), brought the proposal back to the European Parliament (EP) despite the number of criticisms coming from MEPs, civil society organisations, the Article 29 Working Party, the EU Fundamental Rights Agency and the European Data Protection Supervisor.

The votes per political group were (according to data shared with MEPs by the LIBE Committee secretariat):

EPP: 18 in favour

In favour: Heinz K. Becker, Michal Boni, Anna-Maria Corazza Bildt, Rachida Dati, Frank Engel, Mariya Gabriel, Esteban González Pons, Kinga Gál, Monika Hohlmeier, Barbara Kudrycka, Jeroen Lenaers, Monica Macovei, Roberta Metsola, Artis Pabriks, Csaba Sógor, Traian Ungureanu, Axel Voss, Tomáš Zdechovský.

Socialists and Democrats: 2 in favour, 11 against

In favour: Claude Moraes, Marju Lauristin

Against: Tanja Fajon, Monica Flašíková Beňová, Anna Gomes, Sylvie Guillaume, Iliana Iotova, Sylvia-Yvonne Kaufmann, Kashetu Kyenge, Norbert Neuser, Péter Niedermüller, Soraya Post, Birgit Sippel

ECR: 6 in favour

In favour: Daniel Dalton, Jussi Halla-aho, Timothy Kirkhope, Helga Stevens, Michał Ujazdowski Kazimierz, Branislav Škripek

ALDE: 4 in favour, one against

In favour: Louis Michel, Cecilia Wikström, Nathalie Griesbeck, Filiz Hyusmenova

Against: Sophia In’t Veld

EFDD: One in favour, three against

In favour: Cristina Winberg

Against: Gerard Batten, Ignazio Corrao, Laura Ferrara

GUE/NGL: 4 against

Against: Malin Björk, Cornelia Ernst, Barbara Spinelli, Marie-Christine Vergiat

Greens/EFA: 4 against

Against: Jan-Philipp Albrecht, Eva Joly, Judith Sargentini, Valero Bodil

ENF: 2 against

Against: Lorenzo Fontana, Vicky Maeijer

Non-aligned: 1 in favour, 1 against

In favour: Juan Fernando López Aguilar

Against: Udo Voigt

When the LIBE Committee of the EP adopted the proposal, it also approved the initiation of trialogue discussions with the Council, which will start next September. The EP negotiating team is composed as follows: Mr Moraes (S&D), LIBE Chair; Mr Kirkhope (ECR), rapporteur, and the shadow rapporteurs Mr Voss (EPP), Ms Sippel (S&D), Ms In’t Veld (ALDE), Ms Ernst (GUE/NGL), Mr Albrecht (Greens/EFA), Ms Winberg (EFDD) plus an ENF Member to be confirmed.

In this document pool we will add the documents that will be used during the trialogues:

– European Commission proposal (02.02.2011)

– Council document: Background information for the trialogues (20.07.2015)

– Council document: 5 column table with the proposal for the trialogues (20.07.2015) (pdf).

22 Jul 2015

EU Commission – finally – confirms that its promise on data protection will be respected

By Joe McNamee

Last April, EDRi, supported by sixty-five other NGOs from the European Union, North, Central and South America, Africa, Asia and Australia, sent a letter (PDF) to the European Commission. The letter asked if the Commission would respect the “absolute red line” that the protection levels in the 1995 Data Protection Directive would be maintained.

This commitment is now critically important, as the EU institutions are currently involved in “trialogue discussions” (infographic), which are expected to finalise the data protection reform process started five years ago with a Commission Communication. A clear position from the leadership of the Commission on the protection of existing standards is crucial to ensure that some of the more extremist policies (PDF) proposed by some Member States can be definitively taken off the table, for the benefit of the coherence, trust and credibility that all stakeholders need from the final Regulation and Directive.

Today, we received a positive answer (PDF) from the European Commission, confirming that it will honour the commitment to respect the levels of protection set in Directive 95/46/EC:

“The Commission has been and will continue to be true to this commitment.”

Ahead of the next trialogue meetings starting again in September, this commitment sets important boundaries on what is, and what is not, acceptable as this process moves forwards.

All actors involved in these negotiations need to avoid being distracted by siren calls from a small number of private actors who, as they historically always do, mistake good regulation for constraints on business. As Paul Nemitz, Director for Fundamental rights and Union citizenship in the Directorate-General for Justice of the European Commission, explained to the Wall Street Journal: “The path toward trust through high levels of protection is good for the economy, good for growth and employment.”

15 Jul 2015

Remembering Caspar Bowden

By Guest author

We are sad to report the death of EDRi member FIPR’s first Director, Caspar Bowden. Caspar was one of the people who met in 1998 to set up the Foundation for Information Policy Research (FIPR), in response to the introduction of what later became the Regulation of Investigatory Powers Act. Caspar was FIPR’s Director from 1998-2002, when his main achievement was leading a lobbying campaign against the Bill as it went through Parliament. He secured the “Big Browser” amendment which defined traffic data as the information required to identify the machine participating in a communication; the government had actually wanted it to mean the whole URL that you visit, but Caspar argued forcefully that that would entitle the police to get your search history with a production order rather than requiring a warrant. His early clarification of the boundary between “communications data” and “content” has had a substantial impact on privacy since.

Caspar helped secure a large donation (of GBP100k from Microsoft) which got FIPR’s initial fundraising campaign off to a running start; he also attracted many prominent technology people to FIPR’s advisory council. Caspar was also involved in the discussions that led to the foundation of EDRi.

Caspar moved to Microsoft in 2002 and worked for them for nine years as their Chief Privacy Adviser for Europe, the Middle East and Africa. What that actually entailed he described in a talk at the 31st Chaos Communication Congress (31C3) that is linked at the bottom of this article; he was responsible for briefing and coordinating some of the activities of about forty executives, each of whom managed the company’s relationships with some particular country. He pointed out to them that the United States Foreign Intelligence Surveillance Court’s (FISA Court’s) powers meant that governments entrusting their data to US clouds were giving unfettered access to the US intelligence services. He was subsequently fired.

For the last four years of his life he was a strong critic of US surveillance and the failure of European institutions to do anything effective about it. He was a gifted communicator who could explain complex technical issues around wiretaps, surveillance and cryptography to policy and lay audiences.

The Snowden revelations completely vindicated him. He worked tirelessly to explain their policy significance, providing a rapid and learned response to the disclosures in a major report for the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (LIBE), “The US surveillance programmes and their impact on EU citizens’ fundamental rights”. He was on the board of the Tor project as well as on the FIPR advisory council, and helped to promote Qubes, a security-focused desktop operating system.

He told friends and colleagues some months before his death that he had been diagnosed with cancer. He is survived by his wife Sandi.

31C3: Caspar Bowden: The Cloud Conspiracy 2008-2014
https://youtu.be/d7TyBK-gMgk

EU Parliament Report: Impact of NSA Surveillance Programs on EU Citizen’s Fundamental Rights
https://publicintelligence.net/eu-nsa-surveillance/

Pro-privacy titan Caspar Bowden dies after short cancer battle (09.7.2015)
http://www.theregister.co.uk/2015/07/09/caspar_bowden_dies_cancer_battle/

Obituary: Caspar Bowden, privacy campaigner (09.07.2015)
http://www.computing.co.uk/ctg/feature/2417143/obituary-caspar-bowden-privacy-campaigner

Data Protection Activist Caspar Bowden died (09.07.2015)
https://netzpolitik.org/2015/datenschutz-aktivist-caspar-bowden-ist-gestorben/

Caspar Bowden obituary (13.07.2015)
http://www.theguardian.com/world/2015/jul/13/caspar-bowden

(Contribution by Ross Anderson, EDRi member FIPR, United Kingdom)

15 Jul 2015

Remembering Özgür Uçkan

By Guest author

Özgür Uçkan, one of the pioneers of the digital rights and free Internet movement in Turkey, passed away on 10 July. He was 54 years old, and had been battling with cancer for two years.

He was one of the founders of the Turkish EDRi member Alternative Informatics Association (AIA) and his contribution to the AIA and to the struggle against surveillance and censorship in Turkey was enormous. He held the post of EDRi representative of AIA, but had to leave this post due to his illness.

Özgür was a multi-faceted person and successfully combined activism with his academic life and art criticism. He was a well-known personality in Turkey who frequently appeared in conferences and media.

He will be dearly missed.

Özgür Uçkan
http://www.ozguruckan.com/

Dr. Özgür Uçkan passed away (only in Turkish)
http://www.ozguruckan.com/kategori/kategorilenmemis/63029/dr.-ozgur-uckan-i-kaybettik

(Contribution by Melih Kirlidog, EDRi member Alternatif Bilisim, Turkey)

15 Jul 2015

Dutch Minister reveals plans for dragnet surveillance

By Guest author

Ronald Plasterk, the Dutch Minister of the Interior, wants to make sure that the Dutch secret services have the powers to spy on the behaviour of all citizens and gain insight into all of their communications: phone calls, emails, chat messages and website visits. This much is clear after he published an update of the 2002 secret services bill and put it into online consultation on 2 July.

Dutch digital rights organisation and EDRi member Bits of Freedom will scrutinise the bill and provide input for the consultation. Three things immediately jump out as very worrying on a first inspection:

The secret services will gain the power to use a dragnet form of surveillance. The Minister has given assurances that the dragnet will only be used for specific purposes, but has not provided adequate safeguards limiting the mass surveillance of unsuspected citizens. There is no guarantee that these powers will only be used to target a specific group of people instead of a much broader and ill-defined group, like all persons in the Netherlands who are in contact with, for example, Syria. What if the services want to do the same for Morocco, France, or the United States? And do this all at the same time?

If there is a suspicion that someone wants to do harm, then it’s already possible to put them under surveillance, if necessary and proportionate. The Dutch services currently have the option to wiretap all communications of their targets. Using this dragnet to identify or monitor possible threats to Dutch national security will inevitably ensnare many innocent people, breaching their rights in the process. There hasn’t been any discussion in the Netherlands about the necessity of these powers.

A second issue in the proposed bill is access to this bulk data by foreign services. Data which has been intercepted in bulk by the Dutch secret services can be shared in bulk with foreign services, even before the data has been evaluated. Anybody can be put under surveillance as soon as the Dutch secret service learns that they have previously been under surveillance by a foreign service, regardless of whether this person would be considered dangerous under Dutch law.

A final issue is the expansion of the hacking powers of the secret services. Since 2002, they have been allowed to hack into devices of a subject (which could also mean the servers of a forum). In this proposal, this power will be expanded to include subjects that are in some way, even if only technically, connected to the actual subject, in order to get to the actual subject. This could mean that an unsuspecting user of a server might be hacked to gain access to another user of that same server.

The proposed bill obviously also affects non-Dutch citizens and does not provide any answers to the global problem of state surveillance. Rather, it could be seen as an attempt to bring the Netherlands into the surveillance game. Instead of making an effort to end mass surveillance, this bill only increases the number of mass surveilling states.

The online consultation will be open till 1 September 2015.

The online consultation for the law (only in Dutch)
https://www.internetconsultatie.nl/wiv/reageren/

Dutch intel bill proposes non-specific (“bulk”) interception powers for “any form of telecom or data transfer”, incl. domestic, plus required cooperation from “providers of communication services” (02.07.2015)
https://blog.cyberwar.nl/2015/07/dutch-intelligence-bill-proposes-non-specific-bulk-interception-powers-for-any-form-of-telecom-or-data-transfer-incl-domestic/

(Contribution by Ton Siedsma, EDRi member Bits of Freedom, Netherlands)

15 Jul 2015

ICANN considers banning privacy services

By Guest author

The Internet Corporation for Assigned Names and Numbers (ICANN) is proposing a new Internet policy which comes at the expense of human rights, especially privacy and freedom of speech. The proposed rules are addressed to companies that provide WHOIS privacy/proxy services (which restrict access to domain registrant information) and limit their availability to individuals only, denying this service to organisations.

Why is this a problem?

When you register a domain on the Internet, you are asked for a set of information which will appear in the WHOIS database – a public registry with all the domain names.

Under the terms of the ICANN proposal, domain name registrants who register commercial sites will not be able to make the registration via companies that offer the service of de-listing personal information from the WHOIS registry. This policy would be unfair and discriminatory for vulnerable groups, organisations and entrepreneurs who wish to exercise their right to freedom of expression on the Internet. Is it even in ICANN’s remit to decide what is a commercial activity and what is not? And what is a commercial site? Is it a non-governmental organisation (NGO) selling personalised merchandise via a commercial site? What about a humanitarian website asking for donations? Or a blog that sells advertisement space?

It is important to understand that there are actors such as political groups, religious organisations, ethnic groups, gender orientation groups, and others engaged in freedom of expression activities who have a clear need for protection.

EDRi member ApTI has prepared a comment for ICANN’s public consultation expressing firm disapproval regarding the proposal. Below are some of the reasons why greater confidentiality and privacy are needed in the WHOIS directory:

1. ICANN’s anti-privacy domain registration = the new Stop Online Piracy Act (SOPA)

The copyright industry’s pressure on ICANN to take action against domains being used for infringing purposes is well known. However, the domain name industry should not be asked to play any part in policing the Internet by being forced to suspend Internet domain names based on accusations of copyright or trademark infringement by a website. The effort to restrict the privacy of domain name registrants is part of this wider lobbying effort to push ICANN into an enforcement role.

2. Privacy and anonymity are fundamental for the open use of the Internet

The argument that criminals use proxy and privacy registrations to hide their identities has been intensively used in the WHOIS privacy debate. However, illegal uses represent a small minority of cases and privacy registrations do not contribute to widespread criminal behaviour. The vast majority of domain owners are not criminals, so why put everyone at risk just to catch a few perpetrators? This measure is disproportionate and unjustified and it resembles the deeply flawed reasoning behind adopting mass surveillance decisions.

3. The proposal violates the Internet’s core values

The proposal closes up the free and open use of the Internet. Certain categories of people will be left with no guarantees that their message will be delivered without abuse and repercussions. Website owners with less popular content or presenting dissident views will fear becoming easy targets. With their sensitive data displayed in the public registry, more and more people will refrain from making their voice heard online. Self-censorship is not going to contribute to a free and open Internet.

Several privacy campaigns opposing ICANN’s proposal, such as savedomainprivacy.org and respectourprivacy.com, were launched, and a total of 11510 comments were sent to the public consultation. The comments are publicly available and a report based on the inputs received is expected on 21 July 2015.

ApTI’s full comment for ICANN’s public consultation (07.07.2015)
http://www.apti.ro/sites/default/files/WHOISprivacy-ICANNpubliccomment7JULY2015_0.pdf

ICANN: Initial Report on the Privacy & Proxy Services Accreditation Issues Policy Development Process (05.05.2015)
https://gnso.icann.org/en/issues/raa/ppsai-initial-05may15-en.pdf

Save domain privacy
https://www.savedomainprivacy.org/with-without-privacy/

Changes to domain name rules place user privacy in jeopardy (23.06.2015)
https://www.eff.org/deeplinks/2015/06/changes-domain-name-rules-place-user-privacy-jeopardy

MPAA & RIAA demand DNS action against “pirate” domains (14.05.2015)
https://torrentfreak.com/mpaa-riaa-demand-dns-action-against-pirate-domains-150514/

GNSO privacy & proxy services accreditation issues working group initial report (05.05.2015)
https://www.icann.org/public-comments/ppsai-initial-2015-05-05-en

Comments to the public consultation
https://forum.icann.org/lists/comments-ppsai-initial-05may15/threads.html

(Contribution by Valentina Pavel, EDRi member ApTI, Romania)

15 Jul 2015

Surveillance technology company Hacking Team hacked

By Heini Järvinen

On 5 July, Italian surveillance technology company Hacking Team was hacked. 400GB of data from its servers was shared on BitTorrent, and Hacking Team employees’ emails, invoices and other documents were posted publicly via the company’s own Twitter feed (that was renamed “Hacked Team” for the occasion). The authenticity of the documents has not been independently verified, but based on the scale of the breach and the data that the files contain, few experts are questioning the legitimacy of the documents.

Hacking Team is best known for its surveillance software Remote Control System (RCS, also known as Galileo, DaVinci and Ornella), which can be installed on a computer or a mobile phone without the user’s knowledge and is used to monitor phone or Skype calls, text messages and emails.

Even though Hacking Team has repeatedly denied that its technology is being sold to repressive regimes, and has declared that they are not doing business with governments that are blacklisted by the EU, the US, NATO and other similar international organisations, invoices and contracts included in the hacked documents suggest that it has been selling its spyware to government agencies in countries such as Bahrain, Uzbekistan, Sudan, Azerbaijan, Saudi Arabia, Morocco, the United Arab Emirates, and Ethiopia. However, the company has also been in negotiations with Western countries like Germany and Poland. Last week, the head of the Cyprus Intelligence Service resigned following revelations that the island’s secret service had purchased Hacking Team’s software. The company has previously been accused of assisting repressive regimes in spying on their own citizens and of targeting human rights activists – for example, a 2013 report by Reporters Without Borders named Hacking Team as one of the “Corporate Enemies of the Internet”.

The company also claims that it is providing tools to “government agencies that can prevent crimes or terrorism”. The hacked data suggest, however, that the software may have been provided to non-state actors as well.

Spy Tech Company “Hacking Team” Gets Hacked (05.07.2015)
http://motherboard.vice.com/read/spy-tech-company-hacking-team-gets-hacked

For Arab Human Rights Defenders, Hacking Team Files Confirm Suspicions of State Surveillance
https://advocacy.globalvoicesonline.org/2015/07/08/for-arab-human-rights-defenders-hacking-team-files-confirm-suspicions-of-state-surveillance/

Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim (06.07.2015)
http://www.theguardian.com/technology/2015/jul/06/hacking-team-hacked-firm-sold-spying-tools-to-repressive-regimes-documents-claim

Intelligence Service chief steps down (11.07.2015)
http://in-cyprus.com/intelligence-service-chief-steps-down/

In Light of Hacking Team Leaks, EFF and Latin American Civil Society Groups Call for Greater Oversight of Surveillance Technology (07.07.2015)
https://www.eff.org/deeplinks/2015/07/eff-join-latin-american-civil-society-calls-greater-oversight-surveillance

A detailed look at Hacking Team’s emails about its repressive clients (07.07.2015)
https://firstlook.org/theintercept/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/

15 Jul 2015

Press release: European Parliament pushes for more surveillance and profiling of EU citizens

By Heini Järvinen

European Digital Rights (EDRi) statement on the adoption by the Civil Liberties Committee (LIBE) of the EU PNR proposal:

Today, the European Parliament’s Civil Liberties (LIBE) Committee adopted a proposal for the long-term storage of data on passengers on all flights entering and leaving the EU. The data will be used for profiling of innocent individuals as possible serious criminals. Two years after the rejection of the first proposal, the LIBE Committee has now abandoned its position on the establishment of an EU Passenger Name Record (PNR) system.

“Sadly, the Civil Liberties Committee appears unable to resist the temptation to reject its own considered views. It rejected illegal telecoms data retention, it then approved illegal telecoms data retention, it rejected PNR data profiling, it then adopted PNR data profiling. It approved bilateral deals to store PNR data for 15 years and for five and a half years and now a Directive with a storage period of five years. Meanwhile the European Court ruled that storage of personal data for arbitrary periods is illegal, but respect for the law appears not to be a concern when adopting law enforcement measures,”

said Joe McNamee, Executive Director of European Digital Rights.

After the terrorist attacks in France and Denmark and months of pressure from national governments for increased access to personal data, the legislation was brought back to be voted on again. Since the Committee rejected the draft Directive in 2013, the European Commission has distributed 50 million euro for the establishment of several national PNR systems. In doing this, the Commission ignored the concerns previously raised by the LIBE Committee as well as those of data protection and human rights expert bodies. More importantly, the development of national PNR programmes helped to generate a harmonisation problem that the Commission now claims needs to be solved.

The proposal that was passed today by the LIBE Committee of the European Parliament foresees the blanket retention of the data of all passengers flying in and out of the EU, storing the data for the entirely arbitrary period of five years. To date, and despite countless requests, the Commission has not been able to show that an EU PNR scheme (nor, indeed, any of the chaotic mishmash of bilateral PNR agreements currently in place) would meet the standards of proportionality and necessity established by the Charter of Fundamental Rights. In the aftermath of the EU Court of Justice (CJEU) ruling invalidating the Data Retention Directive, it is hard to imagine how the proposed arbitrary period of maximum five-year retention for every citizen’s travel data could be considered necessary and proportionate.

Read more:

EU PNR: Unproven, ineffective strategies are not security (14.07.2015)
https://edri.org/eu-pnr-unproven-ineffective-strategies-are-not-security/

EU Parliament to vote on indiscriminate collection and storage of travel data on 15 July (13.07.2015)
https://edri.org/eu-parliament_to_vote_on_pnr/

“We still need to watch you, really”: PNR back in the Parliament (02.04.2015)
https://edri.org/pnr-back-in-the-ep/

15 Jul 2015

Press release: EDRi asks for more clarity on net neutrality

By Heini Järvinen

This morning, the Committee on Industry, Research and Energy of the European Parliament (ITRE) formally accepted the text of the informal trialogue negotiations on the “Telecommunications Single Market” Regulation, which covers net neutrality and roaming.

The text represents a significant improvement on the incoherent, contradictory and destructive approach promoted by the EU Council and European Commission. However, the provisional agreement still needs further crucial improvements, as key parts of the text, such as on “traffic management” and “specialised services”, are extremely unclear.

The biggest problem of the current text is that “price discrimination” – where Internet users pay for a certain volume of download capacity, but get unlimited access to some websites but not all the internet, resulting in unequal rights to send and receive information – is not explicitly addressed. Furthermore, the right of individual Member States to ban such abuses of net neutrality is not definitively protected.

“The European institutions should not leave it to national telecoms regulators and courts to make the law. While we welcome the Parliament’s final efforts, the Parliament should use its second reading to resolve outstanding issues to ensure clear net neutrality protections,”

said Joe McNamee, Executive Director of European Digital Rights.

The European Parliament adopted a clear first reading text on net neutrality, with effective definitions of “net neutrality” and “specialised services”. Following negotiations with the EU Council, we are left with a text that is sometimes potentially workable, sometimes unclear and sometimes contradictory. If this text is adopted, we face at least a year of uncertainty as we wait for regulators and courts to decide what the text might mean.

Please find the analysis of the text here:
https://edri.org/files/NN_analysis_20150715.pdf

14 Jul 2015

EU PNR: Unproven, ineffective strategies are not security

By Diego Naranjo

“When people are scared, they need something done that will make them feel safe, even if it doesn’t truly make them safer. Politicians naturally want to do something in response to crisis, even if that something doesn’t make any sense.”

Bruce Schneier, Security expert

The proposal for an EU PNR Directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data 2011/0023(COD)) will be put to a vote on Wednesday 15 July, in the Civil Liberties Committee (LIBE) of the European Parliament. Timothy Kirkhope, the Rapporteur (Member of the Parliament in charge of the proposal), has pushed during the last weeks to have this proposal voted on as soon as possible, despite the opposition from civil society groups, from experts including the European Data Protection Supervisor (EDPS) and the Fundamental Rights Agency, and the scepticism shown by many Parliamentarians and political groups in Brussels.

As we presented in our infographic, the (il)logical steps behind the EU PNR proposal are the same ones that are increasingly used in the “fight against terrorism”. After tragic terrorist attacks happen, politicians feel obliged to do “something” to show that “something” is being done – even if that something is useless, even if it generates new risks, even if it is counterproductive.

PNR is a profiling measure. It intends to guess, using algorithms, who is likely to pose a terrorist threat according to the patterns created by mixing different types of passenger data (nationality, flight routes, payment method used…) obtained by the airlines when a person books a flight. As Emeritus Professor of International Law Douwe Korff has noted in his recent Report on PNR presented at the Council of Europe, profiling “poses a serious threat of a Kafkaesque world in which powerful agencies (like the DHS and the NSA – or in the near future European agencies?) take decisions that significantly affect individuals, without those decision-makers being able or willing to explain the underlying reasoning for those decisions, and in which those subjects are denied any effective individual or collective remedies. That is how serious the issue of profiling is: it poses a fundamental threat to the most basic principles of the Rule of Law and the relationship between the powerful and the people in a democratic society.” These issues were highlighted by the New York Times on 9 July in an article entitled “When algorithms discriminate”.

Creating lists of people with alleged similar characteristics seems in theory useful for law enforcement purposes, but in fact it usually produces mismatches which end up with serious consequences for those who are wrongly profiled. Korff provided examples of this, such as the case of Maher Arar: “The case of Mr Arar was in fact one of the most scandalous instances of an innocent person being classified as a terrorist on a US watchlist. Amnesty International summarises the case as follows: Maher Arar, a Canadian citizen, was travelling home to Canada from visiting relatives in Tunisia in 2002. While changing planes at New York City’s JFK airport, he was detained by U.S. authorities and then transferred secretly to Syria, where he was held for a year and tortured.” Other serious cases (although not as extreme as that of Mr Arar) have been raised in other parts of the world.

The EU PNR proposal adds nothing more than the insecurity of another set of unnecessary databases, the risk of an unaccountable algorithm putting innocent people at risk of suspicion, of delays, of denied boarding or arrest and indiscriminate mass surveillance. If the European Parliament goes down the same road as it did for the Data Retention Directive, it is likely to find the same result – a failed, ineffective placebo for security fears. The European Parliament should be a strong institution that produces durable, evidence-based coherent policies for the benefit of EU citizens, and not a reactionary body that over-reacts, adopting rules based on false assumptions.

Additional reading:

Bruce Schneier: Is aviation security mostly for show? – (29.12.2009)
http://edition.cnn.com/2009/OPINION/12/29/schneier.air.travel.security.theater/index.html

Douwe Korff and Marie Georges: Passenger Name Records, data mining & data protection: the need for strong safeguards (15.06.2015)
https://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD%282015%2911_PNR%20draft%20report%20Douwe%20Korff%20&%20Marie%20Georges_15%2006%202015.pdf

Statewatch: Protests in the EU: “Troublemakers” and “travelling violent offenders [undefined]” to be recorded on database and targeted (16.04.2010)
http://www.statewatch.org/analyses/no-93-troublemakers-apr-10.pdf

Statewatch: Schengen Information System Article 99 report: 33,541 people registered in SIS for surveillance and checks
http://www.statewatch.org/news/2008/feb/08SISart99.htm

Council of the European Union, 8570/10: Draft Council Conclusions on the use of a standardised, multidimensional semi-structured instrument for collecting data and information on the processes of radicalisation in the EU (16.04.2010)
http://www.statewatch.org/news/2010/apr/eu-council-info-gathering-uardicalisation-8570-10.pdf
