EDRI-gram - Number 2.3, 11 February 2004

EU Commission heads for global travel surveillance system

The UK civil liberties group Privacy International, in co-operation with European Digital Rights, the Foundation for Information Policy Research and Statewatch, has published an analysis of the EU-US negotiations on the transfer of passenger information (PNR). The report, titled 'Transferring Privacy', describes how the European Commission leaves European privacy rights at the mercy of the U.S. Department of Homeland Security.

According to the report the European Commission has 'not assured adequate protection requirements, clear purpose limitation, non-excessive data collection, limited data retention time, and insurance against further transfers beyond the Department of Homeland Security'. The report also points to the insufficiently independent privacy officers on the US side that will process complaints from EU passengers and a retention period of 3.5 years.

Privacy International is concerned that other countries under pressure from the U.S. to weaken their privacy regimes will have lost an ally in Europe, and will be forced to transfer data under similar, if not worse, conditions. "The result will be a race to the bottom for global privacy protection."

In an included commentary the American Civil Liberties Union worries about the developments in Europe: "When it comes to privacy protections, we want to join Europe, not have them join us."

The report describes in detail how the Commission under the leadership of Bolkestein has agreed in secret that the US may use the PNR data in the Computer Assisted Passenger Pre-Screening System (CAPPS-II). This system will profile all passengers using various sources of information including private sector databases and intelligence information.

The report shows that the conflict over PNR transfer has supporters and opponents on both sides of the Atlantic: "we are not witnessing a battle between Europeans and Americans, but a battle between those in Europe and America who would like to construct an infrastructure for the global tracking and surveillance of individuals' movements, and those in Europe and America who believe that such a course is dangerous to freedom and an unpromising means of stopping terrorists."

The European Data Protection Authorities have published an opinion on the latest agreements between the EU and the US. The so-called Article 29 Data Protection Working Party calls the agreement inadequate. Any future and final agreement should at least limit the use of PNR to fighting acts of terrorism, the retention period should be shorter and passengers' data should not be used for implementing and/or testing CAPPS II or similar systems. The Working Party also calls for a 'truly independent redress mechanism' instead of the current Privacy Officer at the Department of Homeland Security.

Transferring Privacy: The Transfer of Passenger Records and the Abdication of Privacy Protection (02.2004)
http://www.privacyinternational.org/issues/terrorism/rpt/transferringp...

Article 29 Data Protection Working Party: Opinion 2/2004 (29.01.2004)
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp8...

Commission Staff Working Paper on PNR (21.01.2004)
http://www.statewatch.org/news/2004/feb/comm-capps-5589.en04.pdf

Draft undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (12.01.2004)
http://www.statewatch.org/news/2004/jan/EUUSAG2.pdf

Documents and analysis: Statewatch observatory on the exchange of data on passengers (PNR) with USA
http://www.statewatch.org/pnrobservatory.htm

News and analysis on PNR and CAPPS-II from the US: Edward Hasbrouck's blog
http://hasbrouck.org/blog/archives/cat_privacy_and_travel.html

Results OECD workshop on spam

During the OECD workshop on spam, held in Brussels on 2 and 3 February, the consumer unions of Europe and the USA (united in the Trans Atlantic Consumer Dialogue) presented the results of a survey amongst 21.102 consumers on both sides of the Atlantic Ocean. 96 percent of the people said that either they hated spam or that it annoyed them. 82% of the respondents said that governments should only allow commercial e-mails to be sent if the recipient has agreed in advance to receive them (opt-in).

In spite of this apparent massive wish for opt-in, representatives from the US Federal Trade Commission defended the new opt-out legislation in the United States. This invoked polite criticism from Commissioner Liikanen and less politely worded responses from representatives from ISPs and consumer associations.

The different approach taken on either side of the Atlantic "doesn't help" in developing an international approach to combat spam, said Erkki Liikanen, the European Commissioner for the information society. According to another spokesperson from the Commission, 80% of all the countries united in the OECD already have an opt-in regime or are busy implementing it, making the US the big exception.

George Mills from Eurocauce calculated that with approximately 23 million companies in the United States, even if only 1% of these companies spammed, he would have a full-time job sending opt-out requests, even with his high average speed of 2 opt-outs per minute.

According to statistics presented by the CEO of the company Brightmail, 60% of all e-mail in the world is spam. This level will peak later this year at 65%. Brightmail uses millions of decoy addresses to detect and analyse spam. According to these inboxes, 90% of all spam mails contain some kind of fraudulent or deceptive sender or routing information.

These statistics supported the claim from the FTC that, independent of the opt-in / opt-out debate, the CAN-SPAM Act is effective. Hugh Stevenson from the FTC explained they had already dealt with 55 cases, mostly scams. 'Follow the money' was the best advice he could give to his audience, even if it takes an average of 10 to 15 subpoenas to trace an average spammer through different providers and network parties. The new criminal sanctions on spoofing, false headers and misleading routing information enabled the FTC to deal with spam cases that were otherwise difficult to prosecute.

More than 100 experts from Europe, the US, Australia, Korea and Japan attended the workshop, which mostly focussed on statistics and practical solutions for cross-border enforcement. One of the more hilarious verbal battles took place between Charles Prescott from the Direct Marketing Association and Marc Rotenberg from the USA-based civil liberty group EPIC. They presented completely different conclusions about research on spam in the Pew Internet Project.

Though both agreed that 70% of the interviewed users in the USA said that spam made being online unpleasant or annoying, Prescott concluded that people that complain about spam complain about everything. According to him, all these people also complain about the noise of lawn blowers. Most attendees of the workshop fell completely silent after this insult, but burst out in cheerful laughter when Marc Rotenberg compared spammers to factories that pollute the environment, with governments advising citizens to carefully wash their hands, and if necessary, wear gas masks inside.

The workshop did not produce any clear conclusions, other than a confirmation of the recommendations of the European Commission to combat spam in many different ways; both with legal and technical means, as well as socially and commercially, in educating all internet users about the need to secure networks.

TACD survey on spam (02.02.2004)
http://www.tacd.org/docs/?id=225

Annotated program of the workshop (with links to presentations by speakers)
http://www.oecd.org/document/47/0,2340,en_2649_37441_26514927_1_1_1_37...

Pew Internet report on spam (22.10.2003)
http://www.pewinternet.org/reports/toc.asp?Report=102

Big Brother Awards presented in Paris

On 4 February 2004 the French Big Brother Awards were presented in a movie theatre in Paris. In the category 'Government' a double award was given to the Ministers of Justice and Internal Affairs, Dominique Perben and Nicolas Sarkozy, for their joint efforts in changing the law on organised crime. The new adaptation (Perben II) introduces a form of plea-bargaining to the French legal system. The law also stretches the interception and remote monitoring powers of law enforcement agencies, allowing them to secretly place microphones and cameras in cars and private homes. According to the jury, the new powers are not limited to the investigation of networks of organised crime, but can also be used on small delinquents and groups like 'young people in cities', 'immigrants' and 'travellers'. The law thus seriously erodes civil liberties and fundamental human rights.

In the private sector the negative award was presented to the French Federation of Insurance Companies (FFSA), for their long-time lobby to broaden the access to medical records, stop anonymising such data and stimulate a close 'partnership' between patients and insurance companies.

Two catholic schools in the city of Angers were given a Big Brother Award for their use of biometrics to control children. They installed fingerprint readers in the school canteens in order to be able to charge every parent for every meal, thus excluding children on financial grounds.

A 4th Big Brother Award was given to the technology of RFID-tags, mini spy-chips that can be hidden in all kinds of consumer products. The company 'Societe Inside Contactless', based in Aix en Provence, was named for selling special long-range RFIDs to China, officially to counter fraud in public transport, but ultimately ending up inside student cards. Related to similar objectionable trade with China was the Lifetime Menace Award presented to the French conglomerate Thales (previously Thomson CSF). In 2002 they were already nominated for a contract with the Chinese government to deliver smart cards for the next generation IDs in China.

Thales now earned the special grand menace award for specialising in internet surveillance schemes, smart video systems, biometric devices, and for its last 'SHIELD' concept - a homeland security 'package', unveiled at the last MILIPOL trade show in Paris. Furthermore, Thales was very proud of having been elected to implement the cyber police network of the Brazilian city of Porto Alegre, where anti-liberal contestants met last year, in January 2003.

According to the French privacy-watchers, of all European institutions, the Council of Justice and Home Affairs was the most damaging to privacy-rights. A European Orwell will be presented soon to the present President of the Council, the Irish Minister for Justice, Equality and Law Reform, Michael McDowell.

Overview of nominees and winners (in French)
http://nomines.bigbrotherawards.eu.org/index.php?gng=1

Overview of all international big brother awards
http://www.bigbrotherawards.org/

IFPI sues Belgian ISP over Usenet

The IFPI, the international representative of the recording industry, has instigated legal proceedings against the Belgian ISP Telenet for the unauthorised distribution of music via Usenet (newsgroups). Telenet refuses to block access to certain newsgroups in its news service 'Bommanews'. The ISP argues that providing Usenet services is a 'mere conduit' activity, and under the E-Commerce Directive (2002/58/EC) a provider cannot be held liable for just passing bits. The ISP states: "Telenet does not control the content of data that are being transported over the network by its customers. Telenet acknowledges the right to privacy and the freedom of speech of its customers."

It is the first time that the recording industry has attacked an internet provider for offering Usenet services, testing the strict non-liability guarantees in the E-Commerce Directive. In a press release about the case, the Belgian ISPA supports Telenet. "As ISPs we don’t initiate the transmission, we don’t select the recipients, and we also don’t select or modify the newsgroup content which is being transmitted." But the ISPA also suggests that it is possible to reach an agreement outside the court. It proposes to set up a joint meeting with IFPI and the FCCU (and/or representatives of the Ministry of Justice). "The outcome of this debate could be a Protocol that describes how the IFPI, FCCU/ the Ministry of Justice and ISPA will handle future manifestations of illegal content in newsgroups."

Press release Telenet (Dutch) and ISPA (English) (09.01.2004)

http://www.telenet.be/overtelenet/persberichten/telenet_wil_klare_taal...

European Court underlines public access rights

The European Court of Justice in a recent judgement has underlined the rights to freedom of information. If a governmental document cannot be disclosed in full for reasons of public security or institutional confidentiality, it should at least be made available in part.

To promote freedom of information and grant 'the widest possible access' to relevant governmental documents, the European Council and Commission adopted a Code of Conduct in December 1993, later both translating that Code into (legally binding) Decisions. According to those Decisions, access can only be refused if disclosure could undermine "the protection of the public interest (public security, international relations, monetary stability, court proceedings, inspections and investigations) or to protect the institution's interest in the confidentiality of its proceedings."

In a case that started in March 1999, the Finn Olli Mattila demanded access to a number of documents relating to negotiations about co-operation between the EU and Russia. Both the Council and the Commission's Directorate-General for External Relations refused to give Mr Mattila the requested documents, invoking the public interest exception in the Code of Conduct and referring to the need to keep discussions between the European Union and non-member countries confidential.

In September 1999 the Court of First Instance dismissed all of Mattila's access requests (for different reasons). Partial access would have been a breach of the principle of proportionality according to this first judgement, because examination of the documents in question shows that partial access would be meaningless because the parts of the documents that could be disclosed would be of no use to the applicant.

Appealing this decision, Mattila demanded at least partial access, "after cancelling or editing the sections which may justifiably qualify as liable to prejudice the international relations of the European Community." Mattila argued that "it is for the person requesting access to decide whether the information in a document has any relevance for him and not for the Court of First Instance to decide this solely on the basis of the assertions of the institution in whose possession the document is." The Council replied that it would be absurd and contrary to the principles of sound administration and proportionality to disclose edited versions of the documents consisting almost entirely of blank pages.

The Court does not accept this line of reasoning and rules that "institutions are obliged, under Decisions 93/731 and 94/90 respectively, and in accordance with the principle of proportionality, to examine whether partial access should be granted to the information not covered by the exceptions, in the absence of which a decision refusing access to a document must be annulled as being vitiated by an error of law."

Press release Court of Justice (22.01.2004)
http://www.curia.eu.int/en/actu/communiques/cp04/aff/cp040010en.htm

Judgement in case C-353/01 (available in 11 languages)
http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELE...

Statewatch observatory on EU public access cases
http://www.statewatch.org/caselawobs.htm

Spy-chips discovered in German loyalty cards

After a tour in the Future Store of the German Metro concern, privacy advocate Katherine Albrecht discovered spy-chips with unique numbers in the customer loyalty cards. She also found RFID tags on products sold in the store that were not completely de-activated after the purchase.

Albrecht, founder of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), was invited by the German civil liberty group Foebud to lecture about RFIDs and visit the Future Store, which was opened last year to test experimental RFID applications on live shoppers. "We were shocked to find RFID tags in Metro's 'Payback' loyalty card," said Albrecht. "The card application form, brochures, and signage at the store made no mention of the embedded technology and Metro executives spent several hours showing us the store without telling us about it."

In addition to the tags in the loyalty cards, Albrecht discovered that Metro cannot deactivate the unique identification number contained in RFID tags in products it sells. The use of unique, item-level ID numbers is one of the key privacy concerns surrounding the use of RFID tags on consumer goods.

"Customers are misled into believing that the tags can be killed at a special deactivation kiosk, but the kiosk only rewrites a portion of the tag, while leaving the unique ID number intact," she said.

Foebud detailed analysis of the Metro RFIDs
http://www.foebud.org/rfid/

Website CASPIAN dedicated to RFIDs
http://www.spychips.com

More delay for IPR Enforcement and SoftPat Directives

The final vote on two of the most controversial information society Directives, the Directive on Software Patents and the Directive on the Enforcement of Intellectual Property Rights, has been delayed once more. The IPRE directive was withdrawn at the last minute from the 9 February plenary agenda of the European Parliament. On 6 February the Council presented a compromise.

The IPRE directive was designed to prevent piracy and counterfeiting in the EU, but the scope and criminal sanctions were extended to infringement of any IP right, for example to peer-to-peer file exchangers. The new scope was strongly criticised by consumer organisations, telecoms operators and internet service providers. They claimed it would force them into endless legal proceedings with representatives from the music and film industry. They demanded more consumer safeguards to ensure that a court case has actually been filed and a judge has weighed evidence before personal information should be disclosed about an alleged infringer.

In order to buy the Irish Presidency more time to secure a majority, Parliament decided to withdraw the intellectual property directive from its 9 February plenary agenda. The pressure is high to agree in so-called First Reading by the European Parliament, before new Member States join the European Union in June.

The Council now proposes to limit the scope of the Directive, leaving it up to the Member States to decide about possible criminal sanctions and deleting Article 21 and its ban on technical devices. The Commission (and Parliament rapporteur Mme Fourtou) originally proposed broad DMCA-like "anti-circumvention" measures to apply to devices protecting any type of intellectual property right.

The Competitiveness Council of Ministers was supposed to have voted on the Software Patent Directive on 27 November, but due to continuing controversy over the text and heated disagreements between the Parliament and the Commission, some Member States (most notably France, which wants to conduct further consultations with stakeholders) called for the Council vote to be postponed. The Council Common Position is now expected on 17 May 2004. The vote in plenary already took place on 24 September 2003. Parliament adopted a large number of amendments that limited the possibility of patenting computer-implemented inventions (See EDRI-gram nr 18, 25.09.2003).

EU Council Proposal on IPRE Directive (06.02.2004)
http://www.ipjustice.org/CODE/020604EUIPED.html

IP Justice comparison of the different proposals (05.02.2004)
http://www.ffii.org.uk/ip_enforce/IPJ_analysis.html

Consolidated version of the SoftPat vote (24.09.2003)
http://swpat.ffii.org/papers/eubsa-swpat0202/plen0309/resu/index.en.ht...

Hungary signs cybercrime treaty

On 4 December 2003, Hungary became the fourth country (along with Albania, Croatia and Estonia) to ratify the Cybercrime Convention. Lithuania is the latest country to have signed the Convention (26 June 2003). All 15 EU states have already signed it.

Hungary made an explicit reservation, reserving the right not to apply Article 9, paragraph 2, sub-paragraph b. This means they won't consider a photo to be child pornography if the person depicted only appears to be under 18, but is in fact older.

To enter into force, the Cybercrime Treaty only needs 1 more ratification from a CoE country.

COE overview signatures treaties
http://www.coe.int/T/e/Com/Press/Convention/default.asp

Dutch police arrest 52 'Nigerian' spammers

In January, Dutch police arrested 52 people suspected of large-scale internet fraud with the infamous 'Nigerian e-mail' scam.

The scammers sent spam e-mails asking for help in transferring a large sum of money out of their country (usually Nigeria), in exchange for a generous percentage. According to an AP news report, the gang had reaped millions of Euros. A task force of 80 officers raided 23 apartments, seizing computers, fake passports and 50.000 Euro in cash.

Jan Willem Broekema, board member of the Dutch Data Protection Authority, explained during the OECD workshop on spam that he expected hundreds more to be arrested in the near future, presumably putting a worldwide stop to the Nigerian scam.

Arrests have been made in several countries in recent years, including Australia, Canada, and the United States, but the bulk seemed to be based in Amsterdam, in a remote high-rise area locally known as 'Bijlmer'. Six people, three from Nigeria and three from Benin, were convicted in a similar case in Amsterdam in May, receiving sentences of up to 4 1/2 years. They had robbed their victims of at least 4 million euros. The most spectacular victim of the gang, a Swiss professor, transferred almost half a million euro. The money was necessary to buy chemicals to clean banknotes with a total value of 36 million US Dollars, the gang told the gullible professor. He was promised 25% of that amount.

AP - Dutch police arrest 52 in e-mail scam (30.01.2004)
http://www.salon.com/tech/wire/2004/01/30/scam/

Recommended reading

Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries - Study for the European Commission, Directorate-General Information Society, by Rand Europe.

The Handbook is designed to help European Computer Security Incident Response Teams (CSIRT) deal with incidents and operate in a European environment with divergent legal codes dealing with computer crime and misuse. Particular attention is devoted to the examination of the content of the Council of Europe's Cybercrime Convention and the proposed European Framework Decision on Attacks Against Information Systems.

The publication contains an analysis of legislation in each EU member state in the area of computer crime. A summary table is also provided together with the law enforcement points of contacts and reporting mechanisms.

http://europa.eu.int/information_society/eeurope/2005/doc/all_about/cs...

Agenda

11 February 2004 - Start of nominations for Big Brother Award Bulgaria
The Bulgarian Internet Society has joined forces with the Access to Information Program and the Global Internet Policy Initiative to organise the Bulgarian Big Brother Awards. Nominations can be sent to
bba@isoc.bg

29 February 2004 - Deadline Call for Papers
The Programme Committee of the conference eChallenges 2004 is looking for papers or workshop proposals. The conference and exhibition take place in Vienna, Austria from 27 - 29 October. This will be the fourteenth in a series of annual conferences supported by the European Commission. This year's conference themes include eBusiness, eGovernment, eWork, eEurope 2005 and ICT Take-up by SMEs, and International Collaboration.
http://www.echallenges.org/2004/default.asp?page=call-papers

25 March 2004 - Deadline Call for Papers
The European Black Hat conference 2004 will take place in the Krasnapolsky Hotel in Amsterdam, the Netherlands, from 17 to 20 May 2004. Papers are invited especially about the European perspective on privacy, anonymity and DRM.
http://www.blackhat.com/html/bh-europe-04/bh-europe-04-cfp.html

26-27 March 2004, Warsaw, Poland
Pan-European Forum on safer internet-issues, organised by the Media division of the Council of Europe Human Rights Directorate. Deadline for funding applications is 20 February 2004.
http://www.safer-internet.net/pconference.asp

3-4 June 2004, Vienna, Austria - Free Bitflows conference
Conference and workshops about cultures of access and politics of dissemination, organised by Public Netbase (AT), in collaboration with Hull Time Based Arts (Hull, UK); V2_ (Rotterdam, NL); Bootlab (Berlin, DE); interSpace Media Art Center (Sofia, BG).
http://freebitflows.t0.or.at