France, Ireland, the UK and Sweden have made a joint proposal to the Council of the European Union to store the telecommunication data of all 450 million EU citizens for a period of 12 to 36 months, for law enforcement purposes.
If the ministers of the member states accept the proposal for a framework decision, all traces of telephony of internet usage of all EU citizens will be stored for a long time. These so-called traffic data reveal who has been calling and e-mailing whom, which websites they have visited, and even where people were with their mobile phones.
The draft framework decision addresses providers of telephony and internet, both networks and services. They will have to store the traffic data of all their users, not just those of suspects. Since there are only few people in Europe without a telephone, gsm or internet, in the newly enlarged Europe this decision would affect the privacy and freedom of expression of 450 million citizens.
The traffic data will be accessible for law enforcement authorities and intelligence services, not just nationally, but across all EU-borders. The member states decide themselves on the powers they grant to obtain access nationally.
Privacy and civil rights groups reject mandatory data retention of all citizens. By storing everybody's communication data, the principle is violated of being considered innocent until proven guilty. Companies are forced to store large amounts of highly sensitive personal data, even if there is not a single valid business purpose. Market parties thus become an extended arm of the law. With this proposal, Europe sets out a fundamental new course in law enforcement; from specific investigations to general surveillance of all citizens.
The alternative, specific preservation of data about suspects, is brushed off in the draft decision. "In investigations, it may not be possible to identify the data required or the individual involved until many months or years after the original communication." No further motivation is given concerning the necessity and efficiency of the proposed measure.
The proposal comes less than a month after the EU heads of state accepted a new list of measures against terrorism, including a new high priority to introduce mandatory data retention on 1 June 2005, described in EDRI-gram 2.6. Many experts believe the proposal was written a long time before the attacks on Madrid on 11 March 2004, following an earlier initiative by the Danish presidency of the EU to make an inventory of existing data retention schemes and seek a compromise. Currently, there is no legal obligation to store telecom traffic data for law enforcement purposes in Austria, Finland, Germany, the Netherlands and Sweden. In the UK providers were invited to find a self-regulatory solution to retain data, but government had an apparent lack of success in convincing the ISPs that this was in their best interest and is now working on a legal obligation. Both in Finland and in the Netherlands proposals for mandatory data retention are underway as well. The situation in the newly acceded EU-countries is not clear yet.
Draft framework on data retention (28.04.2004)
http://register.consilium.eu.int/pdf/en/04/st08/st08958.en04.pdf
EDRI-gram 2.6 (24.03.2004)
http://www.edri.org/?id=000100000143
Answers to EU questionnaire on data retention (16.09.2002)
http://www.bof.nl/docs/data_retention_answers.pdf
A last effort of the EU Council to reach agreement with the European Parliament about the transfer of airliner passenger's personal data (Passenger Name Record; PNR) to the U.S. failed on Tuesday 4 May. With a 343 to 301 majority, Parliament decided not to vote on the Council's proposal to treat the matter as an 'urgency procedure'. Having lost already two votes in the Parliament on the transfer, the Council had hoped it could make use of the singular historic situation where 162 non-elected observers to the Parliament from the new member states had gained member status for one single session, extending the plenary session to 788 members.
By bringing forward the urgency request, the Council tried to turn over the former votes. They hoped they could convince the presumedly inexperienced MEPs from the new member states that the transfer was necessary to ensure transatlantic travel, and that it was protected by sufficient safeguards.
However, it turned out the new MEPs did not have significantly different views from the 625 MEPs that sat in parliament before 1 May 2004. There was even a small shift to the transfer-critical side, compared to the vote on 21 April on the decision to take the EU Commission to the EU Court of Justice in Luxembourg, in order to get a ruling on the transfer.
Still, it must be recalled that the EU does presently grant the U.S. access to PNR data on what is most likely an illegal basis. It is now expected that the Council will go for yet another vote in September or October in the next European Parliament. Polls say that the Conservative PPE/DE, who is in favour of the PNR transfer, will then be even stronger than is now the case.
Statewatch: EP rejects EU-US PNR deal by an even bigger majority (04.05.2004)
http://www.statewatch.org/news/2004/may/04ep-eu-us-pnr-vote.htm
Edward Hasbrouck: No means no (...) (04.05.2004)
http://hasbrouck.org/blog/archives/000210.html
EUpolitix: MEPs reject new vote on EU-US air data deal (04.05.2004)
http://www.eupolitix.com/EN/News/200405/e1592d9c-5966-470c-a329-dc343d...
(Contribution by Andreas Dietl, EDRI EU affairs director
Ireland has cancelled the use of electronic voting machines for the upcoming European elections in June after an independent commission said the secrecy and accuracy of the voting could not be guaranteed. The Irish government has spent 40 million euros on voting machines from the Dutch manufacturer Nedap. The Irish opposition demands the resignation of the responsible minister for the Environment and Local Government, Martin Cullen.
There has been a fierce public debate in Ireland about the introduction of e-voting after technical experts raised concerns on the reliability of the voting machines and its software. In 2002 the Irish security firm Zerflow reviewed the Nedap machines and concluded that manipulation of the voting process was possible. Experts and civil society groups have since then pushed for an independent review of the source code and the implementation of a paper trail (Voter Verified Audit Trail). The paper trail should make it possible for voters to see the result of their voting on paper as they can't see what happens inside voting machines. The machine might display one vote to the voter and record something else internally. The paper ballot can also be used for a manual re-count if desired. The Nedap machines do not provide such a paper trail.
In March 2004 the Irish government set up the Independent Commission on Electronic Voting to review the secrecy and accuracy of the Nedap system. In its report the commission concludes "that it is not in a position to recommend with the requisite degree of confidence the use of the chosen system at elections in Ireland in June 2004". "(..) the Commission has not been able to satisfy itself as to the accuracy and secrecy of the system (..)".
One of the problems is that the software used, is not available for a full review: "The Commission did not obtain access to the full source code and there is not sufficient time before the June elections to allow a full code review of the final version of the software that would be necessary before it could be used in these elections".
The Nedap machines are being used in the Netherlands by approximately 80% of the voters. The source code is not publicly available in The Netherlands nor obtained by the Dutch government. The machines are tested but the test reports are confidential.
The Irish debate has prompted Dutch members of parliament to ask questions about the reliability of the Nedap machines used in the Netherlands. The responsible minister De Graaf answered that he sees no problem with the system, because it meets the requirements specified in a 1997 law. As the time of answering the Irish decision to cancel its e-voting plan was not yet known.
Interim report of the Commission on Electronic Voting (01.05.2004)
http://www.cev.ie/htm/report/V02.pdf
EDRi member Privacy International has published an Interim Report on the link between identity cards and the prevention of terrorism. The report, the first of its kind, was initiated following attempts by the UK and Canadian governments to introduce biometric ID cards.
The report analysed the 25 countries that have been most affected by terrorism since 1986 and concluded that the presence of an ID card appears to have made no significant impact on prevention of these attacks. The report notes that while a link between identity cards and anti-terrorism is frequently suggested, the connection appears to be largely intuitive. Almost no empirical research has been undertaken to clearly establish how identity tokens can be used as a means of preventing terrorism.
The report comments: "The presence of an identity card is not recognised by analysts as a meaningful or significant component in anti-terrorism strategies. Five criteria are generally used to assess and benchmark the level of terrorist threat within a particular country: motivation of terrorists, the presence of terror groups, the scale and frequency of past attacks, efficacy of the groups in carrying out attacks, and prevention - how many attacks have been thwarted by the country".
The detailed analysis of information in the public domain in the PI study has produced no evidence to establish a connection between identity cards and successful anti-terrorism measures. Terrorists have traditionally moved across borders using tourist visas (such as those who were involved in the US terrorist attacks), or they are domicile and are equipped with legitimate identification cards (such as those who carried out the Madrid bombings).
Of the 25 countries that have been most adversely affected by terrorism since 1986, eighty per cent have national identity cards, one third of which incorporate biometrics. The only two European countries listed in the PI study are Spain and France, both of which have national ID cards coupled with biometrics. Italy, also with an ID card, narrowly missed being included in the list as did Germany, which experienced the Baader- Meinhof terrorist attacks prior to the period covered by the PI study. The research was unable to uncover any instance where the presence of an identity card system was seen as a significant deterrent to terrorist activity.
Almost two thirds of known terrorists operate under their true identity. The remainder use a variety of techniques to forge or impersonate identities. It is possible, the report concludes, that the existence of a high integrity identity card would provide a measure of improved legitimacy for these people.
"Of the ten most frequently employed methods terrorists use to enter or operate within a country, only one would be combated by a national identity card. Most terrorists enter a country on tourist visas which because of their popularity are subject to low-level scrutiny".
The report refutes claims made by the UK Home Secretary that biometrics can foil terrorist attacks. "At a theoretical level, a national identity card as outlined by the UK government could only assist anti-terrorism efforts if it was used by a terrorist who was both eligible and willing to register for one, if the person was using their true identity, and if intelligence data could be connected to that identity. Only a small fraction of the ninety million crossings into the UK each year are supported by comprehensive security and identity checks".
PI report (April 2004)
http://www.privacyinternational.org/issues/idcard/uk/id-terrorism.pdf
Guardian report (27.04.2004)
http://politics.guardian.co.uk/attacks/story/0,1320,1204623,00.html
(Contribution by Simon Davies, Privacy International)
Romania has implemented the Cybercrime Convention with law nr. 64 from 24 March 2004. The law was published in the Official Monitor nr. 343, on 20 April 2004.
The main provisions of the Cybercrime Convention were already incorporated in Title III of the Anti-corruption law nr. 161/2003, published in the Official Monitor nr. 279 from 21 April 2003.
The Cybercrime Convention defines nine offences: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and, notably, offences related to copyright and neighbouring rights. Signatory states have to establish a common minimum standard of relevant offences under their domestic law.
Under Romanian law, the first 2 offences are very broadly defined and will be punished severely: "The illegal access to a computer system is a crime and is punished with imprisonment from 6 months to 3 years. If access is gained by infringing security measures, the punishment is imprisonment from 3 to 12 years..
and: "Illegal interception of any transmission of computer date that is not published to, from or within a computer system is a criminal offence and is punished with imprisonment from 2 to 7 years..
Scary is the provision in article 47 that even the intent to commit the 2 offences described above, is a crime.
Already a student is being tried under the new cybercrime provisions. Dan Dumitru Ciobanu was arrested in January 2004 for releasing a modified version of the Blaster worm via the intranet of the Hydrotechnical University in Iasi, in September 2003. He faces between 3 and 15 years in jail for 'unlawful possession of a program and disturbing a computer system'.
The Cybercrime Convention will enter into force on 4 July 2004, following the necessary 5th ratification by Lithuania in March 2004.
Unofficial translation of the Romanian cybercrime law
http://www.legi-internet.ro/en/cybercrime.htm
Cybercrime Convention (23.11.2001)
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
Romanian Blaster trial kicks off Friday (19.01.2004)
http://www.theregister.com/content/56/34976.html
(Contribution by Bogdan Manolea, Romanian legal expert)
On 30 April 2004, the European Commission finally released the public policy for the new .EU top-level domain. The policy seems to have been written with 2 thoughts in mind: prevent endless disputes with governments about geographical and institutional names and make sure all trademark-related rights are served first.
Registration will take place in two phases, first giving governments and holders of registered national and Community trademarks the chance to claim their desired names. In the second phase, all 'holders of prior rights' get to register their names of choice. These 'prior rights' are defined as 'inter alia, registered national and community trademarks, geographical indications or designations of origin, and, in as far as they are protected under national law in the Member-State where they are held: unregistered trademarks, trade names, business identifiers, company names, family names, and distinctive titles of protected literary and artistic works..
During the pre-registration phase (the Sunrise), all contact information about claimants will be publicly accessible, such as full name, address of domicile, telephone number and e-mail.
When the public registration starts, maybe at the end of 2004, the WHOIS database will reveal many personal data about each registrant. The public policy specifies that this information 'should not be excessive in relation to the purpose of the database'. Natural persons will have to express unambiguous consent for their personal data to be made publicly available, but the public policy does not specify what the result of an objection would be: refusal to register or the possibility of hiding the contact details.
EU Commission regulation on public policy .EU domain (30.04.2004)
http://europa.eu.int/eur-lex/pri/en/oj/dat/2004/l_162/l_16220040430en0...
Eight Member States were referred by the Commission in December 2003 to the Court of Justice for failure to transpose the Copyright Directive (2001/29/EC) into national law. The deadline for implementation was 22 December 2002, but was only met by Greece and Denmark. Italy, Austria, Germany and the UK transposed the Directive into national law in 2003, while Ireland and Luxembourg implemented the Directive in 2004.
The remaining seven original states - Belgium, Spain, France, the Netherlands, Portugal, Finland and Sweden - have all published draft legislation. Controversy over the Directive has ensured a rocky ride for these laws, most of which have now been rewritten at least once after negative comment on the initial drafts. Implementation continues in the 10 new member states.
EDRi members FIPR and AEL have further information about the EUCD implementations on their websites. FIPR is organising a workshop on the future direction of European copyright law on 13 June in Berlin, directly following the Wizards of OS conference.
FIPR report about the EUCD-implementation (September 2003)
http://www.fipr.org/copyright/guide/index.htm
AEL wiki about implementation plans
http://wiki.ael.be/index.php/EUCD-Status
Copyright workshop (13.06.2004)
http://wizards-of-os.org/index.php?id=36&L=3
(Contribution by Ian Brown, FIPR
The Council of ministers of justice and interior affairs (JHA) accepted on 29 April 2004 the Spanish proposal to oblige European air carriers to transfer passenger data about non-EU passengers entering the EU. "At the request of the authorities responsible for carrying out checks on persons at external borders, carriers will be obliged to transmit, by the end of the check-in, information concerning the passengers they will carry to an authorised border crossing point through which these persons will enter the territory of a member state..
The European Parliament criticised the Spanish initiative severely for not taking data protection issues into account. Euractiv writes: "MEPs have done everything they could to make this initiative fall. Under rules set in the Amsterdam Treaty, the Council had until 1 May to adopt Member States' initiatives, after having consulted the Parliament. MEPs refused to deliver a formal opinion - despite being urgently requested by the Council to do so - in the hope that this would stop the Council from adopting the directive..
Council adopts Spanish initiative on transfer of data from non EU passengers (03.05.2004)
http://www.euractiv.com/cgi-bin/cgint.exe/940939-478?204&OIDN=1507...
Council provisional minutes (29.04.2004)
http://ue.eu.int/ueDocs/cms_Data/docs/pressData/en/jha/80112.pdf
Tomorrow, 6 May 2004, the French national assembly will have the final reading of the controversial digital economy law (Loi sur la confiance dans l'economie numerique, LEN), followed by a final reading in the Senate on 13 May 2004. This will conclude the French transposition process of the E-Commerce Directive (2000/31/EC) and part of the Directive on Privacy and Electronic Communications (2002/58/EC).
After the French Senate completed its second reading of the draft law on 8 April 2004, an inter-parliamentarian commission proposed a new text on 27 April 2004 to approximate the results of both the National Assembly and the Senate. The Senate and the commission have confirmed most of the very controversial provisions contained in the draft law (see EDRI-gram issue 2.1, 15 January 2004), but suppressed the provision obliging hosting providers to monitor the content of their customers, since this measure is explicitly forbidden by the E-Commerce Directive.
It is likely that the French socialist MPs will submit the final law to the Constitutional Council, following a joint request by EDRI member IRIS and the French Human Rights League (LDH) in an open letter sent on 23 April to the parliamentarian opposition. IRIS and LDH organised a press conference on 3 May 2004, where they outlined their objections against 4 specific provisions of the draft. They have also provided French socialist MPs with a detailed brief that can be used in the case for the Constitutional Council.
The 4 provisions that IRIS and LDH find unconstitutional are:
Major press organisations, specially for on-line press like GESTE, as well as civil liberties organisations like RSF and IRIS have strongly protested against the last provision, introduced by the Senate in their second reading. After IRIS made a counter proposal on this issue, Rene Tregouet, the French senator who introduced the time bar, declared to Le Monde that this counter proposal from the NGOs is 'better than his own'.
The French socialists announced today (5 May) that they will seriously object against these 4 provisions at the National Assembly and that they will decide next week to submit the law to the Constitutional Council or not. The French legislative procedure is such that only the President of the Republic, the Prime minister, the President of one of the parliamentarian assemblies, or a group of 60 MPs are allowed to submit a law to the Constitutional Council.
IRIS and LDH joint letter to socialist MPs (27.04.2004)
http://www.iris.sgdg.org/info-debat/lettre-ps-saisine0404.html
Reuters press wire on socialists MP decision (05.05.2004)
http://fr.news.yahoo.com/040505/85/3s7k9.html
On statutes of limitation for publication offences
RSF (14.04.2004): http://www.rsf.fr/article.php3?id_article=9779
IRIS (20.04.2004):
http://www.iris.sgdg.org/info-debat/comm-prescription0404.html
GESTE (04.05.2004):
http://www.geste.fr/communiques/comm_34.htm
Article by Le Monde (05.05.2004)
http://www.lemonde.fr/web/article/0,1-0@2-3236,36-363556,0.html
IRIS full dossier on the LEN
http://www.iris.sgdg.org/actions/len
(Contribution by Meryem Marzouki, IRIS)
The European Commission warned the 16 different organisations in Europe that collect the royalties on behalf of music-authors that they may be breaking EU competition rules. The collecting societies have closed a pan-European pact in the Santiago agreement, whereby each national organisation functions as the only shop for all European music licenses.
"The structure put in place by the parties to the Santiago agreement results in commercial users being limited in their choice to the monopolistic collecting society established in their own member state," the commission said.
If there was more competition between the societies, both music download providers and users would profit, according to the Commission.
The collecting societies have two and a half months to reply to the Commission's objections. They can also request a hearing at which it would be able to submit their arguments directly to the representatives of the national competition authorities.
European Commission warns music royalty collecting societies (03.05.2004)
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&am...
The Union for the Public Domain is organising a survey about the way governments act in the preparation of the proposed WIPO Broadcasting Treaty. The draft stands to give broadcasters the power to regulate copying, reproduction, distribution and right of transmission. It would extend the length of these powers from 20 to 50 years, and some versions expand the powers to web-casting. The treaty would also make it illegal to circumvent technological protection measures like broadcast flags. All of this even if the broadcast is of a public domain work.
One of the major difficulties of protecting the public domain against these threats is that the positions of national representatives in these international forums are unknown, even to citizens of the country they represent.
The Union for the Public Domain calls on all interested citizens to first contact the co-ordinator and then use the questionnaire to collect information about national positions. The results will be posted on the unions website.
Union for the Public Domain Survey
http://www.public-domain.org/?q=node/view/30
Analysis of Yale fellow Ernest Miller of the WIPO broadcasting treaty
http://www.corante.com/importance/archives/002925.html
The Amsterdam institute for information law published a study (commissioned by Sybari software) about the impact of the new anti-spam regulations in the EU. Their conclusion is not encouraging. "An important limitation on the effectiveness of the E-Privacy Directive is the simple fact that most spam originates from outside the EU. (...) Beyond that, the effectiveness of the E-Privacy Directive depends on its implementation in national legislation. So far, implementation has been rather slow in a number of countries." The study warns about large differences in the EU in the legal protection of corporate users and users which are not subscribers. The most important recommendation is for the EU to take additional actions to promote effective enforcement mechanisms.
Regulating spam: Directive 2002/58 and beyond (April 2004)
http://www.solidground.nl/IViR-sybari/ivir-sybari-final.pdf
15 May 2004 - Call for privacy-papers
The Data Protection Authorities support a new award for privacy-papers, named in honour of the US privacy expert Barbara Wellbery (1948-2003). The award is granted annually by the Morrison & Foerster Foundation. The winning paper will receive a $3.000 cash award. In addition, the winner is invited to present his or her paper in Poland at the 26th International Conference of Data Protection and Privacy Commissioners (14-16 September 2004).
http://www.cbpweb.nl/downloads_overig/med_barbara_wellberry_2.pdf
19 May 2004, London, UK
Privacy International: Mistaken Identity
http://www.privacyinternational.org/conference/missingid/
3-4 June 2004, Vienna, Austria
Free Bitflows conference Conference and workshops about cultures of access and politics of dissemination, organised by Public Netbase (AT), in collaboration with Hull Time Based Arts (Hull, UK); V2_ (Rotterdam, NL); Bootlab (Berlin, DE); interSpace Media Art Center (Sofia, BG).
http://freebitflows.t0.or.at/
10-12 June 2004, Berlin, Germany
Wizards of OS
http://wizards-of-os.org/
13 June 2004, Berlin, Germany
WSIS panel Details to be announced at the wizards of os conference
http://waste.informatik.hu-berlin.de/Grassmuck/wos3-schedule.html
15-17 September 2004, Strasbourg, France
The Council of Europe is planning a major international conference on "The Challenge of Cybercrime", which will bring together senior politicians, computer industry leaders and experts from around the world. No online information yet..