Today, 21 April 2004, the European Parliament has voted to take the European Commission to court over the agreement with the United States Department of Homeland Security on the transfer of air passenger's personal data (PNR) to U.S. authorities. The Strasbourg Court is now to examine whether the Commission, when making the deal, exceeded its powers and acted in disrespect of EU Data Protection legislation.
After a major controversy, the project for a recommendation to ask the opinion of the European Court of Justice was adopted with a small majority of only 276 votes against 260. The Parliament's biggest Group - the centre-right wing PPE/DE, counting 232 of the House's 626 members -, opposed the recommendation, as well as the 29-strong delegation of the UK Labour Party and presumably a handful of German Social Democrats.
They were under heavy pressure from Member States' governments, who would not like to see the transfer challenged because they fear diplomatic complications with the U.S.
During the days and night preceding the vote, the Irish Presidency of the European Council had lobbied MEPs to drop their support for the recommendation. Ireland's EU minister Dick Roche himself intervened with select MEPs in order turn the ballot, arguing privacy concerns had been taken into account in the agreement. More bluntly, EU Foreign Affairs Commissioner Chris Patten had argued, addressing the Parliament on Tuesday, that the data transfer was going to take place, no matter what the Parliament's vote was going to be, because national governments had the power to authorise it themselves. Likewise, the U.S. has already signalled it expects the transfer to continue with the backing of EU institutions other than the Parliament.
EUpolitix: MEPs take on EU and US over air data deal (21.04.2004)
http://www.eupolitix.com/EN/News/200404/551b989b-4c99-4b3f-a057-cd9e7b...
EurActiv: Last ditch effort to iron out institutional clash over passenger data (20.04.2004)
http://www.euractiv.com/cgi-bin/cgint.exe/1046405-993?204&OIDN=150...
(Contribution by Andreas Dietl, EDRI EU affairs director)
Today, 21 April, the controversial Urbani decree will be discussed again by the Culture Commission of the Italian Parliament. This law (named after the Minister of Culture) puts heavy fines on the download of movies, music or other copyrighted works even when done without any commercial purpose. Downloaders and file-sharers also risk the seizure of their equipment and a humiliating publication of the verdict in the national press. Fines start at 154 euro for private use of a work that has been distributed illegally, and run up to 1.032 euro in case of a repeated offence.
The decree attempts to authorise surveillance of electronic communication, introducing an assumption of 'guilty by default' of all internet users. The debate in the Parliamentary Commissions only seems to cause temporary delay, since it has the support of most of the Italian government.
There are many reasons to stop the decree in its draft form. First of all, the reaction of the Italian community (35.000 signatures collected in a few days), and secondly the protest of many small and large ISPs. Even the press and music publisher associations protested - the decree at first only protected movies and not the music.
The decree also conflicts with the Constitution and other laws. Under privacy legislation, internet providers are forbidden to act as informers and law enforcers checking their customer traffic, but under the Urbani decree they risk heavy fines for not informing the police about potential illegal behaviour of their customers.
Quite curiously, the introduction of this law appears coincides with the launch of a new pay-per-download service named Rosso Alice and offered by former state-owned monopolist Telecom Italia. The timing feeds the public suspicion that the decree is not so much representing the general public interest, but only protects specific economical interests, most of them outside of the Italian borders. More than 400 people responded in a heated debate today on the website 'Punto Informatico', suggesting the entertainment industry only regrets that torture has not been added to the range of legal instruments to extract information from internet users.
The current draft of the decree (in Italian)
http://www.camera.it/_dati/leg14/lavori/stampati/pdf/14PDL0058180.pdf
The pay-per-download website by Telecom Italia
http://www.rossoalice.it
Debate about the Urbani decree (in Italian, 21.04.2004)
http://punto-informatico.it/p.asp?i=47874
(Contribution by Daniele and Odo, autistici.org)
1.600 protesters followed a call of the Foundation for a Free Information Infrastructure (FFII) for a demonstration in Brussels on 14 April 2004. The event, a protest against new plans to allow for direct and extensive 'patentability of computer-implemented inventions' in the EU, was followed by a one-and-a-half day conference at the European Parliament, co-organised by the Green/EFA political group and different Linux user-groups from 25 European countries. The European Parliament voted on 24 September 2003 against all proposals that would make software patentable and added additional safeguards, such as freedom of publication and interoperation. This outcome was unacceptable to both Commission and representatives from the Member States. They have been working on a new scheme since.
The Competitiveness Council of Ministers was supposed to have voted on the Software Patent Directive on 27 November 2003, but due to continuing controversy over the text and heated disagreements between the Parliament and the Commission, some Member States (most notably France, which wants to conduct further consultations with stake-holders) called for the Council vote to be postponed.
In January 2004, the Irish Presidency of the Council proposed a text deleting most of the amendments introduced by the Parliament and lifting restrictions to the direct patentability of computer programs, data structures and process descriptions. Under this proposed compromise, 'computer-implemented' algorithms and business methods, protocols and data formats would be inventions in the sense of patent law, and the publication of a functional description of a patented idea, even for interoperability purposes, would constitute a patent infringement.
On 6 April 2004, the Irish Presidency decided to refer the issue to the COREPER, the Committee of Member States' Permanent Representatives. The Presidency hopes that bringing the discussions to the 'political' level will make it possible to lift remaining objections and to reach an agreement in time for a common position to be adopted at the meeting of the Competitiveness Council on May 17-18. The draft Directive will then go back to the Parliament for a second reading.
Intellectual property for software in the EU is currently covered by copyright laws in the same way as written material. However, the European Patent Office (EPO) has been granting approximately 30.000 software patents over the years, thus deliberately infringing the European Patent Convention (EPC) provisions.
Foundation for a Free Information Infrastructure event site
http://plone.ffii.org/events/2004/bxl04/
Pictures of the Brussels demonstration
http://wiki.ael.be/index.php/Demo14and15aprilPictures
Battle resumes over EU plans on computer-related patents (15.04.2004)
http://europa.eu.int/ISPO/ida/jsps/index.jsp?fuseAction=showDocument&a...
EDRI-gram: 'European Parliament limits software patents' (25.09.2003)
http://www.edri.org/?id=000100000112
EDRI member Privacy International has filed complaints about Google's proposed new Gmail service with privacy and data protection regulators in 17 countries in Europe, Canada and Australia. The complaint identifies a large number of possible breaches of EU law. These include: stability of the contract, security of data, interception and disclosure of content, subject control over data, searching of e-mail content, indefinite retention, confidentiality, third party issues, offshore processing of data, consent issues and the treatment of sensitive data.
Privacy International is requesting from national data protection commissioners "to assess this type of service with a view to ensuring that all necessary protections and safeguards required by the EU Data Protection Directive and national laws have been implemented. While we understand that the Gmail contract may be freely entered into by customers, and that Google has provided a degree of openness about its intentions, the conditions must be in place to ensure that privacy rights are protected."
Privacy International points out a few disturbing articles in the Gmail privacy policy and terms of use. Google lets the user agree that they "will not copy, reproduce, alter, modify, or create derivative works from the Service". This means that users are not allowed to copy or extract their own e-mail. This would violate EU data protection principles that ensure that individuals have the ability to control their own data.
"Google may monitor, edit or disclose your personal information, including the content of your e-mails, if required to do so in order to comply with any valid legal process or governmental request". The term request remain undefined.
Privacy International writes: "We believe the Gmail service involves significant and far-reaching privacy implications. The precedent set by the service, its enhanced functionality and the likelihood of unexpected future changes to the system require serious consideration of data protection issues. We urge you to prospectively investigate this system with a view to establishing appropriate privacy safeguards."
Privacy International complaint (19.04.2004)
http://www.privacyinternational.org/issues/internet/gmail-complaint.pd...
Google: About Gmail
http://gmail.google.com/gmail/help/about.html
EU COMMISSION WANTS TO RFID EVERYTHING
The European Commission considers it to be part of the Lisbon Strategy - and therefore a top priority - 'to have smart dust and tag everything' with Radio Frequency Identification (RFID). The point was made by Rosalie Zobel, Director of the Information Society Technologies (IST) programme at the Commission, in her opening speech of a one-day workshop on 'wireless tags research needs' in Brussels on 20 April 2004. Mrs Zobel thinks this aim can be achieved and dreams of it being "the source of a new set of business models and creator of high quality tech jobs".
The workshop was part of a consultation process in relation to Work Programme 2005-06, which covers the second half of the EU's Sixth Research Framework Programme (FP6). The Work Programme will be officially published at the end of October, and is likely to contain three calls for projects that may be funded by the EU in the field of RFID technology with a total of 180 Million Euro.
The workshop dealt with a wide range of issues, from radio spectrum allocation and product life-cycle management to the protection of privacy. Though hardly any of the industry representatives present wanted to discourage Mrs. Zobel's hopes, they were generally more sceptic about a quick and large-scale roll-out of the technology.
Paul McCloskey, speaking for the Irish NMRC institute working on the so-called smart dust technology emphasised that Mark Weiser's 1991 vision of ubiquitous computing was still far from reality. His institute is still working with transponders the size of a cell phone, but miniaturisation is on the agenda and can be realised very swiftly, as other speakers pointed out. "In organic electronics, we are still in the 1970s, but the innovation process from the 1940s to the 1970s has taken place within the last three years", said Christian Pacha of Infineon on the technological approach of applying chips and antennas on items and packages already in the course of production.
Privacy issues in connection with RFID technology were brought up repeatedly, and the last panel consisted of three privacy experts warning against the industry's tendency to eliminate privacy-protective measures such as disabling options or encryption, in order to cut costs for the still-too-expensive technology.
Workshop website (20.04.2004)
http://www.cordis.lu/ist/directorate_d/ebusiness/workshop.htm
FP6 calls
http://fp6.cordis.lu/fp6/calls_open.cfm
(Contribution by Andreas Dietl, EDRI EU affairs director)
According to a press article published on 15 April 2004 in the Belgian daily boulevard paper 'La Dernière Heure', the Ministry of the Interior in Belgium will test new telecom interception hardware and software on the fiberlink used by ADSL broadband users in Belgium. The test will be done by the CTIF (under the federal control of the ministry of interior) during a non determined period (starting Sunday 25 April) on the fiberlink in Brussels. The main purpose seems to test the viability of the technical solution.
This kind of wiretapping is quite different from regular phone (or internet) interception. Those wiretaps require identifying a specific caller line or identity. The Belgian 'black box' will monitor all the traffic transmitted on the fiberlink. If we take the analogy of 'classical' phone interception, it's like monitoring all the in/out phone traffic of an entire city in the hope to find a specific call.
The 'black box' is a proprietary hardware and software solution called 'NiceTrack', manufactured in Israel by a company called NICE Systems. The solution seems somewhat similar to the FBI Internet Monitoring system called 'Carnivore'. Nor the ministry nor Belgacom (the national operator for the ADSL link) wish to make any comment on the subject but the federal police has made an official statement that the test regards only an internal police line.
EDRI-member AEL (Association Electronic Libre) is organising a campaign in order to inform internet users how to protect their privacy during the next few weeks. They don't only promote the use of technical internet tools but aim to increase awareness of general good practises to protect online privacy. AEL also invited the Belgian Data Protection Authority to make an official statement on the subject. The 'Ligue des Droits de l'Homme' (Human Rights League) also expressed serious concerns and reminds the police that global interception is illegal under the criminal code law and serious evidence must be shown before doing any interception.
'Un mouchard sur le réseau ADSL de Belgacom' (15.04.2004)
http://www.dhnet.be/dhinfos/article.phtml?id=98178
Statement Federal Police (in French - 16.04.2004)
http://www.fedpol.be/polfed/event/press/2004/26.htm
Nicetrack product information
http://www.nice.com/products/security/nicetrack.html
AEL information and campaign
http://wiki.ael.be/index.php/NoCompromiseOnPrivacyNews
(Contribution by Alexandre Dulaunoy, AEL Belgium)
On 29 April 2004 the French National Assembly will examine in second reading the draft law implementing the 1995 Directive on the protection of privacy and personal data. The transposition process started in July 2001 under the previous government. France is the last EU country where the implementation has not been completed, far beyond the deadline of October 1998.
French people have been however among the first EU citizens to enjoy a law on personal data protection, with the 'Computing and Freedom Law' (Loi informatique et libertes) adopted in January 1978. But this law only deals with protection against government activities, and the transposition is needed to reinforce protection against private and commercial activities. The long awaited implementation of the Directive is also supposed to empower the French Data Protection Authority (Commission nationale de l'informatique et des libertes or CNIL), giving it the power to impose financial sanctions on companies when they infringe the law.
However, it appears from the current draft law that the situation is likely to become worse. As recalled by the French coalition DELIS (Droits et libertes face a l'informatisation de la societe) in a free opinion published by Le Monde on 14 April 2004, many provisions may lessen the protection level of French citizens. Among them, two provisions are specially dangerous. The first one would authorise rightholders to keep in their files the identity of their offenders (or their IP numbers); this has been a clear request from IP rightholders.
The second one is the replacement of the necessary declaration prior to any collection and use of personal by the nomination of a 'CNIL intermediary' in any private or public entity, this person being an employee of the organisation. Proposed in the name of efficiency, this provision will obviously make independent control difficult.
The French situation is also made difficult by the fact that the draft law does not seem to raise a lot of concerns from the general public. 25 years ago the 1978 law was adopted, and the CNIL created, after a large scandal resulting from a government proposal to interconnect all files of the administration. Today, French e-government plans are being implemented without any debate.
Opinion by DELIS published in Le Monde (14.04.04)
http://www.iris.sgdg.org/info-debat/tribune-delis-0404.html
French National Assembly Dossier on the draft law
http://www.assemblee-nationale.fr/12/dossiers/cnil.asp
CNIL
http://www.cnil.fr
(Contribution by Meryem Marzouki, IRIS)
The European Commission has issued a Communication on the Management of Copyright and Related Rights. In the period since 1991, 7 Directives have entered into force on copyright law, but none of these specifically addressed the role and functioning of the collecting societies. The Commission now recommends a Community framework instrument regulating the 'establishment and status of collecting societies; their functioning and accountability subject to rules of good governance; as well as their internal and external control, including dispute settlement mechanisms."
The main problem with the collecting societies is the lack of common rules, and the problems for commercial users to obtain a community-wide license. Both users and rightholders have also complained about the tariffs and operating expenses, access to arbitration and general lack of transparency and flexibility.
The Commission hails Digital Rights Management (DRM) as the best way to solve these issues in the long run, ending the powerful role of the collecting societies.
For DRM to be effective, "the establishment of a global and interoperable technical infrastructure based on consensus among the stakeholders appears to be a necessary corollary to the existing legal framework (...)." The Commission therefore plans a Recommendation on interoperability, including publication of open standards. While acceptance among consumers is described as key to the success, "wider acceptance is yet to be reached".
The Communication briefly mentions the danger of a technological lock-up, when technological measures prevent users from enjoying legitimate exceptions to the copyright, such as making a private copy. In the upcoming (November) review of the Copyright Directive (2001/29/EC), the Commission will review those provisions in the different Member States.
European Commission Communication on collecting societies (16.04.2004)
http://www.europa.eu.int/comm/internal_market/en/intprop/docs/com-2004...
The organising committee of the Big Brother Awards Switzerland has published a map of more than 70 video surveillance cameras in a city district of Zurich (Switzerland). The map was presented on the occasion of a public camera-spotting walk on 10 April 2004, that was organised as part of the annual 'Spring surveillance' events.
Most of the cameras are installed by private entities, some of them are dummies. The cameras are categorised by a special typology. The map can also be downloaded as a PDF file. Previously, in Belgium, Germany and the Netherlands, several cities were mapped.
Online surveillance map Zurich
http://www.bigbrotherawards.ch/doc/cctv/
Map Brussels
http://www.constantvzw.com/survcam/
Map 13 German cities, including Berlin, Cologne, Frankfurt, Hamburg, Munich and Stuttgart
http://www.dergrossebruder.org/main.php?id=34000
Spotthecam (Innercity Amsterdam)
http://www.spotthecam.nl/camera.html
Map Heerlen (Netherlands)
http://www.irri.nl/cms/index.php?id=130
(Contribution by Christoph Mueller, Big Brother Awards Switzerland)
A district court in Munich, Germany granted a preliminary injunction against Sitecom Germany GmbH for violating a GNU General Public License (GPL).
Sitecom is offering a wireless access router product based on software developed by the netfilter/iptables project and licensed under GPL. The GPL offers a free license to software, but requires any re-distributor to provide the full source code. The GNU GPL is commonly used for many free software projects, such as the Linux Operating System Kernel.
According to the court, Sitecom did not fulfil the obligations imposed by the GNU General Public License covering the netfilter/iptables software. In particular, Sitecom did not make any source code offering or include the GPL license terms within their products.
Following a warning notice, Sitecom refused to sign a declaration to cease and desist. The netfilter/iptables project asked the court for a preliminary injunction, banning Sitecom from distributing its product, or comply with all obligations imposed by the public license.
In their press release Netfilter cite their representative, Dr. Till Jaeger, partner of the Berlin and Munich based law firm JBB Rechtsanwaelte. "To my knowledge, this is the first case in which a judicial decision has been decreed on the applicability and the validity of the GNU GPL".
Usually disputes about public licenses are solved behind closed doors. According to Eben Moglen, co-author of the GPL with Richard Stallman, preventing such enforcement costs was one of the leading concepts behind the license.
"I hear quite often that my license has not been tested in court. This puzzles me. It is, because of the structure of my license, the defendant's obligation affirmatively to plead it, if she wants to. After all, if she is distributing, it is either without license, in which case my license doesn't get tested - there's an unlicensed distribution going on and it's enjoinable - or the license is pled by the other side... how interesting. There, if I may put it to you briefly, is the trick. That's how it was done. That's how an enormous commons came into existence throughout the world, not just with zero cost of goods and movement and sales, but with near zero cost of enforcement."
Netfilter/iptables project
http://www.netfilter.org/
Speech Eben Moglen (29.06.2003)
http://emoglen.law.columbia.edu/publications/maine-speech.pdf
Adoption of the Directive on Measures and Procedures to Enforce Intellectual Property Rights - the infamous Fourtou Report - is a mere formality. The General Secretariat of the European Council has invited the Council's Committee of Permanent Representatives (COREPER) to suggest to the Council, at one of its forthcoming meetings, to adopt the Directive as an 'A'-item.
The Council is fully satisfied with the final version, as amended by Parliament on 9 March 2004. The vote was the result of a deal between the Rapporteur - French Conservative Janelly Fourtou - with the Council in order to allow for the Directive to be adopted in First Reading.
After adoption by the Council, the next step will be publication of the Directive in the EU's Official Journal. Member States then have to transpose it within 24 months.
Council Secretariat, 'I/A Item' note (07.04.2004)
http://register.consilium.eu.int/pdf/en/04/st08/st08285.en04.pdf
Provisional version of the Directive
http://www3.europarl.eu.int/omk/omnsapir.so/pv2?PRG=CALDOC&FILE=20...
Final version may be approximated by applying amendments on the right-hand column to initial Commission proposal at
http://europa.eu.int/eur-lex/en/com/pdf/2003/com2003_0046en01.pdf
(Contribution by Andreas Dietl, EDRI EU affairs director)
LogicaCMG has published a study on the adoption of RFID in six European countries. The report gives an outline of the technology and issues behind RFID such as costs, standardisation and software integration. The focus of the study is returnable transport items, such as pallets, crates and roll containers.
The number of RFID pilots has increases significantly in 2004. Out of the companies interviewed, almost 50 % will gain experience with RFID in a pilot project in 2004. The UK is ahead of the rest of Europe.
The report does not cover the use of RFID in consumer products. And although consumer privacy is not directly an issue with RFID on returnable transport items the report advises companies to develop a privacy policy and communicate this to their consumers.
Making Waves: RFID Adoption in Returnable Packaging
http://www.logicacmg.com/pdf/RFID.pdf
15 May 2004
Call for privacy-papers
The Data Protection Authorities support a new award for privacy-papers, named in honour of the US privacy expert Barbara Wellbery (1948-2003). The award is granted annually by the Morrison & Foerster Foundation. The winning paper will receive a $3.000 cash award. In addition, the winner is invited to present his or her paper in Poland at the 26th International Conference of Data Protection and Privacy Commissioners (14-16 September 2004).
http://www.cbpweb.nl/downloads_overig/med_barbara_wellberry_2.pdf
3-4 June 2004, Vienna, Austria
Free Bitflows conference
Conference and workshops about cultures of access and politics of dissemination, organised by Public Netbase (AT), in collaboration with Hull Time Based Arts (Hull, UK); V2_ (Rotterdam, NL); Bootlab (Berlin, DE); interSpace Media Art Center (Sofia, BG).
http://freebitflows.t0.or.at
10-12 June 2004, Berlin, Germany
Wizards of OS
http://wizards-of-os.org/
13 June 2004, Berlin, Germany
WSIS panel
Details to be announced at the Wizards of OS conference
http://waste.informatik.hu-berlin.de/Grassmuck/wos3-schedule.html
15-17 September 2004, Strasbourg, France
The Council of Europe is planning a major international conference on "The Challenge of Cybercrime", which will bring together senior politicians, computer industry leaders and experts from around the world. No online information yet.