EDRI-gram - Number 19, 8 October 2003

EU proposal on biometrics in visa and passports

The European Commission is proposing to integrate biometric identifiers into visas and residence permits for third country nationals. Later this year proposals will follow for biometrics in passports of EU citizens, likely to be similar to the visa proposal.

The Commission and member states want to store two types of biometric data on a contactless chip (RFID). A facial digital image will be the 'primary biometric identifier in order to ensure interoperability'. As reported in EDRI-gram nr 13, facial images have been chosen by the International Civil Aviation Organisation (ICAO) as the primary biometric identifier. The US requires facial images in passports for countries to be able to take part in the visa waiver program. Specifically, the US is demanding biometrics in EU passports from 26 October 2004 onwards.

The second biometric identifier in the chip will be digital images of two fingerprints. As all EU countries already have criminal databases with fingerprints, this biometric identifier will make it possible to do automated one-to-many checks. The fingerprints taken for visas will be stored in a new Visa Information System (VIS).

The Commission proposal leaves a lot of choices open and seems to be the product of considerable time pressure. EU member states can choose freely whether they want to use the facial image for facial recognition systems. The financial consequences of the proposal are unknown. The Commission states in its draft regulation that the price of the chip is not known but 'with the demand of chips needed for 25 Member States, the price will drop significantly'.

The chip will also have room for additional text. The proposal stresses the need for protection of privacy but gives no insight into how this can be achieved when crossing borders. This problem is acutely visible in the recent disagreement between the EU and the US about passenger data. The proposal also lacks any information on how the data in the chip can be protected against unauthorised access (read and write) and how third countries can be prevented from storing all biometric data from EU citizens when they visit that country.

Proposal for a Council regulation (COM 2003/558)
http://europa.eu.int/eur-lex/en/com/pdf/2003/com2003_0558en01.pdf

50% of Slovakian websites to be wiped

The French E-zine Transfert.net reports that the Slovakian domain registry Euroweb is threatening to wipe more than 40.000 domain names ending in .sk, eliminating half of the Slovakian web presence. Slovakian domain owners have been given one extra month, until 3 November, to renew their registration under new commercial conditions. The first deadline expired on 1 October, but less than half of the owners migrated to the new system.

Until 2002 domain registration under .sk was free and handled by Sanet, the main Slovakian university network. That way, 70.000 domain names were registered. On the first of January 2003 Euroweb, a subsidiary of the Dutch telecom firm KPN, took over. Euroweb charges 20 euro administrative costs per domain per year, plus the obligation to sign a contract through a notary and the obligation to hand over proof of identity. On top of that, owners of existing domain names have to pay a migration fee.

Reportedly, the Slovakian NIC often has technical problems. A number of addresses have still not been migrated, starting with the site of the National Bank of Slovakia and several universities. Euroweb also handles domain registrations in the Czech Republic, Romania and Hungary.

Le web slovaque menacé d'extinction? (01.10.2003)
http://www.transfert.net/a9362

Euroweb
http://home.euroweb.sk

French DPA against tracking of passenger movements

The French Data Protection Authority, the CNIL, considers the current use of chip-cards for public transport a serious danger for privacy. The cards combine identity-data with travel data like point of entrance to the subway, date and time, and even exact route in case the passenger switches route halfway.

In its recommendation of 16 September, the CNIL says: "In fact, the movements of persons using these cards can be reconstructed and thus they are no longer anonymous. This limits the fundamental and constitutional freedom of coming and going as well as the right to a private life, which also is a constitutional value."

The possibility of anonymous travelling should be maintained, according to the French DPA, independent of any card system. Alternatively, all data relating to itineraries should be anonymised, irrespective of whether they are stored centrally or only on the card itself, except in case of fraud control. However, even for the purpose of fraud control, storage may never exceed a period of 2 days.

Another suggested measure to protect privacy is to create an electronic form with which passengers can object to the storage of their picture.

In 2001, the Parisian public transport authority (Ratp) received a Big Brother Award for the initiative to develop the track-and-trace technology. The use of these chip-cards is not limited to Paris, though. In 2002 the CNIL also researched the storage period of databases with passenger movements in Amiens, Lyon, Valenciennes, Marseille and Nice.

Earlier this summer in Finland a Big Brother Award was given to YTV, a firm that controls public transport in the Helsinki region, for storing individual passenger information including social security numbers. Similarly, in the Netherlands the company Translink is nominated this year for plans to introduce the same technology, putting a higher price on anonymous travelling.

CNIL recommendation (16.09.2003)
http://www.cnil.fr/textes/recomand/d03-038.htm

Big Brother Awards
http://www.bigbrotherawards.org

Dutch compulsory identification above 14 years

Last week in the Netherlands a legal proposal became public to introduce compulsory identification for all persons from the age of fourteen. People unable to immediately show a valid passport, driver's license or (cheaper) identity-card risk a fine with a maximum of 2.250 Euro. Every police-officer including military police, any extra-ordinary law enforcement agent and any police related supervisor/watcher may ask for proof of identity. According to the explanatory statement the police must have a reasonable cause related to their task to ask for ID, but there is no need for an actual suspicion of an offence.

Dutch people currently only have partial identification requirements, for example when opening a bank account or at the workplace. Like the Dutch Data Protection Authority before it, the Council of State (an advisory body to the government) is very critical in its evaluation of the legal proposal to extend the requirement to everybody always. The proposal does not substantiate why mandatory ID is necessary, for what reasons the age of 14 was chosen and why such an extremely large number of officials should be granted this power.

"To justify introducing such a general obligation that limits the right to privacy, there must be well-founded reasons. An important element is the effect that the regulation may be expected to have on the suppression of crime and the improvement of law enforcement. The explanatory memorandum hardly contains any (empirical) material about that."

The Minister of Justice Piet Hein Donner admits the lack of empirical substantiation, but sees neither a possibility nor a necessity to create a prognosis of the expected effects of the regulation. In defence, the minister refers to the fact that none of the neighbouring countries with compulsory identification have made any evaluations. Besides, the complaints about discrimination in France and Belgium, incidental according to the Minister, have not yet led to a procedure before the European Court of Human Rights.

It is unknown when the legal affairs committee of the Lower House will discuss the proposal.

Protest against super database in Romania

Human rights experts in Romania harshly criticised the government resolution adopted last week to set up an Integrated Information System (SII), which they consider extremely dense, imprecise and open to arbitrary interpretation. The SII is a database that will centralise the information held by all public institutions regarding natural and legal persons, and that may well become the electronic arm of the Romanian Intelligence Service (SRI).

Manuela Stefanescu, representative of the Association for the Defence of Human Rights in Romania - the Helsinki Committee (APADOR-CH), said the government resolution referred to a decision of the Supreme Defence Council (CSAT), which could not be a substitute for the parliament. "Furthermore, this is not a public resolution, because if you take a look on the CSAT's web site, you will see that the latest resolutions of the council are from 2001", said Stefanescu. Consequently, the government resolution on the setting up of the SII refers to a CSAT decision which has not been published and therefore it does not exist and is also unconstitutional, said the APADOR-CH official.

She said her organisation agreed with the article published in the "Evenimentul Zilei" daily, which said the people who would control the SII would actually control everything. "We do not know to whom this integrated information system is subordinated, we do not know to whom it is of use, and it is extremely dangerous to create a superpower, especially without the slightest guarantee that the personal data will be protected (...) Furthermore, natural and legal persons lack any means of controlling the way in which the data centralised in this mammoth system is used (...)", said Manuela Stefanescu.

Evenimentul Zilei (in English, 29.10.2003)
http://www.evz.ro/english/?news_id=132980

(Contribution by Bogdan Manolea, legal coordinator RITI - Romanian Information Technology Initiative)

UK politicians call for more anti-spam measures

In the UK an influential group of Members of Parliament has called for more anti-spam measures. In a report published last Monday, the MPs ask for greater enforcement powers for the government watchdog responsible for tackling spam, the information commissioner. The All Parliament Internet Group is also urging the Department of Trade and Industry to ban unsolicited e-mails sent to business addresses, not just to private ones. To be able to enforce the ban, the Department should encourage a 'super complaints' system. This would allow outside organisations to act on behalf of people with spam complaints to ensure the major culprits are stopped.

The chairman of the group, MP Derek Wyatt, called for more consistent global legislation and cooperation in tackling spam. Joint vice-chairman Richard Allan confidently added "If all the report's recommendations were implemented then our constituents could expect to see a significant reduction in the amount of spam they receive."

Apig report (06.10.2003)
http://www.apig.org.uk/spam_report.pdf

BBC: Spam watchdog 'needs more bite' (6.10.2003)
http://news.bbc.co.uk/1/hi/technology/3167658.stm

Swiss jurisprudence about hyperlinks and virus tools

The appeal court of Zurich (Obergericht) recently published an interesting ruling about hyperlinks. Linking to an anti-racism page which contains links to hate sites does not breach Swiss anti-racism law. A former professor of computer science was accused of racism for setting a link to the site www.stop-the-hate.org. Both in first instance in 2000 and in this appeal he was fully acquitted on all charges.

This American-based website has been online since 1992 and contains annotated hyperlinks to hate sites. The public prosecutor argued that the former professor had made the content of the site his own. To prove this, the prosecutor launched the remarkable theory that the web should be seen as a book, because the 'forward' and 'back' buttons in browsers meld linked sites into a unity.

The Swiss Internet User Group "finds the behaviour and the substantiation of the public prosecutor incomprehensible. All the more SIUG welcomes the rulings in first instance and from the appeal court, that both state that creating a link on a website does not automatically lead to identification with the contents."

Earlier this summer, the Federal Court, the highest court in Switzerland, ruled that selling instructions on how to build viruses is illegal. According to the court's ruling, it is illegal to publish even partial instructions on how to build programs that harm data.

The case began in the spring of 1996, when a 33-year-old man concluded a license agreement with an American group to distribute the American version of a CD-ROM in Europe and consequently offered the CD for sale online. The disk did not contain an executable virus program, but instructions and references to software that might infect or disrupt data or make them useless.

After a long legal procedure, the Federal Court confirmed an earlier judgement of the appeal court of Zurich, sentencing the man to 2 months in prison and a fine of 5.000 Swiss francs (3.227 Euro).

SIUG press release 'Links auf Webseiten nicht strafbar' (30.09.2003)
https://your.trash.net/pipermail/siug-announce/2003-October/000087.htm...

Bedingt Gefängnis für gewerbsmässige Datenbeschädigung (10.09.2003)
http://www.nzz.ch/2003/09/10/il/page-newzzDKF3EE2Q-12.html

Ruling in CD-ROM case (06.08.2003)
http://wwwsrv.bger.ch/cgi-bin/AZA/JumpCGI?id=06.08.2003_6S.499/2002

(With the kind help of Felix Rauch, SIUG)

UK car-tracking plans

The UK police are coming to the end of their second phase trials on Automatic Number Plate Recognition (ANPR) and preparing to roll out the technology nationwide next summer. ANPR tracks cars using the omnipresent CCTV systems and specialised fixed and mobile cameras. It can use government databases to detect untaxed, unroadworthy and uninsured vehicles. It also means that over time a record of the majority of car journeys around the country will be built up.

Privacy advocates have warned that 'function creep' will mean that these records come to be used for many purposes unrelated to their initial justification. They could allow the government to bring forward plans to introduce congestion charging across the country, charging drivers for all journeys according to the level of traffic on the road. They could be used to enforce speed restrictions across long distances. And they will certainly be used in all sorts of police investigations and even civil cases such as divorce.

Number plate recognition poised for national UK rollout (21.09.2003)
http://www.theregister.co.uk/content/6/32939.html

(Contribution by Ian Brown, FIPR)

Recommended reading

Report on the balance between security and privacy after 11 September 2001, commissioned by the European Parliament, the committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE). The study analyses the security and privacy implications of three emerging technologies: identity management (on-line services based on the identification of the user), location-based services (focusing on local positioning and tracking of the user) and virtual residence in an ambient intelligence environment (with smart and mobile electronic devices connected to our home, office, car etc.). According to the report, there is a need to restore the balance in favour of privacy, as the use of these technologies for some governmental or commercial actions stretches the ability of current legislation to provide adequate personal data protection.

Security and Privacy for the citizen in the Post-September 11 Digital Age (06.10.2003)
http://www.jrc.es/home/publications/publication.cfm?pub=1118

Executive summary available in English, French, German and Spanish