EDRI-gram - Number 3, 26 February 2003

EU questionnaire on spam-ban

As of 31 October 2003 spamming will be prohibited in all EU member states, but it is completely unclear what authority should supervise the spam-ban. The European Commission doesn't have a ready-made answer, and is currently asking privacy-authorities and telecommunications ministries what approach they prefer.

The new Privacy Directive prohibits the sending of unsolicited e-mail but doesn't regulate the practicalities of penalties, damage claims or prosecution of cross-border violations. To make matters even more complicated, the Directive leaves the level of privacy protection of legal persons up to member states. Therefore, in some countries all e-mail addresses will be protected, while in other states the spam-ban is limited to natural persons. On top of that, the directive bans commercial spam, but does allow for a ban on all unsolicited electronic communications, including those for charity and political purposes.

Seven EU member states already have anti-spam legislation: Austria, Denmark, Germany, Finland, Greece, Italy and Spain. In Europe-at-large, spam is also banned in Hungary and Norway. Punishments differ widely. In Austria, for example, spammers can be fined up to a maximum of 36.330 Euro, while in Italy spammers risk a prison sentence, in addition to the obligation to pay damages of 500 to 5000 euro per spam mail.

Answers to the questionnaire from DG Infosoc should be in by 28 February 2003. Based on the answers, the European Commission will probably produce a guideline for recommended practice. Most likely, direct marketers will lobby for self-regulation, leaving it up to the industry to punish itself. EDRI opposes such a soft approach, and strongly recommends the institution of a European hotline for spam, to solve the problem of having to find out where the spam was sent from. This should not be left up to individual citizens, nor should they have to instigate cross-border procedures themselves.

Previous initiatives by the Belgian and French data-protection authorities to open up a national spam-box showed immense public interest. The Belgian authority even closed its mailbox after 2 months, after having received 50.000 spams. As well-intended as it was, they were inundated with identical spams. To withstand the spam-deluge, more is needed, like a dedicated transnational institute, with smart automatic processing of spams, a searchable public database and professionally trained staff.

Privacy-directive (2002/58/EC)
http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en0...

Overview of anti-spam legislation in Europe-at-large
http://www.euro.cauce.org/en/countries/

Questionnaire
http://edri.org/EU-spam-questionnaire.pdf

Belgian privacy-authority (in Dutch and French)
http://www.privacy.fgov.be/

Data-retention scandal in Ireland

Ireland has had a secret data retention regime for almost a year, after the Cabinet confidentially instructed telecommunications operators to store traffic information about every phone, fax and mobile call for at least three years. The Irish Data Protection Commissioner Joe Meade revealed this last Monday at a forum on data retention. Telcos even used to keep these data for a period of 6 years, the commissioner found out in January 2001, when he obliged ISPs and telcos to register with the Office for Data Protection. Following EU privacy-guidelines, the Commissioner pressed for a maximum retention period of 6 months.

Meade said: 'While this period was eventually acceptable to most of the telcos and ISPs it raised legitimate concerns in the Department of Justice regarding access for security and crime investigations. Following discussions with me the Department indicated that a retention period of three years, rather than the then six years, was necessary for security purposes for telcos.'

In spite of the Commissioner's protest, in April 2002 the Minister for Public Enterprise issued directions to telcos to keep detailed, non-anonymous traffic data for a three-year period. Without any public debate, the government went on to prepare official legislation, Meade stated, including mandatory data-retention for internet providers. Details are not yet known, but legislation could oblige providers to keep track of the destination, origin, timing, size and itinerary of every e-mail, as well as the locations of every website visited by every customer.

The Irish scandal comes at a time of relative quiet about a possible European decision about mandatory data retention. In September 2002 the answers to a questionnaire became available, showing a large majority of EU member states in favour of a decision for systematic retention of traffic data concerning all kinds of telecommunication for a period of one year or more. The Danes concluded their presidency of the Justice and Home Affairs Council in December 2002 with the recommendation to organise more discussions with the industry. Under the current Greek presidency, the topic seems to have dropped from the priority-list.

All over Europe, the privacy authorities, organised in the Article 29 Working Party, have expressed grave doubts about the legitimacy and legality of such broad measures and stated that systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case.

Statement by Joe Meade (24.02.2003)
http://www.dataprivacy.ie/7nr240203.htm

Conclusions Danish Presidency 15763/02 (19.12.2002)
https://umbrella.quintessenz.at/cgi-bin/image?user=edri&funktion=c...

Answers to questionnaire on traffic data retention (November 2002)
http://www.effi.org/sananvapaus/eu-2002-11-20-original.html

Statement of the European Data Protection Commissioners (September 2002)
http://www.cbpweb.nl/documenten/med_20020912_eu_verkeersgegevens.htm

Dutch interception secrecy

The quantity of police interceptions of telecommunication in the Netherlands is higher than anywhere else in the world, according to the few available official statistics. The government, however, tries to maintain secrecy about the exact numbers and the technical specifications of the equipment.

Last week, a Freedom-of-Information request by EDRi-member Bits of Freedom for statistics covering the nineties was turned down by government because of 'the lack of available statistics'. The ministry of Justice could not explain why there seem to be no statistics for most years.

The few official publications show an explosive increase of interception numbers in the nineties. According to a 1996 report by the Ministry of Justice's research centre, in 1993 and 1994 respectively 3.619 and 3.284 telephone lines were wiretapped. The researchers concluded that those numbers already were considerably higher than the absolute quantity in the USA and the UK. According to Ministerial answers to Parliament, in 1999 the number of intercepts had increased to an astonishing 10.000 tapped phones by Dutch police (TK 27591, nr. 2). Official reporting by the US Courts and the UK Communications Commissioner shows considerably lower numbers over 1999: 1.277 for the USA and 1.933 for the UK.

Police in the Netherlands have made themselves very dependent on wiretapping. Since the introduction of the Dutch Telecommunications Act in 1998, all telephone companies and internet service providers are obliged to install interception devices at their own expense. Wiretapping being such an elementary part of police investigation, the government shies away from transparency and accountability. Even though telecom and internet operators regularly send bills for operational wiretapping costs, the ministry of Justice claims it doesn't keep account of the numbers.

But secrecy is not limited to the numbers; there are no certifications for the wiretapping equipment. In recent criminal court cases lawyers have declared wiretap evidence unreliable and manipulated. Since most of the interception equipment in the Netherlands is closed-source (even for the police) and not certified, little assurance can be given that the produced evidence is indeed correct and reliable. In a high profile court case against the Kurd Baybasin, a former signals intelligence expert from the military intelligence service has come forward as an expert for the defence lawyers, stating that the intercepts were clearly manipulated.

Report of the UK Commissioner for 1999
http://www.archive.official-documents.co.uk/document/cm47/4778/4778.ht...

US Courts Wiretap Reports
http://www.uscourts.gov/wiretap.html

Making up the rules: Interception versus privacy (August 2000)
http://www.burojansen.nl/crypto/english/

USA gets direct access to European passenger data

From 5 March onwards, USA officials will have direct electronic access to databases with EU passenger data. On 19 February, U.S. Deputy Customs Commissioner Douglas Browning and officials of the European Commission agreed to give the customs officials direct access to the personal data of passengers flying to, from and through the United States.

These databases don't just include names of passengers, but also itinerary, phone and credit card number, time of booking and possible changes. The discussion about data of a sensitive nature, such as meal preferences, was closed with a recommendation to jointly develop measures to protect these data, preferably before 5 March 2003.

In return, 'US Customs undertakes to respect the principles of the Data Protection', at least, as long as these principles don't stand in the way of the secret services. 'US Customs may provide information to other US law enforcement authorities only for purposes of preventing and combating terrorism and other serious criminal offences, who specifically request PNR information from US Customs.'

According to a press statement on 18 February by EU Traffic-Commissioner Loyola de Palacio, information would only be transferred with the consent of the passenger. If the passenger didn't agree, he or she would pay with more stringent checks upon arrival. However reasonable that might sound, it is highly unlikely that US Customs will just close its eyes, every time it sees a mark in the database that the passenger doesn't agree to share personal data.

Joint statement of the European Commission and US Customs
http://quintessenz.org/pnr.pdf

Article about the statements of Palacio (in German)
http://futurezone.orf.at/futurezone.orf?read=detail&id=145486

Belgium introduces electronic passport

Ignoring criticism from the national privacy authority, the Belgian parliament approved the introduction of an electronic passport. The new chipcard will be tested in 11 municipalities. If the pilot succeeds, all inhabitants of Belgium will have an electronic ID within 5 years. The new credit-card sized passport shows regular data like name, date of birth and national ID-number, but the chip will also contain the address-data.

The revised law simultaneously lowers the access barriers to the national register. Every public and private authority or any of its assignees is granted access 'to exercise tasks of public interest'. On top of that, a newly instituted 'sectoral committee' can authorise any other sort of access-request.

The new credit-card sized passport contains several digital keys, to enable remote identification via internet. Personal data on the chip are secured via a public key infrastructure (PKI). To be able to read or scramble data, a combination is required of a public and a private key. The public key can be given out to everybody, while the 'private key' is locked in the chip on the ID-card.

Revised ID-law, nr. 50/2226/066 (in Dutch and French)
http://www.dekamer.be/
http://www.lachambre.be/

ID requirements in Europe

Only a few EU-member states currently have ID-requirements. Privacy-authorities and civil rights groups alike doubt the practical effects and warn against highly arbitrary checks. Belgium, France and Spain, where ID-requirements have been in place for a long time, have bad track-records of police discrimination.

Belgium currently has the strictest legislation, requiring everybody aged 15 and older to show ID when asked by a police officer, without the need for a suspicion. In the Netherlands, the minister of justice recently proposed an ID-requirement for everybody aged 12 and above. According to research by the ministry of justice, published in a letter to parliament on 29 October 2001, the Netherlands would suddenly have the most repressive ID-scheme in Europe.

According to this research, in Germany inhabitants 16 years and older are required to show ID to police officers. In practice ID-requirement is limited to financial transactions. In France and Spain, officials must provide some ground, like danger to public safety, to require ID, but in practice there is a lot of debate about arbitrary checks, like in Belgium.

In Portugal ID-requirements are limited to very specific transactions and to suspects of criminal offences. In Sweden ID-requirements are very specific as well. No ID-requirements exist in the UK, Denmark, Norway and Switzerland, though the plans for a national entitlement-card in the UK are heavily criticised as a hidden ID-scheme.

Netherlands: ID-checks to be introduced
http://www.statewatch.org/news/2003/jan/05neths.htm

Criticism gone from EP report on safer internet plan

In a remarkable change of heart, rapporteur Bill Newton Dunn removed all criticism from his draft report on the Safer Internet Action Plan (EU Document Number COD/2002/0071). Instead of the original recommendation to discontinue the program because of its complete ineffectiveness, Mr. Newton Dunn (British Liberal) now pleads for an extension of the program.

The change is the outcome of a series of so-called trilogue meetings: high-level, closed-door meetings of Council and Commission representatives as well as EP rapporteurs and shadow rapporteurs. Newton Dunn submitted completely to the will of the Council. Not only did he withdraw all of his critical original amendments, he even asked the Council for formulas he then tabled as last-minute amendments in his own name. The result: not a single amendment was adopted in the EP Internal Affairs committee that had not been approved by the Council before. It is very likely that the outcome in the EP Plenary, which will vote on March 10, will look similar.

The Action Plan can now be extended to almost all forms of electronic communication and all protocols. At the last trilogue meeting, Newton Dunn agreed to withdraw part 2 of his original amendment 4, which would have taken 'peer-to-peer file transfer, text and enhanced messages and all forms of real-time communications such as chat rooms and instant messages' out of the scope of the program, on the grounds that 'the aims of the initial Action Plan have not been entirely achieved'. Instead, the rapporteur accepted an insignificant formula saying the goal of the program is 'primarily (...) improving the protection of children and minors'. Amendment 5, which contained implicit criticism that hotlines were not known to users, disappeared as well, without any explanation of the sudden increase of knowledge about these hotlines.

The deadline for amendments for the Plenary is 6 March.

LIBE Revised report
https://umbrella.quintessenz.at/cgi-bin/image?user=edri&funktion=c...

Voting list
https://umbrella.quintessenz.at/cgi-bin/image?user=edri&funktion=c...

(Contribution by Andreas Dietl, consultant on EU privacy issues)

Bulgarian Big Brother Award for Interior Affairs

In Bulgaria, a Big Brother Award was awarded to the Ministry of Interior Affairs for the double achievement of a proposal to wiretap all internet traffic and the censorship of a satirical homepage.

The draft new Telecommunications Law would have obliged internet service providers to buy wiretapping equipment that would have given police live access to all data traffic going through the networks of the providers. The proposal was stopped just in time and sent back to several parliamentary committees.

In September 2001, the National Unit for Combating Organized Crime tracked down and confiscated the computer of the 26-year-old individual Lubomir Kolev. His 'crime' was that he published a website under the name of a Bulgarian bank, where he mocked the election promise of the prime minister to give a rent-free loan of 5000 Leva (EUR 2.500) to every Bulgarian citizen.

The Ministry explained the take-down because 'in the web site a picture of the prime minister Mr. Simeon Sax-Coburg-Gota was published, with which Lubomir K. has lowered not only the image of the bank, but also of the official Bulgarian institutions'. Many people joked 'We didn't know that publishing a picture of the prime minister could ruin the image of Bulgarian institutions or banks'.

Though never charged for the satire, Kolev recently received a fine of EUR 1.000 for having illegal software on the confiscated computer. To obtain the report, send an e-mail to veni@veni.com

Explanation of the Interior Ministry
http://www.mvr.bg/show/index.asp?dat=200109&nom=23

(Contribution by Veni Markovski, GIPI Bulgaria)

Recommended reading

Not much research has been done on privacy and digital civil rights in the Baltic EU accession countries (Estonia, Lithuania and Latvia). Estonia refers to itself as E-stonia, with the ambition to outclass even Finland as ICT-nation. Groundwork was done by the Open Society Institute in Lithuania, resulting in the report Digital Lithuania in 2001 by Marius P. Saulauskas.

In spite of extreme pessimism about the level of ICT-development in 2001, seventy-four percent of the interviewed Lithuanians felt that the development of an information society would favourably influence the Lithuanian economy. With Parliament reviewing the conclusions, the study has become an important factor in official plans for Lithuania's development over the next 15 years. In cooperation with the Ministry of Economical Affairs, the Institute launched a website to allow people to express their opinions about the development program.

Summary in English
http://www.politika.osf.lt/inf_society/summaries/DigitalLithuania2001....

Agenda

27-28 February 2003 Luxembourg, Luxembourg - 2 workshops on 'Safer Internet'
http://www.saferinternet.org/news/Events-feb2003.asp

10-12 March 2003 Malmo, Sweden - ASEM summit on Globalisation and ICT
http://www.iked.org/asem2003ict/program.html

15 March 2003 Nomination deadline for the Stupid Security Award
http://www.privacyinternational.org/activities/stupidsecurity/

25 March 2003 - UK Big Brother Awards
http://www.privacyinternational.org/bigbrother/uk2003/

1-4 April 2003 New York, USA - CFP 2003
http://www.cfp2003.org/cfp2003/program.html

22-24 April 2003 St Petersburg, Russia - Building the Information Commonwealth
http://www.communities.org.ru/conference/

6-7 May 2003 Padova, Italy - Information Society Visions and Governance
Contact for information: Claudia Padovani,
claudia.padovani@unipd.it

8 - 9 May 2003, Namur, Belgium - Collecting and Producing Electronic Evidence in Cybercrime Cases
2-day workshop organised by the University of Namur
http://www.ctose.org/workshop-8-9-may-2003.html