EDRI-gram - Number 23, 3 December 2003

EP Committee wants to jail file sharers

On 27 November the Legal Affairs Committee (JURI) of the European Parliament finally voted on the Draft Directive on the Enforcement of Intellectual Property Rights. The vote was a total victory for the Rapporteur, French Conservative Janelly Fourtou. Every single one of her amendments passed, and so did all of the compromise amendments she had worked out with other MEPs. There is no official version of the amended report yet - it has to be prepared by the JURI Secretariat from circa 250 pages of amendments and a 19-page list on the outcome of the vote. It can, however, already be concluded that the amended version is even more disproportionate than it looked in worst-case scenarios during the weeks preceding the vote - and that is not entirely the fault of Mrs Fourtou, but also of a Green MEP from Austria called Mercedes Echerer.

Part of the last Compromise proposal Mrs Fourtou had presented more than two weeks before the vote was an agreement with the authors of amendments aiming at the deletion of article 20. This article contains an obligation for Member States to introduce criminal law sanctions for infringements of intellectual property rights, which do not yet exist in most EU Member States. The deletion of this article was proposed by Mrs. Echerer, together with her party colleague Neil MacCormick from Scotland, and three other MEPs from different parties. Mrs Fourtou's proposal was to support the deletion of criminal law provisions, if in return she would get a majority for widening the scope of the Directive to infringements that do not cause significant harm and are not committed for a personal purpose. This had always been one of Mrs Fourtou's most important objectives; some say because her husband - Jean-Rene Fourtou, the CEO of Vivendi Universal, the world's biggest music company - would like to crack down on file sharers.

When it came to the vote last Thursday, this widening of the scope was already accepted when Mrs Echerer proposed an oral amendment to Article 20, aiming not at the deletion of that Article, as her earlier amendment had, but at the introduction of criminal sanctions for all kinds of intellectual property rights infringements, if they are serious and committed intentionally.

What 'serious' means would be left to the transposition of the Directive in Member States, or to be judged by courts. Generally the term refers to either commercial or large-scale infringements, the latter of which could very well apply to hundreds of thousands of users of the internet, and lead to young file sharers ending up in prison, as has happened in the U.S. under similar regulations in the Digital Millennium Copyright Act.

It is not yet clear when the report will be adopted in the European Parliament's plenary. It is not on the schedule for the December session in two weeks, and rumours have it that it will not even be voted in January, because the EU Council proposes massive changes, which will require several rounds of discussion.

Directory with personal websites and e-mail addresses of all MEPs
http://www.the-elected.com/showInstitution/1

PNR talks between EU and US move slowly

Talks between the European Commission and the US Department of Homeland Security about airline passenger data are moving very slowly. Commissioner Frits Bolkestein told the European Parliament that the US is only willing to compromise on a few disagreements. Most importantly, the US does not want to limit the use of airline passenger data to the purpose of fighting terrorism.

Since March the US has been demanding passenger data from European airlines flying to or through the US. The data is sent to the US prior to flight departure and used by the US to screen passengers and apply a risk assessment. The passenger name record (PNR) data consists of many data items: departure and return flights, connecting flights, special services required on board the flight (meals such as Kosher, Halal) and payment information such as credit card numbers. Airlines might lose landing rights if they do not comply with US demands. The European Parliament, the European Data Commissioners and even the European Commission agree that the current transfer of passenger data violates EU privacy regulations.

On 9 October the European Parliament passed a resolution concerning the transfer of passenger data to the US. The resolution details various concessions the European Commission must require of the United States concerning data protection and collection limitation, and requires that the Commission act within two months or else be brought to the Court of Justice by the European Parliament for failure to do so.

On 1 December Commissioner Frits Bolkestein gave an overview of where the negotiation stands. The retention period is down from the previous 7 years to 3,5 years. The number of required PNR items is only down from 39 to 34 items. But most importantly, the US don't want to limit the use of PNR to fighting terrorism. Previously the US said it wanted to use the data also for combating 'other serious crimes'. Bolkestein told Parliament that "the US text is more precise than it was, but barely any narrower." The only 'concession' the Commission got is that the US will use the PNR only for crimes that are punishable by a minimum imprisonment term of at least 4 years. That still makes the use of PNR possible for a huge variety of crimes that are not related to terrorism at all.

Stefano Rodota, chair of the European Data Commissioners, already said that the US concessions won't comply with European law: "there are no grounds for saying that the American system is proper and suitable".

Marco Cappato, Italian member of European Parliament, has asked the Commission to take action against airlines that have passed his PNR to the US.

Bolkestein has committed himself to reach an agreement with the US before Christmas.

Speech by Frits Bolkestein (01.12.2003)
http://europa.eu.int/rapid/start/cgi/guestfr.ksh?p_action.gettxt=gt&am...

Speech by Stefano Rodota (25.11.2003)
http://www.statewatch.org/news/2003/nov/PNR-Rodota25-11-03.pdf

Marco Cappato complains to Commission (07.11.2003)
http://coranet.radicalparty.org/pressreleases/press_release.php?func=d...

Travel Data and Privacy
http://hasbrouck.org/articles/travelprivacy.html

Irish Labour Party wants to stop e-voting

The Irish Labour Party is urging suspension of e-voting until major flaws are fixed. Ireland is planning to change over completely to electronic voting in June 2004, for both local and European elections.

According to a report commissioned by the party the major defects are:

- An integrated end-to-end test of the entire system has not yet been conducted, only a partial test;

- The source code is not available, but code reviews indicate that certain formal methods have not been used to prove the accuracy of the software;

- It is possible to load the Microsoft Access database on the vote-counting computer with pre-prepared data. In addition, vote information is transferred between PCs at the Count Centre on floppy discs. It would not be difficult to exchange discs;

- Unauthorised persons could produce an alternative version of the NEDAP voting machine software and/or the voting system biased in favour of a particular party or candidate.

Besides organising an end-to-end test and using formal mathematical methods to ensure the reliability of the system, Labour demands the introduction of a Voter Verifiable Audit Trail (VVAT). That means creating a parallel paper record of votes cast which could be stored and checked in the event of a dispute over an election outcome.

The Belgian e-voting expert David Glaude reports an incident with e-voting in Belgium. The incident, which was not widely publicised, took place on 18 May 2003 in the municipality of Schaerbeek. The total number of preferential votes cast for a specific candidate was higher than the total number of votes for his list. A series of tests was conducted on the computer of the president of the voting committee, but the error could not be reproduced. The difference in votes was exactly 4.096, leading the research team to the conclusion that the error was probably due to a spontaneous inversion of a binary position in the read-write memory of the PC.

The Belgian e-voting system is fairly complex, with a blank magnetic card that every voter has to insert into a voting machine. After voting, the card must be entered into a ballot-box. Attached to the ballot-box is a computer with a floppy-drive. The voting-results are written on a floppy-disk.
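A difference of exactly 4096 (2^12) is what one inverted bit at position 12 produces. The following added example (not code from the Belgian system or from the investigators) shows the two checks an auditor can run on such figures: the invariant that a candidate cannot have more preferential votes than his list, and a bitwise comparison against an independent recount. The recount, the `Tally` record and all numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tally:
    candidate: str
    list_total: int      # votes for the candidate's whole list
    machine_count: int   # preferential votes reported by the counting PC
    recount: int         # same figure from an independent recount (assumed available)


def classify(machine_count: int, recount: int) -> dict:
    """Compare a reported count with a recount, bit by bit."""
    if machine_count < 0 or recount < 0:
        raise ValueError("vote counts cannot be negative")
    changed = machine_count ^ recount          # bits that differ
    bits = [b for b in range(changed.bit_length()) if (changed >> b) & 1]
    delta = machine_count - recount
    if not bits:
        kind = "match"
    elif len(bits) == 1:
        # Exactly one differing bit: consistent with a single memory bit flip.
        kind = "single-bit-flip"
    elif (abs(delta) & (abs(delta) - 1)) == 0:
        # The difference is a power of two, but a carry changed several bits,
        # so one inverted bit cannot explain it.
        kind = "power-of-two-delta"
    else:
        kind = "other"
    return {"kind": kind, "delta": delta, "bits": bits}


def audit(tallies):
    """Return a finding for every tally that is impossible or disagrees with the recount."""
    findings = []
    for t in tallies:
        impossible = t.machine_count > t.list_total
        result = classify(t.machine_count, t.recount)
        if impossible or result["kind"] != "match":
            findings.append({"candidate": t.candidate, "impossible": impossible, **result})
    return findings


# Constructed sample data, not figures from the Schaerbeek count.
SAMPLE = [
    Tally("A", list_total=3200, machine_count=4610, recount=514),   # 514 + 4096
    Tally("B", list_total=3200, machine_count=731, recount=731),
    Tally("C", list_total=9000, machine_count=8196, recount=4100),  # +4096 with carry
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Candidate C shows why a power-of-two difference alone is not proof of a bit flip: the counts differ by 4096, but two bits changed.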

Press release Irish Labour party (03.11.2003)
http://www.labour.ie/press/detail.tmpl?SKU=20031103143251

Electronic voting in Ireland: a threat to democracy? (November 2003)
http://www.labour.ie/policy/download/evoting.pdf

Website David Glaude (in French)
http://www.poureva.be

EP Rapporteur sceptical about biometrics in ID-cards

Ole Sorensen, the Rapporteur for the European Parliament on two proposals for Council Regulations to include biometric identifiers into visas and ID cards, is questioning the proportionality and the adequacy of this measure to enhance security standards of EU travel documents. In a Working Document discussed at an internal meeting with the shadow rapporteurs of the political groups, Sorensen criticises the Commission and the Council for not even being able to enumerate the number of falsified visas, passports and ID cards, which still have to serve as a justification for the biometrics proposal. He recalls that visas are already well protected by numerous technical features: "a sign consisting of nine ellipses in a fan-shape, a kinegram (an optically variable mark), a logo, the appearance of the word 'visa' in optically variable colouring depending on the angle of view etc. The visa itself is placed in the passport in a way that does not allow its removal and use in another passport."

Sorensen also questions the need for two biometric identifiers instead of just one: "Normally one would assume that a trained border control official should be able to check whether the person in front of him is the one on the visa and / or the chip and the passport." The Rapporteur criticises the Commission for not being able to tell what the proposal will cost: "The implementation of the proposal will be very expensive for Member States..." He is afraid that in the end - because of the high costs - Member States will be tempted to increase the costs of visas, which could ultimately result in third country nationals being forced into illegal ways of entering the Union's territory. Concerning Data Protection, Sorensen praises the Commission proposal for being 'surprisingly honest' by pointing out that the supervisory authorities are currently under-resourced for their wide range of tasks... "Although very honest, the language used is suggesting: Well, it is a problem but it is one of Member States and we cannot do anything about it." Unfortunately, the proposal is in the Consultation Procedure, which means the Parliament can't do anything to stop it.

Proposal for a Council Regulation amending Regulation (EC) 1683/95 laying down a uniform format for visas
http://europa.eu.int/cgi-bin/eur-lex/udl.pl?REQUEST=Service-Search&...

Article 29 - Data Protection Working Party - Working document on biometrics
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp8...

Retrial of DVD-Jon in Norway

The Norwegian Jon Johansen pleaded 'not guilty' on 2 December at the retrial that follows his acquittal on charges of reverse-engineering DVD technology and creating DeCSS in 1999. DeCSS is computer software that Johansen and others wrote in an effort to build an independent DVD player for the Linux operating system.

In January 2003, a three-judge panel in Oslo rejected charges against Johansen for accessing his DVD movies using an independently created DVD player. The court also rejected Hollywood's claim that it has the right to control the way in which an individual views a DVD after purchase.

The charges against Johansen were brought under the Norwegian criminal code section 145.2, which outlaws bypassing technological restrictions to access data that one is not entitled to access. Johansen's prosecution is the first time that this law has been used to prosecute a person for accessing his own property. This data theft law has been used in the past only to prosecute those who illegally access another's bank or phone records or data that they have no lawful right to access.

If Johansen's acquittal is overturned on appeal, it will become illegal for Norwegians to bypass DVD region code restrictions or technical restrictions that prevent fast-forwarding over advertisements, or otherwise circumvent digital controls on their own property.

The case in the Oslo Appeals Court is set to end on 12 December with a verdict expected in early 2004.

In November 2003, Johansen published a new computer program called QTFairUse that allows consumers to make digital fair use of their Apple iTunes music collections by legally opening a music file and then saving it as an unrestricted file.

Timeline of DeCSS litigation by IP Justice
http://www.ipjustice.org/publications/decsstable.htm

Jon Johansen's page
http://www.nanocrew.net/

Dutch parliament questions crypto telephone

The presentation of a crypto mobile telephone has stirred some controversy in the Netherlands. The Cryptophone has been developed in the Netherlands and is sold through a German company. The device is a combined GSM and organiser running Windows Pocket PC. The software encrypts the call when connecting to another Cryptophone. The Cryptophone should make it impossible for any third-party, including the phone company and police, to listen to the call.

The Dutch Christian Democrat Member of Parliament Haersma-Buma has asked the Dutch government if there is a possibility of forbidding the phones, since they can make it impossible for police to use the information from a wiretapped mobile phone call. Dutch police rely heavily on phone interception, with an estimated 12.000 phone taps per year. This number is higher than in any other European country or even the US.

The Cryptophone is legal under Dutch law, which does not place any restriction on the use of cryptography by citizens. It is not expected that legislation will be passed to change this situation. In 2002 the Netherlands decided not to impose key escrow on Trusted Third Parties. Dutch export regulation is in accordance with the liberal EU regulations that place few restrictions on cryptographic products for the consumer market. Furthermore, in recent years the Dutch government has proclaimed that the wide availability of cryptography is essential to information security and helps to maintain privacy of telecommunications.

Other European countries have little or no restrictions on the use of cryptography. France, which used to have laws against the use of strong crypto, liberalised its law completely in 2001. Programs like PGP and GPG are widely available and used throughout Europe.

Cryptophone
http://www.cryptophone.de/

Crypto Law Survey
http://rechten.kub.nl/koops/cryptolaw/

PGP
http://www.pgp.com/

GPG
http://www.gnupg.org/

UK government's biometric plans undermined

The biometric technique that has been selected for incorporation into the new UK national ID card has been undermined in the scientific press. New Scientist has reported that the technique of iris scanning is not as perfect and infallible as the Home Secretary (Minister of Internal Affairs) has claimed. The article alleged that the technology was prone to failure and that its success could not be guaranteed if used on a national scale.

New Scientist reported that the key problem "is the limited accuracy of biometric systems combined with the sheer number of people to be identified. The most optimistic claims for iris recognition systems are around 99 per cent accuracy - so for every 100 scans, there will be at least one false match".

"This is acceptable for relatively small databases, but the one being proposed will have some 60 million records. This will mean that each person's scan will match 600,000 records in the database, making it impossible to stop someone claiming multiple identities. Even if they already had one or more records in the database, these would be swamped by the hundreds of thousands of false matches".

The magazine quoted Simon Davies, director of EDRI member Privacy International, as saying that the technology's performance would not improve in the foreseeable future.

The Guardian took Davies' critique to a more complex level. "A system with 0.999999 reliability would make a false match, on average, once every million times - great for verification. But for identification, the chances of the system correctly comparing someone with its entire database can be calculated by its success rate to the power of the database size. If that is two, with the example above it would be 0.999999 squared, or 0.999998. That means 100 people would produce a 0.9999 success rate, 100,000 a 0.9048 success rate. A database holding the whole UK population - 50 million - leads to less than one in five thousand billion billion - in other words, useless".
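The two quoted calculations, carried through in Python as an added example (not from New Scientist, The Guardian or EDRI): the expected number of false matches in a one-to-many search, and the probability that such a search produces none. Function names are illustrative, comparisons are assumed independent as in the quoted figures, and `required_fmr` goes one step beyond the text by inverting the formula to show what per-comparison error rate a given database size would demand.

```python
import math


def _check(fmr: float, db_size: int) -> None:
    if not 0.0 <= fmr < 1.0:
        raise ValueError("false match rate must be in [0, 1)")
    if db_size < 1:
        raise ValueError("database size must be at least 1")


def expected_false_matches(fmr: float, db_size: int) -> float:
    """Average number of wrong records one probe matches in a 1:N search."""
    _check(fmr, db_size)
    return fmr * db_size


def p_no_false_match(fmr: float, db_size: int) -> float:
    """(1 - fmr) ** db_size, the 'success rate to the power of the database size'.

    Evaluated in log space so tiny error rates and huge databases do not
    lose precision.
    """
    _check(fmr, db_size)
    return math.exp(db_size * math.log1p(-fmr))


def required_fmr(db_size: int, target: float) -> float:
    """Largest per-comparison false match rate for which a 1:N search still
    has probability `target` of producing no false match at all."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    if db_size < 1:
        raise ValueError("database size must be at least 1")
    return -math.expm1(math.log(target) / db_size)


def sweep(fmr: float, sizes):
    """Rows of (db_size, expected false matches, P[no false match])."""
    return [(n, expected_false_matches(fmr, n), p_no_false_match(fmr, n)) for n in sizes]


if __name__ == "__main__":
    # New Scientist figures: 99 per cent accuracy, 60 million records.
    print(expected_false_matches(0.01, 60_000_000))
    # Guardian figures: 0.999999 reliability at growing database sizes.
    for n, exp_fm, p_ok in sweep(1e-6, [2, 100, 100_000, 50_000_000]):
        print(f"{n:>11,}  expected false matches {exp_fm:12.6f}  P(no false match) {p_ok:.4e}")
    # Error rate needed for a 99% clean search over 50 million records.
    print(required_fmr(50_000_000, 0.99))
```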

Media extensively reported the issue, first through Reuters and then in the International Herald Tribune. The allegations sparked a lengthy and heated email exchange between Davies, iris scanning inventor John Daugman, and many of the world's leading biometric experts. New Scientist will publish some of the exchanges this week.

'Biometric cards will not stop identity fraud', New Scientist (21.11.2003)
http://www.newscientist.com/news/news.jsp?id=ns99994393

'Report faults biometric ID card plans', Reuters (20.11.2003)
http://www.iht.com/articles/118306.html

'Image Problem', The Guardian (20.11.2003)
http://www.guardian.co.uk/online/story/0,3605,1088437,00.html

European court allows trademark Fur Elise

According to the European Court of Justice, music can be deposited as a trademark in Europe. This is the outcome of a test-case instigated by the Dutch trademark agency Shieldmark. The founder of the company Shieldmark formally sued his father, founder of the trademark agency Kist, in order to get a European trademark on part of Beethoven's Fur Elise. The tune is used in an advertisement with a chicken that cackles the first nine tones of the world-famous tune. The trademark is granted on the picture of a musical score with the notes e, d sharp, e, d sharp, e, b, e, c, a.

The Dutch Supreme Court wondered whether sounds could be registered because normally trademarks are only granted on things that are capable of a graphic presentation. For this reason sounds could not be registered as a trademark. The European Court of Justice confirmed that a musical score is an effective representation of sound, and can therefore be registered.

The case can have serious consequences for the public availability of European musical heritage. Trademarks can now be used to claim exclusive rights even when the copyright has long passed and works belong to the public domain.

Press release European Court (27.11.2003)
http://www.curia.eu.int/en/actu/communiques/cp03/aff/cp03106en.htm

French provider wins lawsuit about website

The French provider RAS does not have to remove a website from the trade-union SUD-PTT. On 24 November a Paris court rejected the claim from 2 telemarketing companies that the website was both hurtful and defamatory. The rejection is technical; the companies should have chosen 1 single argument for their complaint.

The contested remarks state that one of the companies is ruled by 'little bosses', a manager is described as being unable to distinguish between friendship and hierarchical relationships and a female president is disqualified as being perfectly aware of the situation, but not acting on it - as usual. (See EDRI-gram nr. 21, 5 November 2003)

The companies are ordered to pay 2.000 Euro to the trade union and 3.000 Euro to provider RAS. The judge explicitly authorised putting the remarks back online, since the editor removed them before the ruling.

EDRI-member IRIS voluntarily joined the defendants in the lawsuit. IRIS' Meryem Marzouki is excited about the verdict. "It shows that the current French law shouldn't be modified towards recognition of notice and take down procedure (this is in the draft law for e-commerce directive transposition): if even a judge cannot find evidence that content is illegal, how should a private party or an ISP be able to do that?"

Press release IRIS and RAS (26.11.2003)
http://www.ras.eu.org/ras/actions/ceritex-SudPTT/index.html

"Independent providers are not responsible for content, at the moment" (25.11.2003)
http://www.transfert.net/a9625

Statement on human rights in the information society

Early in November independent experts from all regions of the world met in Geneva to discuss fundamental human rights in the information society. The meeting was supported by the Swiss Agency for Development and Cooperation (SDC), the European Commission, the Office of the High Commissioner for Human Rights and the Government of Mali, Chair of the Human Security Network. The experts produced a paper that was distributed during one of the last preparatory conferences (PrepCom 3A) for the World Summit on the Information Society (WSIS), that started on 12 November in Geneva. The paper calls on governments to protect all human rights related to the information society, ranging from freedom of expression and information to privacy to intellectual property rights, and from bridging the digital divide to good governance.

About freedom of expression the paper states: "Full respect for freedom of expression and information by States and non-State actors is an essential precondition for the building of a free and inclusive information and communication society. ICTs must not be used to curtail this fundamental freedom."

Statement in MS Word (12.11.2003)
http://www.pdhre.org/wsis/statement.doc

Recommended reading

A new handbook about the Cybercrime convention warns that the interests of law enforcement are currently prevailing over respect for fundamental human rights. The handbook is written by Dr. Yaman Akdeniz from the UK not-for-profit organisation Cyber-rights and Cyber-liberties.

The Cyber-Crime Convention (November 2001) and its additional protocol on racist and xenophobic acts committed through computer systems (January 2003) were developed by the Council of Europe, representing 45 European countries. The convention enters into force after ratification by 5 members. Currently only Albania, Croatia and Estonia have ratified the convention; no member state has yet ratified the first protocol.

The report concludes: "Governments and supranational and international organisations should co-operate to respect fundamental rights such as freedom of expression and privacy, and should encourage rather than limit the people's usage of the Internet through excessive regulation at the national level. (...) It should be remembered in the words of Judge Pettiti that 'the mission of the Council of Europe and of its organs is to prevent the establishment of systems and methods that would allow Big Brother to become master of the citizens private life'."