EDRI-gram - Number 18, 25 September 2003

European Parliament limits software patents

The European Parliament yesterday drastically altered the proposed directive on the patentability of computer-implemented inventions. A long summer of intensive lobbying by an impressive European alliance of open source advocates, economists and CEOs of small and medium-sized businesses has paid off.

One of the great fears about software patents, the extension to business methods like Amazon's one-click shopping, is effectively answered by the new Recital 13a. This states: "A computer-implemented business method, data processing method or other method in which the only contribution to the state of the art is non-technical cannot constitute a patentable invention."

Software as such is excluded from patentability, as are all forms of information processing, handling and presentation. According to Recital 13d, only computer-implemented inventions that directly affect programmable apparatus can be patented, for example software applied in washing machines and mobile phones.

Another important victory for the broad alliance against software patents is the new Article 2b, which requires inventions to make a technical contribution, to be new and non-obvious, and to be capable of industrial application. The amended Article 4 forbids the use of non-technical characteristics to judge whether there is a technical contribution, a practice that had allowed the European Patent Office to decree that almost anything was technically innovative. Last but not least, acts done for the sake of interoperability are exempted from patent infringement.

The final vote showed 361 votes in favour, 157 against and 28 abstentions on the legislative resolution. The Green Party and GUE voted against the directive, in spite of succeeding in getting many amendments accepted.

According to FFII, the day before the vote the responsible Commissioner, Frits Bolkestein, had threatened that the Commission and the Council would withdraw the directive proposal should the Parliament adopt the amendments it in fact voted for the next day.

"It remains to be seen whether the European Commission is committed to 'harmonisation and clarification' or only to patent owner interests", said Hartmut Pilch, president of FFII. "This is now our directive too. We must help the European Parliament defend it."

FFII Press release
http://swpat.ffii.org/news/03/plen0923/

Consolidated version of the vote (24.09.2003)
http://swpat.ffii.org/papers/eubsa-swpat0202/plen0309/resu/index.en.ht...

First ruling under new UK anti-spam legislation

On 11 December 2003 new anti-spam legislation in the UK will come into force, implementing the European Directive on privacy in the telecommunications sector (2002/58/EC). In the UK, spammers will risk a fine of up to 5,000 GBP (about 7,196 EUR) from a magistrates' court, or an unlimited fine if tried before a jury. Though spamming becomes a criminal offence, UK spammers do not risk a prison sentence.

In a test case, on 10 September the UK's Advertising Standards Authority ruled that e-mail marketers must obtain explicit consent from the targets of advertising, even when they use a list of addresses purchased in good faith. The Authority revamped its Code of Practice in March 2003, with new requirements for consent before marketing by e-mail. As progressive as this code might seem, the Advertising Authority confirmed that business e-mail addresses remain unprotected.

First UK ruling under new rules on e-mail marketing (10.09.2003)
http://www.out-law.com/php/page.php?page_id=firstukrulingunde106320388...

UK legal implementation (approved by parliament 18.09.2003)
http://www.dti.gov.uk/industry_files/pdf/regulations_20030918.pdf

EU-US negotiations about PNR Data

Negotiations about airline passenger data between the European Commission and the US are stuck, but both parties have agreed to settle their differences before the end of this year. On 22 September, Asa Hutchinson, US Under Secretary for Border and Transportation Security, met with EU Commissioner Bolkestein, but that did not result in any public change of the US position.

Since March the US has been demanding passenger data from European airlines flying to or through the US. The data is sent to the US prior to flight departure and used to screen passengers and apply a risk assessment. The passenger name record (PNR) data consists of 39 data items: departure and return flights, connecting flights, special services requested on board (kosher or halal meals, for instance) and payment information such as credit card numbers. Airlines risk losing landing rights if they do not comply with US demands.

At the same time, a scandal broke out around passenger data from the US carrier JetBlue. JetBlue voluntarily handed over the itinerary information of 1.5 million passengers, including passenger name, address and phone number, to a US defence contractor, which used the data to test passenger screening software. The US Electronic Privacy Information Center (EPIC) responded by filing a complaint with the Federal Trade Commission. Since there is no legal privacy protection for passenger data in the US, the complaint could only be based on a violation of JetBlue's own privacy policy. EPIC also requested information from several federal agencies about possible government use of JetBlue passenger data. The case illustrates why European passengers should worry when their data are transferred to the US.

The scope of the use of EU passenger data by the US is wide. An initial agreement between the EU and US that will now be revised, says that 'Customs will retain the data no longer than is required for the purpose for which it was stored'. But at the same time it is clear that the data is stored for an almost unlimited number of purposes, certainly not limited to the fight against terrorism: 'PNR data is used by Customs strictly for enforcement purposes, including use in threat analysis to identify and interdict potential terrorists and other threats to national and public security'.

The EU Commission and Parliament agree that the passenger data can only be given to the US if an adequate level of data protection is in place. The US handling of the data seems in no way adequate, as the purpose of the data processing is not clearly defined, retention time is not limited and supervision is not independent.

Bolkestein told the European Parliament Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE) on 9 September that 'progress on the remaining issues has been rather disappointing'. This is hardly surprising, as Tom Ridge, US Secretary of Homeland Security, had said only a few days earlier: "Looking at this request beyond just a data protection issue but as a mutual security issue is something that can help us get closer to resolving our differences". On 29 September, LIBE will vote on a proposed European Parliament resolution to stop all transfers by 1 December 2003 if the US cannot guarantee adequate data protection.

Draft motion for a European Parliament Resolution on PNR-data (24.09.2003)
http://www.europarl.eu.int/meetdocs/committees/libe/20030929/en.pdf

Speech Bolkestein on EU/US talks (09.09.2003)
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&am...

EPIC dossier on passenger profiling
http://www.epic.org/privacy/airtravel/profiling.html

Reporters sans frontieres banned from WSIS

Reporters Sans Frontieres, a non-governmental organisation fighting for freedom of the press, was banned from further participation in the World Summit on the Information Society (WSIS). According to a letter from the Executive Director of the Summit, RSF was excluded for 'administrative reasons'. The exclusion is in fact a direct result of a protest RSF staged in March, when Libya was appointed as chair of the UN Human Rights Commission. After that protest, the UN banned RSF from all meetings for a year.

Earlier, the organisation Human Rights in China was excluded from WSIS for similarly suspect administrative reasons. The WSIS Human Rights Caucus is very upset about these exclusions. "A summit on the information society that allows the participation of governments that systematically censor media and violate human rights but that doesn't allow the participation of some of the leading international groups defending those rights makes no sense."

Protest letter of the Human Rights Caucus
http://www.iris.sgdg.org/actions/smsi/hr-wsis

Verisign violates privacy of millions of internet users

Verisign, the US-based operator of the .com and .net registries, refuses to stop redirecting internet users to its own search engine, Site Finder. Since 15 September Verisign has published a wildcard record in the .com and .net zones, so that a request for any domain name that does not exist (a typing mistake, for instance) is answered with the address of Verisign's own site instead of the usual 'no such domain' error. In spite of massive protests from internet users, technicians, the IAB and ICANN, Verisign does not seem willing to change its policy.

In a posting on the collective weblog CircleID, privacy expert Richard M. Smith states that Verisign is using the services of Omniture to set a cookie. Through this cookie the company is able to track all future typing mistakes a user makes in domain names, as well as analysing their search behaviour and gathering sensitive information such as the previously visited web address.

With 4 to 7 million misdirected visitors per day, Verisign is violating the privacy of internet users worldwide on an extremely large scale. This type of secretive monitoring is prohibited by the European Directive on privacy in the telecommunications sector (2002/58/EC). Through Recitals 24 and 25 and Article 5(3), the Directive requires the informed consent of each internet user for cookies and similar monitoring devices. "So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned."
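One way a resolver operator or auditor can detect this kind of zone wildcarding, as an added example that is not part of the EDRI-gram article and not Verisign's or anyone else's code: resolve a handful of random, almost certainly unregistered labels under a top-level domain. A correctly run zone answers 'no such domain' (NXDOMAIN) for all of them, while a wildcarded zone answers every one of them with the same address, which is then the sink that typing mistakes are sent to. The resolver below is a constructed stub (hypothetical zone data and a TEST-NET sink address, not the real Site Finder address) so that the block runs offline; `make_stub_resolver` would be replaced by real DNS lookups to use the check against live zones.

```python
"""Detecting a wildcard record at a TLD apex (the Site Finder mechanism).

Added example; the resolver is a stub with constructed data so it runs offline.
"""
import random
import string
from typing import Callable, Dict, FrozenSet, Optional

# A resolver maps a fully qualified name to an IPv4 address, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def random_label(length: int = 24) -> str:
    """A random lowercase label that is vanishingly unlikely to be registered."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(tld: str, resolve: Resolver, probes: int = 5) -> FrozenSet[str]:
    """Probe `tld` with random labels and return the set of addresses they resolve to.

    An empty set means at least one probe received a proper NXDOMAIN, i.e. the
    zone is not wildcarded. A non-empty set is the wildcard's sink; more than
    one address means the sink is served round-robin.
    """
    answers = set()
    for _ in range(probes):
        answer = resolve(f"{random_label()}.{tld}.")
        if answer is None:
            return frozenset()          # honest NXDOMAIN: no wildcard in this zone
        answers.add(answer)
    return frozenset(answers)


def is_sinkholed(name: str, resolve: Resolver, tld: str) -> bool:
    """True if `name` only 'resolves' because the TLD wildcard catches it."""
    sinks = detect_wildcard(tld, resolve)
    return bool(sinks) and resolve(name) in sinks


def make_stub_resolver(zone: Dict[str, str], wildcard: Optional[str]) -> Resolver:
    """Hypothetical stand-in for a real resolver: answers from `zone`, otherwise
    returns `wildcard` (the sink) or None (NXDOMAIN) for names it does not know."""
    def resolve(name: str) -> Optional[str]:
        key = name.rstrip(".").lower()
        return zone.get(key, wildcard)
    return resolve


# Constructed data: a wildcarded zone and a clean one. 192.0.2.0/24 is TEST-NET-1,
# used here as a made-up sink, not the address Verisign actually used.
SINK = "192.0.2.1"
wildcarded_com = make_stub_resolver({"example.com": "192.0.2.10"}, wildcard=SINK)
clean_net = make_stub_resolver({"example.net": "192.0.2.20"}, wildcard=None)

if __name__ == "__main__":
    print("wildcard sink for com:", sorted(detect_wildcard("com", wildcarded_com)))
    print("wildcard sink for net:", sorted(detect_wildcard("net", clean_net)))
    print("exmaple.com sinkholed:", is_sinkholed("exmaple.com", wildcarded_com, "com"))
    print("example.com sinkholed:", is_sinkholed("example.com", wildcarded_com, "com"))
```

The check distinguishes a genuine record from a wildcard catch-all only by comparing against the probed sink addresses, so a site that deliberately hosts at the same address as the sink would be misclassified; in practice the sink is a single well-known address. The same idea applied on the resolver side is what the `delegation-only` zone type, added to BIND in response to Site Finder, does: answers from a TLD zone that are not delegations are turned back into NXDOMAIN before they reach the client.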

Bug Reveals the Snooper in VeriSign's Site Finder (17.09.2003)
http://www.circleid.com/article/260_0_1_0_C/

Stop Verisign DNS Abuse - online petition
http://www.whois.sc/verisign-dns/

Legal victory for German anonymiser AN.ON

On 15 September the Frankfurt District Court confirmed an earlier partial ruling in favour of the German web anonymiser AN.ON. According to this ruling, there was no legal ground for the request by the German Federal Bureau of Criminal Investigation to record data about visitors to a specific website (see EDRI-gram 16 and 17).

The initiators of the project are confident about the outcome of their other appeal against the court order to hand over the single record they stored under the initial order. However, they seem less confident about the legislator. They urgently call on all users of the service to "defend the right to anonymity against plans in the German Parliament's Upper House to change this right into an obligation for providers for data retention."

District Court in Frankfurt confirms legal claim of AN.ON (18.09.2003)
http://www.datenschutzzentrum.de/material/themen/presse/anonip3_e.htm

English ISPs condemn 1 year data retention

Industry and human rights campaigners have condemned new data retention proposals from the UK's Home Office (Ministry of Internal Affairs).

The draft Statutory Instruments (secondary legislation) would approve 'voluntary' retention by Internet Service Providers, but preserve the power of the Home Secretary to impose a compulsory code. Data on customers would be retained for up to 12 months and could be accessed by a large number of government bodies for many different purposes. While the 'Snoopers' Charter', which would have given access to almost every government-related agency, was officially withdrawn in June 2002, the new proposals show no change of heart. In fact, only one of the 24 categories of bodies that were to be given access to data in 2002 has been dropped from the Government's list, while 3 new ones have been added.

ISPs are worried about the cost and privacy implications for their customers. Human rights groups have criticised the regulations as a draconian invasion of privacy that is unlikely to provide the benefits claimed by its intelligence agency and law enforcement supporters.

Home Office snooping plans are almost unchanged (15.09.2003)
http://www.fipr.org/press/030915ripa.html

Blunkett revives plan to let agencies trawl phone and net users' records
http://www.guardian.co.uk/online/news/0,12597,1041392,00.html

New directive on privacy in the workplace

The European Commission is planning a new Directive on privacy in the workplace, in 2004 or 2005. After two consultations with the social partners, in August 2001 and October 2002, the Commission is convinced of the necessity of such a directive. Three main grounds are given for the new legislative framework: technological advances that increasingly blur the boundary between work and private life; globalisation and the outsourcing of human resources; and, finally, 'post-11 September insecurity'.

In preparation of the new directive the European Industrial Relations Observatory (EIRO) published a very interesting and detailed comparative legal study on privacy and e-mail at the workplace.

The study states that "it is rare for countries to have introduced specific legislation applying data protection rules to the employment context." The most notable exception is Finland, which introduced its Act on Data Protection in Working Life in 2001. However, earlier this summer the Ministry of Labour released a draft revision of this act that would considerably lower the level of privacy protection (see EDRI-gram 12, item 6).

Many member states include general privacy provisions in their national constitutions that can be applied to the workplace. Additionally, employment law can also contain provisions on workers' privacy. For example, the report says that the "French Labour Code prohibits restrictions of workers' rights and freedoms except where justified and proportionate."

A common theme in court cases about e-mail and internet use is whether a company has a code of conduct or instructions on internet and e-mail use. In Denmark, Germany, the Netherlands and the UK, courts have refused to uphold the dismissal of employees where the company did not have a clear acceptable use policy.

According to the Article 29 Working Party (the coalition of all EU data protection authorities), "it should be clear that the simple fact that a monitoring activity or surveillance is considered convenient to serve the employer's interest would not solely justify any intrusion in worker's privacy." In their working document on the surveillance of electronic communications in the workplace, the data protection authorities suggest a test of four questions that each monitoring measure must pass:

1) Is the monitoring activity transparent to the workers?
2) Is it necessary? Could the employer not obtain the same result with traditional methods of supervision?
3) Is the proposed processing of personal data fair to the workers?
4) Is it proportionate to the concerns it tries to allay?

EU companies challenged by workplace monitoring rules (09.2003)
http://www.eiro.eurofound.eu.int/2003/07/study/TN0307101S.html

Art. 29 Working Document (29.05.2002)
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2002/wp5...

Confusion about UK ID-card plans

Confusion still reigns within the UK government over plans for a national ID card. Home Secretary David Blunkett (the Minister of Internal Affairs) has continued to push his scheme despite opposition from Cabinet colleagues.

Though it is unclear whether carrying a card would be mandatory, Blunkett said at the very least no-one should be able to work or claim benefits without one.

While little principled opposition seems to exist within the government, the Treasury has refused to fund the cards. The Home Office has therefore suggested that citizens should be forced to pay around 60 Euro each to obtain a card. Independent cost estimates are far higher, at around 140 Euro per card.

Blunkett pushes ID cards debate (21.09.2003)
http://news.bbc.co.uk/1/hi/uk_politics/3126540.stm

EDRI-gram in Italian

Thanks to an enthusiastic group of Italian-speaking activists, EDRI-gram is now also available in Italian. Similar to the Russian translation, the Italian translation will appear on-line a few days after the mailing. An archive is available from Nr. 10 onwards.

Check out:
http://www.autistici.org/edrigram/

Recommended reading

A joint study on internet censorship by EDRI member Privacy International and the GreenNet Educational Trust describes an alarming increase in efforts to close down or restrict the internet. Tighter control is not confined to countries like China and Burma, where the medium has lost almost all usefulness for free speech. Worldwide, since the 11 September attacks, governments have introduced new laws restricting a range of civil rights.

"While paying lip service to personal freedoms, the leaders of the democratic world have affirmed with uncharacteristic harmony that the pursuit of a safer society must prompt a reassessment of individual liberties and privacy. In its most blatant manifestation, this will result in a substantial increase in the right of the state to place controls on all citizens, shifting the default in favour of comprehensive surveillance over the population. Technology is at the same time the culprit and the saviour."

But the report isn't limited to state censorship. "One of the most important trends in recent years is the growth of multinational corporate censors whose agendas are very different from those of governments. It is arguable that in the first decade of the 21st century, corporations will rival governments in threatening Internet freedoms."

Silenced: an international report on censorship and control of the internet
http://www.privacyinternational.org/survey/censorship/