EDRI-gram - Number 16, 27 August 2003

Successful appeal against backdoor in German anonymiser

Yesterday, an appeal court in Germany suspended an earlier order to build a backdoor into Germany's most famous anonymising service. The backdoor was removed immediately. According to the original court order, the IP addresses of all visitors to a certain website had to be logged and handed over to the federal criminal police office. This vital information was not disclosed by the developers, but discovered by an attentive user of the service who closely read the open source code.

The AN.ON service enables its users to surf anonymously via a Java web proxy, disguising traces through a network of 'Mix' computers. The software was developed by experts from the universities of Dresden and Berlin, in collaboration with the independent regional data protection authority of Schleswig-Holstein. According to the data protection officials, they were constitutionally forbidden to communicate this privacy breach to their customers. Only after great public upheaval did they feel free to give their opinion on the case, stating that the court order was illegal to begin with, since telecommunication service providers should only hand over data they are regularly obliged to retain. Obviously, the anonymiser did not regularly store data that are traceable to individual users. The developers launched a formal legal protest against the order, but since the protest did not have a suspensive effect, they felt forced to create the backdoor.

Erster Teilerfolg fuer AN.ON [First partial success for AN.ON] (27.08.2003)
http://www.datenschutzzentrum.de/material/themen/presse/anonip2.htm

AN.ON still guarantees anonymity (19.08.2003)
http://www.datenschutzzentrum.de/material/themen/presse/anonip_e.htm

Information about AN.ON in English
http://anon.inf.tu-dresden.de/index_en.html

Demonstration against software patents

Today, both online and off-line demonstrations were organised in a final attempt to change a proposed EU-directive on software patents. The European Parliament will vote on the proposal in the plenary session on 1 September. The demonstrations were organised by FFII. In an open letter to the members of parliament, FFII points out that the proposal 'would make calculation rules and business methods such as Amazon One Click Shopping patentable, as in the USA.' Moreover, FFII fears that the 30.000 patents on software that have already been granted by the European Patent Office 'against the letter and spirit of the current law', would become enforceable in Europe, making it impossible for national courts to continue to revoke these patents.

Resistance against the proposal was also strongly voiced by a group of 10 leading European economists. According to them, the exploitation of extensive portfolios of software patents 'will have serious detrimental effects on European innovation, growth, and competitiveness.'

FFII open letter to members of parliament (27.08.2003)
http://swpat.ffii.org/letters/meps038/index.en.html

Open letter economists (25.08.2003)
http://www.researchineurope.org/policy/patentdirltr.pdf

Spy-chip in all European cars?

A few days ago, the Sunday Times revealed plans from British government officials to fit all cars in Britain with personalised spy-chips. The micro-chip will automatically report a wide range of offences including speeding, road tax evasion and illegal parking. Roadside sensors will be able to monitor all private cars wherever they travel.

But plans for Electronic Vehicle Identification (EVI) are not limited to the UK. The European Directorate General Energy and Transport aims to develop a standardised electronic, unique identifier for motor vehicles, interoperable all over Europe. In December 2002 the Commission gave a grant to the umbrella organisation ERTICO (made up of different stake-holders in the field of implementation of transport telematics systems and services) to do a feasibility study. Results are expected in the summer of 2004.

In February of this year an EVI workgroup was formed, consisting of the Ministries of Transport of Belgium, France, the Netherlands, Norway and the UK, as well as ACPO (UK), KLPD (Netherlands), RDW (Netherlands), Q-Free (Norway), EFKON (Austria), TNO (Netherlands) and ERTICO.

Both the Directorate General and the EVI workgroup seem confident that they will overcome public resistance against the plans. According to the website of the DG Energy and Transport, 'there are not only the political and strategic decisions to be taken, (but also ...) societal issues to be tackled such as privacy and security.' The EVI workgroup describes 'socio-political aspects like general acceptance' as a relevant non-technical issue.

Goodbye speed cameras, hello a spy in every car (subscription - 24.08.2003)
http://www.timesonline.co.uk/article/0,,2087-790512,00.html

Commission workingplan Electronic Vehicle Identification
http://europa.eu.int/comm/transport/road/roadsafety/its/evi/index_en.h...

EVI workgroup
http://www.ertico.com/activiti/projects/evi/home.htm

Londoners to pay extra for anonymous travelling

A new price scheme for public transport in London puts a high price on privacy. Bus and tube tickets in central London will rise by up to 25% in price from January 2004. But passengers using the Oyster smartcard will be able to travel at 2003 prices. This plastic card, fitted with a contactless microchip (RFID), was introduced earlier this summer for annual and monthly ticket holders and requires registration of name, address and photocard number. According to the official website, one of the scheme's advantages is that it will 'provide information that will help London to manage its transport system better. For instance, we will be able to identify where people, and how many, are transferring from bus to bus or from bus to Tube.'

For almost the same plans to register all travel movements, the Helsinki public transport company YTV was presented with a Big Brother Award in June. In Finland, anonymous cards were only available at a much higher price. Only after a long struggle with the Finnish data protection agency did YTV finally change its mind and conclude that the system could also work without any identification of the passengers.

Tube fares to rise (19.08.2003)
http://news.bbc.co.uk/1/hi/england/london/3163103.stm

Oystercard (introduced 30.06.2003)
http://www.oystercard.com

YTV English web page
http://www.ytv.fi/matkakortti/english/index.html

Anonymiser reveals identity Dutch pudding-poisoner

The identity of a Dutch pudding-poisoner was revealed through an anonymiser. The Dutchman tried to blackmail Campina, a large dairy producer, by poisoning a tin of pudding. He made Campina open a bank account, get a 'world card' with it and deposit 200.000 Euro. Then they had to send him the details of the magnetic stripe, together with the PIN code. With the information he created a copy of the card. To prevent being traced, he made Campina use steganography. He sent them a floppy with a stego program and instructed them to encode the information into a picture of a red Volkswagen Golf.

Finally, Campina had to place the picture in a fake ad on a website where large numbers of people buy and sell second-hand cars. Trying to be really clever, the blackmailer did not approach the website with the car ads directly, but through an anonymiser called surfola.com. On its website this Florida-based anonymiser claims: 'We will not give out your name, residence address, or e-mail address to any third parties without your permission, for any reason, at any time, ever.' But in spite of this privacy statement, Surfola immediately handed over the details when asked to do so by the FBI.

The poisoner was caught red-handed at an ATM trying to collect some of the money. He immediately confessed and will be tried in the middle of October.

Campina blackmail suspect arrested (22.08.2003)
http://www.expatica.com/index.asp?pad=2,18,&item_id=33655

Overview of available steganographic software
http://www.jjtc.com/stegoarchive/stego/software.html

Danish experiment with online voting

15,000 Danish voters in the council of Ishoj, near Copenhagen, are invited to experiment with internet voting during the next elections for the European Parliament, in June 2004. According to the spokesperson from the European Parliament, Soren Sondergaard, the Danes aim at a high voter participation, especially among the young. 'At the same time it is cheaper and more efficient when the votes are to be counted,' he added. To overcome security concerns, the Ishoj voters will also have to pass by a 'real' ballot box to cast their votes.

In May, in a large-scale experiment during local elections in the United Kingdom, 1.5 million people in 18 local council areas were able to take part in voting trials by text message, Internet, electronic kiosk and digital TV. Other governments in Europe with plans for e-voting include Estonia and Ireland (for their next general elections), the Netherlands (the European parliament, limited to voters outside of the Netherlands) and the canton of Geneva in Switzerland and the city-boards of Bremen and Cologne (for local elections).

Worldwide, civil rights advocates and security experts express grave concerns about the security, anonymity and accountability of internet elections. Governments should use open source systems for e-voting, not the closed systems currently in vogue. Guaranteeing the anonymity of voting in a living-room is a tough problem to solve. And finally, e-voting lacks the accountability of a paper audit trail that can be verified by voters.

Danes to experiment with e-vote in EP election (21.08.2003)
http://www.euobserver.com/index.phtml?sid=9&aid=12406

UK e-voting pilots deeply flawed (31.07.2003)
http://www.theregister.co.uk/content/55/32091.html

Air France spies on staff

According to an article in Transfert.net, Air France has been spying for years on some of its staff with the help of a camera hidden behind a clock. A union member became suspicious when he took a close look at the thick electrical wires going to a clock in a private relaxation room at Roissy airport. Flipping the clock, he discovered a hidden camera. Asked for an explanation by the union CGT, Air France said the camera was only monitoring a door leading directly to a border, and would only be activated in case the door was opened. The camera was installed back in 1999, following orders from the airport security working-group.

The union wasn't satisfied with the answers, and wanted to know why the employees had not been properly informed about this camera. According to their statement, all other cameras at Roissy are marked with signs referring to the responsible authorities. Investigating the exact position of the camera, CGT concluded the view of the door was actually blocked by a clothing cabinet. Moreover, looking at the surveillance of a similar waiting-room, with a clearly visible camera outside, they couldn't understand why in this case Air France wanted to film the backs of possible intruders, instead of their faces.

Une camera cachee dans une salle de repos cree de la confusion a Air France [A hidden camera in a break room causes confusion at Air France] (21.08.2003)
http://www.transfert.net/a9164

Recommended reading

The UK Anti-Terrorism, Crime and Security Act 2001 was introduced in response to the attacks of 11 September. The act facilitates the use of electronic surveillance in order to prevent, detect or prosecute the perpetrators of terrorism, augmenting existing surveillance powers under the Regulation of Investigatory Powers Act 2000. This article plots the relationship between the two statutes and also their relationship to data protection laws. For example, the study explains that 'one way or the other, many more terabytes of data will have to be stored' by communications service providers about their users 'as a result of the threat or operation of Part XI' of the Anti-Terrorism, Crime and Security Act even though there are serious doubts as to 'whether Part XI will achieve its ultimate objective of providing evidence against nefarious activities.'

Anti-Terrorism Laws and Data Retention: War is over? by Clive Walker and Yaman Akdeniz, published in the Northern Ireland Legal Quarterly, 54(2), pp 159-182.
http://www.cyber-rights.org/documents/data_retention_article.pdf