EDRI-gram - Number 13, 16 July 2003

Preparations for biometric chip in EU passports

International technical standards bodies (ISO) and civil aviation bodies (ICAO) are preparing plans for 'globally interoperable machine readable passports'. The technology should consist of RFIDs (Radio Frequency Identification) that contain 'details that enable the machine-assisted identification of the presenter'. These technical descriptions point at passports that can transmit biometric data over a radio frequency.

The organizations aim at 'fast-track deployment', presumably because of an October 2004 deadline. By that time the USA demands biometric data in passports issued by countries whose citizens normally don't need a visa for travelling to the States, such as most EU countries. The US Enhanced Border Security and Visa Reform Act of 2002 states that those countries must have a program to issue "machine-readable passports that are tamper-resistant and incorporate biometric identifiers that comply with applicable biometric identifiers standards established by the International Civil Aviation Organization".

During the June 2003 EU summit in Greece the European leaders already decided to develop a 'coherent approach on biometric identifiers' and 'harmonized solutions for documents'.

Cards and personal identification standards committee
http://www.sc17.com/

Meeting document regarding contact-less chip technology for machine readable passports
http://www.sc17.com/refined.cfm?DocumentNumber=2330

Wenn die Pässe Bio-Daten funken (09.07.2003)
http://futurezone.orf.at/futurezone.orf?read=detail&id=169869

EU Summit: Agreement on 'harmonised' biometric identification linked to EU databases
http://www.statewatch.org/news/2003/jun/22bio.htm

(Contribution by Maurice Wessling, EDRI-member Bits of Freedom)

Commission workshop on Privacy Enhancing Technology

On 4 July, the European Commission organised a technical workshop on Privacy Enhancing Technologies (PETS) in Brussels. 39 experts from Europe, the USA and Canada were invited to participate, ranging from Commission officials to academic experts, from data protection authorities to business representatives. Amongst the invitees were also 2 EDRI-members: FIPR and Bits of Freedom.

After a somewhat predictable debate about the meaning of the acronym PET, the need to create PET-lovers, and possible other acronyms such as PUT and PAT, the value of existing privacy enhancing technologies was discussed. Basically, technology is considered privacy-friendly when it disables traceability to a person (be it an individual or a company). In the implementation report of the 1995 privacy directive (95/46/EC), the European Commission announced determined efforts to encourage and promote the use and further development of these technologies.

John Borking, former member of the Dutch data protection authority, defended PET as the most suitable method to prevent the linking of databases. When he unfolded the theory of machine-made privacy choices, he was sharply attacked by the Swedish business representative Stephan Goldberg. According to Goldberg, "that kind of privacy-ontology is mainly a reflection of the typical idea of engineers that law is simple, and can thus easily be implemented in technology".

A large part of the workshop was devoted to anonymity. According to Stephanie Perrin, as a government official largely responsible for privacy-legislation in Canada, the nucleus of any privacy legislation is anonymity. She expressed regrets about the fact that PET is now largely associated with weaker protection mechanisms, like opt-out boxes on websites and cookie-management tools. As executive officer of Zero Knowledge Systems, creators of the defunct anonymizer tool 'Freedom', she was closely involved with the creation of a tool with anonymity in the core. But acknowledging the market-failure of this and similar tools, she argued the Commission should help develop these tools and generally focus on anonymity.

Peter Hustinx, chief of the Dutch data protection authority and candidate for the new function of EU Data Protection Supervisor, didn't agree. Besides anonymity, it is also useful to promote the use of partial, non-personalised, data. Legally such a requirement can be based on article 17 of the 1995 privacy directive (95/46/EC), which requires that controllers implement security measures which are appropriate to the risks presented for personal data in storage or transmission, with a view to protect personal data against accidental loss, alteration, unauthorised access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. According to Hustinx, this article is too easily considered old-fashioned in its stress on security, but it also prevents unlawful collection and processing of personal data.

Implementation report on Directive 95/46/EC (15.05.2003)
http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm

Commission wants enforcement of spam-ban

The European Commission is planning to issue a Communication this autumn calling for effective enforcement of the spam-ban, EU Commissioner Erkki Liikanen said during a press conference yesterday.

Action would focus on effective enforcement, notably through international cooperation, technical measures for countering spam, and consumer awareness. The proposed measures would be first tested with Member States and interested parties through a workshop to be convened in October.

Liikanen underlined the necessity for international cooperation both within the EU and with third countries. He referred to recent discussions with his US counterparts and a proposal to host an OECD seminar on spam, to be organized in Brussels in January 2004.

Under the new directive for privacy in the electronic communications sector (2002/58/EC) all Member States have to transpose a 'ban on spam' into national legislation by the end of October 2003. Results from a Commission questionnaire about transposition plans (described in EDRI-gram nr. 11) showed a wide variety in approach. At that time, the Commission still seemed unwilling to take any further steps to harmonize enforcement.

SPAM: European Commission goes on the offensive (15.07.2003)
http://europa.eu.int/information_society/newsroom/relinfo/dir000/dir01...

Four new EDRI-members

On 5 and 6 July, European Digital Rights (EDRI) held its first general assembly in Paris. During the assembly four new members were admitted from 4 different countries. With the acceptance of the Belgian Association Electronique Libre (AEL), ISOC-Bulgaria, the Spanish chapter of CPSR and the Swiss Internet User Group (SIUG), EDRI now has 14 members from 11 different countries. EDRI will continue to expand its activities in Brussels to defend civil rights in the information society, focussing on data retention, privacy, the impact of anti-terrorism measures on freedom, copyright, freedom of speech and spam. An important goal of EDRI will be to identify and admit members from the EU accession countries. During the meeting the members also chose a new board for a two-year period, made up of Maurice Wessling (nl), Andy Müller-Maguhn (de) and Ville Oksanen (fi).

Association Electronique Libre (AEL)
http://www.ael.be/

ISOC-Bulgaria
http://www.isoc.bg/

CPSR-ES
http://www.spain.cpsr.org/

Swiss Internet User Group (SIUG)
http://www.siug.ch/

French consumer unions fight CD copy protection

In a first result of legal procedures against record companies instituted by two French consumer unions, EMI Music France is condemned for deception. Within a month, they must print the following warning on copy-protected CDs: 'Attention, this CD cannot be read by all players or car radios.'

Late in May, the 2 unions started legal procedures against several major record companies in order to fight copy protection on CDs. The Union Fédérale des Consommateurs (UFC-Que Choisir) deposited complaints in the courts of Paris against EMI Music France, Warner Music France, Universal Pictures Video as well as the distributors Auchan and FNAC. The consumer union CLCV (Consommation, Logement et Cadre de Vie) brought complaints against EMI, Sony and BMG in the court of Nanterre. The unions wish to establish that copy-protection is illegal.

The unions want to defend the right to make private copies, made impossible by copy protection. Another disadvantage of copy protection they wish to fight is the fact that many CDs cannot be played on many players, like players built into computers. Finally the unions argue that artists are not asked for consent.

The UFC accuses the music industry of giving consumers a bad conscience with false facts. In reality, record sales in France increased by 10 percent last year. On top of that, users of recordable CD-ROMs paid about 135 million Euro in copyright levies, an increase of 44 percent compared with 2001. According to the UFC, this is an adequate compensation for artists and producers.

In response to the legal procedures, the director of SNEP, the French phonography-association, acknowledged that record companies made speed prevail above precaution. The technique behind copy protection 'was not entirely satisfying' according to the director. Sony Music immediately responded with the announcement to stop copy protection on its CDs.

CDs protégés: La CLCV fait condamner EMI Music France (25.06.2003)
http://www.clcv.org/index.php?v=detail&a=info&id=74

CD protégés: les associations de consommateurs attaquent les majors (28.05.2003) (The article contains direct links to the French press releases by the unions)
http://www.transfert.net/a8881

RFID developers aim to neutralise opposition

Developers of Radio Frequency Identification (RFIDs) are making plans to 'neutralize opposition' to their new technology. The strategy is discussed in confidential documents from the Auto-ID Center, in which RFID developers work together. The documents were uncovered by Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) through a security glitch on the Auto-ID Center's website.

In the document 'Managing External Communications', PR company Fleishman-Hillard states that the "political climate and shifting public perception require a proactive plan that (...) neutralizes opposition and mitigates possible public backlash".

The document advises the Auto-ID Center to establish an 'International Privacy Advisory Council' made up of 'potentially adversarial advocates' such as the European Consumers' Union. It also suggests to 'educate top-tier opinion leaders' such as officials from the EU Commission and members of the European Parliament Industry Committee.

Other documents describe privacy as the key issue to overcome since 78 percent of the consumers have privacy concerns regarding RFIDs. At the same time, the Auto-ID Center also expects consumers to be 'apathetic' and willing to 'resign themselves to the inevitability of it' instead of acting on their concerns. Other elements of the communications strategy, such as renaming RFIDs into Green-Tags, are also discussed.

RFIDs are very small radio chips that transmit a unique serial code when a reader is placed in their proximity. Consumer groups and privacy advocates are campaigning for rules that inform consumers about the tags in or on products (notification) and a default disabling of tags when leaving the supermarket.

CASPIAN
http://www.nocards.org/

Confidential Auto-ID Center documents
http://cryptome.org/rfid-docs.htm

Opinion EU data protection authorities on WHOIS data

The associated European data protection authorities (the Article 29 Working Party) issued a formal opinion on WHOIS directories. These directories associate social information (like holder's identity and contact information) with network identifiers such as domain names or IP addresses.

The opinion is focused on domain name WHOIS, especially the fact that personal data about individual domain name holders are publicly accessible.

The working party notes that the original purpose of making these data publicly available -- finding contact points for addressing technical problems in operating the internet -- is legitimate. Concerns are raised about the compatibility of other purposes for which the data are being used today, e.g., private policing of intellectual property rights.

The working party questions whether the publication of contact information about individual registrants is actually relevant to the original purpose. This purpose could be served well -- or even better -- by publishing contact information pointing to the registrant's ISP, who would then know how to reach the registrant. The working party finds that "there is no legal ground justifying the mandatory publication of personal data referring to this person." Publication would lead to a conflict with directive 2002/58/EC (Privacy in the electronic communications sector).

Concerns are also raised about proposals to introduce extended search services which would, for instance, return a list of all domain names registered by one individual. Earlier, the working party concluded that the inclusion of personal data in this kind of service must be based on unambiguous and informed consent of the individual.

The working party explicitly supports recent decisions of the Internet Corporation for Assigned Names and Numbers (ICANN) to improve the accuracy of the data collected, and to forbid any marketing uses of WHOIS data obtained in bulk.

Very recently, ICANN held a workshop in Montreal, Canada, on WHOIS policy. This policy is part of ICANN's contracts with domain name retailers ('registrars') and database operators ('registries').

Registrars in general pointed to the contribution of WHOIS data to consumer fraud. European registrars in particular noted that the WHOIS provisions of their contracts with ICANN may be incompatible with applicable law. Data users from the Intellectual Property and Law Enforcement communities considered any possible restriction of access to WHOIS data as a nuisance which would hamper effective law enforcement on the internet.

Opinion 2/2003 on the application of the data protection principles to the WHOIS directories
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp7...

WHOIS-related consensus policies recently adopted by ICANN
http://www.icann.org/minutes/minutes-27mar03.htm#GNSORecommendationonW...

Background material for the Montreal WHOIS workshop
http://www.icann.org/montreal/whois-topic.htm

(Contribution by Thomas Roessler, FITUG)

Danish agreement on digital civil rights

On 4 July, the Danish Committee on citizens' IT-rights published a list of 10 recommendations on digital civil rights. The committee was established in September last year by the Danish Ministry of Science, Technology and Innovation. The recommendations deal with communication with the public sector, with privacy and registration, with freedom of expression and with access to information.

The recommendations paint a bleak picture of privacy in the state of Denmark. For example, as part of an anti-terrorism package telecom traffic data must be retained for 1 year. The committee now urges government to inform both citizens and internet service providers on the new rules and procedures for data retention, "upon completion of the administrative order, which is currently being drafted by the Ministry of Justice and the Ministry of Research, Technology and Innovation."

Among the recommendations for freedom of information is a call to make sure filters or other means of protecting minors in public libraries do not hinder parental rights to freely seek information. The committee also agreed on establishing a working group with the aim of clarifying the premises for granting citizens digital access to information regarding which authorities have used their personal data and for which objective.

The committee consisted of representatives from various ministries, consumer organisations, the IT-business sector and civil society, amongst which EDRI-member Digital Rights.

Recommendations (04.07.2003)
http://www.edri.org/docs/denmark_it_rights.pdf

Swiss data protection chief criticizes USA

The head of Switzerland's data protection commission says the United States' war on terror is undermining personal privacy. Hanspeter Thür calls for tighter controls on the campaign against terrorism and for more money to safeguard individual rights. According to him, the Bush administration is pursuing a repressive policy with little regard for data protection.

The unusually outspoken comments are contained in a new report to mark the tenth anniversary of Switzerland's data protection commission. In particular, Thür cites USA requirements for airlines flying to the USA to supply personal details of all passengers, including their religion, dietary preferences and credit card numbers to US customs. The mandatory transfer of PNR-data is forcing Swiss airline to break Switzerland's own laws on data protection, Thür says.

Data protection chief criticizes US (01.07.2003)
http://www.swissinfo.ch/sen/Swissinfo.html?siteSect=105&sid=399629...

Recommended Reading

Report of research on privacy for electronic government. Report for Japan's Ministry of Public Management, Home Affairs, Posts and Telecommunications, March 2003. On pages 351-402 there are 4 interesting European country reports (Denmark, Finland, France and the UK), coordinated by EDRI-member Privacy International. The authors are quite pessimistic about the adequacy of privacy enhancing technology.

"European data protection laws in general, arguably the most advanced in terms of recognizing the importance of adequate data protection, have done little to prevent the spread of DNA testing, the use of identity cards, workplace surveillance, police powers, intrusion by tax authorities, Internet snooping and national security surveillance of civilian communications in the countries that comprise the European Union."
http://joi.ito.com/privacyreport/Contents_Distilled/EnglishSection/Eur...