In their vote yesterday on the future EU Data Protection Supervisor, the Committee of the European Parliament on Justice and Home Affairs (LIBE) produced a very surprising result. Out of 8 possible candidates, a majority of the MEPs voted for the only candidate who has no record of dealing with privacy, data protection or even the protection of any other civil rights.
Joaquín Bayo Delgado has become known to regular readers of the Official Bulletin of the State of Spain as the dean of the university of Barcelona, and that's about it. His election - at the expense of likely candidates such as Netherlands Data Protection Commissioner Peter Hustinx or Commission Data Protection tsar Ulf Brühann - seems to be the result of a behind-the-scenes deal between the forepersons of the Social Democrat and the Conservative Groups in the LIBE Committee, Anna Terrón i Cusí and Jorge Salvador Hernandez-Mollar, both of whom happen to be Spanish.
The vote was quite a complicated procedure, in which the political groups had a certain number of points, according to their size, that they could place on the different candidates. The candidates and their results were as follows:
1. Joaquín Bayo Delgado (Spain), Magistrado-Juez Decano, Barcelona (56 points)
2. Waltraut Kotschy (Austria), Datenschutzbeauftragte des Europarats, Mitglied der österr. Datenschutzkommission, Vienna (51 points)
3. Peter Johan Hustinx (Netherlands), College bescherming persoonsgegevens (CBP), The Hague (50 points)
4. Ulrich Dammann (Germany), 2. stellv. Bundesbeauftragter für den Datenschutz, BMInneres, Berlin (48 points)
5. Anne Carblanc (France), OECD, Paris (41 points)
6. Ian John Harden, Head of Legal Dept., Office of European Ombudsman, Brussels (24 points)
7. Ulf Brühann (Germany), European Commission DG Market, Brussels (23 points)
8. Maurice Méda (France), Maitre des requetes au Conseil d'État, Paris (9 points)
9. Francis George Aldhouse (UK), Deputy Information Commissioner, London (9 points)
Brühann, who was regarded, along with Hustinx, as one of the 'natural candidates', was voted for by the Green and GUE (Left) Groups only, while Hustinx was the candidate of the Liberal Democrat Group.
The vote is not a final decision, though. The list of the eight candidates was the result of an obscure selection among the more than 300 applicants for the position among Council and EP delegates. And the charades will continue. After last Tuesday's vote, which, in EP slang, was only an 'orientation vote', a delegation of the LIBE Committee will meet on May 27 with the Permanent Representative of the Greek Presidency at the Council to see whether the candidates who have found a majority in the Committee are to the liking of the Council. If that is the case, they will vote once more on June 2, and this time the vote will result in two definitive candidates (the Assistant Supervisor will also be voted on). If everything works well, the Conference of Presidents of the political groups in the EP - and not the EP Plenary - will confirm the LIBE committee's vote.
European Data Protection Supervisor
http://europa.eu.int/comm/internal_market/privacy/application_en.htm
(Contribution by Andreas Dietl, consultant on EU privacy issues)
EDRI and its partners held successful actions on 20 May at Schiphol (Amsterdam), Zaventem (Brussels) and Vienna airport.
At all three airports EDRI members have provided airline passengers with important information about the transfer of their personal data to US authorities. Passengers were given a letter they can send to the national Data Protection Authority in their country to request an investigation of the illegal transfer of their personal data.
The action in Amsterdam was done by Bits of Freedom with Kathalijne Buitenweg (member of the European parliament) and Marijke Vos and Jan de Wit (members of the Dutch parliament). In Brussels Kathalijne Buitenweg and Marco Cappato (both members of the European parliament) informed passengers. In Vienna passengers were given information and letters by Public Netbase.
The two most important Dutch news channels had items about the action, stressing the pressure on airlines to give full access to their databases or else risk losing their landing rights in the US. Dutch airline KLM admitted to having opened their passenger databases to American law enforcement officers. The Dutch Data Protection Authority sent a representative to observe the action and comment to the gathered press.
EDRI-members from Denmark and Finland found out their airlines (SAS and Finnair) had not yet succumbed to American pressure, and refuse to open their databases to US Customs.
In Switzerland, the Internet User Group sent out a press release and prepared a flyer and a letter for complaints and inquiries.
EDRI campaign against the transfer of passenger data
http://www.edri.org/cgi-bin/index?funktion=campaigns
Pictures from the Schiphol action:
http://www.p7.nl/gallery/view_album.pcgi?set_albumName=album13
Report on the Vienna action (in German)
http://www.t0.or.at/t0/projects/edri/
Swiss press release and flyer (in German)
http://www.bigbrotherawards.ch/index.shtml.de
Romania has adopted a new law to make free access to pornography illegal.
Online pornography must always be protected by a password, and should always charge a fee per minute, to be declared with the fiscal authorities. Free access is explicitly forbidden in a law formally adopted on 20 May 2003. The law has raised a number of comments from the civil society and ISPs.
The National Regulatory Authority on Communications (ANRC) can receive claims regarding non-compliance with the law. On receiving such a claim, and after checking the contents of the site, ANRC may require internet service providers to block access to the respective site. If providers don't comply with these requests, they can be fined 100 - 500 million lei (approx 2.700-13.500 euro).
Unofficial translation of these provisions
http://www.legi-internet.ro/en/lawporno.htm
Romania has implemented the Cybercrime Convention in Title III of the Anticorruption law no 161/2003, published in the Official Monitor no 279 from 21 April 2003. Romania signed the convention at the end of 2001. There are no provisions regarding data retention, even though in some previous versions of the law there was an obligation for service providers to keep all traffic data for 6 months. The Romanian implementation precedes the ratification of the Convention. Only Croatia, Albania and Estonia have ratified the Convention.
The main crimes foreseen in the law are:
Art 42 - illegal access to a computer system
Art 43 - illegal interception of any transmission of computer data
Art 44 par 1 - illegal alteration, deletion or deterioration of computer data or the access restriction to such data
Art 44 par 2 - unauthorized data transfer from a computer system
Art 45 - serious hindering, without right, of a computer system operation
Art 48 - Input, alteration or deletion, without right, of computer data or the restriction, without right, of the access to these data
Art 51 - Child pornography through computer systems
In a press conference held on 7 May, the Romanian Police gave insight into the number of internet related crimes. During the year 2002, 242 complaints were registered about 35 internet related crimes. 96 persons were investigated and 54 were preventively arrested. The damages were estimated at 800.000 USD. From the beginning of the year 2003, 82 complaints have been solved in 12 penal cases where 18 people were arrested.
Unofficial translation of the law
http://www.legi-internet.ro/en/cybercrime.htm
(2 contributions by Bogdan Manolea, legal coordinator RITI - Romanian Information Technology Initiative)
Last month, during a congress on supermarket logistics, German supermarket Metro AG announced the introduction of RFIDs to boost store efficiency and eliminate long checkout queues. The announcement comes at a time of heightened public awareness of the negative privacy-implications of this new track & trace technology. In March, clothing designer Benetton announced plans to weave radio frequency ID chips into its garments to track its clothes worldwide. After massive protests the plans were postponed and Benetton made it clear that they will first do more research on the use of RFID technology for its garments including an assessment of the related privacy-effects.
RFID-tags are becoming smaller and cheaper every day. In general the tags are passive. That means they don't have a power supply, and can't transmit any information themselves. They receive the energy they need to transmit the stored information from the readers which receive the information. The drawback of this technology is that this small amount of energy is not enough to perform encryption algorithms or any kind of access control mechanisms. So the information stored on the tag is normally readable to any reader using the same frequency as the tag (usually 13,56 MHz). The main privacy-concern about the tags is that individual consumption-patterns can be tracked and traced by any outsider with a reader. The only possibility to protect your privacy would be to remove or destroy the smart tags. A difficult task if the tag is invisibly small and woven into the garment or vulcanized into the soles of shoes.
In the last few years an increasing number of prototypes of RFID-technology were tested in real world situations. At the beginning of 2003 Gillette announced the order of 500 million RFID-tags with the intent to attach them to products such as razors and razor blades. In combination with smart shelves they will be used to track inventory and send managers automatic alerts when stocks are low. Just a few days later, on 14 January 2003, Michelin announced that they are also introducing Radio Frequency Tire Identification Technology. Finally, many public libraries in the world have started using RFIDs for the identification and handling of books. Amongst them is the newly built public library in Vienna, Austria.
Consumer groups and privacy advocates want RFIDs to be either removed or disabled after a product is purchased, and want a label to notify consumers that a product has an RFID embedded. Such ground rules can prevent RFIDs from becoming a tracking device instead of a logistical tool.
German supermarket introduces RFIDs (18.04.2003)
http://www.forbes.com/home_europe/newswire/2003/05/14/rtr970418.html
Boycott Benetton
http://www.boycottbenetton.org/
RFID tags: Big Brother in small packages
http://news.com.com/2010-1069-980325.html
(Contribution by Andreas Krisch, EDRI-member VIBE!AT)
A gang of 6 Nigerian spammers was put to trial on 15 May. The gang was arrested last year in the Netherlands. Operating from Amsterdam the group posed as very rich businessmen from Nigeria. Victims were promised a lot of money in exchange for a temporary loan.
The Dutch police estimate the gang earned at least 4 million euro. The most spectacular victim of the gang, a Swiss professor, transferred almost half a million euro. The money was necessary to buy chemicals to clean banknotes with a total value of 36 million US Dollars, the gang told the gullible professor. He was promised 25% of that amount.
The public prosecutor accused the Nigerians of swindle, participation in a criminal organisation and money-laundering. No date is known yet for the verdict.
Nigerian Scam Letter Gallery (note the Brad Christensen archive with answers to the spammers)
http://www.quatloos.com/cm-niger/nigerian_scam_letter_museum.htm
The vote in the European Parliament on a new EU Directive on Patent Law will most likely be delayed until the end of June. Originally, parliament was supposed to have voted in plenary this week. The delay is due to the immense differences in opinion between large software companies like Microsoft and IBM on the one hand and small and medium enterprises, (open source) programmers and civil rights activists on the other hand. A hearing, organised by members of the Greens/EFA in the European Parliament on 8 May, showed massive resistance from programmers and open source developers against the creation of a European patent on software. Guest speaker Richard Stallman, one of the founding fathers of the open source movement, compared the patenting of computer algorithms with the patenting of musical notes, warning about a situation where composers can no longer write symphonies. He also cited a recent Harvard/MIT study about the negative impact on innovation that software patents have had on the American economy.
The proposal for a new directive on software patents was pre-discussed in 3 parliamentary committees, of which JURI (on legal affairs) was leading. While the 2 other committees (ITRE on industrial affairs and CULT on cultural affairs) opposed the patenting of software, JURI, led by rapporteur Arlene McCarthy, was in favour of extensive patents on software. JURI is now expected to take their final vote on 10 or 17 June.
Hearing on Software Patents - speakers and presentations (08.05.2003)
http://www.greens-efa.org/en/issues/?id=14#5
Sequential Innovation, Patents and Imitation, by James Bessen and Eric Maskin, Harvard University and MIT
http://www.researchoninnovation.org/patrev.pdf
Commission proposal COM(2002) 92 – 2002/0047
http://europa.eu.int/eur-lex/en/com/pdf/2002/en_502PC0092.pdf
EP - JURI draft report by Arlene McCarthy
http://www.europarl.eu.int/meetdocs/committees/juri/20030521/488980en....
The internet censorship requests issued by the examining magistrate of the canton of Vaud (see EDRigram number 2 from 12 February) have been rejected on 30 April by a judge from the court of Lausanne. In December, over 30 providers had received the order, and while most of them installed some technical blocking-measures, they joined the legal protest.
The verdict however isn't based on any ethical or constitutional objections against provider-filtering, but on the wrong selection of legal arguments. The judge recommends other heavier laws to proceed with the case, for example suing the providers for acting as accessaries.
The examining magistrate immediately responded by sending a threatening letter to at least one of the ISPs involved, Init Seven AG. Though she admits she was wrong with her blocking order, she warns that the ISP is still with one foot in jail. If Init Seven AG, in its quality as "conductor of society and receiver of this formal warning" decides not to block the incriminated websites, "you risk a criminal investigation against you as an accessary to crimes of defamation, slander and injure".
Original text of the decision (in French)
http://www.nrg4u.com/abuse/canton-de-vaud-tribunal-daccusation.pdf
(Contribution by Felix Rauch, Swiss Internet User Group SIUG)
The US Defense Advanced Research Projects Agency (DARPA) has sent a report to Congress on their enormous data mining project. The program's name has been changed from Total Information Awareness Program (TIA) to Terrorism Information Awareness Program because "the program's previous name created in some minds the impression that TIA was a system to be used for developing dossiers on U.S. citizens".
DARPA stresses in the report that the collection and data mining of financial records, medical records, communication records and travel records will be completely lawful. Supposedly US law puts very few limitations on these activities.
Although the report to Congress only discusses the privacy concerns of US citizens, it is worth noting that the program will not limit itself to the collection of privacy sensitive data about US citizens. Europeans who wonder how their passenger data will be handled by the US might take an interest in the details of the TIA program.
Terrorism Information Awareness Program
http://www.darpa.mil/body/tia/tia_report_page.htm