============================================================

EDRI-gram

biweekly newsletter about digital civil rights in Europe

Number 3.22, 3 November 2005

============================================================
Contents
============================================================

1. European Parliament: no retention of internet data
2. Article 29 WP rejects data retention once more
3. Big Brother Awards presented in 4 countries
4. French minister: copyright above privacy
5. Citizens' Summit on the Information Society
6. Greek court will rule on CCTV
7. European Data Protection Supervisor newsletter
8. Petition update: over 55.500 signatures
9. Support EDRI!
10. Agenda
11. About

===========================================================
1. European Parliament: no retention of internet data
===========================================================

Behind closed doors, the European Parliament is engaged in a momentous battle with the Council of ministers of Justice over the plans for mandatory data retention. After a first meeting of the leading parliamentary committee on Civil Liberties, Justice and Home Affairs (LIBE) on Monday 24 October, it looks like a majority of social-democrats, greens and some liberals is ready to delete internet data from the proposal altogether, focus on a very limited set of telephony data and store them for only 3 months, while deleting the abhorred 'comitology procedure'.

During the debate with LIBE the European Commission provided some technical explanations about their proposal for a directive. A 'connection label' is a number only related to voice over IP connections. And the term user ID only relates to internet access. That would clearly exclude the logging of data about e-mail correspondence.

The Commission also explains to what extent service operators should retain data on other services. A question from the EP was "If a Vodafone user calls a Base user, how should Vodafone obtain knowledge on the identity of the Base user?"
Answering that question, the Commission says the providers only need to deal with data 'generated or processed in the process of supplying their communications services', so in this example, Vodafone would only have to provide the number of the Base user.

But this explanation carefully avoids addressing the biggest uncertainty about the proposal, namely how an internet service provider could know what IP-numbers its customers contact. These are data perhaps flowing through the mass of data, but never stored for any business purpose. If such an obligation to store information about all these contacts was nevertheless included in the Directive, the only way of gaining any knowledge on the destination of IP communications would be by creating a full wiretap on all customers.

If the leaders of the political groups don't reach another kind of agreement in their secret negotiations this month with the Council, it looks like LIBE will support some of the most important changes proposed by rapporteur Alexander Alvaro. Alvaro wants to exclude internet and location data, and to introduce a sunset provision. In that case, the directive would be valid for 5 years. After that, Commission and Parliament would have to evaluate the usefulness and engage in a new legislative procedure or let the directive disappear.

Alvaro wants to delete the purpose of 'prevention' from the scope of data retention. The comitology procedure must be deleted and the flexible 'technical annex' must be replaced by a limited list of data within the text of the directive itself. Replacing the vague category of 'serious crimes' proposed by the Commission, Alvaro enumerates a limited list of serious crimes, including terrorism, sexual exploitation of children, environmental crime, hijacking, rape and arson.

On 14 November LIBE will meet again in Luxembourg and likely discuss the long list of amendments proposed by the Social Democrats (Mastenbroek, Grüber, Lambrinidis, Roure), the Conservatives (Newton Dunn) and the Christian Democrats (Charlotte Cederschiöld, who has been opposing data retention for a long time).

Meanwhile, the EP committee on Industry, Research and Energy (ITRE) has made its amendments publicly available, together with the report of rapporteur Angelika Niebler (Christian Democrats). Niebler, like Alvaro, proposes to delete the comitology procedure and limit the storage period to 3 months. "The practice of criminal investigations," she writes, "demonstrates that usually the data required by law enforcement are not older than 3 months. Therefore the legal retention requirements should be modified to meet the real needs." Like Alvaro, Niebler also proposes to limit the set of data in order to reduce the costs for the telecom industry, but she is not ready to delete internet data altogether.

Amendments from ITRE members Trautmann (Social Democrat) and Rübig (Christian Democrat) suggest 6 months retention for telephony data and 3 months for internet data, but all agree on deleting the comitology procedure, failed caller attempts and creating clearer provisions on cost reimbursement. Like the LIBE committee, ITRE will also discuss the amendments on 14 November 2005.

Meanwhile, the UK EU Presidency has confirmed once more in a letter dated 28 October 2005 that it is ready to adopt the framework decision on data retention if the European Parliament doesn't adopt the Commission proposal in a quick first and only reading. According to the Presidency a majority of member states was open to a Directive, as long as it would be exactly the same as the Framework decision.
"There was wide agreement (in the JHA Council) that any measure must reflect the elements referred to in the Presidency paper, notably in respect of the provisions on retention periods, scope and costs."

LIBE Draft report Alexander Nuno Alvaro (19.10.2005)
http://www2.europarl.eu.int/registre/commissions/libe/projet_rapport/2005/364679/LIBE_PR(2005)364679_EN.doc

ITRE report Angelika Niebler including all committee amendments (19.10.2005)
Amendments 1-14
http://www2.europarl.eu.int/registre/commissions/itre/projet_avis/2005/364724/ITRE_PA(2005)364724_XM.pdf
Amendments 15-48
http://www2.europarl.eu.int/registre/commissions/itre/amendments/2005/364725/ITRE_AM(2005)364725_XM.pdf

Heise: Parlamentskoordinator gegen Vorratspeicherung von Internetverbindungsdaten (in German, 20.10.2005)
http://www.heise.de/newsticker/meldung/65150

Technical Questions on Data Retention - answers from the Commission
http://www.edri.org/docs/Technical_Questions_on_Data_Retention_answers.pdf

EU Presidency: Report on proceedings in the Council's other configurations (28.10.2005)
http://register.consilium.eu.int/pdf/en/05/st13/st13743.en05.pdf

===========================================================
2. Article 29 WP rejects data retention once more
===========================================================

In a carefully worded report, the coalition of EU privacy commissioners (the Article 29 Working Party) criticises both the Council and the Commission policies on data retention. The Article 29 Working Party calls for restraint and safeguards that have to date not appeared in any national or EU policy.

"The Working Party questions whether the justification for an obligatory and general data retention coming from the competent authorities in Member States is grounded on crystal-clear evidence. The Working Party also doubts whether the proposed data retention periods in the draft Directive are convincing."
And when it comes to safeguards, the Working Party states: "imposing the said data retention obligations on communication service providers without having first realised adequate, specific safeguards is not to be accepted within the existing European legal framework."

This opinion follows many previous statements by the Working Party rejecting the policy of retention. In November 2004, the Working Party used very strong words on the lack of proven necessity. "Not everything that might prove to be useful for law enforcement is desirable or can be considered as a necessary measure in a democratic society, particularly if this leads to the systematic recording of all electronic communications."

This time, under pressure from the UK privacy commissioner in particular, the Working Party had to consider what a retention policy would look like ideally. Within this vacuum the Working Party outlines twenty specific safeguards for any policy on retention. The purpose of retention should be limited to combating terrorism and organised crime rather than to what it considers the 'undetermined' serious crime language. There should be a maximum retention period in all Member States for a maximum set of data, and the law should evaporate after 3 years unless Parliament and Commission should decide to re-confirm the need (a sunset clause). The Working Party also calls for a publicly available list of designated law enforcement authorities that may access the data in specific investigations into terrorism.

With regard to the fear of further registration demands (for example for prepaid access), the Working Party says: "It is important to clarify also in this Directive that there is no obligation for identification in cases where the identification is not necessary for billing purposes or other purposes to fulfil the contract."

Article 29 WP Opinion on data retention (21.10.2005)
http://www.edri.org/docs/Art29-WP113en-Data_Retention_Oct2005.pdf

Opinion EU privacy authorities on data retention (17.11.2004)
http://www.edri.org/edrigram/number2.22/dataretention

(Thanks to Gus Hosein, Privacy International)

===========================================================
3. Big Brother Awards presented in 4 countries
===========================================================

The sixth edition of the Swiss Big Brother Awards ceremony was held in Zurich's Rote Fabrik on 29 October 2005. The Swiss jury received 100 nominations in four categories: government, business, workplace and the special life-time achievement award.

The financial services branch of Swiss Post, Postfinance, was awarded the business award for the illegal transfer of bank transaction data to the United States. The transfer became apparent after a Swiss man tried to transfer an amount in US dollars to a Cuban travel agency based in Switzerland. Both bank accounts were registered in Zurich. Although the man assumed the transfer was purely domestic, it turned out that Postfinance uses its US partner Western Union for all transactions in US dollars. The man was notified that the US Department of the Treasury had confiscated his money because of the US embargo against Cuba. Postfinance advised him to send a protest to the US authorities in order to get his money back. So much for the Swiss bank secrecy.

The workplace award went to a public prosecutor in Zurich who, during a secret nightly search, had examined the contents of the paper waste baskets of all 100 employees at his office. The reason for the search remains unknown but after the exposure of the search the paper shredder at the office became much more popular.

The government award went to the city of Emmen for having appointed the first inspector in Switzerland in charge of investigating social security fraud.
The life-time award was given, as a comfort, to the police commissioner of the city of Biel-Bienne. The poor man has been trying for years to promote CCTV but saw his aspirations blocked repeatedly by the city council.

A positive Winkelried-Award for people or institutions that fight against control and surveillance went to the human rights group Augenauf. The group registers pre-paid mobile phones in the names of its members, in order to comply with the newly introduced Swiss mandatory registration for pre-paid GSM. They give the phones to asylum seekers who lack the proper documents to register themselves.

The Swiss jury consisted of journalists, politicians and representatives of consumer organisations and trade unions.

The first Big Brother Awards ceremony in the Czech Republic was organised by the Czech NGO Iuridicum Remedium on 28 October in Prague. Awards were given in 8 categories. The city of Prague and its mayor Pavel Bém won an award in the category Greatest State Institution Intruder for their massive and uncritical support of the implementation of CCTV. Supermarket chain Tesco was awarded in the category Greatest Corporate Invader for their reluctance to inform customers and employees about the company's practice in dealing with the personal data of customers and employees, the extensive implementation of camera surveillance in the stores and the possible experiments with the introduction of RFID chip technology. The European Commission got an International Snooper award for its proposal on data retention. The Czech Credit Bureau got a prize in the category Lifetime Menace for building an extensive database of personal information with client banking information.

A positive prize for the protection of privacy went to the cryptographic software PGP and its inventor Phil Zimmermann.
The jury of the Czech Big Brother Awards included the former chief of the Czech Data Protection Office, a member of the Bureau of the European Parliament and representatives of consumer organisations, trade unions and several privacy NGOs.

The sixth German Big Brother Awards were presented in 8 categories on 28 October in Bielefeld. The Communications award went to the State Prosecutor of Schleswig-Holstein for tracking all 700 mobile phone users who had been near a crime scene. In a press statement the police made it clear that mobile phone users who did not report as a witness would arouse suspicion. In the category Consumer Protection the prize was won by the organisational committee of the 2006 football world cup for sharing customer data with sponsors, and for the use of RFID spy-chips in the tickets and thus the attempt to make this surveillance technology acceptable. The regional award went to a primary school near Bünde and two local banks for sharing the names of first time school pupils without the parents' consent. The banks used the information to advertise starter accounts. The Lifetime Achievement award was won by Otto Schily, the former Federal Minister of the Interior, for the introduction of the biometric passport and his persistent efforts to expand surveillance systems and erode data protection under the guise of public security and the fight against terror.

The German jury consisted of representatives of privacy NGOs, the humanist union and the international human rights league.

In Vienna the seventh edition of the Austrian Big Brother Awards saw awards in six categories. The Business award went to the cleaning company Assa. They take fingerprint and DNA samples of all cleaning personnel because, according to the company's website, most of the personnel originates from Eastern countries. The judges of the Austrian criminal courts won a joint award for authorising an explosive rise in telephone surveillance.
The makers of the online computer game 'World of Warcraft' won an award for installing spy software on the computers of gamers without their consent. The metro in Vienna won the public's choice award for installing a new CCTV system while crime statistics are falling rapidly. A positive prize, the Defensor Libertatis award, went to the European Parliament for resisting software patents and voting against the transfer of air passengers' data to the US.

Lawyers, journalists and privacy NGOs took part in the Austrian jury.

The next Big Brother Award ceremonies will take place in Australia (8 November) and for the first time in South Korea (22 November). Since the Big Brother Awards were launched in 1998 in the UK by Privacy International, a total of 60 award ceremonies have taken place around the world.

Big Brother Awards Switzerland 2005
http://www.bigbrotherawards.ch/2005/

Big Brother Awards Czech Republic 2005
http://www.bigbrotherawards.cz/

Big Brother Awards Germany 2005
http://www.bigbrotherawards.de/en/2005/

Big Brother Awards Austria 2005
http://www.bigbrotherawards.at/

Big Brother Awards International
http://www.bigbrotherawards.org/

===========================================================
4. French minister: copyright above privacy
===========================================================

After the French data protection authority CNIL published a strong rejection of the systematic collection of IP-addresses by the music and film industry, the French minister of Culture, Renaud Donnedieu de Vabres, said he would look at the current implementation of the Copyright Directive to override these privacy hurdles. The proposal for implementation will be discussed in the Lower House for the first time on 6 December 2005.

On 18 October 2005 the CNIL organised a debate with representatives of the entertainment industry to discuss their strategy to deal with unlawful file-sharing.
The collecting societies proposed to employ automatic systems to detect copyright infringement on peer to peer networks, and secondly, to force internet service providers to translate a given IP-address into an e-mail address and forward a 'pedagogical' e-mail message from the societies to their customer.

Though the French privacy law, as modified in August 2004, allows for actions against copyright infringement, the CNIL rejects both proposals. First of all, service providers should not collaborate with the industry. The CNIL quotes a ruling from the Constitutional Court of 29 July 2004 that the use of traffic data in relation to copyright infringement should be under judicial control.

The CNIL also sums up 4 strong reasons why the automatic collection of IP addresses is not proportional, and thus not allowed in France:

- The goal is not strictly limited to the fight against infringement
- The approach may easily lead to the massive collection of personal data
- It allows for extensive and permanent surveillance of peer to peer networks
- Users may be prosecuted in civil or penal proceedings as a result of the collection, but it is unclear which users risk prosecution, since the copyright societies base their decision to start proceedings only on the amount of works offered, an amount they can change anytime they feel like it.

La Cnil gêne ? Changeons les règles ! (in French, 27.10.2005)
http://www.ratiatum.com/news2555_La_Cnil_gene_Changeons_les_regles.html

Conclusions CNIL on the policy of warning and tracing P2P-users (in French, 24.10.2005)
http://www.cnil.fr/index.php?id=1881

===========================================================
5. Citizens' Summit on the Information Society
===========================================================

A broad coalition of human rights organisations has announced they will organise a Citizens' Summit on the Information Society in Tunis, from 16 to 18 November 2005, to coincide with the World Summit on the Information Society (WSIS).

Citizens groups, civil society organisations, national, regional and international institutions, government delegations and all other interested parties and individuals are invited to participate in the Citizens' Summit on the Information Society. The CSIS program will consist of a series of panels and conferences addressing main WSIS issues from the public perspective.

CSIS aims to first of all send a strong message of support and solidarity from the international civil society to the local civil society and citizens in Tunisia. Secondly, CSIS wants to offer a specific civil society perspective on the main issues debated at the WSIS. In the first phase, in Geneva in 2003, thanks also to constant pressure from civil society, the conference focussed on human rights and social justice as cornerstones of the Information Society.

CSIS is organised by a large coalition of human rights organisations such as the Association for Progressive Communications, the Canadian Journalists for Free Expression, Human Rights Watch, the World Association of Newspapers, the World Press Freedom Committee and the WSIS Civil Society Human Rights Caucus.

CSIS will be organised in coordination with independent Tunisian civil society organisations. These local Tunisian organisations are having difficulties in accessing the WSIS conference itself. Most of the independent Tunisian organisations are even denied any access to WSIS. Since they are not officially recognised by the Tunisian government, they cannot ask for accreditation.

Announcement and call for support CSIS (24.10.2005)
http://www.iris.sgdg.org/actions/smsi/hr-wsis/csis-pr-241005-en.pdf

Citizens' Summit on the Information Society
http://www.citizens-summit.org/

===========================================================
6. Greek court will rule on CCTV
===========================================================

The Greek public prosecution service has filed an appeal on 11 October 2005 at the highest administrative court of Greece against a decision by the Hellenic Data Protection Authority (DPA) that a new large high-tech CCTV system in Athens can only be used to monitor traffic.

The Greek DPA decided that the CCTV cameras could only be used to watch congested roads. The ministry of public prosecution service argues that the DPA's decision is "unconstitutional, against the European Convention of Human Rights and illegal since national safety and public order rank higher than the protection of privacy", according to the Greek newspaper Kathimerini.

The Greek DPA has put many restrictions on the use of the system, which consists of cameras, microphones and video analysis software. "Using the system and utilising the data collected through the system and recorded on it for any other reason is forbidden, including discovering offences, other than those related to regulating circulation." The usage of CCTV on "low traffic roads, squares, parks, pedestrian zones and citizens' assembly places (i.e. theatre entrances)" is not allowed.

Placing microphones in the public space is also forbidden by the DPA. "Taking and recording sound is prohibited. Therefore, microphones must be taken off the poles on which they are set."

But it doesn't stop there. The DPA also ruled that many camera positions need to be changed: "Cameras must operate in such a way that taking and recording pictures of the entrance or the interior of houses is not possible.
Therefore, cameras must be adjusted so that either they are stable or able to exclude certain areas through proper restrictions of the optical angle, tilt or zoom."

In preparation for the Olympics, 293 CCTV cameras were installed in Athens last year. Dozens of them have been set on fire by angry citizens.

Court to rule on CCTV cameras (12.10.2005)
http://www.ekathimerini.com/4dcgi/_w_articles_politics_100008_12/10/2005_61791

Decision 63/2004: CCTV cameras on the Attica road network (24.11.2004)
http://www.dpa.gr/Documents/Eng/CCTV%20cameras%20on%20the%20Atttica%20road%20network.doc

===========================================================
7. European Data Protection Supervisor newsletter
===========================================================

The European Data Protection Supervisor has started an e-mail newsletter to inform the general public about his activities such as opinions, policy papers and publications. The October newsletter contains brief information and links to the EDPS's involvement in PNR and the Visa Information System. The newsletter also mentions a policy paper on the conflict between two fundamental rights: access to information and data protection.

European Data Protection Supervisor newsletter
http://www.edps.eu.int/publications/newsletter_en.htm

===========================================================
8. Petition update: over 55.500 signatures
===========================================================

The EDRI and XS4ALL petition against data retention has attracted over 55.500 signatures, of which over 20.000 from the Netherlands (where the campaign was launched), over 6.500 from Germany and almost 6.000 from Finland. Runners-up in the daily country count are Bulgaria (over 3.000), Sweden and Spain (over 2.000 each) and Austria (over 1.750). France, the UK, Italy, Belgium, the United States and Slovenia have each contributed over 1.000 signatures.

Currently, 81 organisations and companies have signed in support of the petition.
The petition is available in 21 languages, with Portuguese as the last addition. The campaign continues to invite last-minute signatures and support. The petition will be offered to the European Parliament before the end of November.

Petition
http://www.dataretentionisnosolution.com
http://www.stopdataretention.com

Petition WIKI
http://wiki.dataretentionisnosolution.com

===========================================================
9. Support EDRI!
===========================================================

European Digital Rights needs your help in upholding digital rights in the EU. Donations allow EDRI to hire part-time professional assistance in Brussels, to continue EDRI-gram in 2006 and invest in targeted campaigns. With the plans for mandatory data retention and the continuous erosion of digital civil rights, your donation could make a huge difference.

If you wish to help us promote digital rights, please consider making a private donation, or interest your organisation in sponsorship. We will gladly send you a confirmation for any amount above 250 euro.

KBC Bank Auderghem-Centre, Chaussée de Wavre 1662, 1160 Bruxelles, Belgium
EDRI Bank account nr.: 733-0215021-02
IBAN: BE32 7330 2150 2102
BIC: KREDBEBB

===========================================================
10. Agenda
===========================================================

15-19 November 2005, Tunis, Tunisia
World Summit on the Information Society (WSIS)
http://www.itu.int/wsis/

16-18 November 2005, Tunis, Tunisia
Citizens' Summit on the Information Society (CSIS)
http://www.citizens-summit.org/

1-2 December 2005, London, UK
Patenting Lives Conference in the Queen Mary Intellectual Property Research Institute. The call for papers closes on 26 August 2005 and invites abstracts on topics such as Access to Knowledge, Consumer Aspects, Public Interest, Public Goods, Public Domain and Human Rights.
http://www.patentinglives.org/conference.htm

27-31 December 2005, Berlin, Germany
22nd CCC congress
http://www.ccc.de/

===========================================================
11. About
===========================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 21 members from 14 European countries. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/

Newsletter editor: Sjoera Nas <[EMAIL PROTECTED]>

Information about EDRI and its members:
http://www.edri.org/

- EDRI-gram subscription information

subscribe by e-mail
To: [EMAIL PROTECTED]
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

unsubscribe by e-mail
To: [EMAIL PROTECTED]
Subject: unsubscribe

- EDRI-gram in Ukrainian and Italian

EDRI-gram is also available in Ukrainian and Italian, a few days after the English edition. The contents are the same. Translations are provided by Privacy Ukraine and autistici.org, Italy.

The EDRI-gram in Ukrainian can be read on-line via
http://www.internetrights.org.ua/index.php?page=edri-gram

The EDRI-gram in Italian can be read on-line via
http://www.autistici.org/edrigram/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask <[EMAIL PROTECTED]> if you have any problems with subscribing or unsubscribing.

============================================================
Publication of this newsletter is made possible by a grant from the Open Society Institute (OSI).
============================================================