EDRI-gram Nieuwsbrief - 1 december 2010

1. Internet blocking - key decisions to be made by 3 February 2011

The legislative process on Internet blocking is about to move from almost standstill to almost completed between now and the beginning of February. In the Council of Ministers, an informal agreement is planned for the Justice Council in December, while the MEP in charge in the Parliament will present her draft report on 10 January 2011 with an informal orientation vote just three weeks later.

Every civil society organisation that wants to stop web blocking and the damage that this will do for child protection must focus all available resources on the Civil Liberties Committee of the European Parliament between now and early February. Afterwards, it will be too late. The risk of damage to child protection is abundantly clear from the Working Document prepared by the MEP in charge of the dossier, Roberta Angelilli (Italy). She says: “We have to bear in mind that our priority is to eliminate these images for public access as quick as possible.” The priority is not to identify the children, not to investigate the criminals, but to avoid public access via blocking, which does not even serve the purpose of stopping deliberate access.

Bizarrely, Ms Angelilli also suggests that “the providers would be promptly informed about their rights to appeal against the decision”. This assumes that there would be no immediate investigation - having been accused of having a website containing images of gross violations of children, the suggestion is a polite notice to the alleged criminal that he may wish to complain.

In the Parliament, MEPs remain divided but the argument that blocking is a “complementary” measure, to be implemented with other measures (such as deletion and prosecution), rather than instead of them, is successful with many parliamentarians. The argument is working, despite the fact that there is no evidence of this being the case in countries that already have blocking.

In the Council, Germany and Romania are fighting hard for blocking to remain optional for Member States. However France and Italy (coincidentally, countries that also have blocking for gambling and intellectual property) are campaigning for obligatory blocking with what one negotiator described as “missionary fervour”. Most countries are remaining silent on the issue, meaning that they are passively having blocking imposed on them by the larger countries. The only large country to remain silent is Poland, and this silence will be crucial for the success of mandatory blocking, if it is maintained.

In the Council, the current negotiating text reads as follows: “2. Where the removal of webpages containing or disseminating child pornography is not possible within a reasonable time, Member States shall take the necessary measures, including through non-legislative measures, to ensure that the blocking of access to webpages containing or disseminating child pornography is possible towards the Internet users in their territory. The blocking of access shall be subject to adequate safeguards, in particular to ensure that the blocking, taking into account technical characteristics, is limited to what is necessary, that users are informed of the reasons for the blocking and that content providers, as far as possible, are informed of the possibility of challenging it.”

This text raises three interesting points. Firstly, blocking through non-legislative measures has already been described as illegal by the European Commission in the impact assessment it prepared to accompany the proposals. In that text, the Commission assessed extra-judicial blocking as follows: “More problematic may be the compliance with the requirement that the interference in this fundamental right must be “prescribed by law”, which implies that a valid legal basis in domestic law must exist” (page 30).]] before coming to the conclusion that “such measures must indeed be subject to law, or they are illegal” (page 37). The illegality of this approach is quite clear from the European Convention on Human Rights, which states that “the exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary.”

The second interesting point refers to the last lines of the draft text. It suggests that a legal obligation is necessary for Member States to take the step of contacting the alleged criminals, accused of publishing pictures of children being abused on the Internet, and politely informing them that their page has been blocked and giving them the opportunity to complain, if they so wish.

The final point is that Member States should do what they consider necessary, which means that, strictly speaking, this text places no obligations on anyone. Its only real purpose is to give Member States an excuse to introduce blocking, even via “self-regulatory” measures that are in breach of the European Convention on Human Rights and the Commission's own assessment of the legality of the measure.

The civil society in Poland is pushing hard to demand that the government have the courage to take a position. EDRi-member the Panoptykon Foundation, along with representatives of the Kidprotect Foundation, the Modern Poland Foundation, the Foundation for Free and Open Source Software and the Interactive Advertising Bureau Poland appealed to the Prime Minister to ensure that Polish representation to the European Council takes a critical stance on the Child Exploitation Directive.

In their appeal, the groups demanded proper action against the abuse, rather than the childish act of placing its hands before its eyes in the hope that the monsters would disappear. Illegal content must be removed and not hidden by the creation of a censorship infrastructure.

2. Data protection authorities call for a strict EU-US privacy agreement

As the European Commission prepares to conclude a deal with the US on the protection of personal data exchanged in police and criminal justice cooperation matters, the European privacy watchdogs call for a strict and clear privacy agreement.

Article 29 Data Protection Working Party (WP) sent a letter on 18 November 2010 to the three European main institutions (Council, Commission and Parliament) expressing its concerns for not having been consulted on the development of the discussion within the Council and European Parliament over the draft negotiation mandate presented by the European Commission on 25 May 2010, voicing certain concerns and giving its recommendations.

Referring to the agreement as “an umbrella agreement” that should cover all existing and future deals between the EU and the US and any other state as well as between EU member states, the WP emphasizes the fact that it should comply with the EU data protection framework including the Charter of Human Rights.

WP recommends that the agreement be widely applicable for a “coherent and high level of data protection” and a clear purpose limitation be imposed. “This means the agreement should be applicable to all transfers of personal data to prevent, detect, investigate and prosecute serious transnational crime and terrorist acts. This purpose should be clearly defined by the agreement, preferably including a definition of 'law enforcement purposes'”.

In the WP's opinion, a national security exception for the transfer of data concerning “essential national security interests and specific intelligence activities in the field of national security” should not be considered.

Furthermore, the WP urges the Commission to obtain the retroactive application of the future agreement to cover “all existing multilateral and bilateral agreements between the EU and/or its Member States and the US, unless the current level of data protection is higher than the level of protection offered by the EU-US general agreement.” A maximum 3-year transition period could be acceptable.

Having in view the privacy issues raised by the TFTP II Agreement (so called SWIFT) allowing the US to obtain access to information on international bank transfers, the WP stresses the need for data protection safeguards in the future agreement, including “full, effective and enforceable rights for all individuals, including both administrative and judicial redress, and limitations to bulk transfers.”

On 24 November, LIBE (Civil Liberties, Justice and Home Affairs) Committee of the European Parliament Chairman also sent a letter to the EU Council on the future EU-US agreement regarding the protection of personal data that are transferred and processed in the framework of police and judicial cooperation in criminal matters.

The letter reiterates the support of the European Parliament for the data protection agreement draft mandate and reminds the urgent need of such an agreement between the EU and US that should cover personal data exchanges as well as an “early start to negotiations on enforceable data protection rights” in compliance with the EU Charter of Fundamental Rights and EU Data Protection Directive.

LIBE held on 25 October 2010 a public hearing on Data Protection in a Transatlantic Perspective - Future EU-US data protection agreement in the framework of police and judicial cooperation in criminal matters - with MEP Sophia In't Veld as chairperson.

While the US Ambassador to the EU assured that the US believed both parties had to “safeguard their citizens' security to the same degree to which they protect their liberties” and there was “no need to sacrifice privacy for security”, he showed concern that the proposed mandate might “jeopardize the several hundred treaties, agreements, conventions, and arrangements underpinning every facet of Europe's and the United States' robust cooperation in justice and law enforcement” and believed that a retrospective application of the mandate would create “confusion among the law enforcement and legal authorities.”

One of the most important interventions was that of Mr Rotenberg's from EPIC (Electronic Privacy Information Center) who pointed out that in the US, personal data is often “used for inappropriate purposes, there is no transparency and rights are violated”. In his opinion, the US data protection laws should be amended. The Privacy Act of 1974, which refers to the collection of personal data by the US federal agencies, does not include non-US citizens or non lawful permanent residents. Also the Patriot Act “has reduced the privacy standards for US and non-US citizens limiting at the same time the power of the courts' authority in the matter.”

Rotenberg considers that the data protection agreement could bring global benefits influencing other countries in adopting stronger privacy acts to protect the transfer of personal data.

Dr. Patrick Breyer from the German Working Group on Data Retention was very firm in stating that the transfer of personal data to the US created the risk of a violation of human rights and that no agreement could eliminate that risk. However, an international agreement with the US could improve the present situation if applied “exclusively to the information sharing that is taking place under existing agreements, thus reducing the amount of information shared and providing for more safeguards”.

The negotiating mandate for the beginning of the talks between the European Commission and the US is expected to be adopted at the Justice and Home Affairs Council on 3 December 2010.

3. The Pirate Bay founders lost their appeal in the Swedish Appeals Court

Peter Sunde, Carl Lundström and Fredrik Neij, who, in April 2009, were found guilty of copyright infringement through their file-sharing website, The Pirate Bay (TPB), have recently lost their appeal in Svea Court of Appeal.

Although the court has decided to reduce their imprisonment sentence of one year to 8, 4 and 10 months respectively, it has however increased their individual fines from about 3,45 million Euro to about 5 million Euro each.

A separate hearing will take place later for the forth TPB founder, Gottfrid Svartholm Warg who was ill and could not take part in the proceedings with the other three men.

Rick Falkvinge, leader of the Swedish Pirate Party, considers the trial was politically-motivated and believes that: “The copyright laws have strayed so far from the public's perception of justice that copyright cannot survive without drastic reform. In such a reform, there is no place for today's copyright industry.”

La Quadrature du Net called the decision “both absurd and unfair. It illustrates how an obsolete copyright law and its indiscriminate application are harmful to society as a whole.”

Christian Engstrom, member of the European Parliament for the Pirate Party has told Deutsche Welle that the ruling only proved that the influence corporations have on the Swedish coursts is too large.. “The lawyers for the record companies are friends with the judges, both in the lower court and in the appeals court. They belong to the same societies for copyright, which is a lobby organization for copyright lawyers. This corruption unfortunately leads to the fact that you can't get a fair trial in copyright-related issues in Sweden today,” he said. He also expressed his concern as to the damage this kind of ruling might do to the Internet. “It's potentially very damaging to the Internet as a whole that the providers of infrastructure can't know if they will be held liable for what other people do.”

Obviously, the music industry welcomed the ruling. “Today's judgement confirms the illegality of The Pirate Bay and the seriousness of the crimes of those involved.” was the statement of the International Federation of the Phonographic Industry's CEO Fances Moore.

The court had found that TPB “has facilitated illegal file sharing in a way that results in criminal liability for those who run the service.” However, Pirate Bay facilitates the exchange of so-called Bit Torrent data but only provides the links to content that is already available online. “This decision amounts to condemning a library catalogue instead of the author of some infringing content or activity” underlined La Quadrature du Net.

The defendants had claimed they could not be liable for the material exchanged via their site, because the copyrighted material was not stored on its servers and there was no actual exchange of files. But the prosecution argued that, through TPB, the four men encouraged the infringement of copyrights.

Sunde said on Twitter that the case would now go to the Swedish Supreme Court.

4. ICO started applying fines for Data Protection Act breaches

After having received increased powers in April 2010, the UK Data protection authority (Information Commissioner Office - ICO) has recently used these powers to fine an organisation and a local authority for having breached the Data Protection Act.

Hertfordshire County Council has been fined with about 120 000 Euro for the fact that its employees sent highly sensitive information by fax to the wrong recipients twice, once in June to a member of the public instead of a barrister and the second time, 13 days later, to the office of an unconnected barrister instead of the Watford County Court.

“The Commissioner ruled that a monetary penalty of 100,000 pounds was appropriate, given that the Council's procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress,” was the ICO's statement. The Commissioner considered that the council did not take the necessary measures to reduce the risk of another incident, after the first one.

Employment services company A4e was also fined with about 72 000 Euro for having given a laptop with the unencrypted personal information of 24 000 people to an employee to take home. The laptop was stolen from the employee's home and there was an unsuccessful attempt to access the information. The information included individuals' names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.

ICO is also concerned about Google's collection of personal data with its Street View vehicles. Initially, ICO considered it was unlikely that Google had gathered too much information through its service but after it was revealed that the company had gathered entire emails, user names and passwords by mistake, ICO decided to make an audit of “Google's internal privacy structure, privacy training programs and its system of privacy reviews for new products.”

“It is a significant achievement to have an undertaking from a major multinational corporation like Google Inc. that extends to its global policies and not just its UK activities. We will be keeping a close watch on the progress Google makes and will follow up with an extensive audit,” stated The Information Commissioner Christopher Graham.

Others are sceptic regarding ICO's influence on Google. “The Information Commissioner is ineffective and is widely held in contempt,” said Ross Anderson, a professor of computer science at Cambridge University who believes that the Information Commissioner is not feared by the companies he is supposed to regulate.“ Mr. Anderson places more hope in the German authorities which, in his opinion, ” will have much more influence, and indeed Google now does its privacy research in Munich. (…) They know that if they can sell their privacy policies there, they will work everywhere else.“

5. Azeri bloggers released from prison

After a long and continuous pressure from several civil society groups and European international organisations such as the European Parliament, the Presidency of the European Union, the Parliamentary Assembly of the Council of Europe (PACE), the Organization for Security and Cooperation in Europe (OSCE), Human Rights Watch and Reporters Without Borders, the US President Barack Obama and Secretary of State Hilary Clinton, the two Azeri bloggers arrested in 2009 on false pretences of hooliganism, have been finally released from prison.

A Baku court released Emin Milli on 18 November 2010, one day after his friend Adnan Hajizade's release. The court however did not release them on account of their innocence; it just suspended the rest of their sentence (14 months out of the entire 30 and 24 months sentence respectively).

The decision was welcomed by Reporters Without Borders which, however, expressed its disappointment for the fact that the bloggers had not been cleared. “We nonetheless regret that his conviction has not been quashed as we have always insisted that he was arrested for exercising the right to free expression and was jailed on grotesque charges after a sham trial. The vigilance must not let up and the campaigning must continue in order to protect him from any kind of harassment or intimidation by the authorities and to obtain the release of Milli and Fatullayev,” stated the organisation.

After his release, Hajizade reaffirmed his innocence and said he would remain in Azerbaijan and continue his blogging. “I am not guilty and will demand full rehabilitation. Freedom is my right,” he said. Adnan Hajizade and Emin Milli's lawyers have submitted their case to the European Court of Human Rights hoping to overturn their conviction and be declared innocent.

On this occasion, pressure for all sides continues for the release of newspaper editor Eynulla Fatullayev who has been imprisoned since April 2007 for his political convictions, on false pretences as well. On 22 April 2010, the European Court of Human Rights ruled that the journalist had been illegally detained and asked for his immediate release. The Azeri supreme court partially complied with the European Court ruling by rejecting his conviction on charges of terrorism and inciting hatred. Yet, the court still retained the earlier conviction on charges of tax fraud and possession of heroin.

6. Ireland: reshaping the law for the digital economy

EDRi-member Digital Rights Ireland, Google and the Institute of International and European Affairs co-sponsored an event in Dublin on 19 November 2010 which presented suggestions for the reform of Irish law to promote digital innovation.

Speakers were Niall O'Riordan (Google) who called for developing fair use at the Irish and European level, Kate O'Sullivan (UPC) who spoke on the topic of the difficulties faced by ISPs due to the music industry demands that they act as copyright police, Johnny Ryan (IIEA) who placed the growth of interactive media in a historical context, Nick Kelly (musician and author) who spoke about the challenges he has faced in selling music online since moving from a major label, and Darragh Doyle ( who discussed the problems online forums face under Irish law.

Chairing the event was TJ McIntyre from Digital Rights Ireland who concluded with a presentation which called for reform of defamation law and for greater immunities to be given to intermediaries under the Irish law.

7. Lack of net neutrality and open standards threaten the web

“The Web is critical not merely to the digital revolution but to our continued prosperity-and even our liberty. Like democracy itself, it needs defending.”

This is the subtitle of a recent article of Tim Berners-Lee published in the Scientific American Magazine on 22 November 2010 where he focuses on the new threats of the current developments of the world wide web: lack of Internet neutrality, social networking, closed standards and attempts from governments to snoop on web communications.

The articles titled “Long Live the Web: A Call for Continued Open Standards and Neutrality” gives the opportunity to the inventor of the WWW in 1990 to focus on the core design principles of the web and how they are endangered today by new policies from private and public actors on the Internet.

Sir Tim Berners-Lee points to Internet neutrality as one of the core issues that needs to be preserved in order to allow the unhindered development of the WWW, based on its principles of universality and de-centralization.

The author is clear in emphasizing why legislation is needed to protect these principles: “A neutral communications medium is the basis of a fair, competitive market economy, of democracy, and of science. Debate has risen again in the past year about whether government legislation is needed to protect net neutrality. It is. Although the Internet and Web generally thrive on lack of regulation, some basic values have to be legally preserved. ”

The father of the WWW also explains what the open standards are key to keep innovation at maximum in the Internet: “By 'open standards' I mean standards that can have any committed expert involved in the design, that have been widely reviewed as acceptable, that are available for free on the Web, and that are royalty-free (no need to pay) for developers and users. Open, royalty-free standards that are easy to use create the diverse richness of Web sites, from the big names such as Amazon, Craigslist and Wikipedia to obscure blogs written by adult hobbyists and to homegrown videos posted by teenagers.”

Sir Tim Berners-Lee also points to stupid EU legislation, such as the Hadopi law in France or the Digital Economy Bill in the UK to prove that the normative processalso needs to be under scrutiny to ensure the respect of human rights in the online environment as well:

“In these cases, no due process of law protects people before they are disconnected or their sites are blocked. Given the many ways the Web is crucial to our lives and our work, disconnection is a form of deprivation of liberty. ”

8. ENDItorial: EC Internal Security Strategy - My dog is a cat

The European Commission (EC) recently published its “Internal Security Strategy” - a wide-ranging security programme covering international crime networks, radicalisation, cybersecurity, border management and crisis/disaster management.

One almost amusing element is how it included “piracy” (meaning unauthorised downloads) as a security issue. The logic is very reminiscent of the 1980s British comedy “Yes Prime Minister” where a senior civil servant explains to a colleague how to argue to stop power being put in the hands of citizens. “All cats have four legs, so does my dog. So my dog is a cat”. Counterfeiting is sometimes carried out by criminal gangs, who are a security threat. Counterfeiting is an intellectual property infringement. “Piracy” is an intellectual property infringement, so “piracy” is a security threat.

Meanwhile, some elements that are missing are also interesting. For example, the Strategy argues that “security should be integrated in relevant strategic partnerships” but, having accused major trading partners like the USA of failing to take action against online child abuse and international trade in abuse images, the strategy prioritises “trafficking in human beings, drugs trafficking and terrorism” for this action. Indeed, while the strategy covers, in the Commission's own words “seemingly petty crimes”, the child abuse that was such a priority when tackling the symptoms via blocking, fails to get a single mention in the document.

With regard to cybercrime, the Strategy suggests the creation of a “cybercrime centre” to build operational and technical capacity, working with national Computer Emergency Response Teams (CERTs) and the European Network and Information Security Agency (ENISA). The proposal to have a centralized hub for reporting of all forms of illegal material (useful for creating multiple blocking lists for Internet access providers), which was first made under the French Presidency of the EU, is made again. However, this still does not have adequate political support, so the Strategy says that this will be introduced “if appropriate”.

Even though no progress has been made on the Commission's proposals for an industry agreement for extra-judicial deletion of websites accused of child abuse, xenophobia or terrorism since the summer, the Strategy suggests that this will be achieved by 2011. The Commission has organised a meeting on 15 December 2010 with the industry to push its draft agreement, with a separate informal meeting the week before to discuss “outstanding issues”.

11. Agenda

archief/edri_gram_nieuwsbrief/01_12_10.txt · Laatst gewijzigd: 2017/09/11 21:36 door KapiteinG