EDRI-gram Nieuwsbrief - 9 februari 2011

1. Data retention law provisions declared unlawful in Cyprus

The Cyprus Supreme Court decided on 1 February 2011 that some of the provisions of Law 183 (I) / 2007 on disclosure of telecommunications data are unlawful, as they breach the Cyprus Constitution and its jurisprudence, as revealed by the daily Cyprus Mail.

Law 183 (I) / 2007 (Retention of Telecommunication Data for Purposes of Investigation of Serious Criminal Offences Law of 2007) was adopted by Cyrpus on 31 December 2007 as the national implementation of the EU Data retention directive.

In the case brought to the Supreme Court, four people claimed that Articles 4 and 5 of the national law, that provided police forces access to the retained data, were unlawful. The court considered that the articles in question go beyond the provisions of the EU Directive which does not address the issue of access to the retained data.

Therefore, the court considered it may check the constitutionality of these articles, especially in relation with Art 15 of the Cyprus Constitution (right to privacy) and article 17 (confidentiality of communications).

Based on the Cyprus Constitution, and jurisprudence from itself and from the EctHR, the Supreme Court issued a unanimous ruling regarding the legality of court orders issued for the disclosure of telecommunications data by the district courts of Nicosia, Limassol and Larnaca at the request of police investigating serious crimes. The orders concerned the four complainants that claimed a breach of privacy and confidentiality of their communications.

The court considered that three of the four court orders for disclosing telephone numbers and calls were illegal and should be annulled. In the case of the fourth person the case was rejected, since the person was imprisoned and banned for using a mobile phone.

It is unclear how this decision will affect the law and its application. According to a statement of police spokesman Michalis Katsounotos to Cyprus Mail, “the decision will be studied in depth by the assistant police chief and all under investigation or criminal proceedings will be identified for which a court order was secured for the disclosure of telecommunications data, so that in consultation with the Attorney-general, a decision can be taken on the further handling of them.”

2. Commission's proposal for PNR Directive fails to impress MEPs

On 2 February 2011, the European Commission released its proposal for a directive on the use of Passenger Name Records. This would require airlines flying into and out of the EU to give travellers' personal information to national authorities in the Member State of departure or arrival. Such data includes, for example, home address, mobile phone number, frequent flier information, email address and credit card information.

The document is a follow up to the proposal for PNR in 2007, for which the European Parliament, led by rapporteur Sophia in't Veld (ALDE, Netherlands), requested from the Commission, particularly in terms of better justifications regarding the measure's supposed necessity and proportionality.

With a number of databases related to travellers already in existence, such as the Schengen Information System (SIS), the Visa Information System (VIS) and the Advanced Passenger Information system (API), many members of European Parliament were and are sceptical about the necessity of a Passenger Name Record regime.

The scope of the purpose of PNR is widened. Whereas, in the 2007 document, the purposes were preventing and combating terrorist offences and organised crime, now it extends to “serious crimes” (defined as offences which call for a minimum prison sentence of 3 years). As these crimes are not specified, there is, by definition, no way of assessing the necessity and proportionality of all crimes that could be covered by this wording.

The processing of the PNR data outlined in Article 4 stipulates that the Passenger Information Unit (PIU -the body responsible for the storage and management of PNR databases), can use the data for profiling purposes, an issue that has been highly criticised in Parliament. The data can also be compared with other “relevant” databases, while not making clear which databases will be accessed by Member States. PIUs will also be obliged to hand over PNR data at the request of the competent authorities in Member States. Finally, the document proposes using the data to update and create new profiling criteria.

The document indicates that it will “mask” some pieces of data after 30 days of storage. The data is, however, not anonymised - instead, a certain amount of data is “masked” with no actual anonymisation. These pieces of information can be easily re-personalised and, in fact, access to the full PNR data is always available to the Head of the PIU, “where it could be reasonably believed that it is necessary to carry out an investigation and in response to a specific and actual threat or risk or a specific investigation or prosecution.”

Furthermore, considering the list of PNR data to be collected, there are a number of personally identifiable information that will not be “masked”, such as billing information (including credit card numbers).

The document also prohibits the collection, storage and processing of “sensitive data”, defined in the proposal as “any personal data that could reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sexual life of the individual concerned”. In the same paragraph however, it states the PNR data “should contain details on the passenger's reservation and travel itinerary”, which include special meal requests which can indicate religious orientation; special service requests that can indicate disabilities or specific medical conditions and billing and contact information.

MEP Sophia in't Veld seems pleased with the document, saying, “we will closely scrutinise the proposals, but at first glance there is a substantial improvement compared to the previous proposals”. However, she did indicate that better justification of the necessity of collecting PNR data remains, and that Parliament needs the facts and figures before they can make a well founded decision.

Other members of the European Parliament are not so optimistic. EPP member Manfred Weber (Germany) is sceptical of the necessity of PNR, saying, “there are deficits in the usage of current data. So why should we collect even more mass data?”

“The EU-US PNR agreement is already bad enough”, stated German Greens member Jan Albrecht. “The last thing we need to do in Europe is to copy this model, which infringes on the civil liberties of EU citizens.”

Claude Moraes (S&D, UK) has concerns about the Commission's proposal to profile individuals and indiscriminately collect personal data, calling on Commissioner Malmström to “urgently come before the European Parliament and to provide precise evidence that massively collecting air travellers' data is an effective and necessary way to prevent terrorists from flying to and from Europe.”

Commissioner Malmström is likely to meet with the LIBE committee in the next few weeks to discuss the contentious elements of the proposal. The entire negotiation process in the Council and the Parliament is expected to take around two years.

3. German study finds the data retention ineffective

A study of police statistics published by the German Federal Crime Agency on 26 January 2011, finds telecommunications data retention ineffective for the prosecution of serious crime.

An analysis of Federal Crime Agency statistics published on 27 January 2011 by German civil liberties NGO AK Vorrat reveals that data retention, while in force, did not make the prosecution of serious crime any more effective. With data retention in effect, more serious criminal acts (2009: 1 422 968) were registered by police than before (2007: 1 359 102), and a smaller proportion were cleared up (2009: 76.3%) than before the introduction of blanket retention of communications data (2007: 77.6%). Likewise, after the additional retention of Internet data began in 2009, the number of registered Internet offences surged from 167 451 in 2008 to 206 909 in 2009, while the clear-up rate for Internet crime fell (2008: 79.8%, 2009: 75.7%).

According to AK Vorrat, user avoidance behaviour can explain the counterproductive effects of blanket data retention on the investigation of crime. In order to avoid the recording of sensitive information under a blanket data retention scheme, users begin to employ Internet cafés, wireless Internet access points, anonymisation services, public telephones, unregistered mobile telephone cards, non-electronic communications channels and the like. This avoidance behaviour cannot only render retained data meaningless but also frustrate more targeted investigation techniques that would otherwise have been available to law enforcement. Overall, blanket data retention can thus be counterproductive to criminal investigations, facilitating some, but rendering many more futile.

4. UK Supreme Court to hear DNA cases

Following a decision of the European Court of Human Rights (ECtHR), the UK Coalition Government has recently stated its intention to dramatically reduce the retention period of DNA data. In 2008, the ECtHR ruled that a blanket policy of retaining DNA samples of people who were not charged or convicted of offences indefinitely was breaching human rights.

The UK Supreme Court has recently held hearings in two cases related to the retention of DNA, fingerprints and other information by the Police of Metropolis of two individuals, independently arrested by the police for suspected offences but had no further action taken against them.

“It makes good sense to hold the DNA of dangerous convicts, but holding intimate information on thousands of innocents is discriminatory as well as intrusive. The high numbers of black men arrested and never charged explains but doesn't justify their over-representation on the database. In the absence of long-trailed new law from Parliament, Britain's highest court must inject fairness into DNA retention practice,” stated Liberty's legal officer Anna Fairclough.

The Supreme Court will decide whether the respective data retention violates the rights of the plaintiffs under Article 8 of the European Convention on Human Rights. The decision will probably largely influence the actions taken further on by the UK authorities.

The Coalition expressed the intention to introduce a similar policy to that in Scotland where only the samples of people suspected of serious offences are retained and only for a limited period of time.

“The Government is committed to adopting the protections of the Scottish model for DNA retention. In particular, we are examining whether the provisions of section 23 of the Crime and Security Act 2010 should be brought into force. This would empower the National DNA Database Strategy Board to issue binding guidance to chief police officers on the types of case in which deletion would be appropriate,” Home Office Minister James Brokenshire announced in the Parliament.

For the time being, according to the statistics, one out of four people whose DNA data are retained by the UK police forces are innocent and the data are retained indefinitely.

In January 2011, Northern Ireland's High Court of Justice ruled that the retention of a 14-year-old boy's DNA by the police was not illegal, stating ECHR's 2008 ruling could not be followed because it was not binding and it was in conflict with the earlier ruling by the House of Lords.

“The lengthy, perhaps indefinite, retention by the police of the Applicant's photographic images seems incompatible with the broad and elastic formulations of the scope of Article 8(1) [of the ECHR],” said Mr Justice McLoskey who added: “But for [the House of Lords] decision and our analysis of it, we consider that there is substantial force in the view that the retention of the Applicant's photographic images by the Police Service for a minimum period of seven years, which may be extended indefinitely, unconnected in any concrete or rational way with any of the statutory purposes, interferes with his right to respect for private life guaranteed by Article 8(1).”

Innocent DNA retention to be challenged (31.01.2011). Supreme Court to revisit DNA retention (30.01.2011).

Police DNA retention ruled lawful by NI High Court (21.01.2011).

EDRi-gram: ECHR decided against the UK DNA Database (17.12.2008).

5. Spanish sports streaming domain seized by US authorities without warning

The US authorities have recently seized, without any warning, the domain names of several sports streaming sites over alleged copyright infringements within the “Operation In Our Sites” action launched at the beginning of July 2010, targeting websites having allegedly offered users copyrighted material without copyright owners' consent.

In July 2010, the Department of Justice (DOJ) and Homeland Security's Immigration and Customs Enforcement (ICE) seized a series of film streaming domain names. It is now the turn of sports streaming domain names.

Among the recently seized domains, DOJ and ICE have included, a popular sports steaming website, despite the fact that the site is owned by a Spanish company and its only relation to the US is that the .org domain is maintained by a US company.

Furthermore, the site has already been declared legal by two Spanish court rulings in 2009 and 2010, following an action introduced by sports rights holder Audiovisual Sport in 2007. “In our opinion the US authorities are completely despising the Spanish justice system and sovereignty,” stated Igor Seoane, Rojadirecta's owner for TorrentFreak.

Rojadirecta, as a streaming site, does not host any copyrighted material but indexes HTTP links to sports streams that can be found on the Internet and links to torrent files hosted on other sites.

This seizure of a site domain already declared legal in Spain, raises concerns related to generic domain names that are controlled exclusively by US companies. Without even contacting the site owners, the US authorities may obtain a seizure warrant from a District Court judge and use this to take control over the domains in question even if the sites are not based in the US, which provides US censorship powers over a great part of the Internet.

Besides, the domains of several other sports streaming sites were seized by DOJ and ICE, only a few days before the Super Bowl, the most-watched American television broadcast. This seems like a pattern. In November, the US authorities seized domains of online retailers of alleged counterfeit goods, just a few days before “Cyber Monday”, a commercial event.

The sites in question had the option to move to alternative domains, which they did in a short time. Rojadirecta is presently available on several alternative domains, such as .es, .in and .me., one of the other seized sites is now available under, has moved to while turned to

6. France: Increased powers for Hadopi authority

The Hadopi law continues to develop as the French Government pushes last minute amendments to be passed by the Parliament.

Thus, the French National Assembly adopted on 1 February 2011, late at night, an amendment filed at the last moment by the Government, that would allow French three strikes authority (Hadopi) to pay private-sector companies for carrying out online surveillance and filtering.

Amendment 151 to the draft Law on Simplifying and Improving the Quality of Laws extends Hadopi powers to “provide support for innovative research and experimentation projects by state or privately-owned entities that would assist the Authority in fulfilling its mission (…)”, meaning that the authority would have the freedom to subsidise private entities for “the development of the legal offer and the observation of legal and illegal use of works”.

Although it was passed in a rush and late at night, the amendment did not go unnoticed. The legal commission of the General Assembly showed concerns regarding the constitutionality of the amendment stating it had no time to examine it and asked for its withdrawal. Deputy Alain Vidalies warned that the opposition would take the issue to the Constitutional Court, considering the amendment as a “legislative knight” (a text which has actually no relation to the text examined).

Another draft decree related to Hadopi was on CNIL's agenda on 20 January 2011 and is now to be examined by the State Council. The decree, already modified once in October 2010, introduces means to interconnect ISPs' subscriber files with infringement information received by the Hadopi authority and makes electronic transmissions of all files from Hadopi to courts.

This modification fulfils Hadopi's wish to manage all three strikes processes up to the courts by information systems, as the authority stated in November 2010: “Actually, the information system manages the first pedagogical phases of the graduate response procedure (…) It must be completed to manage the next exchange phase with the prosecutor offices and jurisdictions, for which a decree of the Culture Minister is to be published next month.”

The current procedure is that the files are verified first by the Commission for the Protection of Rights (CPD) before being sent to the prosecutor. However, the president of CPD stated in an interview at the end of 2010 that he supported the idea that the “negligent infraction” can be verified by the repeated offence and therefore, no additional evidence is necessary. “If the subscriber has not changed his behaviour after three offences, he has therefore not placed any security measure (…) the consequences of your actions are those that prove the infringement ”, said CPD President.

The transmission of Hadopi files to the prosecutor offices is already covered by a procedural decree of July 2010 which says that the files are sent “to the prosecutor of the Republic attached to the competent high court.”

The idea is to make these transmissions electronic and to allow the courts to send their decisions electronically. Hadopi wants to make certain that a decision to suspend a subscriber's Internet access is applied. The authority also wants to be sure the subscriber cannot use another ISP during the suspension period.

7. ENDitorial: Internet blocking and damage to child protection

The child protection industry has been campaigning for years for the introduction of EU-wide mandatory blocking of websites accused of being illegal by the police, by independent authorities, etc. This is as a result of a very laudable reflex - child abuse websites are even more abhorrent than one would imagine and blocking a bad thing can only logically be a good thing. Politically, it is an easy message.

Unfortunately, child protection in an international context is polluted with easy messages and unthinking reflexes. Every government loves sounding tough on child protection and every soundbite that does not require concrete action results in a weakening of real measures being taken to protect children from real abuse. The self-appointed childrens' representatives consistently support and encourage these meaningless and counterproductive soundbites, ultimately damaging the very interests they claim to defend.

Every country in the world except Somalia has signed and ratified either the UN Child Rights Convention or its Optional Protocol on the sale of children, child prostitution and child pornography. The Convention requires governments to take all appropriate national, bilateral and international measures to prevent the exploitative use of children in “pornographic” performances. The Optional Protocol requires governments to ensure that child “pornography” is “fully covered under its penal and criminal law”.

We are told that some countries leave child abuse websites online for months. Where is the public condemnation from the United Nations for these blatant breaches of its most successful binding Convention? Where are the shadow reports from child protection organisations condemning those countries for gross failures to protect the weakest in society? Where are the sanctions from governments bound under international law to take “all appropriate national, bilateral and international measures to prevent the abuse”? They are lost in soundbites.

The problem is that the Convention and the Optional Protocol have no enforcement mechanisms. They can be signed and forgotten and states can move on to the next soundbite.

We are told that web blocking is meant to be a “complementary measure”. It will be part of a wider strategy. Unfortunately, it requires no action from governments - building on years of failure and years of soundbites, they will be able to claim that they are fighting child abuse when all they are really doing is asking Internet providers to put up a screen - a screen which will mask their own failures better than the abuse.

So, why does the child protection industry insist on promoting blocking? It would be unfair to say that they are funded by governments and therefore unwilling to criticise them. The issue appears to be based more on misunderstandings than anything else. If we look at one particular child campaigner's blog (link below), we can see this quite clearly. He says:

“Blocking is, after all, a form of deletion. It renders the material inaccessible to the great majority of internet users in the country where blocking happens.”

A system which leaves the material online is not a form of deletion. Nobody has been able to indicate any statistical difference between the number of - or trends in - reports to child abuse hotlines in countries with or without blocking.

It has, therefore, no discernible impact on the great majority of internet users. In any event, the great majority of internet users never find child abuse material and, according to statistics from Internet hotlines. Furthermore, the great majority (over 75%) of those who think that they do have actually found entirely legal material.

He goes on to say: “Opponents of blocking are sort of saying everyone should be able to see the images until no one can.”

It is difficult to know which opponents of blocking might be referred to here. Innocent people very rarely access the material and there is no evidence that blocking stops this to an appreciable extent. What we object to are measures which take the pressure off governments to take real action against websites containing evidence of real abuse and which destroy fundamental rights in the process

He then explains that: “A number of opponents of blocking make references to “the thin end of the wedge” and to “dangerous precedents”, sometimes referred to jointly or severally as the “slippery slope”. “Where will it all end?” they ask.”

This fails to recognise that this is not a “stand alone” argument. The “slippery slope” is an inevitable cost. Any policy in any area requires the costs and benefits to be compared and balanced. As there is no demonstrable benefit to blocking, the slippery slope alone would make the measure disproportionate.

He continues: “More reprehensible in some ways are those who make no attempt to deny that blocking child abuse images is a good thing to do. Instead, and often without any apparent embarrassment, they say they would do it in a trice if only they could be sure blocking would forever be limited to that.

Terrorism, anorexia or suicide related materials frequently get mentioned as examples of the types of content it is known others are pushing to be blocked.”

Having worked on this issue for several years, I have never once heard someone make this argument. Blocking is dangerous, counter-productive and useless for child abuse images, whether other types of site are blocked does not change this.

He adds: “Why do they find it difficult to agree that they should be blocked pending their deletion? It does not add up.”

Having seen governments sign, ratify and forget the UN Child Rights Convention, the Convention's Optional Protocol, the International Labour Organisation Convention on the worst forms of child labour and the Stockholm Declaration, it does not add up that people interested in child protection would want to give governments yet another soundbite - another way of hiding inaction on child protection behind empty promises.

There MUST be investigations in order to identify and rescue as many children as possible. There MUST be investigations in order to find and prosecute both the owners and users of such sites. Blocking will immediately warn the people behind the websites that they have been spotted by law enforcement authorities and they can act to protect themselves. Why would child protection organisations want this?

He says: “The techie world generally dislikes solutions which it believes are “broken” i.e. that can be defeated or circumvented, but the point is the knowledge and the determination to circumvent or defeat blocking are very unevenly distributed.”

The problem that the techie world has is the same as the one that the political world increasingly has with blocking. Techies are parents too and therefore understand that all efforts to protect children must be effective. They understand that every failed initiative has real human consequences. If a policy has demonstrable costs and no demonstrable benefits, it must be avoided.

He continues: “Critics say that if the EU gives official blessing to the use of blocking it would enable totalitarian regimes in other parts of the world to point to it to justify their own oppressive use of blocking.”

Nobody says that blocking of child abuse images will directly cause this.

However, “mission creep” is not a risk, it is a guarantee. Lawless blocking, such as in the UK and Sweden is not a risk, it is an existing fact. If, and it is already beginning to happen, EU countries block child abuse websites to hide their own international failures, if they block entirely legal gambling websites in order to protect tax revenues and gambling monopolies and if they block websites accused of copyright infringement in order to protect outdated industries that cannot cope with the digital age, if EU countries abandon the rule of law and permit blocking without any involvement of law enforcement (let alone judicial) authorities, it is not alone encouraging totalitarian regimes to undermine access to information, it is providing a blueprint for them.

Sadly and disappointingly, the campaigner then goes on to give statistics which have been comprehensively, repeatedly and unquestionably disproven.

One of the many clear analyses of why the “statistics” are misleading nonsense is linked from the bottom of this page.

To finish, and bearing in mind that total lack of any benefit of blocking and the real dangers to child protection that blocking presents, I will finish with two quotations from the campaigner that sum up the debate very neatly:

“If your starting point is the best interests of the child there is no way you can end up concluding that, actually, after a lot of careful thought, a great deal of soul searching and hand wringing it is best to leave pictures of children being raped on full public view for a little while longer.”

“This argument turns sexually-abused children into bargaining chips.”

This is completely and reprehensibly true. It is incomprehensible to find oneself trying to defend measures that will force governments to take proper action against child abuse, being fought every step of the way by those people whose job it is to do this.

With new data protection challenges arising everyday, the Convention is being overhauled to meet new realities and time is now ripe to think about modernising it. The technological developments of the information and communication society as well as the globalisation of exchanges lead to unexplored challenges and potential new risks for the protection of human rights and fundamental freedoms. Is Convention 108's protection still in line with today's needs in respect of data protection or should it be modified and complemented in order to better satisfy the legitimate expectations of individuals and concerned professionals?

10. Agenda

archief/edri_gram_nieuwsbrief/09_02_11.txt · Laatst gewijzigd: 2017/09/11 21:36 door KapiteinG