thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Friday, October 03, 2014

The Ballad of Google Spain

The judgement of the European Court of Justice in the case Google Spain from May 2014 has caused a very diverse and intense debate that is far from finished. Though the ruling does not contain this, it has become known as the "right to be forgotten"-ruling, or #R2BF.

The best summary by far has been provided by Paul Bernal. The analysis is very much to the point, but even better: For the national poetry day yesterday, he wrote it in the form of a poem!
The Ballad of Google Spain

There was a case, called ‘Google Spain’
That caused us all no end of pain
Do we have a right to be forgotten?
Are Google’s profits a touch ill-gotten?

read the full poem


TTIP and TiSA: big pressure to trade away privacy

I was asked by Statewatch before the summer to contribute to their collection of essays and analyses on transatlantic relations. I wrote an analysis of the pressure on European data protection and privacy rules, including strategic discourses and lobbying around it. It is based on the documents that are available so far.

The paper has finally been published in September, very timely after the end of the Brussels and Washington summer break.
TTIP and TiSA: big pressure to trade away privacy, Statewatch Analysis 257, September 2014


Saturday, December 14, 2013

layers of the struggle privacy vs surveillance, in my picture of the year

This is the picture of the year for me, on so many different layers: 
Stewart Baker, ex-NSA general counsel, and Jacob Appelbaum, internet freedom activist/hacker/journalist (left, right).
  • They pretty much symbolise the two sides of the global scandal of the year.
  • They also symbolise the attitudes of both sides.
  • This struggle has defined a large part of my professional life in 2013.
  • I was involved in defining much of this struggle (at least on the EU Parliament side) as a large part of my professional life in 2013.
  • I was on a panel with both of them yesterday, which was one of the most unlikely things I ever imagined in my life.
  • This is one of the more unlikely pictures in my life that I ever imagined being present for when it was taken.
  • But hey, I was involved in pulling that panel together.
  • Most basic question that says it all: With which of these guys would you prefer to hang out and collaborate and try to change the world? The answers to this one again can be on many layers, but they actually converge to the same answer.
  • [fill in your own layer in the comments / shares] 
(picture by Omer Tene, who also moderated the panel) 

Update, 6 April 2014: Jake and Stewart now finally got into the heated discussion they were supposed to have back in December. 


Sunday, December 09, 2012

EU Commission: No new law enforcement databases needed

In a communication and a press release, somewhat hidden on a Friday for whatever reasons, European Union Home Affairs Commissioner Cecilia Malmström announced that her services had done an assessment of EU-wide law enforcement information exchange mechanisms. She concluded that
information exchange generally works well, and no new EU-level law enforcement databases are therefore needed at this stage.
This is the first time in a long while that a top-level home affairs official has said that they don't need more new databases. Emphasis is added in the quote for a reason!

This conclusion is based on an "Overview of information management in the area of freedom, security and justice" which the Commission had released in 2010 and which introduced a number of criteria for further policy development in this field:
  • Safeguarding fundamental rights, in particular the right to privacy and data protection
  • Necessity
  • Subsidiarity
  • Accurate risk management
  • Cost-effectiveness
  • Bottom-up policy design
  • Clear allocation of responsibilities
  • Review and sunset clauses
In the new communication, the Commission examines a number of EU-wide information exchange instruments among law enforcement agencies. Oddly enough, they mix existing EU stuff such as Europol and the Schengen Information System (SIS) with projects started by a number of member states which have not yet been Europeanised, such as the Prüm Decision or the European Border Surveillance System EUROSUR.

The Commission also does not address a number of other initiatives and databases that are currently in the legislative pipeline:
  • Eurodac, the database of fingerprints of asylum seekers, where Parliament and Council are currently debating law enforcement access;
  • EU-PNR, the proposed system of EU-wide gathering, profiling, and retention of data on all air passengers entering or leaving Europe (and with an extension to inner-European flights under discussion);
  • Smart Borders, a legislative package probably coming in early 2013, which would collect data about everybody entering and leaving the EU, including fingerprints (Entry-Exit System) and which would allow easier entering of the EU if travellers were pre-checked and profiled.
The Commission is to be applauded for such a sober look at the state of play in information exchange. Members of the European Parliament as well as several stakeholders had repeatedly asked "when is it enough?" after the Commission in alliance with the Member States had pushed through massive surveillance projects such as telecommunications data retention, bulk bank data transfers to U.S. financial intelligence services through the SWIFT agreement or air passenger mass surveillance through the PNR-agreements with Australia and the U.S. Good to finally see a red line here.

However, this raises urgent questions about the need for the above-mentioned measures still in the pipeline. The European Parliament is about to vote on the negotiation mandate for EU-PNR and Eurosur, and on the final agreements for law enforcement access to Eurodac. And one can wonder how the Commission will justify its "smart borders" package next year.

It seems the EU institutions should stop current initiatives and have a more general debate on further databases and information exchange in the field of justice and home affairs. It would make sense to align this with the debates on the work programme of the upcoming Irish Council presidency as well as the legislative reports from the Parliament on the EU data protection reform, which both will be debated in the Civil Liberties, Justice and Home Affairs Committee on 10th January 2013. 

Saturday, July 07, 2012

Post-ACTA: declassified negotiation documents on criminal provisions

Immediately after the defeat of the notorious Anti-Counterfeiting Trade Agreement (ACTA) in the European Parliament on 4th of July, it seems the institutions are quickly wrapping it up. Right on the next day, the Council of the European Union declassified the different (and still secret) negotiation versions of the ACTA criminal sanctions chapter (these fall under Council competence, whereas the Commission was in charge of the general trade provisions). A list in chronological order is provided below. Let's see if the Commission will also declassify the other chapters.

21 November 2008

3 December 2008

25 March 2009

9 October 2009

19 October 2009

29 October 2009

22 December 2009


Wednesday, July 04, 2012

EU Commission will link data retention reform to e-privacy reform in 2013

EU home affairs commissioner Cecilia Malmström has announced in an interview with German newspaper Frankfurter Allgemeine Zeitung that she will not propose a revision of the notorious data retention directive this year. Instead, she will work with information society commissioner Neelie Kroes to review the e-privacy directive and the data retention directive together in 2013.

This is big news. Malmström and her services have been struggling with the data retention reform for almost two years. Now she and Kroes want to reform it together with the e-privacy directive in a package, both closing loopholes for further data use in the latter and reducing retention periods and police access in the former.

My reading is this: The liberal Malmström does not know how to get out of this data retention mess in one piece, with activists and "the internet" (cf. ACTA) on one side, and home affairs ministers in Council on the other side. So she is now siding with Kroes in the hope to get anything agreed under the stewardship of an experienced telco regulator. They will try to ease industry opposition and in return get an okay for a limited version of data retention.

The big question is: How will this interact with the data protection reform package proposed by justice commissioner Viviane Reding in January? It was supposed to also amend and have an impact on the e-privacy directive with the data protection regulation for the internal market, and the proposed directive on data protection in the law enforcement field would need some rules on access of police investigators to corporate databases about their customers.

Time for some interesting coalition-building of institutional players, activists and lobbyists all across the field.

Competing schools in political science would suggest:
  1. Whoever gets the major conflict lines and narratives set up first and firmly, will win (constructivism);
  2. Whoever controls the institutional agenda, will win (institutionalism);
  3. Whoever has a better understanding of economic and political interests, will win (realism).
And this finally reminds me of my academic years and also shows how unpredictable all of this is in theory. Think ACTA, again.


Saturday, June 02, 2012

EU Commission to present regulation on electronic identity cards (Update)

EU information society commissioner Neelie Kroes will present a new regulation on the mutual recognition of national e-ID systems on Monday (4th June), according to news reports. There will for sure be a number of data protection issues related to this.

This is from the Commission Work Programme 2012:
Pan European framework for electronic identification, authentication and signature - Legislative

The proposal will present legislation to boost trust and facilitate electronic transactions notably by ensuring the mutual recognition of electronic identification and authentication across the EU, and of Electronic Signatures. (2nd quarter 2012)
Electronic identification and authentication schemes have a number of data protection issues. has seen an internal Commission paper which shows that EU Justice Commissioner Viviane Reding (in charge of data protection) seems to only focus on breach notifications.
But I am not sure anyone is addressing the inherent data protection issues related to functioning and non-breached e-ID schemes, such as the problem that the issuing authority ("identity provider" in technical jargon) may be notified every time one uses his or her eID card. I hope that someone reminds the Commission of e.g. the recommendations on "Identity Management and Reputation" from Civil Society to the OECD ministerial meeting "The Future of the Internet Economy" in Seoul in June 2008.

What does not seem to be the case is an EU-wide obligation for member states to introduce eID schemes or even use a harmonised European standard, as had been reported by more eurosceptic, right-wing and conspiracy-driven news websites.

Update: Here is the draft regulation, here is an FAQ from the Commission.