European Parliament on Privacy vs Security and the "Balance" Metaphor

The European Parliament has adopted its resolution on the Stockholm Programme today. The Stockholm Programme is a political document that lays out the priorities for EU justice and home affairs policy for the years 2010 to 2014. It will be adopted by the Council of Ministers next Monday - therefore the Parliament's opinion on this was very timely. There were a lot of amendments, separate votes and split votes, so we have to wait a few days for the final consolidated text. Overall, it's a mixed bag, but that is a looong story.

What I want to point out here is only one amendment that was adopted - but it was an extremely crucial one:

The European Parliament

"... stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective"

I think this is one of the most important official contributions to the "freedom vs security" debate in the last few years. And it is the official opinion of Europe's directly elected representatives now.

Please help spreading the word and establishing this clarification firmly in the public discourse.

SWIFT Agreement Not in Line with European Parliament 's Demands

The draft agreement on bank data transfer between the EU and the US for anti-terrorism purposes ("SWIFT Agreement") was leaked on 11 November. It stirred a heavy debate in the media, even made front-page news in Germany, and resulted in members and staff of the European Parliament and of the Committee of Permanent Representatives of EU member states (COREPER) having hectic phone calls. Background on the SWIFT deal is available elsewhere.

I want to focus here on the conformity of the draft with the demands of the European Parliament. The EP adopted a resolution on the SWIFT agreement in September, which was not too strong, but clearly spelled out some substantial and procedural criteria.

There are rumours that the Council and the Commission are trying to get an informal confirmation (whatever that means) from the Parliament that the current draft meets the demands of the Parliament. The following quick analysis shows that this is clearly not the case.

1) Definition of Terrorism

The EP demands in paragraph 7(a)

"that data are transferred and processed only for the purposes of fighting terrorism (...), and that they relate to individuals or terrorist organisations recognised as such also by the EU".

The draft agreement has a definition of terrorism in article 2 and also refers to the EU definition on this, but spells out no procedure on who would make such a decision and how.

2) Judge Approval

The EP demands in paragraph 7(c) that data transfers have to be

"subject to judicial authorization".

The draft agreement does not mention this at all. It only describes a procedure in article 4 where requests by the US government are scrutinized by an ominous "central authority" in the EU member state where the financial service provider concerned is located. I assume this will be agencies like the Federal Criminal Police Agency (BKA) in Germany and the likes. Not exactly what is meant by an independent judge.

3) Judicial Review

The EP demands in paragraph 7(d) that

"legality and proportionality of the transfer requests should be open for judicial review in the US"

and in paragraph 7(e) that

"transferred data are subject to the same judicial redress mechanisms as would apply to data held within the EU".

The draft only has a meaningless clause on this in article 11(3). There is an annex to the draft that lists a number of U.S. laws and codes that allegedly provide for judicial redress, but none of these actually does so. In detail:

- The Administrative Procedure Act of 1946 only states that

"a person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action within the meaning of a relevant statute, is entitled to judicial review thereof".

The problem: The US Privacy Act offers protection against unlawful data processing by government agencies, but only for US citizens and residents.

- The Inspector General Act of 1978 only establishes the powers of inspector generals, of the various agencies and departments for auditing and investigations. There is no option for citizens to demand judicial review. Quite the contrary:

"the Secretary of the Treasury may prohibit the Inspector General of the Department of the Treasury from carrying out or completing any audit or investigation".

- The Implementing Recommendations of the 9/11 Commission Act of 2007 establishes the Privacy and Civil Liberties Oversight Board in the Department of Homeland Security. But the PCLOP is not really independent, has very few rights and can not pursue independent investigations. There is no option for citizens to demand judicial review. Quite the contrary - the act establishes even more possibiliites for data-sharing among government agencies, e.g. through the "State, Local, and Regional Fusion Center Initiative".

- The Computer Fraud and Abuse Act criminalizes unauthorizes and authority-exceeding use of computers. But this is not what the SWIFT agreement s about - the US government could theoretically send a carrier pidgin to the Europeans with the message demanding specific data. A computer is not abused or even broken into here - otherwise every corruption, libel or other white-collar-crime case where a computer was used would be sanctionable under this act, too. Ridiculous.

- Freedom of Information Act (FOIA): Any possible right to access information is immediately annulled by the exception clauses in article 11 of the draft agreement.

- Standards for Ethical Code for Employees of the Executive Branch: This code includes no option for citizens to demand judicial review. It only foresees the option of disciplinary measures in case of wrongdoing by executives.

4) Purpose Binding

The EP demands in paragraph 7(f) that transfers of data are limited to investigations about "terrorism financing". The draft agreement includes "prevention, investigation, detection, or prosecution of terrorism or terrorist financing". This means that the US can ask for data that is not related to terrorism financing at all, as long as they make the case that it is somehow related to terrorism or may help its "prevention" (which is a broad and unclear clause anyway).

5) Onward Data Transfers

The EP demands in paragraph 7(f) that

"the transfer of such data to third parties other than the public authorities in charge of the fight against terrorism financing is also prohibited".

The draft agreement allows the onward transfer of bank data to third countries, not just third parties within the US. The parliament clearly meant the latter in its resolution and did not foresee any transfer to third countries. This would be the major hole in the agreement where all the other criteria (judicial review, purpose binding etc.) would be annulled even if they existed.

6) Scope

The EP demands in paragraph 9 that

"batches and large files such as those concerning transactions relating to the Single European Payment Area (SEPA) fall outside the scope of the data".

The draft agreement in article 4(6) allows for the transfer of "bulk data" if the service provider can not identify the specific data requested. A slightly newer version of the agreement, according to German press reports, explicitly excludes SEPA data. But the parliament explicitly mentioned SEPA only as an example, as is clear by the word "such as". The draft agreement does not exclude all batches and large files.


7) Procedural Aspects

The EP demands in paragraph 13 that

"the European Parliament and all national parliaments will be given full access to the negotiation documents and directives".

This has repeatedly not happened. Neither has the parliament received the text of the draft agreement, not was it even informed about its very existence. It only learned about it from the press reports.

Conclusion

The current draft agreement on bank data transfers is clearly in breach of the criteria established by the European Parliament - on substance as well as on procedures.

It would be a clear affront by the Council of Ministers if they adopted and signed the agreement at their next meeting on 30 November - one day before the Lisbon Treaty will enter into force and the European Parliament will get full veto powers in the area of justice and home affairs.

"Freedom not Fear" 2009 - Protests Against the Surveillance Mania

(I have not been bloggin much here lately because I took a new job and moved to Brussels. I hope I will find more time for regular updates soon.)

On Saturday, 12 September 2009, civil liberties activists in many countries again took it to the streets under the motto "Freedom not Fear - Stop the Surveillance Mania". It was the second time these activities took place after the first international action day on 11 October 2008.

The biggest event was held in Berlin, where more than 25 000 people marched through the streets and applauded the speeches and the bands. Frank Bsirske, chairman of the world's largest trade union ver.di, called for a comprehensive law for employee and workplace privacy protection. Patrick Breyer from the working Group against Data Retention (AK Vorrat), which again had initiated the protests, reminded participants of the democratic rallies and events of 1847 and 1989 and called for continuous resistance against the surveillance state. Other speakers included Franziska Heine from the Working Group against Censorship (AK Zensur), who had organized the most successful online petition ever to the German parliament against a recent German law that permits blocking of web sites by the federal police. The event sent a strong signal to the political parties and was widely reported in the context of the upcoming German federal election. At the end of the demonstration, activists from EDRi member Chaos Computer Club were able to film a police assault on a peaceful participant. Public pressure as a result of this has now led to an announcement of the Berlin police that all officers will get mandatory name badges in early 2010.

Other activities took place in Bulgaria, Finland, Italy, Macedonia, the Netherlands, Austria, Sweden, Switzerland, the Czech Republic, and the United Kingdom. Activists had organized a plethora of events, including a full week of activities in Prague; demonstrations in Amsterdam,
Stockholm and Sofia; public teach-inns in Skopje (co-organized by EDRi member Metamorphosis), Milano, and Helsinki (co-organized by EDRi member EFFi); privacy parties and film screenings, and much more. Activists in Vienna (from EDRi member Vibe.at) reported such big interest from the population that they had to print 1000 more leaflets on the same day.
Outside of Europe, privacy activists in Guatemala joined the action day this year with a reading event from a new volume of fiction stories about surveillance, titled "stop the surveillance mania".

Links

Overview of Freedom not Fear activities

Press center for the Berlin demonstration

Report from activities in Skopje - EDRi-gram: Macedonia: Activities for
citizen education about their privacy rights (23.09.2009)

Report from activities in Vienna (only in German, 12.09.2009)

International Action Day "Freedom not Fear" (11.10.2008)

This article was also published today in the EDRi-Gram newsletter, edition 7.18

What happens to your Online Identity when you Die?

Lilian Edwards, a professor of internet law at Sheffield University and also a hard bloggin' scientist at Pangloss, is talking about this in a five minute video interview: "Death 2.0". Interesting.

The Dawning of Internet Censorship in Germany

This post was written by Markus Beckedahl and published first at Netzpolitik.org. The Creative Commons license for it is CC-BY-NC, as the other posts here. RB

Germany is on the verge of censoring its Internet: The government – a grand coalition between the German social democrats and conservative party – seems united in its decision: On Thursday the parliament is to vote on the erection of an internet censorship architecture.

The Minister for Family Affairs Ursula von der Leyen kicked off and lead the discussions within the German Federal Government to block Internet sites in order to fight child pornography. The general idea is to build a censorship architecture enabling the government to block content containing child pornography. The Federal Office of Criminal Investigation (BKA) is to administer the lists of sites to be blocked and the internet providers obliged to erect the secret censorship architecture for the government.

A strong and still growing network opposing these ideas quickly formed within the German internet community. The protest has not been limited to hackers and digital activist but rather a mainstreamed effort widely supported by bloggers and twitter-users. The HashTag used by the protesters is #zensursula – a German mesh up of the Ministers name and the word censorship equivalent to #censursula.

As part of the public’s protest an official e-Petition directed at the German parliament was launched. Within three days 50,000 persons signed the petition - – the number required for the petition titled „No indexing and blocking of Internet sites“ to be heard by the parliament. The running time of an e-Petition in Germany is 6 weeks – within this time over 130,000 people signed making this e-Petition the most signed and most successful ever.

During the past weeks, protests became more and more creative – countless blogs and twitter-users followed and commented the discussions within governments and opposing arguments. Many mainstream media picked up on this and reported about the protest taking place on-line. A working group on censorship was founded and the protest coordinated with a wiki, mailing lists, chats and of course employing twitter and blogs. One website „Zeichnemit.de“ created a landing page explaining the complicated petitioning system and making signing the petition easier and more accessible for non net-experts.

Over 500 people attended the governments official press conference on the planed internet censorship – a number of whom used this occasion to demonstrate and voice their concerns. In fact, demonstrators began attending some of the Minister von der Leyens public appearances, carrying banners and signs to raise attention to the stifling of information freedom in Germany.

The net community did not only oppose the governments plans, but also made constructive suggestions how to deal with the problem of child pornography without introducing a censorship architecture and circumcising constitutional freedoms. The working group on censorship demonstrated the alternatives for instance by actually removing over 60 websites containing child pornographic content in 12 hours, simply by emailing the international providers who then removed this content from the net. The sites were identified through the black lists of other countries documented on Wikileaks. This demonstration underlines the protesters main arguments: instead of effectively investing time and efforts to have illegal content removed from the internet, the German government is choosing censorship and blocking – an easy and dangerous way out. The greatest fear of the protesters is that once in place, the infrastructure will be used to censor other forms of unwanted content, not only child pornography. German politicians already seem to be lining up with their wish-list of content to be censored in future – the suggestions ranging form gambling sites, islamist web pages, first person shooters, and the music industry cheering up with the thought of finally banning pirate bay and p2p.

You can find a detailed linklist of the zensursula-debate here (in german).
Thanks to Geraldine de Bastion for the translation.

UK introducing "Three Strikes and Your Traffic will be Censored"

The UK government just produced a comprehensive "Digital Britain" report that lays out its strategy to improve broadband connectivity. While there has been significant media coverage of the proposed levy of 50 pence a month to fund better broadband rollout in rural areas, the really interesting part are the copyright enforcement ideas. The Hermes Project reports:

The government will give powers to Ofcom to put in place a system for repeat offenders that is known as "write and sue", and they will also work with the ISPs on technical measures against the problem - which is a eminently sensible response given the lack of scaleable technical solutions for such incredibly complex requirements - which is naturally not something that the people at the BPI agree with.

As the "write and sue" name suggests, ISPs will be required to work with Ofcom under the terms of a Code of Practice to write to those infringing copyright, followed by a court process of the release of identity information and civil action if users do not desist. The interesting part is the technical measures that may happen if this is still not effective. From the report:

"The Government will also provide for backstop powers for Ofcom to place additional conditions on ISPs aimed at reducing or preventing online copyright infringement by the application of various technical measures. In order to provide greater certainty for the development of commercial agreements, the Government proposes to specify in the legislation what these further measures might be; namely:

* Blocking (Site, IP, URL)
* Protocol blocking
* Port blocking
* Bandwidth capping (capping the speed of a subscriber’s Internet connection and/or capping the volume of data traffic which a subscriber can access);
* Bandwidth shaping (limiting the speed of a subscriber’s access to selected protocols/services and/or capping the volume of data to selected protocols/services);
* Content identification and filtering– or a combination of these measures."

And that's where things start to get incredibly complex and costly - although no doubt there are plenty of DPI vendors who won't complain if the need to undertake these measures is enshrined in law.

This is where the interests of ISPs (saving bandwidth) and the content industry (filtering copyrighted content and punishing file-sharers) finally align. The Deep Packet Inspection (DPI) industry will love this.

I am not a lawyer, but I guess there will be serious problems with the EU's e-Privacy directive and the human right to telecommunications privacy in the EDHR. The EU commission has already opened an infringement procedure against the UK because of their weak position on Phorm.

German Debate about Child Porn "Filters": Delete - don't Censor!

In Germany, we are approaching the show-down in a heavy political battle around how to fight "child pornography" (correct: documentation of child sexual abuse) on the internet. The government, lead by family affairs minister Ursula von der Leyen, is proposing a filtering system based on DNS poisoning. The Federal Criminal Police (BKA) would maintain the block list and send it to the ISPs once a day. Domains on the list would then be re-directed to a "STOPP" website instead of the originnal IP address. The list of course would be secret (as long as it does not end up on Wikileaks like many such lists from other countries before), no judicial oversight is planned, and people visiting a site on the block list (Rickrolling and tinyURL, anyone?) would have to fear criminal investigations, because the law enforcement agencies would get access to IP addresses ending up at the "stopp" site.

The plan has met heavy opposition from the already politicized German internet community. An online petition to the German parliament to not adopt this law today broke the barrier of 100,000 signatures. A parliament hearing yesterday showed massive problems with the current draft. The crucial question in the next two weeks, before the parliament ends it's session and everybody is heading towards the election campaign, will be if the Social Democrats, who are ruling together with the Conservatives, will understand that it does not make sense to adopt a quick&dirty law around such a serious topic.

The German blogosphere and twitterverse are furiously analyzing the factual errors in data presented by the government to support their proposal, discussing the constitutional problems, and pointing to the massive overblocking on leaked lists from other countries. They are organizing most of the core work in the "Working Group against Internet Blocking and Censorship" (Arbeitskreis gegen Internetsperren und Zensur / AK Zensur), which is more or less modeled after the successfull Working Group against Data Retention (AK Vorrat).

But interestingly, a lot of things are also happening extremely decentralized, only glued together by hashtags on twitter and similar microblogging services. The most popular hashtag is "#zensursula", which is a play of words with the German word for censorship (Zensur) and the minister's first name (Ursula). Last Saturday, there were public readings of the German constitution and many other protests on the streets in around 30 German cities, all triggered just by a blogpost and a tweet.

I'll speak about these methods of "activism 2.0", among other things, next week at the "Computers Freedom and Privacy" conference in Washington DC.

Now, a member of AK Zensur has made an interesting experiment and showed that it is not even necessary to block sites, because you can easily take them down completely. Stefan Graunke was so kind to do an English version of the press release:

Delete, don’t block: It works!

This is the English version of a German press release on ak-zensur.de

Within 12 hours, 60 child pornography sites were removed from the internet

In the ongoing German dispute over the appropriate action against documented child abuse on the Internet(child pornography), the supporters of a mere blocking solution argued that it is often not or only with considerable effort possible to remove the illegsl content or to get hold of it’s originator.

Alvar Freude of the Working Group against Internet blocking and censorship (AK Zensur) put this argument to the test. He analyzed the various European blocking lists via automatic procedures and wrote to each provider on whose servers child pornography was located according to lists. He received an impressive response: Within 12 hours after sending the first e-mail 60 websites were already deleted.

Further results and insights:

• The first reactions respectively deletions followed after a few minutes and came among others from the USA, Holland, Denmark, Russia and Germany.
  
• Three of the the deleted websites were located on servers in Germany.
  
• A total of 348 providers in 46 different countries were contacted automatically and informed of 1943 allegedly illegal websites. A previous individual analysis of the web sites content has not been made. (It is completely illegal in Germany to look at child pornographic content.)
  
• 250 providers have responded to the request, but they mostly found legal content. Samples that were taken afterwards confirmed the legal content.
  
• Ten providers indicated that a total of 61 cases of illegal content had been removed. With a simple e-mail you can achieve a lot.
  
• The examination through the providers showed that the vast majority of websites, including some from Germany, appeared to have no child pornographic content, some do not contain any objectionable material at all – therefore the websites were blocked in error. In Finland several domestic websites were blocked, that contain a critical examination of the blocking issue.
• The providers have not been informed that some of their hosted websites were put on the blocking lists.
  
• When made aware of this fact, the providers are more than willing to cooperate and remove illegal content as soon as possible.
• A certain part of the illegal material was located on ‘hacked’ websites, ie sites that were exploited through security holes to spread external material. Here too the providers were very grateful for the supplied information.

The process to shut down websites with child pornographic content does not take longer than the transmission of a blocking list. This shows the absurdity of the reasoning behind simple blocking – there is no rational reason to just block criminal content and leave it on the Internet, still accessible for everyone who uses minimal effort to circumvent the block.

What was possible for a citizens’ initiative, such as the Working Group against Internet blocking and censorship, should be even easier for the German government and law enforcement agencies and their results should by far exceed the results of AK Zensur.

Delete, don’t block – the motto of AK Zensur – is possible!

Released by: Working Group against Internet blocking and censorship (AK Zensur)
Web: http://ak-zensur.de/ (in German)

Press Contact:
Alvar Freude
presse@ak-zensur.de
+49 179 13 46 47 1

About the Working Group against Internet blocking and censorship (AK Zensur):

The Working Group on Internet blocking and censorship (AK Zensur) speaks out against the Federal Government’s planned Internet blocking and promotes an effective fight against child abuse instead of ineffective symbolic politics that only promotes ‘looking the other way’, does not help the victims and establishes an infrastructure that restricts basic public rights. AK Zensur coordinates the work of Internet blocking opponents, but is also appreciates the many activities that are happening decentralized in the on- and offline world.

The members of AK Zensur are amongst others: Chaos Computer Club (CCC), FoeBuD, Association for Information Technology and Society (FITUG), Forum of Computer Scientists for Peace and Social Responsibility (FIfF), Victims Of Abuse Against Internet Blocks (MOGIS), netzpolitik.org, the online platform ODEM.org, Trotz Allem e.V. and numerous individuals.