thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Thursday, January 29, 2009

Ireland: Copyright Filtering Case Settles out of Court

Over the last few years, the European music industry has tried to establish a secondary liability for ISPs whose customers share copyrighted material. The aim was to pressure ISPs into setting up filtering technology, a.k.a. "censorware". What looked like a first quick success was the case in Belgium, where the music industry association (SABAM) demanded that ISP Scarlet (Tiscali) install a filtering technology that would detect and block copyrighted material. The injunction from June 2007 in fact established exactly that obligation. After this initial success, the music industry moved on to Ireland in 2008 and sued its largest ISP, Eircom. EMI, Sony, Warner and Universal sought an injunction from the Dublin High Court which would have required Eircom to establish the same filtering system.

But in late 2008, the Belgian case turned out differently than expected. ISP Scarlet convincingly demonstrated to the court that the technology suggested by SABAM, and likewise in Ireland (Audible Magic), did not work, and that the music industry had even deceived the court by falsely claiming it had already been used elsewhere. Therefore, the trial court in Belgium lifted the injunction against Scarlet. An interesting problem for the music industry in Ireland, right?

Now, just two weeks into the proceedings of the Irish case, the law suit has settled out of court, as the London Internet Exchange reports:
The parties have agreed that the music industry will hire (or continue to hire) Dtecnet, an investigation company that identifies copyright infringers by participating in P2P file-sharing networks. Eircom will then operate a three-strikes policy, the details of which are yet to be agreed.

Given the damage that would be caused by a filtering imposition, and despite ISPs’ understandable reluctance to adopt three-strikes policies, this can be seen as a significant victory for the ISP industry. However it does leave us without the court judgement (and legal precedent) that we all looked forward to with such interest.

As an aside, the case settled at the conclusion of the Plaintiff’s (EMI’s) case, before the Defense (Eircom) introduced their own witnesses.

The reason for the settlement is obvious: They wanted to avoid a precedent.

In essence, this means: Automatic filtering does not work, suing customers does not work (this was the reason the music industry tried to use the ISPs in the first place), and the only hope the content industry has left is the "three-strikes" policy currently under heavy discussion in the EU Telecom Package. I guess the latter will also be dead by the summer, considering the significant uproar and opposition these proposals sparked last year, and having the upcoming elections to the European Parliament in mind.

(via Monica Horten from Iptegrity, who provides the best coverage of the Telecom Package and related issues anyway)

Update: TJ McIntyre from Dublin has more details and analysis.

Privacy in Germany 2008: A new fundamental right, a privacy mass movement, and the usual surveillance suspects

This is an article I wrote together with Annika Kremer from the German Working Group on Data Retention for today's EDRi-Gram. This issue has a special focus on privacy developments all across Europe, because today is international data protection day. Some links on further details can be found in the original version.

2008 can be marked as the year in which privacy moved high on the public agenda in Germany. On 1 January, the law on data retention went into effect, which made Germany drop from number one to seven in the country ranking published by Privacy International. On the same day, a constitutional challenge was submitted to the supreme court. The German working group on data retention and its allies managed to have more than 34,000 people participate in this case - the largest constitutional complaint ever seen in German history. The paperwork had to be brought to the constitutional court in huge moving boxes, which also offered a nice photo opportunity for everyone wanting to demonstrate how many people oppose data retention.

In February we saw the constitutional court decision on secret online searches of people's hard drives (the "federal trojan"). The court limited the use of this tool: only where there are "factual indications of a concrete danger" in a specific case to the life, body or freedom of persons, or to the foundations of the state or the existence of humans, may government agencies use these measures, and then only after approval by a judge. The decision was widely considered a landmark ruling, because it also constituted a new "basic right to the confidentiality and integrity of information-technological systems" as part of the general personality rights in the German constitution.

In March, the Chaos Computer Club published the fingerprint of the federal minister for the interior, Wolfgang Schäuble. This sparked high public attention and made frontpage news, and proved that biometric authentication as introduced in the German passport and identity card is not safe at all. Inspired by the recent successes, the growing number of privacy activists held a decentralised action day in May. Different kinds of activities, like demonstrations, flash mobs, information booths, privacy parties, workshops, and cultural activities, took place all over Germany.

Over the summer, some of the biggest German companies helped in raising public awareness of the risks of large data collections. Almost every week, there were reports on a big supermarket chain spying on its employees, on CD-ROMs with tens of thousands of customer data sets from call centers - including bank account numbers - being sold on the grey market, on the largest German telecommunications provider using retained traffic data for spying on its supervisory board and on high-ranking union members, on an airline using its booking system to spy on critical journalists, on two large universities accidentally making all student data available online, or on a big mobile phone provider "losing" 17 million customer data sets.

The Federal Government, under mounting public pressure, introduced some small changes to the federal data protection law, but at the same time continued its push for more surveillance measures in the hands of the federal criminal agency (Bundeskriminalamt, BKA). These included the secret online searches the constitutional court had just cut down to very exceptional circumstances a few months earlier. The German public discussed these moves very critically, especially since journalists are excluded from the special protections that are given to priests, criminal defense lawyers, and doctors.

Because of the public concern and debate about privacy risks, the call for another mass street protest was even more successful than ever before. The "Freedom not Fear" action day on 11 October was the biggest privacy event of the year. In Berlin, between 50,000 and 70,000 persons protested peacefully against data retention and other forms of "surveillance mania", making it the biggest privacy demonstration in German history. Privacy activists in many cities all over the world participated with very diverse and creative kinds of activities and turned this day into the first international action day "Freedom not Fear".

The anti-surveillance protests finally kicked off some serious discussion within the Social Democratic Party in a number of the German Länder (states). This resulted in a loss of the majority for the law on the federal criminal agency (BKA) in the second chamber (Bundesrat) in the first vote. It was only passed weeks later, after some changes were introduced, and with heavy pressure from leading federal Social Democrats. The new law is still seen as unconstitutional by many legal and privacy experts, and in January 2009 a case was submitted to the constitutional court.

Privacy activists in the fall of 2008 also campaigned against the retention of flight passenger name records, forcing Brigitte Zypries, the German minister of justice, to freeze her plans on the matter until after the federal elections in the fall of 2009. More recently, the working group on data retention attacked the "voluntary data retention" proposed in the EU telecom package, as well as the renewed data exchange agreements between the EU and the USA.

Wednesday, January 28, 2009

EU Proposal puts Confidential Communications Data at Risk

Here is an international press release I was involved in creating. The negotiations at EU level are already humming; there is a trilogue about this on Thursday. We in Germany also greatly appreciate this help, because there is a similar draft bill underway on the fast track in the German parliament right now.

Press release by La Quadrature du Net, European Digital Rights (EDRi), Working Group on Data Retention (AK Vorrat), and Netzpolitik.org, 2009-01-28:

EU proposal puts confidential communications data at risk

Civil liberties groups La Quadrature du Net, European Digital Rights (EDRi), AK Vorrat, and Netzpolitik.org are urging the European Parliament to heed advice given by the European Data Protection Supervisor Peter Hustinx and scrap plans dubbed "voluntary data retention".

"A proposal currently discussed in the European Parliament as part of the 'telecom package' would allow providers to collect a potentially unlimited amount of sensitive, confidential communications data including our telephone and e-mail contacts, the geographic position of our mobile phones and the websites we visit on the Internet", warns Patrick Breyer of German privacy watchdog AK Vorrat. "Apart from the creation of vast data pools that could go far beyond what is being collected under the directive on data retention, the proposal would also permit the passing on of traffic data to other companies for 'security purposes'. We must not let a potentially unlimited amount of confidential data be exposed to risks of disclosure or abuse in this way."

"This proposal is lobbied for under the guise of 'security', but what it really means is that users and citizens would have no expectation of privacy on the Internet anymore," adds Ralf Bendrath from EDRi. "This is a clear breach of the European tradition of considering privacy a fundamental human right."

In a paper published earlier this month, European Data Protection Supervisor Peter Hustinx joined the critics, warning the proposal would constitute a "risk of abuse" and "may be interpreted as enabling the collection and processing of traffic data for security purposes for an unspecified period of time." Hustinx reached "the conclusion that the best outcome would be for the proposed Article 6.6(a) to be deleted altogether" - a view firmly shared by La Quadrature du Net, EDRi, netzpolitik.org and AK Vorrat.

"A few months before the elections, citizens will have the opportunity to see if the Members of European Parliament are willing to protect their privacy", declares Jérémie Zimmermann, co-founder of the citizens' initiative La Quadrature du Net. "Every citizen should inform their MEPs and ask them to massively reject this article 6 (6a) of the ePrivacy directive. Other crucial issues about content and network neutrality are at stake as well. We must remind MEPs that they were elected to protect Europeans' fundamental rights and freedoms rather than abolishing them in favour of particular interests."

In a letter of September last year, 11 German civil liberties, journalists, lawyers and consumer protection organisations "urgently" asked the Commission, the Council and Parliament to scrap the proposed article 6 (6a) and "maintain the successful regulation of traffic data" which they say has "proven to constitute the best guarantee for our safety in information society."

Background paper by Working Group on Data Retention

About us:

La Quadrature du Net (Squaring the Net) is a France-based citizen group informing about legislative projects menacing civil liberties as well as economic and social development in the digital age. It became well known in the summer of 2008 for putting the spotlight on draft provisions in the EU telecom package that would allow a private, unaccountable regime for cutting citizens off the internet for alleged copyright infringements. Home page: http://www.laquadrature.net

EDRi is an association of 29 privacy and civil rights organisations from 18 different countries in Europe, who have joined forces to defend civil rights in the information society. Among other activities, EDRi is well known for its bi-weekly EDRi-Gram newsletter with world-wide readership. Home page: http://www.edri.org

The Working Group on Data Retention (AK Vorrat) is a German association of civil rights and privacy activists and Internet users. Among other activities, it organized the biggest privacy protest in German history in October 2008 with more than 50,000 participants. Home page: http://www.vorratsdatenspeicherung.de

Netzpolitik.org is the most-linked political blog in German and a political platform for digital rights. It has received several national and international awards. Home page: http://www.netzpolitik.org

What "the web" knows about him, online reporter finds out

Robert L. Mitchell from Computerworld did a fascinating research tour on what he could find about himself in all these databases. He started with ones that are available publicly or for a small fee. He then spent some money on data brokers and paid sources. Here is what he got:
Source: Government records
Information discovered: Full legal name, address, Social Security number, spouse's name and Social Security number, price paid for home, mortgage documents, signature

Source: Free people searches
Information discovered: Employer name, job title, age, month and date of birth, phone numbers, wife's name and age, historical addresses and phone numbers, personal e-mail address, identifying photographs, employment history

Source: Search engines
Information discovered: Age, phone numbers, Computerworld affiliation, Computerworld stories, blog posts, identifying photos, social network and nonprofit affiliations, editorial award

Source: Image search
Information discovered: Computerworld publicity photos, Flickr photos

Source: Social network search engines
Information discovered: Computerworld stories, blog posts, social network friends and co-workers

Source: Paid searches
Information discovered: Address history to 1985; real estate purchase dates, assessed values and mortgagors; 2004 property tax bill; nonprofit affiliations; Flickr account details; published stories; parents' names, address, phone number and first five digits of Social Security numbers; current and past neighbors' names, addresses, phone numbers, dates of birth and first six digits of Social Security numbers

Mitchell has a very good point when he concludes that authentication with several factors does not really help if all of them are based on "what you know", and he even did some social engineering based on the data he found about himself, e.g. with his bank. The other interesting thing he discovered, not to my surprise: much of the data was wrong, outdated, or wrongly combined with data about other persons with the same name.

But with all the information on how local governments fail to protect court records or housing documents they put online, how Acxiom and other data brokers have much more than they would tell you, or how much "the internet" knows about you, it's a bit sad that Mitchell only gives his readers "12 tips for managing your information footprint".

This is a political problem, and it has to be dealt with politically, not individually.

Tuesday, January 13, 2009

Privacy Conferences, first half 2009

Some interesting privacy-related conferences in the coming months: