[wilhelmtux-discussion] [edrigram@edri.org: EDRI-gram - Number 5, 27 March 2003]

Robert Ribnitz ribnitz at linuxbourg.ch
Fre Mar 28 18:21:47 CET 2003


----- Forwarded message from EDRI-gram newsletter <edrigram at edri.org> -----

==================================================================

                         EDRI-gram

   bi-weekly newsletter about digital civil rights in Europe

                    Number 5, 27 March 2003

==================================================================
Contents
==================================================================

1. No legal basis for transfer of passenger data
2. EU building bugged
3. French Constitutional Council validates computer search without warrant
4. Polish providers fight email monitoring obligation
5. Restrictions on cryptography in Spain
6. UK home office not amused with big brother award
7. Recommended reading: avoiding spam
8. Agenda
9. About

==================================================================
1. No legal basis for transfer of passenger data
==================================================================

The agreement between the European Commission and U.S. authorities on the 
transmission of passenger name record data (PNR) has encountered fierce 
opposition during a public hearing at the European parliament. The 
agreement gives the U.S. Customs on-line access to passenger name record 
data of all EU based airlines for flights that go to, from or through the 
U.S.

During the 25 March public hearing in the European parliament the 
Commission argued that it had no choice but to accept the U.S. demands for 
passenger data. Threats to fine European airlines or even halt landing 
rights were taken very seriously by the Commission. But many participants 
were not satisfied with the explanation that the Commission had been 
blackmailed and couldn't do anything about it. They argued that the 
transfer of PNR data has no legal basis and is a direct violation of the EU 
data protection directive.

Stefano Rodotà, chairman of the Article 29 Working Party (the coalition of 
EU privacy commissioners), concluded: "Everybody now realises how serious 
this is". He said the EU must take its responsibility and act, otherwise 
every third country could change its law and force the EU to adopt foreign 
legislation. Three civil liberty organisations (EDRI, Statewatch and EPIC) 
testified during the hearing and expressed concern about the willingness of 
the European Commission to bypass EU law to satisfy the U.S.

The scope of the agreement is wide. The agreement says that "Customs will 
retain the data no longer than is required for the purpose for which it was 
stored". But at the same time it is clear that the data is stored for an 
almost unlimited number of purposes, certainly not limited to fighting 
terrorism: "PNR data is used by Customs strictly for enforcement purposes, 
including use in threat analysis to identify and interdict potential 
terrorists and other threats to national and public security". The U.S. 
Customs will also share the data with all other U.S. agencies: "Other law 
enforcement entities may specifically request PNR information from Customs 
and Customs, in its discretion, may provide such information for national 
security or in furtherance of other legitimate law enforcement purposes". 
The agreement reads as an assurance that EU passenger data will be stored 
in FBI, NSA and CIA databases.

The PNR data consist of all relevant information related to a passenger's 
flight: departure and return flights, connecting flights, special services 
required on board the flight (meals such as Kosher, Halal) and payment 
information such as credit card numbers.

EP public hearing: Grave concerns over data protection
http://www2.europarl.eu.int/omk/sipade2?PUBREF=-//EP//TEXT+PRESS+NR-20030326-1+0+DOC+XML+V0//EN&LEVEL=2&NAV=S#SECTION5

European Commission - US Customs talk on Passenger Name Record transmission
http://europa.eu.int/comm/external_relations/us/intro/pnr.htm


==================================================================
2. EU BUILDING BUGGED
==================================================================

The telephone lines in the EU Justus Lipsius building in Brussels, home of 
the Council of Ministers, have been tapped for many years. The bugging 
devices were discovered in the rooms of the delegations of Britain, France, 
Germany, Spain, Italy and Austria. The devices were placed on lines between 
the central switchboard and the national delegations.

The German delegation ordered their Federal Office for Information Security 
(BSI) to examine the bugging devices. The expert called the building 'wired 
like a pinball machine'. It is suspected that the devices were installed 
during the construction of the building in 1995.

After discovery of the bugs a trap was set up to find out if the devices 
would be 'serviced' by the spying agency that had placed them. Nobody 
showed up and it is still unclear which country is responsible for the 
bugging.

George Papandreou, the Greek foreign minister and spokesman for the EU's 
presidency, said the eavesdropping is a waste of time. "To all those who 
feel that it is necessary to tap our phones, we say that Europe is a very 
transparent organisation," he said. "They shouldn't go to such lengths to 
try to find out information - we can provide it for them." These remarks 
have caused quite some amusement with people and organisations that have 
been following the EU access to documents policies in the last years.

Der Spiegel: Spionage gegen EU (in German) (24.03.2003)
http://www.spiegel.de/spiegel/0,1518,241722,00.html

Council of the European Union press release (19.03.2003)
http://ue.eu.int/newsroom/LoadDoc.asp?MAX=1&DOC=!!!&BID=75&DID=75009&GRP=5602&LANG=1


==================================================================
3. FRENCH CONSTITUTIONAL COUNCIL VALIDATES COMPUTER SEARCH WITHOUT WARRANT
==================================================================

The French Constitutional Council recently validated the Internal Safety 
Law ('Loi sur la sécurité intérieure'), adopted by the Parliament on 
February 13. This decision has been commented on by the Human Rights League - 
LDH, the French member of the International Human Rights Federation - as a 
'step backwards for the rule of law'.

Among the many provisions infringing privacy and other human rights, one 
authorizes the immediate access by Law Enforcement Authorities to the 
computer data of Telecommunications Operators, including Internet Access 
Providers, as well as of almost any public or private institute, 
organization or company. The second important measure authorizes the 
searching without warrant of any information system, provided that its data 
are accessible through the network from a computer being searched with a 
warrant (e.g. all computers in a P2P network may now be searched on the 
basis of a single warrant for one of them). If the data are stored in a 
computer located in a foreign country, then their access remains subject to 
applicable international agreements.

These provisions implement parts of Article 19 (search and seizure of 
stored computer data) of the Council of Europe Cybercrime Convention, 
signed but not yet ratified by France. The Convention, which has been 
opened to signatures since 23 November 2001, has not entered into force to 
date. It has been strongly criticized by many Human Rights organizations as 
well as by professional experts.

EDRI-member IRIS notes in its press release that the French transposition 
of Article 19 of the Cybercrime Treaty doesn't even fulfil the minimal 
conditions and safeguards stated in Article 15, in reference to 
international instruments for the protection of human rights and 
fundamental freedoms.

(Contribution by Meryem Marzouki, IRIS)

Statement by Ligue des droits de l'Homme (in French)
http://www.ldh-france.com/actu_derniereheure.cfm?idactu=646

Statement by IRIS (in French)
http://www.iris.sgdg.org/info-debat/comm-loi-si0303.html

Treaty Watch
http://www.treatywatch.org/


==================================================================
4. POLISH PROVIDERS FIGHT EMAIL MONITORING OBLIGATION
==================================================================

According to an item on Warsaw Polish Radio 1 on 19 March 2002, 
telecommunication providers in Poland have received an order from the 
Ministry of Infrastructure to install email wiretapping equipment.

In the item counsellor Daniel Wieszczycki stated the order is contrary to 
the Constitutional right of secrecy of correspondence. In pursuance of the 
order, the operators are obliged to connect their lines to authorized 
surveillance institutions. These are the Internal Security Agency, the 
Intelligence Agency, the Military Gendarmerie, the Border Guard, the police 
and the military intelligence.

Counsellor Wieszczycki emphasized that the Internet communities have 
already announced that they would take the order to the Constitutional 
Tribunal. He said: "we noticed some characteristics of this order, such as 
a lack of respect for the Constitutional right to protection of secrecy of 
communication. Indeed, it orders the application of technical solutions 
which will make impossible court supervision of the installation of such 
monitoring provisions or of surveillance in general..."

Translation source: Foreign Broadcast Information Service (USA government), 
document number FBIS-EEU-2003-0319


==================================================================
5. RESTRICTIONS ON CRYPTOGRAPHY IN SPAIN
==================================================================

A proposal to modify the Spanish telecommunication law threatens the free 
use of cryptography.

The current General Law of Telecommunications (Ley General de 
Telecomunicaciones, LGT) already puts some restrictions on the use of 
cryptography. The second part of article 52 ('Cifrado en las redes y 
servicios de telecomunicaciones', that is, network encryption and 
telecommunication services) says:

"Encryption is a security instrument for information. Among its conditions 
of use, when it is used to protect the confidentiality of information, an 
obligation may be imposed to notify either a General Administration State 
authority or a public one of the algorithms or any other encryption 
procedure used, in order to control it according to the law. This 
obligation will affect developers that include encryption in their 
equipment or software, the operators that include it in networks or in 
specific services and users that make use of it."

The modification proposal would create an obligation for every user to hand 
over their encryption key and password when asked by any public authority. 
The revised article (renumbered as 36.2) with the modification in capitals, 
looks like this:

"Encryption is a security instrument for information. Among its conditions 
of use, when it is used to protect the confidentiality of information, an 
obligation may be imposed to notify either a General Administration State 
authority or a public one of the keys, the algorithms or any other 
encryption procedure used, including all the technical information related 
to the used system, and also the obligation to facilitate, at no cost, the 
encryption devices used and the technical information related to the system 
used in the encryption procedure, in order to control it according to the 
law."

The Spanish government has not given any explanation about the need for 
this modification, just vague references to the need of some 'control'.

The law would clearly give new impulse to key escrow schemes. In fact the 
Fábrica Nacional de Moneda y Timbre is allowed by the government to develop 
such schemes.

(Contribution by Arturo Quirantes - CPSR-Spain)


==================================================================
6. UK HOME OFFICE NOT AMUSED WITH BIG BROTHER AWARD
==================================================================

Yesterday, Privacy International announced the winners of the 5th Annual UK 
'Big Brother' awards to the government and private sector organisations 
that have done the most to invade personal privacy in Britain.

Winner of the award for worst public servant is London Mayor Ken 
Livingstone, for his efforts in transport surveillance. Prime Minister Tony 
Blair received the Lifetime Menace Award. Blair earned the award partly 
because of his plans to force phone companies and Internet service 
providers to retain user data for 12 months as part of the country's 
stepped-up war on terrorism and crime.

According to an article in The Guardian, a representative of the Home 
Office attended the event, but did not take the special award for minister 
David Blunkett: a (fake) dog poo on a stick. The home secretary has been a 
long-time target for privacy campaigners, as a result of his support for 
schemes such as entitlement cards.

"These are silly and malicious awards which have rightly been ignored by 
most people," said a Home Office press officer.

Privacy International's Director, Simon Davies, said the award winners 
reflected the 'prolonged and vicious' attack on the right to privacy. He 
said privacy invasion in Britain has become "a vast industry that threatens 
the rights of everyone in Britain".

Press release UK Big Brother Awards 2003 (25.03.2003)
http://www.privacyinternational.org/bigbrother/uk2003/

Home office attacks "malicious" awards (25.03.2003)
http://www.guardian.co.uk/online/news/0,12597,922483,00.html


==================================================================
7. RECOMMENDED READING: AVOIDING SPAM
==================================================================

Did you ever wonder how spammers got your email address? According to new 
research by the USA-based Center for Democracy and Technology, publication 
of your email address on a website is the number one cause of getting a lot 
of spam. It definitely helps to disguise your address, such as replacing 
'somebody at domain.eu' with 'somebody at domain dot eu'.

Why am I getting all this spam? (19.03.2003)
http://www.cdt.org/speech/spam/030319spamreport.shtml


==================================================================
8. AGENDA
==================================================================

2-4 April 2003 New York, USA - CFP 2003
http://www.cfp2003.org/cfp2003/program.html

6-7 May 2003 Padova, Italy - Information Society Visions and Governance
Contact for information: Claudia Padovani, claudia.padovani at unipd.it

8-9 May 2003, Namur, Belgium - Collecting and Producing Electronic Evidence 
in Cybercrime Cases
2-day workshop organised by the University of Namur
http://www.ctose.org/info/events/workshop-8-9-may-2003.html

30 June - 2 July 2003 St Petersburg, Russia - Building the Information 
Commonwealth
http://www.communities.org.ru/conference/

7-10 August 2003 Berlin, Germany - Chaos Computer Camp 2003
http://www.ccc.de/camp/


==================================================================
9. ABOUT
==================================================================

EDRI-gram is a bi-weekly newsletter from European Digital Rights, an 
association of privacy and civil rights organisations in Europe. Currently 
EDRI has 10 members from 7 European countries. EDRI takes an active 
interest in developments in the EU accession countries and wants to share 
knowledge and awareness through the EDRI-grams. All contributions, 
suggestions for content or agenda-tips are most welcome.

Newsletter editor:
Sjoera Nas, edrigram at edri.org

Information about EDRI and its members:
http://www.edri.org/

- EDRI-gram subscription information

subscribe/unsubscribe web interface
http://www.edri.org/cgi-bin/mailman/listinfo/edri-news/

subscribe by email
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated email asking to confirm your request.

- EDRI-gram in Spanish

EDRI-gram is also available in Spanish, usually 3 days after the English 
edition. The contents are the same. Translations are provided by David 
Casacuberta, secretary of the Spanish chapter of Computer Professionals for 
Social Responsibility (CPSR).

To subscribe to the Spanish language EDRI-gram, please visit
http://www.edri.org/cgi-bin/mailman/listinfo/edri-grama/

or subscribe by email:

To: edri-grama-request at edri.org
Subject: subscribe

- Newsletter archive

Back issues are available at:
http://www.edri.org/cgi-bin/index?funktion=edrigram

- Help

Please ask info at edri.org if you have any problems with subscribing or 
unsubscribing.

==================================================================
Publication of this newsletter is made possible by a grant from
the Open Society Institute (OSI).
==================================================================



----- End forwarded message -----