From: [log in to unmask] [mailto:[log in to unmask]] On Behalf Of EDRI-gram newsletter
Sent: 05 November 2008 20:59
To: [log in to unmask]
Subject: EDRi-gram newsletter - Number 6.21, 5 November 2008

============================================================

            EDRi-gram

 biweekly newsletter about digital civil rights in Europe

     Number 6.21, 5 November 2008


============================================================
Contents
============================================================

New members EDRi
1. One more step for France in adopting the graduated response 2. The European Parliament says no to airport body scanners 3. US visa waiver program questioned by the Hungarian President 4. Finnish e-voting fiasco: votes lost 5. First PrivacyOS Conference: different privacy approaches in synergy 6. Big Brother Awards Germany 2008 7. Big Brother Awards Finland 2008 8. Internet giants gather for freedom of speech - Global Network Initiative 9. ENDitorial: The FRA Law - Sleepwalking into a Surveillance Society 10. Recommended Action 11. Agenda 12. About

============================================================
New members EDRi
============================================================

At the EDRi General Assembly of 25 October 2008 in Wien, Austria, EDRi welcomed 3 new members.

Electronic Frontier Norway (EFN) is a Norwegian civil liberties and digital rights organization working to protect and promote freedom of expression, privacy, the use of open standards and media file formats, public access to online resources and information, democratic IT infrastructures. The IT-Political Association of Denmark (IT-Pol) is a very active organization focusing on various issues, such as privacy, infrastructure security, open standards, software patents, DRM and copyright, e-voting or RFID.
Vrijschrift is a Dutch foundation that stimulates free and open software and knowledge with projects ranging from supporting the Openstreetmap and Gutenberg projects to providing an umbrella for translators of open source software, OOXML and IPRED2. EDRI now has 29 members that are based or have offices in 18 different European countries, all within the territory of the Council of Europe.

After the General Assembly, all the participant EDRi members were present at the Big Brother Awards Austria 2008 where Meryem Marzouki received the Positive Prize "Defensor Libertatis" for her work in the digital civil rights movement, including her active participation within EDRi and her involvement in the campaign against the French law on Edvige.

Big Brother Austria 2008 Prizes (only in German) http://www.bigbrotherawards.at/2008/Preistraeger

Electronic Frontier Norway (EFN)
http://www.efn.no

The IT-Political Association of Denmark (IT-Pol) http://www.itpol.dk

Vrijschrift (Netherlands)
http://www.vrijschrift.org/

EDRI members and observers
http://www.edri.org/about/members

============================================================
1. One more step for France in adopting the graduated response ============================================================

Despite all opposition and debates, on 30 October 2008, a crushing majority of the French Senate voted in favour of the anti-piracy law, the so called Hadopi law, introducing the graduate response against illegal content downloading.

The law enabling the introduction of three-strikes measure against file-sharers and Internet users comes now in contradiction with the European Parliament's opinion which called on the European Commission and all member states to "avoid adopting measures conflicting with civil liberties and human rights and with the principles of proportionality, effectiveness, and dissuasiveness, such as the interruption of Internet access."

Regarding the French Senate's vote, Jeremie Zimmermann, co-founder of La Quadrature du Net said: "Inconsistencies, lies, confusion and insults which the creative industries habitually use to blame their clients served as justification for a hurried vote, which ignored the wider public debate which is taking place in France and in Europe."

According to the modified law voted by the Senate, if an illegal downloading case is reported by an authorised body (industry associations, CNC, professional bodies), Hadopi, the body created especially for this purpose, will send the infringer a warning e-mail. If the infringement is repeated in 6-month time, a new e-mail is sent together with a warning by registered letter. In case in the next year the infringement is repeated, the Internet user in cause is penalised according to the gravity of the act. The sanction can be the denial of Internet access ranging from one month (duration decreased by the senators from 3 months as initially in the draft law) to a year during which time the Internet user continues to pay the access subscription and is included on a black list that forbids him
(her) to subscribe to any other operator.

Bruno Retailleau, a Senate member who voted against the legislation, argued that a full cut off of the Internet access is too severe a punishment as Internet access is essential to modern homes. In his opinion, cutting off households might even be considered discriminatory, as Internet access is usually tied to a cable line or phone service.

In case the French National Assembly (the second chamber of the Parliament) also votes in favour of the Hadopi law and the law becomes effective next year, the French government will be at odds with the European Parliament being in direct contradiction with Amendment 138 to the Telecoms Package, voted on 24 September which explicitly states that only the judicial authority can impose restrictions on citizens' fundamental rights and freedoms.

The European Parliament clearly expressed the opposition against the cutting off of Internet users' access, wishing "a balance between the interests of rights holders and those of consumers", and considering that "that big measures like cutting off Internet access shouldn't be used."

On the other hand, minister Albanel seems confident in the removal of Amendment 138 of the Telecom Package by the European Council having in view the pressure France is putting on the Commission and the Council.

Illegal downloading: the graduate response reviewed and corrected by the Senate (only in French, 1.11.2008) http://www.01net.com/editorial/394828/telechargement-illegal-la-riposte-graduee-revue-et-corrigee-par-le-senat/?rss

"Three strikes" P2P rule inches closer to law in France (2.11.2008) http://arstechnica.com/news.ars/post/20081102-three-strikes-p2p-rule-inches-closer-to-law-in-france.html

"Graduated response" - Will France disconnect Europe? (1.11.2008) http://www.laquadrature.net/en/graduated-response-will-france-disconnect-europe

EDRi-gram: French law on 'graduate response' opposed by ISOC Europe
(10.09.2008)
http://www.edri.org/edrigram/number6.17/3strikes-opposed-isoc-europe

============================================================
2. The European Parliament says no to airport body scanners ============================================================

MEPs will not support the European Commission plans to include body scanning procedures within the airport security systems.

The new system planned by the European Union to be introduced in airports allows security personnel to see an outline of passengers' bodies beneath their clothes, in order to detect concealed objects more easily. The resulted image is similar to that of the naked body. The system already works in several US airports and has been tested in EU as well, in countries such as UK and the Netherlands.

In MEPs' opinion, the measure is "equivalent to a virtual strip search" and "has a serious impact on the right to privacy...and personal dignity".
British Conservative Philip Bradbourn MEP said that such scans "were a grave violation of the right of privacy and a degrading measure".

Therefore, the MEPs intend to block the approval of the European Commission plans in this matter and, in a resolution passed on 21 October 2008, asked the Commission to carry out a fundamental rights impact assessment and to consult the Fundamental Rights Agency and the European Data Protection Supervisor. They also asked the European Commission to obtain medical expertise on the possible health risks of the technology.

"Travellers need to know exactly what the images display, their right to opt for an alternative search, and how they can have confidence that intrusive and sensitive images will not be misused. Although claims are made that the images are not of photographic quality, they seem to be quite explicit about portrayal of genitalia and intimate medical details like breast implants and colostomy bags" said Liberal Democrat MEP Sarah Ludford who also added:
"Fears arise about the images finding their way into the press and onto the internet, maybe through payment to employees, unless bans on storage are strictly policed."

Irish MEP Mary Lou McDonald also considered the measure as "unnecessary, unjustified and invasive" and commented: "Much controversy has surrounded the introduction of body scanners into U.S. airports, and here in Europe there is neither appetite nor agreement on introducing the technology into member states.(...) International human rights and civil liberty groups have described body scanners as 'shameful, undignified and demeaning'. The idea that any member state parliament would subject its young and elderly to such an inappropriate experience when travelling is difficult to rationalise."

The resolution supported by a majority of MEPs said all aviation security measures, including body scanners, should "respect the principle of proportionality as justified and necessary in a democratic society".

MEP Philip Bradbourn said the technology should not be used routinely on passengers, but could be introduced when suspicions are raised. "There may be some benefit in having body scanners in our airports, but they should be a last resort and a substitution for a strip search, not a random sample of innocent holiday-makers," he said.

The European Commission, in its turn, stated that the legislation backing the introduction of the scanners would observe safety and privacy rules and added that the passengers objecting to the procedure could be offered an alternative form of security check.

The Parliament expects a response in this matter from the Commission in a few weeks.

MEPs against body scans & pirates (24.10.2008) http://www.europarl.europa.eu/news/public/story_page/008-39967-350-12-51-901-20081020STO39966-2008-15-12-2008/default_en.htm

European airports will not get 'strip search' body scanners after MEPs refuse to support plans (23.10.2008) http://www.dailymail.co.uk/news/worldnews/article-1080080/European-airports-strip-search-body-scanners-MEPs-refuse-support-plans.html

EU lawmakers criticize virtual strip search (21.10.2008) http://ap.google.com/article/ALeqM5j6aLeHGjRhPaZHs9gEp6mX05CUggD93V8A3G0

EDRIgram - The European Union wants to introduce virtual body screening in airports 8.10.2008) http://www.edri.org/edrigram/number6.19/virtual-body-screen

============================================================
3. US visa waiver program questioned by the Hungarian President ============================================================

On 20 October 2008, Hungarian President László Sólyom sent back to the Parliament for reconsideration the adopted law on sharing criminal data that was to be the final agreement between the United States and Hungary on the US visa-waiver program.

Concerned with data protection issues, the President argued that the agreement which authorizes the introduction in a register of all fingerprints including those of the victims of crimes, would give the US too large an access to Hungarian criminal records. He believes that the Hungarian Parliament has to solve first the Hungarian criminal registry system before adopting the law.

The Justice and Law Enforcement Ministry and the Foreign Ministry, while expressing regrets regarding the president's decision, stated they would study his remarks and prepare a proposal in this sense.

As only part of the EU member states were benefiting of the US visa waiver program, 6 new EU member states, among which Hungary, which still needed visa for their citizens when entering the US decided to go into bilateral negotiations to become part of the visa waiver scheme. The new scheme has created concerns within the EU and EU data privacy ombudsman Peter Hustinx as well as data privacy ombudsman András Jóri protested against the regulation.

As a recent news, on 3 November, the Parliament ratified with a large majority, for a second time, the agreement for the country to join the US visa waiver program. According to the Hungarian constitution, if the document is voted in the Parliament the second time, the President has to sign the bill. Therefore, starting with 17 November, the Hungarians will be able to travel to the US without visas for up to 90 days. The only requirement is that they have to be registered electronically.

Hungarian president vetoes U.S. visa waiver agreement (23.10.2008) http://central.blogactiv.eu/2008/10/23/hungarian-president-vetoes-us-visa-waiver-agreement/

The US links the planned visa-exemption deal for Hungarians to the Hungarian Sólyom rejects final accord needed for US visa-waiver (21.10.2008) http://www.politics.hu/20081021/solyom-rejects-final-accord-needed-for-us-visawaiver

America does not force anybody to join its visa waiver program (17.10.2008) http://budapest.cafebabel.com/en/post/2007/08/29/Hungary-welcomes-US-visa-change

Ministry for Foreign Affairs of the Republic of Hungary - The last open chapter in Hungarian-U.S. relations has been closed with Hungary's entry in the Visa Waiver Program expected within a month - Kinga Göncz welcomes President Bush's announcement (17.10.2008) http://www.mfa.gov.hu/kum/en/bal/actualities/spokesman_statements/GK_US_visa_eng_1017.htm

Hungarian MPs ratify US visa waiver accord (4.11.2008)
http://www.caboodle.hu/index.php?id=12&no_cache=1&tx_ttnews[backPid]=11&tx_ttnews[tt_news]=5925

============================================================
4. Finnish e-voting fiasco: votes lost
============================================================

A fully electronic voting system was piloted in the Finnish municipal elections on 26 October 2008. EDRi-member Electronic Frontier Finland (EFFi) had criticised the pilot program for years, recently releasing a report on its deficiencies.

Today, the Ministry of Justice revealed that due to a usability issue, voting was prematurely aborted for 232 voters. The pilot system was in use in three municipalities; this amounts to about 2 per cent of the electoral roll. Seats in the municipal assemblies are often determined by margins of only a couple of votes.

It seems that the system required the voters to insert a smart card to identify themselves, type in their selected candidate number, then press "ok", check the candidate details on the screen, and then press "ok" again.
Some voters did not press "ok" for the second time, but instead removed their smart card from the voting terminal prematurely, causing their ballots not to be cast.

This usability issue was exacerbated by the Ministry of Justice instructions, which specifically said that in order to cancel the voting process, the user had to click on "cancel" and after that, remove the smart card. Thus, some voters did not realise that their vote had not been registered.

Also, there has now been at least one report of touchscreen issues. A voter had repeatedly tried to click on "ok", but either due to system lag or touchscreen sensitivity problems, it took "minutes" to get the button press registered. If hit by this type of problem, the voters may well have thought that the ballot casting process had completed.

EFFi argues that the election should be re-run in the affected municipalities, and has issued a press release arguing for the legal basis of a re-election. According to the Finnish election law, this would require a decision from the Administrative Court.

The electronic voting experiment in positive feedback - about 200 votes, however, was interrupted by mistake (only in Finnish, 28.10.2008)
http://www.om.fi/Etusivu/Ajankohtaista/Uutiset/1224166604122

The election result can not be undone (only in Finnish, 29.10.2008) http://www.hs.fi/keskustelu/Brax%3A+Vaalitulosta+ei+voi+perua+hukka%E4%E4nien+takia/thread.jspa?threadID=148607&tstart=0&sourceStart=40&start=60

EFFi press release (only in Finnish, 28.10.2008) http://www.effi.org/julkaisut/tiedotteet/lehdistotiedote-2008-10-28.html

Flash  demo of the e-voting user interface http://www.vaalit.fi/sahkoinenaanestaminen/en/esitys/index.html

EDRi-gram: Effi's e-voting 'shadow report' (10.09.2008) http://www.edri.org/edrigram/number6.17/effi-evoting-report

(contribution by Antti Vaha-Sipila - EDRi-member EFFi - Finland)

============================================================
5. First PrivacyOS Conference: different privacy approaches in synergy ============================================================

The first Open Space conference of the PrivacyOS project was held in Strasbourg on 13-15 October 2008, in the European Parliament premises.
PrivacyOS is a project funded under the European Commission's ICT Policy Support Programme, started on 1 June 2008 for a total duration of 24 months.
Seventeen partners have joined forced in this project aiming at bringing together industry, SMEs, Government, Academia and Civil Society to foster development of privacy infrastructures for Europe. The project is coordinated by Jan Schallaböck and Katalin Polgar, both from the Schleswig-Holstein (Germany) Data Protection Authority.

The general objectives of PrivacyOS are to create a long-term collaboration in the thematic network and establish collective interfaces with other EU projects. Participants exchange research and best practices, and develop strategies and joint projects following four core policy goals:
awareness-rising, enabling privacy on the Web, fostering privacy-friendly Identity Management, and stipulating research.

The Open Space conference format has proven a powerful mean to share participants' achievements, research and developments questions, and social concerns with respect to privacy. It also allowed to mix technical, legal and political approaches of privacy protection issues. It was a good venue to learn from other EU funded projects related to privacy, like the EuroPriSe (European privacy seal), PrimeLife, and others. This first edition was organized into 12 timeslots of 45mn each. Participants, including non project partners attending the conference, distributed the slots according to their proposed activities.

While most thematic sessions were introduced by one or two presentations, some timeslots took a more interactive form, like the one coordinated by the Oxford Internet Institute, a project partner, on 'Mapping the Database
State': participants were invited to form three groups to discuss what central databases are setup in the framework of EU member states e-government developments.

Privacy enhancing technologies (PETs) were intensively discussed during the conference. Technical solutions were presented, like the SWIFT project consortium's proposal for identity management or the 'Silent Tag' project presented by Friendly Technologies Ltd, aiming at defining RFID chips that do not reply to generic interrogation, but only to identified and authenticated ones. Legal, ethical and political requirements were also discussed, following a presentation by Microsoft's Chief Privacy Advisor Caspar Bowden. Caspar Bowden's idea of interpreting article 8 of ECHR as a mandatory requirement for PETs implementation probably fall into technological determinism, but his suggestion to regulate data mining as a technology nicely converge with the concept of 'design liability' advocated by Law Professor Joel Reidenberg at the 2007 International Conference of Data Protection and Privacy Commissioners in Montreal. The only remaining issue being that regulation implies control and such control is necessarily based on open access to the software to be examined..

As a PrivacyOS project partner, EDRI participated to this conference with a delegation of 4 persons representing its members FifF (Germany), IRIS (France), IuRe (Czech republic), and NNM (Germany). Two of them gave
presentations: Ralf Bendrath (NNM) on "The new Privacy Movement - how to link & use the energy" and Meryem Marzouki (IRIS) on "ICTs and Security
Policies: Trends and Needs for Specific Guarantees". Other EDRI members are also partners of this project on their own: Metamorphosis (Macedonia) and Quintessenz (Austria).

PrivacyOS is planning 3 other such conferences before the end of the project duration. Next conference will be held in Berlin, Germany, in April 2009.

PrivacyOS project (with conference presentations online) http://www.privacyos.de

EDRI-gram: ENDitorial: Montreal Privacy Week: Terra Incognita Or Deja Vu?
(10.10.2007)
http://www.edri.org/edrigram/number5.19/montreal-privacy-week

(Contribution by Meryem Merzouki - EDRi)

============================================================
6. Big Brother Awards Germany 2008
============================================================

The ninth edition of the Big Brother Awards Germany ceremony took place on
24 October 2008 in Bielefeld, Germany. The "Oscars for data leeches" event was organized by EDRi-member FoeBuD that gave seven negative awards.

The Big Brother Award 2008 in the "Europe/EU" category went to The Council of the European Union (EU Ministers Council) in Brussels for the EU terror list. On this list, numerous organisations and individual persons have been labelled as "terrorists" and placed under strict sanctions, leading to severe violations of human rights. There has been neither a democratic mandate for establishing this data collection, nor is it administrated with any democratic control. For a long time, the people affected have not even been given a legal hearing, let alone legal protection against this stigmatisation by the authorities.

The "Health and Social Services" category prize was won by the Deutsche Angestellten-Krankenkasse ("German Employees' Health Insurance", DAK, a statutory health insurer) for the unauthorised sharing of 200.000 chronically ill patients' data with a private company, without giving information to the insurance customers or asking for their consent.

The BigBrotherAward 2008 in the category "Consumers" went to the members of the 16th German Bundestag (the Lower House in Germany's Federal Parliament) for waving through a number of laws which enforce the collection, long-term storing and sharing of detailed data of travellers. A similar prize in the "Consumers" category was also received by the Work Group of German Market and Social Research Institutes for their recommendation in a guideline to have consumer interviews by telephone monitored secretly, and to continue propagating this illegal guideline even after protests from the data protection authorities.

Deutsche Telekom AG also won an award in the "Workplace and Communications"
category for their illegal use of telecommunication connections data to snoop on Telekom supervisory board members and journalists

In "Technology" category, the Yello Strom GmbH (Ltd) was hailed as the winner for their pioneering role in introducing digital electricity technology for private customers. With this technology, electricity consumption can be registered with single-second accuracy for each household and even for individual devices, potentially leading to a detailed surveillance of activities in the home.

Ministry of Economy and Technology also received the "Politics" section award for passing the law about the ELENA procedure und the associated forced introduction of the electronic signature.

Big Brother Awards Germany 2008
http://www.bigbrotherawards.de/

Winners BBA Germany 2008
http://www.bigbrotherawards.de/2008

============================================================
7. Big Brother Awards Finland 2008
============================================================

EFFi (Electronic Frontier Finland) gave out Big Brother Awards for the fifth time in a ceremony held at Helsinki Book Fair on 25 October 2008. This year, Big Brother Awards were given to companies and public servants who had done the most to promote an Orwellian surveillance society in Finland.

The recipients were selected by a board of experts, this year composed of political researcher Iivi Masso, professor Tere Vadén and EFFI's vice chairman Ville Oksanen.

Chief Inspector Lars Henriksson from the National Bureau of Investigation swept the individual series with his speedy censorship of "bad stuff" on the Internet with little or no regard for facts and the attitude of "never mind the innocents as long as we grab some guilty ones".

State prosecutor Mika Illman came second in the individual series. He was credited with persistent efforts to limit the freedom of speech in the Internet while paying scant attention to the principles of democracy, his own judicial status as a state prosecutor and the technological limitations governing the medium.

The community series award was hotly contested between the Ministries of Justice, Interior and Transport and Communications. This year the overall winner was Ministry of Justice with their aggressive promotion of "don't worry about your vote, we'll take care of it" electronic voting system and the rapid erosion of privacy and personal information protections.

The business series was swept by TietoEnator. Not only was their newly developed e-voting system immune to the usual security concerns associated with voting but also their auditing process was undermined by having auditors from the Ministry of Justice sign NDAs preventing them from disclosing their findings in public. Extra points were awarded for various failed information technology projects for the government that have contributed to employment in the information technology sector in Finland.

On the other hand, there were also plenty of nominees for the positive Winston Smith Award. In the end, hacker Harri Hursti won the award for his defence of democracy and free elections by studying and exposing various flaws and problems in electronic voting machines.

Other nominees for this award included anti-Internet-censorship activist Matti Nikki, data protection ombudsman Reijo Aarnio and MEP Pia-Noora Kauppi.

Previous Big Brother awards (only in Finnish) http://www.effi.org/julkaisut/tiedotteet/lehdistotiedote-2007-10-24.html

(Contribution by EDRi-member Electronic Frontier Finland )

============================================================
8. Internet giants gather for freedom of speech - Global Network Initiative ============================================================

Microsoft, Yahoo! and Google confirmed on 28 October 2008 having signed up for the Global Network Initiative (GNI), an organisation aimed at preserving free speech on the Internet.

GNI members are bound to challenge governments against requests for disclosure of private data if they consider the requests are in breach of international human rights laws. GNI is meant to give guidance and a set of procedures to technology companies in view of providing freedom of expression and privacy in countries where there are privacy issues.

The creation of the initiative was facilitated by the Center for Democracy and Technology and the Business for Social Responsibility and, besides the three giant companies, GNI includes several human rights organisations such as Electronic Frontier Foundation, Human Rights First, the Committee to Protect Journalists, Human Rights Watch, and Human Rights in China.

"This initiative is the result of two years of discussions with other leading technology companies, human rights organizations, socially responsible investors and academic institutions. Thanks to hard work and cooperation from all parties, the Initiative sets the kinds of standards and practices that all companies and groups should use when governments threaten internationally recognized rights to free expression and privacy.

The Global Network Initiative also offers an important commitment from all parties to take action together to promote free expression and protect privacy in the use of all information and communication technologies. We know that common action by these diverse groups is more likely to bring about change in government policies than the efforts of any one company or group acting alone" wrote Andrew McLaughlin, Google Director of Public Policy and Government Affairs on a Google blog post.

The Internet companies and search engines have been criticised in the past for having provided certain governments with private information on the online activities of citizens and political opponents. The most debated case was that of Yahoo which was revealed in 2006 to have provided information to Chinese officials on the online activities of Chinese political opponents. The action led to the imprisonment of the respective Chinese activists. Yahoo commits now to help in protecting the freedom of speech on the Internet.

"Yahoo was founded on the belief that access to information can enrich people's lives, and the principles we unveil today reflect our determination that our actions match our values around the world. (...) These principles provide a valuable roadmap for companies like Yahoo operating in markets where freedom of expression and privacy are unfairly restricted" stated Jerry Yang, Yahoo's CEO and co-founder.

By GNI principles, companies commit to opposing such requests from Governments even if they are in agreement with the domestic laws. "When required to restrict communications or remove content, participating companies will challenge the government in domestic courts or seek the assistance of relevant government authorities, international human rights bodies or non-governmental organizations when faced with a government restriction that appears inconsistent with domestic law or procedures or international human rights laws and standards on freedom of expression."

The principles however say that not every request is to be challenged as this would be "neither practical nor desirable" and the companies have the option to select cases in terms of certain criteria "such as the potential beneficial impact on freedom of expression, the likelihood of success, the severity of the case, cost, the representativeness of the case and whether the case is part of a larger trend." Also, the companies will "assess the human rights risks associated with the collection, storage, and retention of personal information in the jurisdictions where they operate and develop appropriate mitigation strategies to address these risks."

GNI members will submit themselves to independent audits for the compliance with GNI principles.

Microsoft, Yahoo! and Google sign privacy pact, vow to fight for human rights (29.10.2008)
http://www.out-law.com//default.aspx?page=9543

Google, Microsoft, Yahoo Forge Free Speech Pact (PC Magazine) (28.10.2008)
http://tech.yahoo.com/news/zd/20081028/tc_zd/233427

Diverse Coalition Launches New Effort to Respond to Government Censorship and Threats to Privacy (28.10.2008) http://www.globalnetworkinitiative.org/

New steps to protect free expression and privacy around the world
(28.10.2008)
http://googleblog.blogspot.com/2008/10/new-steps-to-protect-free-expression.html

============================================================
9. ENDitorial: The FRA Law - Sleepwalking into a Surveillance Society ============================================================

New disclosures from researchers and electronic surveillance experts in an effort to explain the real impacts and implications of the FRA law.

The Swedish Parliament passed controversial legislation last June, the so called FRA law. It seems that the MPs didn't realise what they were voting for when they voted the FRA law. The FRA law is one in a line of laws calling for mass surveillance of ordinary people. It gives the Swedish signal intelligence agency, FRA, (the National Defence Radio Establishment) the right to eavesdrop on all civilian Internet, telephone and fax traffic and keep tabs on the social networks of innocent citizens. This can be done by accessing various existing databases carrying information about a given person's race, ethnic origin, political views, union membership, sexual habits etc. In addition, the FRA agency is entitled to transfer personal data to foreign powers. In this way FRA may get to know you better than you know yourself. Keeping under surveillance lots of innocent private individuals is unacceptable and contrary to the principles governing democratic societies. This is the view of thirteen researchers and experts in different areas of knowledge who have analysed the FRA law.

The digital revolution affects our lives in terms of privacy more than we think. We leave electronic 'footprints' whatever we do: paying by credit card, visiting website homepages, calling friends on the phone or sending them an e-mail. Imagine that someone decides to collect all this information and assemble it in a massive database. Using the right tools they will be able to identify your lifestyle patterns and gain insight into your personality.

These recurring personality patterns can be graphically illustrated by means of a sociogram.

A sociogram is a graphic representation of the relationships between persons, organisations, homepages etc., with the view to determine personal social networks, position of power, views and beliefs and other personal information.

The actual message is less important than the information about the sender, recipient, the time of transaction, and means of communication. If the personal sociogram is known, it is possible to establish the person's contact relationships, which is often all that is needed.

Two questions have been left unanswered by the FRA-law debate. The first question is: How will FRA be able to access information when an increasing number of users choose to encrypt their messages? This is especially relevant, as there has been a tendency for encryption techniques to develop at a faster rate than decryption techniques. FRA has stated that this should not pose an insurmountable problem, since the message content need not be examined in order to determine whether a given communication is worth further examination.

The second question is: What will happen to all this incoming electronic traffic once it has been re-routed and fed into the FRA agency? The answer is that it will be examined and analysed by means of social network analysis techniques such as, for example, sociographic representations.

Different individuals can be linked to different sociograms: we have different everyday experiences, social relations, interests, views and beliefs, all of which is reflected in our electronic communication contacts.
Sociograms have applications in a plethora of areas. With the help of a powerful computer and appropriate analytical tools we might thus be able to build up a profile of and identify a typical benefit scrounger, a refugee in hiding, a data hacker, a homosexual couple, or a political activist, to give just a few examples. If we also monitor cross-border traffic we will be able to - at least theoretically - build sociograms identifying currency speculators, or foreign political and military leaders. The objectives of the FRA law scheme in which surveillance of the civilian population can take place comport well with this type of analysis.

The adoption of the new legislation giving officials sweeping powers to access all electronic information has been justified by combating external threats, including phenomena such as international terrorism, hostile foreign state behaviour towards Sweden, IT dependence, economic crises, environmental threats, ethnic and religious conflicts, vast refugee flows and illegal immigration, as well as currency and interest rate speculation.

The idea underlying the FRA law has been that on massive data we will be able to identify 'deviants' by means of the 'electronic footprint' that they leave behind. This is also the reason why FRA supporters claim that even the most complicated of ciphers does not pose an insurmountable problem, since the content of a message does not have to be examined in order to determine whether the message should be further investigated.

It is a well-known fact, however, that best results are obtained from monitoring a public who is unaware of being watched, or those who cannot protect themselves against it. We are of the opinion that the claim that one will be able to stop future terrorist plots is highly exaggerated. This view finds support in the MI5 report appearing in the Guardian on 21 August 2008, which challenges views on terrorism in Britain. The single most important conclusion of the report is that those who become terrorists "are a diverse collection of individuals, fitting no single demographic profile, nor do they follow a typical pathway to violent extremism". We would like to further suggest that whereas a terrorist will know how to conceal his or her dark intentions, an unsuspecting, innocent citizen will remain unprotected, and may be put at risk if personal information falls into the wrong hands.

On 16 June 2008, Sweden's largest news programme Rapport revealed that FRA had been storing traffic communications data in their large database named Titan for ten years.

Are there any indications that the electronic surveillance legislation passed by Swedish Parliament on 18 June allows introduction of such a scheme? If we compare the newly enacted legislation with the pre-existing legislation concerning FRA, we must give an affirmative reply.

Government Bill No. 2006/07:63, page 86, indicates that "data reduction is necessary. This means that the greater part of the intercepted signals will be sifted through and discarded." In other words, FRA will not store the original messages but only traffic analysis results. Storing analysis results requires very little in terms of computer memory, which is why practically unlimited amount of this type of data can be stored.

From Section 3 of the Ordinance concerning the Processing of Personal Data by the National Defence Radio Establishment (2007:261) we can draw the conclusion that a sociogram is the end product of traffic analysis in which patterns are drawn from the information flow among a set of senders and receivers. The analytical results are stored in a special database.
Similarly to other ordinances the latter Ordinance has been adopted by the Government, and did not have to undergo the standard legislative procedure.

There has been no public commentary by the Government as regards the above Ordinance in the context of the current debate. This is why we strongly suspect that the average MP has not been informed about the existence of these databases or the use of sociogram data. We could not find the term "sociogram" in any of the preparatory materials, but we assume that it is equivalent to something called "traffic patterns" in Bill No. 2006/07:46, p.
29.

This form of traffic data analysis constitutes a violation of personal integrity, which is just as bad as the violation of post and telecommunications secrecy when all cable communications become accessible to FRA, pursuant to Chapter 6, section 19 a of the Electronic Communications Act (2003:389).

Those who support the FRA law have been trying to tone down the criticism and charges of violation of personal integrity, claiming that processing of data is not carried out by individuals. For us it is the very efficiancy of automatic data processing, in which seemingly harmless data can be transformed with the help of statistics into a powerful instrument that will give the state a direct line into our lives, which is so horrifying.

The FRA agency can always validate their activities in relation to the Personal Data Act (which was enacted in 1998 in order to bring Swedish law into conformity with the requirements of the European Union Data Protection Directive (95/46/EC)) by reference to a special act containing provisions referring to personal data processing. According to this act (Act on Personal Data Processing by the National Radio Defence Establishment in its Signals Intelligence Analysis and Development Activities (2007:256)) searches based on what is known about a person's race or ethnic origin, political opinions, religious beliefs or philosophical convictions, trade union membership, health or sex life are permissible if certain conditions are satisfied. Chapter 1 section 17 of the above-mentioned Act provides that personal data collected by the FRA agency "may be transferred to a third country".

With the help of social network analysis the FRA agency may get to know a given person better than that person knows himself/herself, for example, as regards habits of which the habituee is quite unaware. The big problem is that data of this kind must be collected over a long period of time, and that we cannot know beforehand who will satisfy the deviance criterion linked to an external hazard. This is why the FRA agency has to store sociograms of a great number of people, which means keeping close tabs on practically everybody, whether they are innocent or not.

The Act contains provisions concerning destruction of records, but at the same time Chapter 6, section 1 of the Act contains an opt-out provision permitting retention of records for historical, statistical or scientific purposes.

In the end FRA agency's eavesdropping on civilian communications means keeping tabs on innocent, law-abiding citizens.

The FRA law is a slap in the face of democracy and must be repealed. We are not against signals intelligence as such, when applied to purely military communications systems, i.e. communication between warships, fighter aircraft, tanks or infantry. Neither have we any objection to wiretapping phones of persons suspected of terrorist or criminal activities in accordance with the provisions of the Code of Judicial Procedure and following a relevant court decision. But engaging in mass surveillance of innocent people is another thing and it is quite unacceptable. We must ask
again: did the MPs really know what they were doing when they voted in favour of the Bill last June?

List of Signatories
http://www.edri.org/docs/signatories-fra-law.pdf

Original article (only in Swedish)
http://www.dn.se/DNet/jsp/polopoly.jsp?d=572&a=827493

EDRi-gram: ENDitorial: Wiretapping - the Swedish way (27.08.2008) http://www.edri.org/edrigram/number6.16/wiretapping-swedish-way

(Contribution by Mark Klamberg - doctoral student - Sweden)

============================================================
10. Recommended Action
============================================================

In a letter to EU Commissioner Viviane Reding published on 28 October 2008,
11 German organisations are criticising a European Parliament move that would allow telcommunications providers to collect traffic data for "security purposes".

The civil liberties, journalists, lawyers and consumer protection organisations are warning in the letter that the European Parliament's vote on the telecom package of 24 September contains a "blank cheque" for the collection of more traffic data than is currently being collected even under the directive on data retention, without setting a time limit. The series of data abuses and incidents that have occurred in Germany, Italy, Greece, Latvia, Bulgaria, Slovakia and Hungary in recent years demonstrates that only erased data is safe data, the letter continues. The EU Council (where the telecom package will be debated on 27 November) is asked to reject the proposal.

Similar letters were sent to the European Data Protection Supervisor Peter Hustinx, the Chairwoman of the Committee on the Internal Market Arlene McCarthy and the German Minister of Economic Affairs Michael Glos.

A background paper published today by the German Working Group on Data Retention points out that the European Parliament move is the result of lobbying by the US-based Business Software Alliance (BSA).
The BSA recently sent a hitherto unpublished paper to EU member states, pushing for even more extensive data collection powers and for exempting Internet usage data from data protection law.

The German working group on data retention is encouraging other organisation in sending similar letter to each national permanent representation in Brussels, MEPs and national authorities, including the ministers of economic affairs or communication.

The letter sent by 11 organisations (only in German) http://www.vorratsdatenspeicherung.de/images/brief_esecurity_bmwi_publi.pdf

The Working Group's background paper on the issue (in English) http://www.vorratsdatenspeicherung.de/images/wg_esecurity_position.pdf

The Business Software Alliance's lobbying paper (in English) http://www.vorratsdatenspeicherung.de/images/bsa_position_esecurity.pdf

============================================================
11. Agenda
============================================================

13-14 November 2008, Chisinau, Moldova
IFLA/EBLIDA/eIFL Conference on copyright and libraries
Copyright: Enabling Access or Creating Roadblocks for Libraries?
http://www.eblida.org/index.php?page=draft-programme-2

14 November 2008, Prague, Czech Republik Big Brother Awards Czech Republik 2008 http://www.slidilove.cz/cs/soutez_o_nejvetsiho_slidila

25-26 November 2008, Brussels, Belgium
World e-Parliament Conference 2008
http://www.ictparliament.org/worldeparliamentconference2008/

2 December 2008, Hyderabad, India
Global Internet Governance Academic Network (GigaNet) Third Annual International Symposium http://tinyurl.com/ynsuuf/

3-6 December 2008, Hyderabad, India
Third Internet Governance Forum
http://www.intgovforum.org

9-10 December 2008, Madrid, Spain
Future Internet Assembly
http://www.future-internet.eu/home/future-internet-assembly/madrid-dec-2008.html
http://www.fi-madrid.eu/

10-11 December 2008: Tilburg, Netherlands Tilting perspectives on regulating technologies, Tilburg Institute for Law and Technology and Society, Tilburg University http://www.tilburguniversity.nl/tilt/conference

27-30 December 2008 Berlin, Germany
25C3: Nothing to hide
The 25th Chaos Communication Congress
http://events.ccc.de/congress/2008/

18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/

1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/

============================================================
12. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <[log in to unmask]>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: [log in to unmask]
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: [log in to unmask]
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <[log in to unmask]> if you have any problems with subscribing or unsubscribing.

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations.To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************