[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FYI] (Fwd) EDRI-gram - Number 3, 26 February 2003
------- Forwarded message follows -------
From: EDRI-gram newsletter <email@example.com>
Subject: EDRI-gram - Number 3, 26 February 2003
Date sent: Wed, 26 Feb 2003 15:31:32 +0100
[ Double-click this line for list subscription options ]
bi-weekly newsletter about digital civil rights in Europe
Number 3, 26 February 2003
1. EU questionnaire on spam-ban
2. Data-retention scandal in Ireland
3. Dutch interception secrecy
4. USA gets direct access to EU passenger data
5. Belgium introduces electronic passport
6. ID-requirements in Europe
7. Criticism gone from EP report on safer internet plan
8. Bulgarian Big Brother Award for Interior Affairs
9. Recommended reading: Digital Lithuania
EU QUESTIONNAIRE ON SPAM-BAN
Per 31 October 2003 spamming will be prohibited in all EU member
states, but it is completely unclear what authority should supervise
the spam-ban. The European Commission doesn't have a ready-made
answer, and is currently asking privacy-authorities and
telecommunications ministries what approach they prefer.
The new Privacy Directive prohibits the sending of unsolicited e-mail
but doesn't regulate the practicalities of penalties, damage claims or
prosecution of cross-border violations. To make matters even more
complicated, the Directive leaves the level of privacy protection of
legal persons up to member states. Therefore, in some countries all
e-mail addresses will be protected, in other states the spam-ban is
limited to natural persons. On top of that, the directive bans
commercial spam, but does allow for a ban on all unsolicited
electronic communications, including those for charity and political
Seven EU member states already have anti-spam legislation; Austria,
Denmark, Germany, Finland, Greece, Italy and Spain. In
Europe-at-large, spam is also banned in Hungary and Norway.
Punishments differs widely. In Austria for example, spammers can be
fined to a maximum of 36.330 Euro, while in Italy spammers risk prison
sentence, next to the obligation to pay damages of 500 to 5000 euro
Answers to the questionnaire from DG Infosoc should be in by 28
February 2003. Based on the answers, the European Commission will
probably produce a guideline for recommended practice. Most likely,
direct marketers will lobby for self-regulation, leaving it up to the
industry to punish itself. EDRI opposes such a soft approach, and
strongly recommends the institution of a European hotline for spam, to
solve the problem of having to find out where the spam was sent from.
This should not be left up to individual citizens, nor should they
have to instigate cross-border procedures themselves.
Previous initiatives by the Belgian and French data-protection
authorities to open up a national spam-box showed immense public
interest. The Belgian authority even closed its mailbox after 2
months, after having received 50.000 spams. As well-intended as it
was, they were inundated with identical spams. To withstand the
spam-deluge, more is needed, like a dedicated transnational institute,
with smart automatic processing of spams, a searchable public database
and professionally trained staff.
Overview of anti-spam legislation in Europe-at-large
Belgian privacy-authority (in Dutch and French)
DATA-RETENTION SCANDAL IN IRELAND
Ireland has had a secret data retention regime for almost a year,
after the Cabinet confidentially instructed telecommunications
operators to store traffic information about every phone, fax and
mobile call for at least three years. The Irish Data Protection
Commissioner Joe Meade revealed this last monday at a forum on data
retention. Telcos even used to keep these data for a period of 6
years, the commissioner found out in January 2001, when he obliged
ISPs and telcos to register with the Office for Data Protection.
Following EU privacy-guidelines the Commissioner pressed for a maximum
retention period of 6 months.
Meade said: 'While this period was eventually acceptable to most of
the telcos and ISPs it raised legitimate concerns in the Department of
Justice regarding access for security and crime investigations.
Following discussions with me the Department indicated that a
retention period of three years, rather than the then six years, was
necessary for security purposes for telcos.'
In spite of the Commissioners protest, in April 2002 the Minister for
Public Enterprise issued directions to telcos to keep detailed,
non-anonymous traffic data for a three-year period. Without any public
debate government went on to prepare official legislation, Meade
stated, including mandatory data-retention for internet providers.
Details are not yet known, but legislation could oblige providers to
keep track of the destination, origin, timing, size and itinerary of
every e-mail, as well as the locations of every website visited by
The Irish scandal comes at a time of relative quiet about a possible
European decision about mandatory data retention. In September 2002
the answers to a questionnaire became available, showing a large
majority of EU member states in favour of a decision for systematic
retention of traffic data concerning all kinds of telecommunication
for a period of one year or more. The Danes concluded their presidency
of the Justice and Home Affairs Council in December 2002 with the
recommendation to organise more discussions with the industry. Under
current Greek presidency, the topic seems to have dropped from the
All over Europe, the privacy authorities, organised in the Article 29
Working Party, have expressed grave doubts about the legitimacy and
legality of such broad measures and stated that systematic retention
of all kinds of traffic data for a period of one year or more would be
clearly disproportionate and therefore unacceptable in any case.
Statement by Joe Meade (24/02/03)
Conclusions Danish Presidency 15763/02 (19/12/02)
Answers to questionnaire on traffic data retention (November 2002)
Statement of the European Data Protection Commissioners (September
DUTCH INTERCEPTION SECRECY
The quantity of police interceptions of telecommunication in the
Netherlands is higher than anywhere else in the world, according to
the few available official statistics. Government however, tries to
maintain secrecy about the exact numbers and the technical
specifications of the equipment.
Last week, a Freedom-of-Information request by EDRi-member Bits of
Freedom for statistics covering the nineties was turned down by
government because of 'the lack of available statistics'. The ministry
of Justice could not explain why there seem to be no statistics for
The few official publications show an explosive increase of
interception numbers in the nineties. According to a 1996 report by
the Ministry of Justice's research centre, in 1993 and 1994
respectively 3.619 and 3.284 telephone lines were wiretapped. The
researchers concluded that those numbers already were considerably
higher than the absolute quantity in the USA and the UK. According to
Ministerial answers to Parliament, in 1999 the number of intercepts
had increased to an astonishing 10.000 tapped phones by Dutch police
(TK 27591, nr. 2). Official reporting by the US Courts and the UK
Communications Commissioner show considerably lower numbers over 1999:
1.277 for the USA and 1.933 for the UK.
Police in the Netherlands have made themselves very dependent of
wiretapping. Since 1998, the introduction of the Dutch
Telecommunications Act, all telephone companies and internet service
providers are obliged to install interception devices at their own
expense. Wiretapping being such an elementary part of police
investigation, government shies away from transparency and
accountability. Even though telecom and internet operators regularly
send bills for operational wiretapping costs, the ministry of Justice
claims it doesn't keep account of the numbers.
But secrecy is not limited to the numbers; there are no certifications
for the wiretapping equipment. In recent criminal court cases lawyers
have declared wiretap evidence unreliable and manipulated. Since most
of the interception equipment in the Netherlands is closed-source
(even for the police) and not certified, little assurance can be given
that the produced evidence is indeed correct and reliable. In a high
profile court case against the Kurd Baybasin, a former signals
intelligence expert from the military intelligence service has come
forward as an expert for the defence lawyers, stating that the
intercepts were clearly manipulated.
Report of the UK Commissioner for 1999
US Courts Wiretap Reports
Making up the rules: Interception versus privacy (August 2000)
USA GETS DIRECT ACCESS TO EU PASSENGER DATA
From 5 March onwards, USA officials will have direct electronic
databases with EU passenger data. On 19 February, U.S. Deputy Customs
Commissioner Douglas Browning and officials of the European Commission
agreed to give the custom officials direct access to the personal data
of passengers flying to, from and through the United States.
These databases don't just include names of passengers, but also
itinerary, phone and credit card number, time of booking and possible
changes. The discussion about data of a sensitive nature, such as meal
preferences, was closed with a recommendation to jointly develop
measures to protect these data, preferably before 5 March 2003.
In return, 'US Customs undertakes to respect the principles of the
Data Protection', at least, as long as these principles don't stand in
the way of the secret services. 'US Customs may provide information to
other US law enforcement authorities only for purposes of preventing
and combating terrorism and other serious criminal offences, who
specifically request PNR information from US Customs.'
According to a press statement on 18 February by EU
Traffic-Commissioner Loyola de Palacio, information would only be
transferred with the consent of the passenger. If the passenger didn't
agree, he or she would pay with more stringent checks upon arrival.
However reasonable that might sound, it is highly unlikely that US
Customs will just close its eyes, every time it sees a mark in the
database that the passenger doesn't agree to share personal data.
Joint statement of the European Commission and US Customs
Article about the statements of Palacio (in German)
BELGIUM INTRODUCES ELECTRONIC PASSPORT
Ignoring criticism from the national privacy authority, Belgian
parliament approved of the introduction of an electronic passport. The
new chipcard will be tested in 11 municipalities. If the pilot
succeeds, all inhabitants of Belgium will have an electronic ID within
5 years. The new credit-card sized passport shows regular data like
name, date of birth and national ID-number, but the chip will also
contain the address-data.
The revised law simultaneously lowers the access barriers to the
national register. Every public and private authority or any of its
assignees are granted access 'to excise tasks of public interest'. On
top of that, a newly instituted 'sectoral committee' can authorise any
other sort of access-request.
The new credit-card sized passport contains several digital keys, to
enable remote identification via internet. Personal data on the chip
are secured via a public key infrastructure (PKI). To be able to read
or scramble data, a combination is required of a public and a private
key. The public key can be given out to everybody, while the 'private
key' is locked in the chip on the ID-card.
Revised ID-law, nr. 50/2226/066 (in Dutch and French)
ID-REQUIREMENTS IN EUROPE
Only a few EU-member states currently have ID-requirements.
Privacy-authorities and civil rights groups alike doubt the practical
effects and warn against highly arbitrary checks. Belgium, France and
Spain, where ID-requirements have been in place for a long time, have
bad track-records of police discrimination.
Belgium currently has the strictest legislation, requiring everybody
age 15 and older to show ID when asked by a police officer, without
the need for a suspicion. In the Netherlands, the minister of justice
recently proposed an ID-requirement for everybody age 12 and above.
According to research by the ministry of justice, published in a
letter to parliament 29 October 2001, the Netherlands would suddenly
have the most repressive ID-scheme in Europe.
According to this research, in Germany inhabitants 16 years and older
are required to show ID to police officers. In practice ID-requirement
is limited to financial transactions. In France and Spain, officials
must provide some ground, like danger to public safety, to require ID,
but in practice there is a lot of debate about arbitrary checks, like
In Portugal ID-requirements are limited to very specific transactions
and to suspects of criminal offences. In Sweden ID-requirements are
very specific as well. No ID-requirements exist in the UK, Denmark,
Norway and Switzerland, though the plans for a national
entitlement-card in the UK are heavily criticised as a hidden
Netherlands: ID-checks to be introduced
CRITICISM GONE FROM EP-REPORT ON SAFER INTERNET PLAN
In a remarkable change of heart, rapporteur Bill Newton Dunn removed
all criticism from his draft report on the Safer Internet Action Plan
(EU Document Number COD/2002/0071). In stead of the original
recommendation to discontinue the program because of its complete
in-effectiveness, Mr. Newton Dunn (British Liberal) now pleads for an
extension of the program.
The change is the outcome of a series of so-called trilogue meetings,
high-level, closed-door meetings of Council and Commission
representatives as well as EP rapporteurs and shadow rapporteurs.
Newton Dunn subdued completely to the will of the Council. Not only
did he withdraw all of his critical original amendments, he even asked
the Council for formulas he then tabled as last-minute amendments in
his own name. The result: not a single amendment was adopted in the EP
Internal Affairs committee that had not been approved by the Council
before. It is very likely that the outcome in the EP Plenary, which
will vote on March 10, will look likewise.
The Action Plan can now be extended to almost all forms of electronic
communication and all protocols. At the last trilogue meeting, Newton
Dunn agreed to withdraw part 2 of his original amendment 4, which
would have taken 'peer-to-peer file transfer, text and enhanced
messages and all forms of real-time communications such as chat rooms
and instant messages' out of the scope of the program, on the grounds
that 'the aims of the initial Action Plan have not been entirely
achieved'. Instead, the rapporteur accepted an insignificant formula
saying the goal of the program is 'primarily (...) improving the
protection of children and minors'. Amendment 5, which contained
implicit criticism that hotlines were not known to users, disappeared
as well, without giving any explication about the sudden increase of
knowledge about these hotlines.
The deadline for amendments for the Plenary is 6 March.
LIBE Revised report
(Contribution by Andreas Dietl, consultant on EU privacy issues)
BULGARIAN BIG BROTHER AWARD FOR INTERIOR AFFAIRS
In Bulgaria, a Big Brother Award was awarded to the Ministry of
Interior Affairs for the double achievement of a proposal to wiretap
all internet traffic and the censorship of a satirical homepage.
The draft new Telecommunications Law would have obliged internet
service providers to buy wiretapping equipment that would have given
police live access to all data traffic going through the networks of
the providers. The proposal was stopped just in time and sent back to
several parliamentary committees.
In September 2001, the National Unit for Combating Organized Crime
traced down and confiscated the computer of the 26-year old individual
Lubomir Kolev. His 'crime' was that he published a website under the
name of a Bulgarian bank, where he made mockery of the election
promise of the prime minister to give a rent-free loan of 5000 Leva
(EUR 2.500) to every Bulgarian citizen.
The Ministry explained the take-down because 'in the web site a
picture of the prime minister Mr. Simeon Sax-Coburg-Gota was
published, with which Lubomir K. has lowered not only the image of the
bank, but also of the official Bulgarian institutions'. Many people
joked 'We didn't know that publishing a picture of the prime minister
could ruin the image of Bulgarian institutions or banks'.
Though never charged for the satire, Kolev recently received a fine of
EUR 1.000 for having illegal software on the confiscated computer. To
obtain the report, send an e-mail to firstname.lastname@example.org
Explanation of the Interior Ministry
(Contribution by Veni Markovski, GIPI Bulgaria)
RECOMMENDED READING: DIGITAL LITHUANIA
There is not much research done about privacy and digital civil rights
in the Baltic EU accession countries (Estonia, Lithuania and Latvia).
Estonia refers to itself as E-stonia, with the ambition to outclass
even Finland as ICT-nation. Groundwork was done by the Open Society
Institute in Lithuania, resulting in the report Digital Lithuania in
2001 by Marius P. Saulauskas.
In spite of extreme pessimism about the level of ICT-development in
2001, seventy-four percent of the interviewed Lithuanians felt that
the development of an information society would favourably influence
the Lithuanian economy. With Parliament reviewing the conclusions, the
study has become an important factor in official plans for Lithuania's
development over the next 15 years. In cooperation with the Ministry
of the Economy, the Institute launched a website to allow people to
express their opinions about the development program.
Summary in English
27-28 February 2003 Luxembourg, Luxembourg - 2 workshops on 'Safer
10-12 March 2003 Malmo, Sweden - ASEM summit on Globalisation and ICT
15 March 2003 Nomination deadline for the Stupid Security Award
25 March 2003 - UK Big Brother Awards
1-4 April 2003 New York, USA - CFP 2003
22-24 April 2003 St Petersburg, Russia - Building the Information
6-7 May 2003 Padova, Italy - Information Society Visions and
Governance Contact for information: Claudia Padovani,
8 - 9 May 2003, Namur, Belgium - Collecting and Producing Electronic
Evidence in Cybercrime Cases 2-day workshop organised by the
University of Namur http://www.ctose.org/workshop-8-9-may-2003.html
EDRI-gram is a bi-weekly newsletter from European Digital Rights, an
association of privacy and civil rights organisations in Europe.
Currently EDRI has 10 members from 7 European countries. EDRI takes an
active interest in developments in the EU accession countries and
wants to share knowledge and awareness through the EDRI-grams. All
contributions, suggestions for content or agenda-tips are most
Sjoera Nas, email@example.com
Information about EDRI and its members:
You may redistribute the EDRI-gram newsletter freely (but only for
- EDRI-gram subscription information
subscribe/unsubscribe web interface
subscribe by email
You will receive an automated email asking to confirm your request.
- EDRI-gram in Spanish
EDRI-gram is also available in Spanish, usually 3 days after the
English edition. The contents are the same. Translations are provided
by David Casacuberta, secretary of the Spanish chapter of Computer
Professionals for Social Responsibility (CPSR).
To subscribe to the Spanish language EDRI-gram, please visit
or subscribe by email:
- Newsletter archive
Back issues are available at:
Please ask firstname.lastname@example.org if you have any problems with subscribing or
Publication of this newsletter is made possible by a grant from the
Open Society Institute (OSI)
------- End of forwarded message -------
To unsubscribe, e-mail: email@example.com
For additional commands, e-mail: firstname.lastname@example.org