Förderverein Informationstechnik und Gesellschaft

EDRI-gram - Number 2, 12 February 2003

------- Forwarded message follows ------- To: From: Bits of Freedom <> Subject: EDRI-gram - Number 2, 12 February 2003 Date sent: Wed, 12 Feb 2003 16:48:15 +0100

[ Double-click this line for list subscription options ]

EDRI-gram bi-weekly newsletter about digital civil rights in Europe Number 2, 12 February 2003



1. Internet censorship in Switzerland 2. E-commerce directive transposition raises serious privacy and free speech concerns in France 3. Critical draft EP report on safer internet action plan 4. EUCD-implementation stalled in Finland 5. Finnish companies oppose law to censor Internet 6. Microsoft Passport does not comply with European privacy rules 7. UK parliamentary inquiry rejects data retention 8. EDRI-gram available in Spanish 9. Agenda 10. About



In Switzerland, internet censorship is gaining ground. 2 recent events demonstrate this development.

Last December, the examining magistrate of the canton Vaud issued a command to many Swiss internet service providers (ISPs), to block access to 3 websites. The websites, all hosted in the USA, contain strong criticism of a.o. the Swiss courts and are prosecuted for defamation. ISPs were also asked to modify their DNS-servers to specifically block access to the domain

The 3 contested websites are:

Even before the blocking became effective, mirrors immediately sprang up at:

In their press release about this case, the Swiss Internet User Group (SIUG) and the Swiss Network operators Group point out that internet blocking measures are easily bypassed and that article 16 of the Swiss constitution guarantees to every person ‘the right to receive information freely, to gather it from generally accessible sources and to disseminate it.’

Most Swiss providers did not obey at first and appealed against the command. The magistrate then ordered the directors of the companies to appear in court in person. Guido Honegger of Swiss ISP Green refused to bend under this pressure and is now facing a procedure for disobedience. He plans to fight the command in court. Other ISPs like e.g. Init Seven AG are redirecting traffic for the incriminated sites to protest pages.

The blocking-orders coincide with a proposal from the Swiss federal office of justice for a revision of the federal law on lotteries and betting. In article 50 of the proposal, providers could be fined up to one year in prison or a penalty of up to 1 Million Swiss francs (approx. EUR 660.000) for ‘providing access to games that are not allowed according to this law’. The Swiss Internet User Group is concerned that this proposal is only the start of new legislation providing for much wider censorship.

More reading:

Command by the canton Vaud (unofficial copy, French)

Press release by SIUG and Swinog 13/12/02 (in German):

Press release ISP Green 30/01/03

ISP Init7 explanation about the DNS-block (in German)

Federal Office of Justice (in 4 languages)


France has started the process of implementing the European Directive on Electronic Commerce. The draft text of the Digital Economy Law ("Loi relative à l'économie numérique" or LEN in French) deals with ISP liability, electronic contracts and unsolicited commercial emails, cryptography, cybercrime, and satellite systems. Among them, the most controversial provisions are those concerning cryptography, cybercrime and ISP liability.

CRYPTOGRAPHY Providers of cryptography services should provide upon request decryption keys to authorised agents named by the Prime Minister. The penalty for not complying with this obligation is a 2 years jail sentence and a fine of EUR 30,000. When a crime or offence is suspected, the public prosecutor or a judge may ask any expert to decrypt data. If the incurred penalty exceeds a 2 years prison sentence, military staff may be asked for help. In that case, the decryption method and process would be kept secret, making it very difficult for defence lawyers to question the outcome. The last provision states that anyone having access to decryption keys should provide them. The keys should be provided upon judicial request when cryptography is used for commission, preparation, or facilitation of a suspected crime or offence. The penalty is very high again: a jail sentence of 3 years and a fine of EUR 45,000.

There are 3 major objections against these provisions. First, judicial control is not ensured. The public prosecutor may start investigations before any crime or offence has been committed. Secondly, they allow for self-incrimination, and thus contradict the French law. Thirdly, professional secrecy is no longer guaranteed for some professions, for example for lawyers that exchange encrypted e-mails with their clients.

ISP LIABILITY On ISP liability, the draft is a third attempt to introduce a "notice and take down" procedure in French legislation. Currently, a French ISP can only be held liable for hosting illegal content if he does not obey a judicial order to remove this content.

With the implementation of the Digital Economy Law, ISPs would not be held liable if, after obtaining actual knowledge or becoming aware of facts and circumstances indicating illegal activity, they act expeditiously to remove or to disable access to the information. These provisions reproduce the exact words of the E-Commerce Directive (article 14). This would open the way for privatized censorship, where the ISP has to decide what is illegal and what is not, after having been notified by a third party on the basis of its private interests. There is no provision for counter claims, seriously undermining presumption of innocence and the right to a fair trial.

Moreover, the draft introduces the possibility of ordering French providers to block access to foreign websites. This unprecedented provision may open the door to further restrictions and censorship on other media, and would undermine freedom of circulation on the Internet.

On 5 February, EDRI-member IRIS launched a petition against provisions on ISP liability and access filtering, in collaboration with 2 non commercial ISPs, the French Human Rights League and a Federation of Trade Unions. The still on-going petition has already been signed by more than 40 French organizations and almost 400 French individuals.

More reading:

European Directive on Electronic Commerce (2000/31/EC) CTION=oj&SERVICE=eurlex&LANGUAGE=en&DOCID=2000l178p0001

Petition against ISP liability and access filtering provisions (in French)

IRIS Dossier (in French)


The EU Safer Internet Action Plan, than ran from 1999 to 2002, did not deliver very impressive results, to put it mildly. Rapporteur Bill Newton Dunn (UK Liberal Democrat) from the Parliamentary Committee on Citizen’s Freedoms and Rights, Justice and Home Affairs (LIBE) wrote a slashing draft report about the request to extend the plan for another 2 years. The original plan had 4 objectives: -Create a European network of childporn hotlines -Develop European filtering and rating systems -Encourage awareness actions -Organise an international conference about the topic

Analysing the achievements, Newton Dunn states that nobody seems to know the telephone numbers of the supposed network of hotlines in 10 member states. Secondly, in stead of validating existing filtering software and carry out security tests against counter-attacks, the express wish of the EP, the Commission financed 13 seemingly vague and uncoordinated filtering projects. Awareness has not been promoted very well either. ‘Projects such as the SUI project resulted in the distribution of 60.000 copies of a brochure on safer Internet use to teachers (...).’ Finally, no conference was organised, ‘and now, in the rapporteur’s opinion, the money would be better spent with the candidate countries.’

The report will be discussed in the next meeting of LIBE, on 17 February 2003. Next day LIBE will vote, followed in Plenary on 10 March.

More reading:

Revised Newton Dunn draft report (January 2003) pdf


Last week, the Finnish parliament returned the national copyright law proposal back to the ministry that originally drafted it. Electronic Frontier Finland heavily criticized the anti-circumvention provisions and other controversial issues of the proposal. After a parliamentary hearing on the 31st of January, the chair of the hearing committee announced it was impossible to continue with the proposal.

Mr Jyrki Katainen, member of the parliament committee and vice chairman of the Conservative Party, confirmed to EFFI that the main reason for this very rare dismissal was the extreme unclearness of the law. The possibility of a 2 years jail sentence for the circumvention of copy protection for example, would have posed a serious risk to unwitting citizens.

Mr. Katainen was also worried the law would have harmed the Finnish competitiveness as an information society. "The proposal was simply overreaching", he said.

More reading:

EFFI press-release 31/01/03

Slashdot =153


A coalition of Finnish telecom and media companies has joined the fight against proposed government legislation to make owners of message boards liable for all content, similar to print media. Additionally, Finnish government wants access to historical data to trace anonymous postings. The law therefore requires publishers and ISPs website to log practically all Internet traffic data for a period of 3 months. In a message delivered to parliament on 5 February, the companies say the law could have a chilling effect on commercial communication.

Electronic Frontier Foundation has acted against the new law from the beginning, warning it will stifle freedom of expression on the Internet.

More reading:

Press release Finnish companies (06/02/03)

EFFI dossier about the law (Jan/Feb 2003)

Previous EFFI fight against mandatory data retention (25/11/02)


Microsoft has agreed to change its Passport authentication system, after the publication on 29 January of a very critical review by the united EU privacy commissioners. Besides the Microsoft .NET Passport system, the commissioners, united in the so-called Article 29 Working Party, also examined the Liberty Alliance Project. The review concludes with general guidelines for future on-line authentication systems.

In order to comply with EU privacy rules, Microsoft agreed to substantially modify the Passport system, "involving in particular a radical change of the information flow".

Passport is a system that centralizes authentication and information sharing for users on the internet. The system stores user information such as addresses, ages, phone and credit card numbers and other personal details in a large central database. With one click, users can transfer their personal information to participating websites.

The most important consequence of the agreement is that users "will be informed and empowered to decide as to which data they want to provide and under which conditions these data will be processed by Microsoft or by the participating websites".

Microsoft will have to enable users to decide on a site-by-site basis whether they want to communicate their profile data or not. Some of the changes involve giving information to users on how to open a Passport account without using their real e-mail address. Microsoft will have to reconfigure the user profile to allow users to fill out the fields they choose, while leaving others blank. All changes have to be made according to an agreed time line.

USA based privacy and consumers organisations, led by the Electronic Privacy Information Center (EPIC), previously filed a complaint in 2001 with the United States Federal Trade Commission (FTC) regarding Passport and other Microsoft products. The FTC ruled in 2002 that Microsoft made false security and privacy promises about Passport.

Microsoft has made no formal statement regarding the issue but a Microsoft spokesperson responded to the agreed changes of Passport saying that "data protection is a dynamic process".

Simultaneously, other complaints about Microsoft are pending with EU anti-trust regulators. A long running investigation involves the bundling of Windows Media Player and alleged abuse of dominance in the server market linked to Windows 2000. EU competition commissioner Mario Monti recently announced to present conclusions in the first half of 2003. A completely new complaint was filed this week by the Computer & Communications Industry Association, representing a number of large technology and media corporations, regarding the bundling of applications with Windows XP and the misuse of a dominant market position by Microsoft.

More reading:

Article 29 Data Protection Working Party: 'Working document on on-line authentication services' 29/01/03 df

EPIC archive on Passport

Computer & Communications Industry Association (CCIA) v. Microsoft


In the UK, a parliamentary inquiry resulted in a firm rejection of governmental plans for general data retention. In one piece of proposed legislation Government expected phone companies, mobile operators and Internet service providers to voluntarily keep logging data for a period of up to 12 months. These data would reveal who has been calling and e-mailing whom, which websites they had visited, and even where people have been with their mobile phones. In their report, the All Party Internet Group (APIG) concludes that the Government had underestimated the costs of the scheme, that billing databases would migrate abroad to escape regulation and that there were few incentives for industry to help the government track technical change. To cap all this, the scheme appeared to be in breach of Human Rights legislation and despite a year of effort by the Home Office, no solution was in sight.

The evidence heard by the parliamentary inquiry made it clear that the proposed voluntary retention scheme had no hope of acceptance by industry. The report also concludes that it would be impractical to proceed with the fallback of mandatory data retention and strongly recommends that the Home Office scrap their plans altogether and start negotiations on a lower impact scheme of targeted "data preservation" instead.

The group also examined existing pieces of legislation including the Regulation of Investigatory Powers Act 2000 (RIPA) and recommended that definition of communications data be improved.

More reading:

The APIG report 28/01/03


From now on, EDRI-gram will also be available in Spanish, usually 3 days after the English edition. Translations will be provided by David Casacuberta, secretary of the Spanish chapter of CPSR (Computer Professionals for Social Responsibility). To receive the Spanish EDRI-gram, please visit or subscribe by email: To: Subject: subscribe


17-28 February 2003 Geneva, Switzerland - Second Preparatory Meeting on the World Summit Second preparatory meeting for the World Summit on the Information Society to be held in Geneva from December 10-12 2003.

25 February 2003 Kiev, Ukraine - Problems and prospects of Information Society Development International conference organised by the All-Ukrainian Foundation “Information Society of Ukraine” in close cooperation with Ukrainian Institute of Information Society.

27-28 February 2003 Luxembourg, Luxembourg - 2 workshops on 'Safer Internet'

10-12 March 2003 Malmo, Sweden - ASEM summit on Globalisation and ICT

15 March 2003 Nomination deadline for the world's most stupid security measure. The Stupid Security Award will be presented on 3 April 2003, during the CFP-conference.

25 March 2003 - UK Big Brother Awards For the 5th time, Privacy International will present awards for: Worst Public Servant; Most Invasive Company; Most Appalling Project; Most Heinous Government Organisation & Lifetime Menace.

1-4 April 2003 New York, USA - CFP 2003, including international Big Brother Award presentation.

22-24 April 2003 St Petersburg, Russia - Building the Information Commonwealth International Conference on Information Technologies and Building Prospects for the Development of Civil Society Institutions in the CIS Countries.

6-7 May 2003 Padova, Italy - Information Society Visions and Governance Colloquium in preparation for the World Summit on the Information Society, organised by the European Institute for Communication and Culture (EURICOM), in co-operation with the University of Padua (Padova) Contact for information: Claudia Padovani, Dipartimento di Studi Storici e Politici, Università di Padova e-mail:


EDRI-gram is a bi-weekly newsletter from European Digital Rights, an association of privacy and civil rights organisations in Europe. Currently EDRI has 10 members from 7 European countries. EDRI takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. In general, all contributions, suggestions for content or agenda-tips are most welcome. Please e-mail your contributions to the editor, Sjoera Nas, .

Information about EDRI and its members:

Subscription Information

subscribe/unsubscribe web interface

subscribe by email To: Subject: subscribe

You will receive an automated email asking to confirm your request.


------- End of forwarded message -------