Förderverein Informationstechnik und Gesellschaft

EDRI-gram - Number 5, 27 March 2003

------- Forwarded message follows ------- Date sent: Thu, 27 Mar 2003 18:59:02 +0100 To: From: EDRI-gram newsletter <> Subject: EDRI-gram - Number 5, 27 March 2003

[ Double-click this line for list subscription options ]



bi-weekly newsletter about digital civil rights in Europe

Number 5, 27 March 2003

================================================================== Contents ==================================================================

1. No legal basis for transfer of passenger data 2. EU building bugged 3. French Constitutional Council validates computer search without warrant 4. Polish providers fight email monitoring obligation 5. Restrictions on cryptography in Spain 6. UK home office not amused with big brother award 7. Recommended reading: avoiding spam 8. Agenda 9. About

================================================================== 1. No legal basis for transfer of passenger data ==================================================================

The agreement between the European Commission and U.S. authorities on the transmission of passenger name record data (PNR) has encountered fierce opposition during a public hearing at the European parliament. The agreement gives the U.S Customs on-line access to passenger name record data of all EU based airlines for flights that go to, from or through the U.S.

During the 25 March public hearing in the European parliament the Commission argued that it had no choice but to accept the U.S. demands for passenger data. Threats to fine European airlines or even halt landing rights were taken very seriously by the Commission. But many participants were not satisfied with the explanation that the Commission had been blackmailed and couldn't do anything about it. They argued that the transfer of PNR data has no legal basis and is a direct violation of the EU data protection directive.

Stefano RodotÓ, chairman of the Article 29 Working Party (the coalition of EU privacy commissioners), concluded: "Everybody now realises how serious this is". He said the EU must take its responsibility and act, otherwise every third country could change its law and force the EU to adopt foreign legislation. Three civil liberty organisations (EDRI, Statewatch and EPIC) testified during the hearing and expressed concern about the willingness of the European Commission to bypass EU law to satisfy the U.S.

The scope of the agreement is wide. The agreement says that "Customs will retain the data no longer than is required for the purpose for which it was stored". But at the same time it is clear that the data is stored for an almost unlimited number of purposes, certainly not limited to fighting terrorism: "PNR data is used by Customs strictly for enforcement purposes, including use in threat analysis to identify and interdict potential terrorists and other threats to national and public security". The U.S. Customs will also share the data with all other U.S. agencies: "Other law enforcement entities may specifically request PNR information from Customs and Customs, in its discretion, may provide such information for national security or in furtherance of other legitimate law enforcement purposes". The agreement reads as an assurance that EU passenger data will be stored in FBI, NSA and CIA databases.

The PNR data consist of all relevant information related to a passengers flight: departure and return flights, connecting flights, special services required on board the flight (meals such as Kosher, Halal) and payment information such as credit card numbers.

EP public hearing: Grave concerns over data protection 030326-1+0+DOC+XML+V0//EN&LEVEL=2&NAV=S#SECTION5

European Commission - US Customs talk on Passenger Name Record transmission

================================================================== 2. EU BUILDING BUGGED ==================================================================

The telephones lines in the EU Justus Lipsius building in Brussels, home of the Council of Ministers, have been tapped for many years. The bugging devices were discovered in the rooms of the delegations of Britain, France, Germany, Spain, Italy and Austria. The devices were placed on lines between the central switchboard and the national delegations.

The German delegation ordered their Federal Office for Information Security (BSI) to examine the bugging devices. The expert called the building 'wired like a pinball machine'. It is suspected that the devices were installed during the construction of the building in 1995.

After discovery of the bugs a trap was set up to find out if the devices would be 'serviced' by the spying agency that had placed them. Nobody showed up and it is still unclear which country is responsible for the bugging.

George Papandreou, the Greek foreign minister and spokesman for the EU's presidency, said the eavesdropping is a waste of time. "To all those who feel that it is necessary to tap our phones, we say that Europe is a very transparent organisation," he said. "They shouldn't go to such lengths to try to find out information - we can provide it for them." These remarks have caused quite some amusement with people and organisations that have been following the EU access to documents policies in the last years.

Der Spiegel: Spionage gegen EU (in German) (24.03.2003),1518,241722,00.html

Council of the European Union press release (19.03.2003)!!!&BID=75&DID=75009&G RP=5602&LANG=1

================================================================== 3. FRENCH CONSTITUTIONAL COUNCIL VALIDATES COMPUTER SEARCH WITHOUT WARRANT ==================================================================

The French Constitutional Council recently validated the Internal Safety Law ('Loi sur la sÚcuritÚ intÚrieure'), adopted by the Parliament on February 13. This decision has been commented by the Human Rights League - LDH, the French member of the International Human Rights Federation - as a 'step backwards for the rule of law'.

Among the many provisions infringing privacy and other human rights, one authorizes the immediate access by Law Enforcement Authorities to the computer data of Telecommunications Operators, including Internet Access Providers, as well as of almost any public or private institute, organization or company. The second important measure authorizes the searching without warrant of any information system, provided that its data are accessible through the network from a computer being searched with a warrant (e.g. all computers in a P2P network may now be searched on the basis of a single warrant for one of them). If the data are stored in a computer located in a foreign country, then their access remains subject to applicable international agreements.

These provisions implement parts of Article 19 (search and seizure of stored computer data) of the Council of Europe Cybercrime Convention, signed but not yet ratified by France. The Convention, which has been opened to signatures since 23 November 2001, has not entered into force to date. It has been strongly criticized by many Human Rights organizations as well as by professional experts.

EDRI-member IRIS notes in its press release that the French transposition of Article 19 of the Cybercrime Treaty doesn't even fulfil the minimal conditions and safeguards stated in Article 15, in reference to international instruments for the protection of human rights and fundamental freedoms.

(Contribution by Meryem Marzouki, IRIS)

Statement by Ligue des droits de l'Homme (in French)

Statement by IRIS (in French)

Treaty Watch

================================================================== 4. POLISH PROVIDERS FIGHT EMAIL MONITORING OBLIGATION ==================================================================

According to an item on Warsaw Polish Radio 1 on 19 March 2002, telecommunication providers in Poland have received an order from the Ministry of Infrastructure to install email wiretapping equipment.

In the item counsellor Daniel Wieszczycki stated the order is contrary to the Constitutional right of secrecy of correspondence. In pursuance of the order, the operators are obliged to connect their lines to authorized surveillance institutions. These are the Internal Security Agency, the Intelligence Agency, the Military Gendarmerie, the Border Guard, the police and the military intelligence.

Counsellor Wieszczycki emphasized that the Internet communities have already announced that they would take the order to the Constitutional Tribunal. He said: "we noticed some characteristics of this order, such as a lack of respect for the Constitutional right to protection of secrecy of communication. Indeed, it orders the application of technical solutions which will make impossible court supervision of the installation of such monitoring provisions or of surveillance in general..."

Translation source: Foreign Broadcast Information Service (USA government), document number FBIS-EEU-2003-0319

================================================================== 5. RESTRICTIONS ON CRYPTOGRAPHY IN SPAIN ==================================================================

A proposal to modify the Spanish telecommunication law threatens the free use of cryptography.

The current General Law of Telecommunications (Ley General de Telecomunicaciones (LGT) already puts some restrictions on the use of cryptography. The second part of article 52 ('Cifrado en las redes y servicios de telecomunicaciones', that is, network encryption and telecommunication services) says:

"Encryption is a security instrument for information. Among its conditions of use, when it is used to protect the confidentiality of information, an obligation may be imposed to notify either a General Administration State authority or a public one of the algorithms or any other encryption procedure used, in order to control it according to the law. This obligation will affect developers that include encryption in their equipment or software, the operators that include it in networks or in specific services and users that make use of it."

The modification proposal would create an obligation for every user to hand over their encryption key and password when asked by any public authority. The revised article (renumbered as 36.2) with the modification in capitals, looks like this:

"Encryption is a security instrument for information. Among its conditions of use, when it is used to protect the confidentiality of information, an obligation may be imposed to notify either a General Administration State authority or a public one of the keys, the algorithms or any other encryption procedure used, including all the technical information related to the used system, and also the obligation to facilitate, at no cost, the encryption devices used and the technical information related to the system used in the encryption procedure, in order to control it according to the law."

The Spanish government has not given any explanation about the need for this modification, just vague references to the need of some 'control'.

The law would clearly give new impulse to key escrow schemes. In fact the Fßbrica Nacional de Moneda y Timbre is allowed by the government to develop such schemes.

(Contribution by Arturo Quirantes - CPSR-Spain)

================================================================== 6. UK HOME OFFICE NOT AMUSED WITH BIG BROTHER AWARD ==================================================================

Yesterday, Privacy International announced the winners of the 5th Annual UK 'Big Brother' awards to the government and private sector organisations that have done the most to invade personal privacy in Britain.

Winner of the award for worst public servant is London Mayor Ken Livingstone, for his efforts in transport surveillance. Prime Minister Tony Blair received the Lifetime Menace Award. Blair earned the award partly because of his plans to force phone companies and Internet service providers to retain user data for 12 months as part of the country's stepped-up war on terrorism and crime.

According to an article in The Guardian, a representative of the Home Office attended the event, but did not take the special award for minister David Blunkett: a (fake) dog poo on a stick. The home secretary has been a long-time target for privacy campaigners, as a result of his support for schemes such as entitlement cards.

"These are silly and malicious awards which have rightly been ignored by most people," said a Home Office press officer.

Privacy International's Director, Simon Davies, said the award winners reflected the 'prolonged and vicious' attack on the right to privacy. He said privacy invasion in Britain has become "a vast industry that threatens the rights of everyone in Britain".

Press release UK Big Brother Awards 2003 (25.03.2003)

Home office attacks "malicious" awards (25.03.2003),12597,922483,00.html

================================================================== 7. RECOMMENDED READING: AVOIDING SPAM ==================================================================

Did you ever wonder how spammers got your email address? According to new research by the USA-based Center for Democracy and Technology, publication of your email address on a website is the number one cause of getting a lot of spam. It definitely helps to disguise your address, such as replacing '' with 'somebody at domain dot eu'.

Why am I getting all this spam? (19.03.2003)

================================================================== 8. AGENDA ==================================================================

2-4 April 2003 New York, USA - CFP 2003

6-7 May 2003 Padova, Italy - Information Society Visions and Governance Contact for information: Claudia Padovani,

8-9 May 2003, Namur, Belgium - Collecting and Producing Electronic Evidence in Cybercrime Cases 2-day workshop organised by the University of Namur

30 June - 2 July 2003 St Petersburg, Russia - Building the Information Commonwealth

7-10 August 2003 Berlin, Germany - Chaos Computer Camp 2003

================================================================== 9. ABOUT ==================================================================

EDRI-gram is a bi-weekly newsletter from European Digital Rights, an association of privacy and civil rights organisations in Europe. Currently EDRI has 10 members from 7 European countries. EDRI takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content or agenda-tips are most welcome.

Newsletter editor: Sjoera Nas,

Information about EDRI and its members:

- EDRI-gram subscription information

subscribe/unsubscribe web interface

subscribe by email To: Subject: subscribe

You will receive an automated email asking to confirm your request.

- EDRI-gram in Spanish

EDRI-gram is also available in Spanish, usually 3 days after the English edition. The contents are the same. Translations are provided by David Casacuberta, secretary of the Spanish chapter of Computer Professionals for Social Responsibility (CPSR).

To subscribe to the Spanish language EDRI-gram, please visit

or subscribe by email:

To: Subject: subscribe

- Newsletter archive

Back issues are available at:

- Help

Please ask if you have any problems with subscribing or unsubscribing.

================================================================== Publication of this newsletter is made possible by a grant from the Open Society Institute (OSI). ==================================================================

------- End of forwarded message -------