06 Mar 2017

Rights groups demand action on export controls

By EDRi

Nine civil society organisations, including EDRi and several EDRi members, have signed a letter to the participants of the Wassenaar Arrangement, a multilateral export control regime with 41 participating states. We joined Privacy International’s efforts in expressing concerns that “elements of the current control list of technologies and proposed new additions will have adverse effects on human rights and security.”

In the letter, we acknowledge the need for periodic, open and transparent revisions of export controls in view of technological changes and developments. Tracking and controlling exports is crucial for accountability and for minimising the threats of uncontrolled trade in advanced surveillance capabilities used for security, law enforcement, and espionage. However, disproportionate and burdensome controls on tools that enhance privacy and security are a threat to global stability, security, and the protection of human rights. Therefore, we encourage the participating states to strike the right balance between these legitimate goals and to narrowly define the technologies of concern.

The signatories of the letter support restrictions on the proliferation of surveillance technologies. Conversely, it is important that bona fide cybersecurity and security research are not undermined. In this regard, the current language on controls on intrusion software, encryption, and the proposed inclusion of forensic tools needs to be considered. We urge participants of the Wassenaar Arrangement to remove encryption technology from the control list. If adequate language cannot be drafted to capture all considerations, this is likely to mean that intrusion software and forensic tools would have to be excluded from the controls list as well.

We urge participant states to address our concerns prior to the final agreement and the plenary session taking place in December 2017.

Civil society organisations’ letter to the participants of the Wassenaar Arrangement (06.03.2017)
https://edri.org/files/exportcontrols/letter_wassenaar_controllist_20170223.pdf

Rights organisations urge export control body to change control list (06.03.2017)
https://medium.com/@privacyint/rights-organisations-urge-export-control-body-to-change-control-list-997c209c6aa4#.j0a90vqco

06 Mar 2017

Are net neutrality and privacy Europe’s brilliant way of trumping destructionism?

By Joe McNamee

For the online economy to work, trust and competition are needed. Trust to drive take-up of services and competition to drive down prices and drive up innovation.

Privacy

The 2016 Eurobarometer (pdf) survey found that nearly 60% of individuals in the EU had avoided certain websites for privacy reasons, while 82% were in favour of restrictions on cookies. This shows how important clear privacy rules are for individuals and for trust in the online economy. The European Union has addressed this problem head-on, by proposing and adopting the General Data Protection Regulation (GDPR) and, more recently, proposing the e-Privacy Regulation.

Clear rules, with effective enforcement, generate trust and provide a harmonised market for companies serving individuals in Europe.

The US national telecoms regulator, the Federal Communications Commission (FCC), also saw the danger from the “wild west” of personal data exploitation online. The danger was illustrated when the National Telecommunications and Information Administration carried out a survey in 2016. This study found that – in the previous 12 months – 19% of internet-using households had suffered an online security breach, while 45% had refrained from an online activity due to privacy and security fears. Faced with this compelling evidence of the damage caused by lack of trust and security, the FCC tried to act in October 2016. It passed ground-breaking privacy rules (by 3 votes to 2) to protect broadband users and improve trust. However, it was not possible to enshrine the rules in law, meaning that the rules are contingent on the whims of the Commissioners. The appointment of a new FCC Chairman by the incoming president makes it almost certain that US citizens – and the US online economy – will be robbed of this essential protection… unless they use European services, of course.

Far from GDPR and e-Privacy being European protectionism, the US laissez-faire approach appears to be self-inflicted US destructionism.

Net neutrality

In 2013, the EU was faced with increasing evidence of internet access companies seeking to undermine innovation and competition online. It was faced with calls to legislate to protect discriminatory “specialised services” which would allow big online companies to sell “fast lane” to gain access to the customer base of big telecoms operators. Not only did the European Union not give in to this huge lobbying effort, it legislated in favour of rules that will prevent big telecoms operators from becoming a gatekeeper that stops the full internet being accessible to their customers. It legislated for openness and innovation with a binding EU-wide regulation.

The Federal Communications Commission saw the same danger as the European Union. However, it was not possible to enshrine net neutrality in law. All the FCC could do was to adapt its own implementation of its own rules and powers to defend the online environment from big telecoms operators, in a market that was already less competitive than the one in Europe. As a result, those rules are contingent on the whims of the Commissioners. The appointment of a new FCC Chairman by the incoming president makes it almost certain that US citizens and online businesses will be robbed of this essential protection.

Europe has legislated for open, innovative, better value online services. If the US abandons net neutrality and privacy, it will be opting for self-inflicted destructionism.

Only the EU could have adopted positive, exemplary legislation on this scale to protect individuals and businesses. And it did.

02 Mar 2017

Privacy Camp 2017 in video

By EDRi

On 24 January, the fifth annual Privacy Camp, co-organised by EDRi, Privacy Salon, Université Saint-Louis (USL-B) and the interdisciplinary Research Group on Law Science Technology & Society of the Vrije Universiteit Brussel (VUB-LSTS) took place in Brussels.

Did you miss our #PrivacyCamp17: Controlling data, controlling machines? Now you can watch all the sessions or relive some of the precious moments of insightful debates.

Community building workshop: Societal impacts of big data and the role of civil society
Moderator:
Rocco Bellanova, University of Amsterdam and USL-B
Speakers:
Hans Lammerant, VUB and BYTE
Diego Naranjo, EDRi
Estelle Massé, AccessNow
Christian D’Cunha, EDPS


Link: https://youtu.be/QpXaW5Rcbgc

Owning the web together: Peer production and sharing
Moderator:
Seda Gürses, KULeuven
Speakers:
Ela Kagel, Supermarkt
Shermin Voshmgir, BlockchainHub
Tim Jordan, University of Sussex


Link: https://www.youtube.com/watch?v=Z9Z9ewyhI0A&t=19s

Instant big data targeting: Programmatic ad tech & beyond
Moderator:
Anna Fielder, Privacy International
Speakers:
Jeff Chester, Center for Digital Democracy
Wolfie Christl, Cracked Labs
Frederik Borgesius, University of Amsterdam


Link: https://www.youtube.com/watch?v=ge0Q1hlhUpI

The Internet of Things, security, and privacy 
Moderator:
Sid Rao, Mozilla Advocacy Open Web Fellow at EDRi
Speakers:
Finn Myrstad, Norwegian Consumer Council
Katitza Rodriguez, Electronic Frontier Foundation
Andreas Krisch, EDRi and Forum Datenschutz
Fieke Jansen, Tactical Tech


Link: https://www.youtube.com/watch?v=f4VKJJUz2Yw

Surveillance tech export and human rights law
Moderator:
Lucie Krahulcova, AccessNow
Speakers:
Joshua Franco, Amnesty International and CAUSE
Renata Avila, World Wide Web Foundation and Courage Foundation
Walter van Holst, Vrijschrift
Ellen Desmet, UGent and HRI Network


Link: https://www.youtube.com/watch?v=hdDSoNYkOV4

Lightning talks:

Alexander Czadilek and Christof Tschohl, epicenter.works, Austria: Presentation of HEAT – Handbook for the Evaluation of Anti-Terrorism legislation


Link: https://www.youtube.com/watch?v=Xh_hG1iLBiQ&t=9s

Eva Lievens, Ghent University: Youth in the data deluge: How can the General Data Protection Regulation protect their privacy while fostering their autonomy


Link: https://www.youtube.com/watch?v=vJWbZFNKUZ0

Katarzyna Szymielewicz, Panoptykon, Poland: How to ensure a strong General Data Protection Regulation implementation


Link: https://www.youtube.com/watch?v=RnXVaK3cCvM

Kirsten Fiedler, EDRi: Presentation of Digital Defenders: privacy for kids comic booklet


Link: https://www.youtube.com/watch?v=DK9_mT51JJ4&t=3s

Arne Hintz, Cardiff University: Presentation of Data Justice Lab


Link: https://www.youtube.com/watch?v=BP0Rs-2m6vo

Theresia Reinhold: Presentation of documentary Information. What are they looking at?


Link: https://www.youtube.com/watch?v=7j3tBG60GPI&t=48s

Ali Lange, Center for Democracy & Technology, USA: The right to explainability


Link: https://www.youtube.com/watch?v=8r-ftqFuoJc&t=1s

02 Mar 2017

We’re looking for a policy intern!

By Kirsten Fiedler

EDRi is looking for an intern to support our advocacy team, located in Brussels. The internship will run from mid-March/beginning of April to mid-July 2017, and is paid 750,- EUR per month.

European Digital Rights (EDRi) is an international non-profit association of 31 digital civil rights organisations from across Europe. We defend and promote rights and freedoms in the digital environment, such as the right to privacy, freedom of expression, and access to information.

Join EDRi now and become a superhero for the defense of our rights and freedoms online!

Key tasks:

  • Research and analysis on a range of policy topics, such as surveillance and law enforcement, intermediary liability and freedom of expression, net neutrality, trade agreements, etc.;
  • Monitoring international, EU and national related policy developments;
  • Organising and participating in meetings and events;
  • Assisting with writing of the EDRi-gram newsletter;
  • Assisting with preparing draft reports, presentations and other internal and external documents;
  • Assisting with preparing communication tasks;
  • Development of public education materials.
  • Find out more about internships at EDRi

Qualifications:

  • A demonstrated interest in and enthusiasm for human rights and technology-related legal issues;
  • Excellent research and writing skills;
  • Fluent command of spoken and written English;
  • Computer literacy.

How to apply:

To apply please send a maximum one page cover letter and a maximum two page CV in English and as pdf (other formats – such as doc and docx – will not be accepted) to julien.bencze(at)edri.org

The closing date for applications is the 12 March. The interviews take place 13-15 March 2017, starting date is as soon as possible – 1 April at the latest.

02 Mar 2017

Civil society letter: Without reforms in US surveillance laws, the Privacy Shield must be suspended

By EDRi

A coalition of 17 global civil society organisations, including many EDRi members, wrote a letter to the European Commissioner for Justice and Consumers, Věra Jourová, to express the need for a reform of US surveillance laws. The coalition of civil rights groups claims that Europe must suspend the data-transfer arrangement (the EU-US Privacy Shield) unless the US Congress pushes forward a meaningful reform of the existing regulatory framework related to data protection and privacy.

Commissioner Jourová is planning to be in Washington DC in March in order to discuss the EU-US Privacy Shield. The civil society organisations behind this letter, including EDRi, ask her to have a strong position during her visit so she can ensure the protection of the rights of non-US persons including Europeans.

In the letter we argue that there is an urgent need for reform of US surveillance laws, especially of Section 702 of the FISA Amendments Act. This piece of legislation has been the basis for authorising warrantless surveillance programs like Upstream and Prism, as was revealed in the documents leaked by Edward Snowden. Although the current legislation expires in December 2017, the House Judiciary Committee has already begun negotiating an extension to it.

You can read the letter here: https://www.accessnow.org/cms/assets/uploads/2017/02/Section702CoalitionLetter1.pdf

Press release from Access Now:
https://www.accessnow.org/global-civil-society-groups-call-for-reform-of-us-surveillance-law-section-702/

28 Feb 2017

A positive step forward against the “censorship machine” in the Copyright Directive

By Joe McNamee

On 24 February 2017 the Rapporteur of the European Parliament (EP) Committee on Internal Market and Consumer Protection (IMCO), Catherine Stihler MEP, published her draft Opinion on the Copyright Directive. The Opinion sends a strong message against the most extremist parts of the European Commission’s proposal: the “censorship machine” (aka upload filter) proposal in Article 13 and the suggestion to expand the “ancillary copyright” (aka “link tax”), which failed so miserably in Germany and Spain, to every country of the EU.

Just how chaotic is the Commission’s proposal regarding upload filtering?

The “e-Commerce Directive” protects internet companies from liability for illegal behaviour of their users, in limited circumstances. This protects users, because it removes an incentive for internet companies to proactively police and delete content. The European Commission is trying to remove this protection, by redefining the companies that are covered by it.

Rather bizarrely, the European Commission tried to re-interpret liability protection rules, rather than actually legislating to change them. Even more bizarrely, the Commission tried to do this in an explanatory “recital”, while claiming that it is not changing the legal framework.

Ms Stihler proposes deleting two of the three paragraphs of that explanatory recital in the draft proposal of the Copyright Directive, while heavily editing the remaining text, to bring it into line with the e-Commerce Directive and requiring licensing arrangements to be reached, in appropriate situations.

In the main Article, she crucially removes the European Commission’s upload filtering obligation. However, the licensing arrangements that are proposed are somewhat unclear regarding their possible scope, adjudication processes and meaningful stakeholder involvement.

Does the draft Opinion fix the messy wording from the Commission?

The new explanatory recital aims at addressing what the Commission claimed to be addressing: an alleged missing income from intermediaries to rightsholders. Ms Stihler has opted to spell out that goal rather than replicating the European Commission’s elegant sophistry. Although she goes in the right direction, by deleting the worst of the text, more clarity is needed on how the proposed “fair and balanced licensing agreements” could (or even should) work in practice.

Expanding the failed experiment of “ancillary copyright”? Catherine Stihler says: No, thanks!

Contrary to what is proposed in Article 13 – re-wording to kill the worst parts and keep the alleged spirit of the proposal, as we explain below – Ms Stihler has taken a more direct approach to the other huge failure of the Commission’s proposal: ancillary copyright. Ms Stihler asks for the deletion of Article 11, basing her decision on the fact that this is unnecessary and that there are other ways to address the problems publishers are facing, such as strengthening enforcement, opting out of search engines and using tax incentives to promote journalism. We welcome this very sensible suggestion.

Compromise on Article 13? Academics say: No!

Ms Stihler has put a great deal of work into fixing the European Commission’s bewildering re-imagining of existing law and established jurisprudence of the Court of Justice of the European Union (CJEU) in Article 13 (amendments 62-65). First, she has gone to the root of the problem and removed the proposal for upload filtering rules, which is a huge step forward in the right direction. Second, her substitution of the words “access to large amounts” with “copyright protected” makes somewhat more sense, while her meaningful references to fundamental rights and the transparency of the proposed agreements are welcome. Third, it is also notable that in paragraph 2 (amendment 64) Ms Stihler tries to strengthen the (albeit still weak) redress mechanism.

After suggesting the deletion of the ancillary copyright proposal, Ms Stihler tries hard to find a meaningful compromise on the upload filter proposal. However, the Commission’s proposal is extremist, duplicitous and, ultimately, not worthy of further debate. Deletion is a more sensible approach. This suggestion has already been supported by leading copyright academics as the most reasonable outcome.

Thus, the next logical step is to give the Commission’s text on the upload filter the respect it deserves, and delete it completely.

Copyright reform: Document pool
https://edri.org/copyright-reform-document-pool/

The copyright reform: A guide for the perplexed (02.11.2016)
https://edri.org/copyright-reform-guide-for-the-perplexed/

IMCO Opinion on Copyright in the Digital Single Market: Things are looking better, but the devil is still in the details (24.02.2017)
http://copyright4creativity.eu/2017/02/24/imco-opinion-on-copyright-in-the-digital-single-market-things-are-looking-better-but-the-devil-is-still-in-the-details/

(Contribution by Joe McNamee and Diego Naranjo)

22 Feb 2017

Consultation on multilateral investment court misses the point

By Guest author

The European Commission has launched a consultation on establishing a multilateral investment court, which would serve as a permanent body to decide investment disputes. The court would replace controversial investor-to-state dispute settlement (ISDS) mechanisms in existing and future trade and investment treaties. It would interpret the substantive rules in these treaties, which provide a high level of legal protection for investors. This would leave states no or a very limited right to regulate, as regulation would always happen under the (real or perceived) threat of supranational litigation.

The issue at hand is that the consultation has a narrow scope with no regard to social impacts, including fundamental rights. Therefore it is crucial to react. The deadline for submitting comments on the questionnaire on options for a multilateral reform of investment dispute resolution is 15 March 2017.

The multilateral investment court proposal is based on an Inception Impact Assessment which presents various scenarios. Its baseline scenario – what would happen without EU policy changes – is just one sentence long and doesn’t expect the court to have social (or environmental) impacts. The baseline scenario ignores existing impacts, a huge expansion, through new treaties, of covered foreign direct investment, and a greater scope, as EU trade and investment treaties bring EU decisions under the scope of investment mechanisms. A more comprehensive baseline scenario would address growing social impacts.

Compared to ISDS, a multilateral investment court would bring institutional improvements. Such improvements, however, do not solve systemic issues with specialised and supranational adjudications, which create a high risk of expansive interpretations of investors’ rights. Specialised courts tend to interpret expansively and the supranational level lacks effective instruments to correct expansive interpretations.

A multilateral investment court would shift the balance between investments on the one hand and democracy and fundamental rights on the other. This undermines our values, ability to reform, and ability to respond to crises.

Foreign investors would be able to use a multilateral investment court to challenge EU data protection enforcement measures. This could apply to, for instance, the suspension of cross-border data flows or fines imposed by supervisory authorities on data controllers and data processors under the General Data Protection Regulation (GDPR). A multilateral investment court would also impede reform of “intellectual property” rights.

The Commission’s consultation seems designed to keep social (and environmental) impacts out of the consultation’s results. In light of the need to protect fundamental rights, the EU cannot ignore, legitimise, or perpetuate increasing impacts. With a baseline scenario showing growing impacts on fundamental rights, the Commission should work out scenarios which will decrease them.

General Data Protection Regulation: Document pool
https://edri.org/gdpr-document-pool/

Questionnaire on options for a multilateral reform of investment dispute resolution
http://trade.ec.europa.eu/consultations/index.cfm?consul_id=233

Multilateral investment court assessment obscures social and environmental impacts
https://blog.ffii.org/multilateral-investment-court-assessment-obscures-social-and-environmental-impacts/

Defend democracy: draft answers for new ISDS consultation
https://blog.ffii.org/defend-democracy-draft-answers-for-new-isds-consultation/

ENDitorial: EU Commission ISDS proposal – a threat to democracy
https://edri.org/enditorial-eu-commission-isds-proposal-threat-to-democracy/

(Contribution by EDRi member Vrijschrift, The Netherlands)

22 Feb 2017

The UK Digital Economy Bill: Threat to free speech and privacy

By Guest author

The Digital Economy Bill is being debated by the House of Lords in the United Kingdom. This is a far-reaching bill that covers a range of digital issues, including better broadband coverage across the UK. However, from the digital rights point of view, there are three main areas of concern.

Age verification:
The bill includes proposals to force porn sites to verify the age of their users with no requirements to protect their privacy. During the debate on 6 February 2017, the UK government said no privacy safeguards were necessary. In order to force foreign websites to comply with the proposals, the government has proposed that a regulator could instruct Internet Service Providers (ISPs) to block websites that fail to provide age verification. This could mean that thousands of websites containing legal content could be censored. These proposals have implications for privacy and free speech rights in the UK and EDRi member Open Rights Group (ORG) is campaigning to amend the bill.

Data sharing:
There are worrying proposals to make it easier to share data not only across government departments, but also with private companies. ORG has been involved in government discussions about these measures but the concerns raised have not been addressed in the bill. The main concerns are that the bill lacks sufficient privacy safeguards, ministers have too much power without scrutiny, data on births, deaths, and marriages can be shared without any restrictions other than those found in pieces of other legislation, and the codes of practice are not legally binding.

Copyright:
There are proposals to increase the maximum prison sentences for online copyright infringement to ten years – to bring it in line with offline infringement. ORG is concerned that the definition of the infringement is too broad and will catch large numbers of internet users. ORG is trying to amend the bill to ensure that such severe sentences are given to only those guilty of serious commercial infringement.

ORG has made a submission explaining the huge threat to free speech and why these proposals should be dropped. They launched a spoof recruitment campaign for Internet Censors to help classify the web for age verification. Over 23 000 people have signed a petition for rejecting the proposals.

ORG’s submission
https://www.openrightsgroup.org/ourwork/reports/written-evidence-to-house-of-commons-public-bill-committee-on-the-digital-economy-bill

Spoof recruitment campaign
https://www.newgovernmentjobs.co.uk

Petition about the proposals
https://www.newgovernmentjobs.co.uk/petition/say-no-to-censorship-of-legal-content/

(Contribution by Pam Cowburn, EDRi member Open Rights Group, the United Kingdom)

22 Feb 2017

New legal framework for predictive policing in Denmark

By Guest author

After the terrorist attack in Copenhagen in February 2015, the Danish government presented an action plan to strengthen the data analysis capacity of the police and the Danish Security and Intelligence Service (PET). The action plan, called “A Strong Guard against Terror”, specifically mentions monitoring of social media posts in order to discover possible terrorist attacks being planned.

Social media monitoring will involve massive processing of personal data about citizens who are not suspected of a crime. Under Danish law, PET already has wide powers to collect personal data for the purpose of prevention and prosecution of terrorist offences. For the ordinary police, the Danish Data Protection Act based on the Data Protection Directive currently applies, except that the police are generally exempted from the provisions on data subject rights and profiling. Specific rules for processing of personal data by the police are typically laid down in administrative orders pursuant to the Data Protection Act. This includes the Danish system for Automatic Number Plate Recognition (ANPR).

Together with the General Data Protection Regulation (GDPR), the European Union has recently adopted the Law Enforcement Data Protection (LEDP) Directive, which, when transposed into Danish national law, will apply to the ANPR system and other police data processing in connection with criminal investigations. Denmark must implement this directive by 1 May 2017 in order to secure an operational arrangement with Europol which Denmark would otherwise have to leave completely because of the Danish opt-out from the Justice and Home Affairs (JHA) area of the European Union.

In October 2016, the Danish newspaper Information reported that the Danish police and PET had purchased an intelligence-led policing platform from Palantir Technologies, a highly controversial company that specialises in big data analytics for private companies, military agencies, intelligence services and police authorities. Palantir was selected among three companies in a public tender. A summary of the requirements for the two intelligence systems (called PET-INTEL and POL-INTEL, respectively) is publicly available, and it mentions capabilities for accessing existing police and intelligence databases, information exchange with Europol, open source collection of new information, as well as algorithms for pattern recognition, hotspot analysis, and social network analysis. In short, the public tender document describes a system for predictive policing, which was subsequently confirmed by the Danish Minister of Justice when answering a written question from a Member of Parliament.

On 10 February 2017, the Danish Ministry of Justice presented a draft law for public consultation on amending the Police Act with new data analysis provisions. The main purpose of the draft law is to create a legal basis for processing personal data in the POL-INTEL system. The draft law uses the legal framework of the existing Data Protection Act as a reference, even though this act must be replaced by the Danish LEDP transposition before 1 May 2017. A complete LEDP implementation by 1 May 2017, which is a condition for continued Danish access to Europol databases, will require a lot of work by the Danish Parliament and the Legal Affairs Committee. It would seem prudent to complete the LEDP implementation first, but the Danish government ostensibly has different priorities.

The draft law provides a very general legal basis for combining existing police databases for information analysis in the POL-INTEL system, irrespective of the purpose limitations of these databases, and for collection and processing of information, including personal data, from open sources. The definition of open sources is very broad as it includes any information source which does not require a court order for evidence seizure or interception of electronic communications. The most obvious open data sources are information from the internet and surveillance in public spaces like ANPR, and perhaps facial recognition in the future. However, information that can be purchased from commercial vendors is also specifically mentioned as an open source. This means that the police can buy information on individual citizens from data brokers in Europe, or maybe even the United States, for predictive policing purposes in the POL-INTEL system.

The new powers are described in very broad terms, and according to the comments of the draft law, more specific provisions will be laid down in future administrative orders. Presumably, the administrative orders are also expected to provide the necessary data protection safeguards to ensure compliance with the LEDP Directive (when it applies in Denmark), and the rights to privacy and data protection under the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights. One of the safeguards mentioned in the comments of the draft law is that access to POL-INTEL will be restricted to specially authorised police officers, and that the use of POL-INTEL will be limited to necessary data analysis purposes, some of which can only use aggregated or non-personally identifiable data as output. This does not change the fact that POL-INTEL will become a huge database with potentially massive amounts of personal data on individual citizens.

For open source collection, the comments of the draft law claim that no new legal basis for data collection is created by the proposal. This is confusing and in conflict with other parts of the comments of the draft law. However, it could be the case that the draft law only particularises a legal basis for mass or targeted data collection from open sources that either exists in the current legislation or will be provided for in future legislation or administrative orders within the general data protection framework for law enforcement. A legal basis for the Danish ANPR system was created in this way, so there are certain precedents.

The issue of data subject rights is not mentioned in the comments of the draft law. Under the current Danish legal framework for law enforcement data processing, there is a complete exemption from the information requirements and the data subject rights to access, rectification and erasure. The LEDP Directive does not allow for such a blanket limitation of all data subject rights. Under the LEDP Directive, the specific limitations of data subject rights must constitute necessary and proportionate measures in a democratic society with due regard for the fundamental rights and legitimate interests of the persons concerned. It remains to be seen what implications this might have for the data processing in the POL-INTEL system and in particular the right of access for citizens.


EDRi-gram: Denmark about to implement a nationwide ANPR system (02.07.2014)
https://edri.org/denmark-implement-nationwide-anpr-system/

Declaration to minimise the negative effects of the Danish departure from Europol, following the referendum in Denmark on 3 December 2015 (15.12.2016)
http://europa.eu/rapid/press-release_IP-16-4398_en.htm

Denmark buys surveillance system for millions from NSA vendor, Information (only in Danish, 28.10.2016)
https://www.information.dk/indland/2016/10/danmark-koeber-overvaagningssystem-millioner-nsa-leverandoer

Public tender summary for PET-INTEL and POL-INTEL (only in Danish, 16.09.2015)
http://www.udbudsavisen.dk/Pages/Tenders/ShowTender?tenderid=26170

Draft law on amending the Police Act with data analysis provisions (only in Danish, 10.02.2017)
http://hoeringsportalen.dk/Hearing/Details/60330

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

22 Feb 2017

What does your browsing history say about you?

By Guest author

An average internet user visits dozens of websites and hundreds of web pages every day, most of which are kept in the history of their internet browser. But what if someone took this massive database of visited web pages and cross-referenced them? A collaboration between Tactical Tech and SHARE Lab researchers focused on discovering the intentions, desires, needs, and preferences of a person based on their browsing history.


A Swiss journalist, called Mr J for the purposes of the research, visited the Tactical Tech office in Berlin in June 2015 and provided them with a sample of his web history, upon which this research was based. By analysing large sets of web addresses (Uniform Resource Locators, or URLs), especially from popular services such as Google Maps, Google Search or YouTube, they were able to create a picture of Mr J’s everyday routine, including his interests and intentions, and even the apartments he rented via Airbnb while he was travelling abroad. Also, since Facebook has a “real-name policy”, it is quite easy to link a person’s web history to their profile, as well as to create a social graph of their Facebook friends and connections, based on the Facebook URLs they visited.

As the websites Mr J visits contain a lot of trackers, small bits of data used for collecting behavioural information about users, the experiment also showed which companies extract the most data on Mr J. Google, Facebook and Twitter were unsurprisingly among the companies with the largest number of trackers. It was also interesting to “read” sample web pages Mr J visited as a machine would. This is possible with Google’s Cloud Natural Language tool, which is attached to its deep learning platform and can be used to extract information about people, places, events, and much more, mentioned in text documents, news articles or blog posts. It recognised important events, names, and places based on keywords it picked up from web pages.

All these findings lead to the conclusion that if someone, such as private companies, the state, or law enforcement, were to employ these techniques on a large segment of the population and target people’s web history, it would be a frightening introduction to a project of “thought police”, arresting individuals suspected of committing a crime in the future.

SHARE Lab: Browsing Histories – Metadata Explorations
https://labs.rs/en/browsing-histories/

(Contribution by Bojan Perkov, EDRi observer SHARE Foundation, Serbia)
