EDRI-gram - Number 5.15, 1 August 2007

EDRI's contributions to the RFID Expert Group

(This article is also available in German)

The RFID Expert Group, created by the European Commission to assist in drafting the future RFID strategy, has held several meetings so far. European Digital Rights Initiative (EDRI) submitted two papers to this group, on RFID Privacy and on RFID Security, in order to stress that the reliable protection of privacy and personal data is a key issue for the acceptance of this technology.

The first paper, on RFID Privacy issues, was EDRI's contribution to the RFID Expert Group meeting of 10 July 2007. It focused on the data protection and privacy issues of RFID applications, and also suggested a classification scheme for RFID applications based on data protection and user control.

The first part of the paper explains that enhanced data protection is essential: the widespread use of RFID applications and the collection of data will increase dramatically, and it will become more and more difficult for the affected persons to understand and keep track of all these applications and the data they collect.

"Therefore it is of special importance to strengthen the data protection authorities and to enable them to protect the legitimate rights of the data subjects effectively," underlined Andreas Krisch, the EDRI representative in the RFID Expert Group.

He explained that in order to "achieve the users' trust in RFID applications, two provisions are required: effective tools that support the users in protecting their personal data and privacy, and information on the systematic context of these systems."

EDRI also suggests a classification of RFID applications based on two criteria: the user control criterion, which defines to what extent the affected person is able to access, correct or delete the information stored about her or him (three categories: user-informed, user-accessible and user-controlled applications), and the data-protection criterion, which defines the extent to which other applications are able to use the information stored on a tag (three categories: data-protected, data-shared and data-unprotected RFID applications). An assessment of barriers and threats, especially with regard to privacy and security, needs to be made on a case-by-case basis.

The second paper, on RFID Security issues, explains that dealing with security and RFID means "to deal not only with security aspects of RFID systems but also with security aspects of anything or anyone affected by RFID systems."

Krisch underlined that RFID security needs to "start at the very basis of the technology. Information on the tags has to be stored in a secure way. Communication protocols have to ensure secure communication. Information Systems have to use state of the art data protection mechanisms." At the same time he pointed out that a second very important issue was ensuring the proper quality of the stored information, and that it was therefore important "to implement means to verify who provides, alters, controls or is responsible for a given set of data."

Other experts from the group have publicly shared their concerns and opinions. BEUC (the European Consumers' Organisation) and ANEC (the European Consumer Voice in Standardisation) published on 12 July 2007 a joint position on the next steps to be envisaged in an RFID policy framework. The comments, entitled "Consumers' scenarios for a RFID policy", stress that consumers need confidence in order to fully embrace RFID technology, and suggest several measures to be implemented. The measures start with the consumers' rights to know and to choose, and continue with actions in the domains of the regulatory framework, privacy and security, health and environment, and standardisation.

The European Parliament's Scientific Technology Options Assessment group (STOA) has also recently published a comprehensive study evaluating the use of RFID technology by European Union citizens. The report considers it difficult to predict the impact, due to the lack of maturity of the systems and the lack of general awareness of the technology among citizens. It also sees as a major challenge the need to reconsider the "privacy guidelines and the concepts of personal data and informational self-determination" in the light of an increasingly interactive environment.

RFID Privacy Issues (10.07.2007)
http://www.edri.org/docs/EDRi_RFID_Privacy_Issues_published.pdf

RFID Security Issues (07.2007)
http://www.edri.org/docs/EDRi_RFID_Security_Issues.pdf

RFID and Identity Management in Everyday Life - Striking the balance between convenience, choice and control (07.2007)
http://www.europarl.europa.eu/stoa/publications/studies/stoa182_en.pdf

Consumers' scenarios for a RFID policy - Joint ANEC/BEUC Comments on the Communication on Radio Frequency Identification (RFID) in Europe: steps towards a policy framework (12.07.2007)
http://www.anec.org/attachments/ANEC-ICT-2007-G-059.pdf

EDRI-gram: RFID Expert Group - Kick Off (6.06.2007)
http://www.edri.org/edrigram/number5.11/rfid-workgroup

ECJ's Advocate General says no to handing over traffic information in civil cases

(This article is also available in German)

In her opinion on case C-275/06 (Productores de Música de España Promusicae vs. Telefónica de España SAU), the advisor to the European Court of Justice (ECJ), Advocate General Juliane Kokott, considered that, according to EU law, ISPs are not obliged to reveal personal data in civil litigation cases.

In this case, the Spanish music association Promusicae asked the ISP Telefonica to hand over the names and addresses of subscribers who had allegedly distributed copyrighted songs via the p2p software Kazaa. Telefonica refused, considering that it could do so only in a criminal investigation or in matters of public security and national defence. A Madrid court asked the ECJ for an interpretation of EU law on this matter.

Thus the following question was brought up in case C-275/06: "Does Community law (...) permit Member States to limit the duty of operators of electronic communications networks and services, providers of telecommunications network access and providers of data storage services to retain and make available connection and traffic information generated during the supply of an information society service to where it is required in connection with a criminal investigation or the need to protect public safety and national defence, thus excluding civil proceedings?"

The answer suggested by Advocate General Juliane Kokott was published on 18 July 2007. Her conclusion was that a Member State's exclusion of civil copyright infringement cases from those in which personal data from Internet traffic must be disclosed is compatible with EU law.

The opinion of the Advocate General is not binding on the Court. The Advocate General's role is to propose to the Court, in complete independence, a legal solution to the cases for which he or she is responsible. The ECJ will decide this case later this year.

Conclusions of the Advocate General Ms. Juliane Kokott - Case C 275/06 (18.07.2007)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:62006C0275...

EU Court Backs ISPs on User Privacy (20.07.2007)
http://www.businessweek.com/globalbiz/content/jul2007/gb20070720_37216...

A German court held Skype responsible for having failed to meet GPL terms

(This article is also available in German)

Following a complaint filed by gpl-violations.org, which holds the copyright for parts of the Linux kernel, the Munich District Court found Skype in infringement of the terms of the GNU General Public Licence (GPL).

Skype offered the SMC WSKP100 VoIP telephone, produced by the Spanish manufacturer SMC Networks and running Linux, without including the source code and the GPL licence text. Later, the manufacturer added a supplementary leaflet to the product referring to the use of GPL software and containing URLs for source code downloads, but this was not considered sufficient. The court declared that the information was not concrete enough and that making the source code available on the Internet was sufficient only for software that is also sold over the Internet. The court held Skype responsible, considering that, after becoming aware of the violation, it should have checked compliance with the law.

Till Jaeger of the Institute for Legal Issues of Free and Open Source Software (IfrOSS), who represented the plaintiff in court, considers there were two important aspects in the court decision: first, that the GPL terms have to be strictly followed, and second, that a German court found a foreign vendor guilty of having violated GPL conditions.

The non-profit project gpl-violations.org tries to bring commercial users and vendors of Free Software into compliance with the licence conditions set by the original authors.

"The main focus of the gpl-violations.org project is to fix problems vendors have with shipping products that contain GNU GPL code," stated an engineer at the gpl-violations.org project. "We want to work with vendors to implement long-term solutions to compliance issues. It is our wish to ensure everyone operates according to the same terms and rules, as decided by the authors of the code in question."

The decision was welcomed by the Free Software Foundation Europe (FSFE). "Adhering to the terms of the GNU GPL is not difficult, and this case re-emphasises the importance of doing so," said Shane Coughlan, Freedom Task Force coordinator at FSFE.

FSFE's Freedom Task Force also offers professional consultancy services for businesses using Free Software in their products. "One of the purposes of the FTF is to help companies avoid costly mistakes. Where the FTF can help people, we will. If we don't have the answers in-house we will help guide people to the external information or expertise they need. The one thing I would like to stress is that businesses should not and cannot ignore these issues," said Shane Coughlan.

According to Mr. Jaeger, a legal action against SMC Networks is pending, with the trial scheduled for November 2007.

Skype has not yet commented on the ruling, which it can appeal.

Skype found guilty of violating the terms of the GPL (26.07.07)
http://www.heise.de/english/newsticker/news/93381

FSFE offers to help companies adhere to Free Software licence terms (27.07.2007)
http://mail.fsfeurope.org/pipermail/press-release/2007q3/000182.html

Czech government accepts the new PNR agreement with reservations

(This article is also available in German)

On 18 July 2007, the Czech government approved, with significant reservations, the new PNR agreement prepared by the European Commission with the US Department of Homeland Security (DHS).

During the short period of consultation among the Czech authorities and politicians on the new agreement, the Czech Data Protection Authority stated that the current proposal lowered the level of protection of personal data. However, the Czech Data Protection Authority did not clearly oppose the new agreement.

Following the lobbying activities of EDRI-member Iuridicum Remedium, Green Party MP Katerina Jacques took up the position of the privacy activists and pushed for stricter and more binding assurances to protect citizens' data in relation to the new agreement. Responding to this opposition, the Czech Ministry of Foreign Affairs adopted the following position: "The Czech Republic will keep the reservation that would allow the National Parliament of the Czech Republic to scrutinize thoroughly the text of the Agreement with a special attention to guarantees of the appropriate level of Personal Data Protection of the EU Citizens."

The Minister of Foreign Affairs, Karel Schwarzenberg, will present the unilateral Czech declaration on the agreement at the next session of GAERC; the same declaration was presented by the Czech deputy at the session of COREPER II on 19 July 2007.

Czech Government Declaration to the US-EU PNR Agreement (19.07.2007)
http://www.edri.org/docs/CZ_Declaration_PNR.pdf

PNR - Wrong agreement succeeded so far (in Czech only, 20.07.2007)
http://www.slidilove.cz/kampane/pnr.html

EDRI-gram: PNR deal ratification postponed by the Czech Senate (9.05.2007)
http://www.edri.org/edrigram/number5.9/pnr-czech-republic

Observatory on the exchange of data on passengers (PNR) with USA
http://www.statewatch.org/pnrobservatory.htm

(Thanks to Marek Tichy - EDRI-member Iuridicum Remedium, Czech Republic)

Data retention for one year for UK telecom companies

(This article is also available in German)

The transposition into UK law of most of the EU Data Retention Directive (2006/24/EC) was approved on 24 July 2007 by the House of Lords and signed the next day by the Home Secretary.

The approval followed a period of public consultation launched by a paper published by the Home Office in March 2007.

As a result of the public consultation, the law applies only to telecom companies, which will have to preserve phone call logs for one year; it does not apply to Internet traffic data such as emails, web browsing or VoIP phone calls.

The new law is meant to provide the security services with a reliable log of mobile and fixed phone calls that they can use in investigations; it covers only the records of the calls' occurrence and not their content. It is also intended to ensure an even approach across the industry.

During the consultation period, the telecom industry considered that the collection of Internet data was too complicated to be included in the current rules, the ISP Association stating that "the draft regulations as they stand would not enable implementation of the internet aspects of the Directive".

According to the conclusions of the consultation, the implementation of the Regulations was inappropriate for Internet data due to "particular technical and resourcing issues" such as "increased difficulties in replicating the 'end to end' picture of communications data, the difference in the cost profile for storage and retrieval of Internet communications and the need for a strong business case, if the retention period for IP data is set at 12 months."

The Regulations will come into force on 1 October 2007. Although data retention does not yet apply to Internet traffic data in the UK, it may in the future: the EU Directive allows the member states to postpone the implementation of the rules for Internet data until 15 March 2009.

Data retention law passed in UK (27.07.2007)
http://www.out-law.com//default.aspx?page=8332

Draft Statutory Instrument 2007 No. The Data Retention (EC Directive) Regulations 2007
http://www.opsi.gov.uk/si/si2007/draft/20077449.htm

The Initial Transposition of Directive 2006/24/EC Government Responses to the Consultation (June 2007)
http://www.homeoffice.gov.uk/documents/consult-cover-europe-direct/con...

A consultation paper, - The initial transposition of Directive 2006/24/EC
http://www.homeoffice.gov.uk/documents/consult-cover-europe-direct/con...

EDPS - Data Protection Directive should be fully implemented

(This article is also available in German)

The European Data Protection Supervisor (EDPS), Peter Hustinx, issued on 25 July 2007 an opinion on the European Commission's communication on the improved implementation of the EC Data Protection Directive (95/46/EC), considering that the Directive should not be amended and asking for its full implementation before any changes are made.

The EDPS' opinion is that specific actions are needed in the short term to ensure the full implementation of the Directive, pending the Reform Treaty that will make the Charter of Fundamental Rights legally binding, "thus offering the citizens better data protection".

The opinion also states that "In the longer term, changes of the Directive seem unavoidable, while keeping its core principles" and that "A clear date for a review to prepare proposals leading to such changes should already be set now. Such a date would give a clear incentive to start the thinking about future changes already now."

Hustinx recalls the dynamic context in which the Directive operates, with constant changes in the EU as well as in the information society: "... the free flow of information between the Member States - and between the Member States and third countries - has become more important and will become an even more important reality. ... The information society is evolving and has more and more characteristics of a surveillance society. This implies an increasing need for effective protection of personal data to deal with these new realities in a fully satisfactory way."

Among the short-term actions that the EDPS considers necessary for a full implementation of the Directive are an efficient use of infringement procedures, the promotion of best practices, and non-binding measures such as self-regulation, "privacy by design" and privacy seals.

He also sees that long-term measures will be needed to address issues such as interoperability or the wider use of biometric data.

The EDPS also considers that the amount of stored data should be limited to the needs of law enforcement and that access to content data should not be made possible. Proper safeguards should be in place to prevent non-authorised people from accessing the stored data, together with adequate technical measures for the security of the data. In his opinion, the subjects of the stored data should be able to exercise their rights, and data protection authorities should be enabled to supervise effectively.

Press release - Data protection directive: EDPS wants full implementation before considering changes to the framework (25.07.2007)
http://edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS...

Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive (25.07.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...

Search engines dealing with privacy standards

(This article is also available in German)

Google has recently announced a change in its privacy policies, reducing its cookie lifetime to just two years, but experts warn this is more a PR move than a substantial one. Other search engines have, however, started discussing their privacy issues.

A post on the Google blog announced on 16 July 2007 that, following consultations with privacy experts and user feedback, the major search engine would significantly shorten the lifetime of its cookies, a major change from the initial policy, which kept cookies as long as possible, until the year 2038. Peter Fleischer, Global Privacy Counsel at Google, confirmed that they "will start issuing our users cookies that will be set to auto-expire after 2 years, while auto-renewing the cookies of active users during this time period. In other words, users who do not return to Google will have their cookies auto-expire after 2 years." He also explained that this is part of the plan "to continue innovating in the area of privacy to protect our users."

Although the move was appreciated by privacy experts, it was pointed out that the value of the cookie data beyond the two-year period is very low. Regular visitors of Google will not benefit from the new policy, since the cookie's expiry is reset to its maximum period every time the user accesses the search engine.
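As an added illustration, not part of the original article and not Google's code, the following Python model simulates the sliding-expiration cookie policy described above: a cookie that lapses two years after the last visit but is renewed on every visit, compared with a cookie carrying one fixed expiry date. The 730-day lifetime, the visit histories and the 2038 date used for the fixed-expiry comparison are constructed assumptions; the model measures how long a single cookie identifier can link one user's visits under each policy.

```python
from datetime import datetime, timedelta

# Constructed assumption: the "2 years" of the announcement modelled as 730 days.
COOKIE_LIFETIME_DAYS = 730


def _as_datetime(value):
    """Accept either a datetime or an ISO date string such as "2007-07-16"."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def regular_visits(start, every_days, count):
    """Constructed visit history: `count` visits, `every_days` apart, from `start`."""
    first = _as_datetime(start)
    return [first + timedelta(days=every_days * i) for i in range(count)]


def simulate_cookie(visits, lifetime_days=COOKIE_LIFETIME_DAYS, fixed_expiry=None):
    """Model how long one cookie identifier links a user's visits.

    Sliding policy (fixed_expiry is None): every visit resets the expiry to
    visit + lifetime_days, as in the auto-renew policy described above.
    Fixed policy (fixed_expiry given): the cookie keeps one absolute expiry
    date regardless of activity, as in the earlier until-2038 policy.

    A visit at or after the current expiry means the browser has already
    discarded the cookie, so the server issues a fresh identifier.

    Returns a dict with the number of identifiers issued and the longest
    period (in days) during which a single identifier could link activity.
    """
    visits = sorted(_as_datetime(v) for v in visits)
    lifetime = timedelta(days=lifetime_days)
    fixed = _as_datetime(fixed_expiry) if fixed_expiry else None

    identifiers_issued = 0
    longest_link = timedelta(0)
    issued_at = expiry = None

    for visit in visits:
        if expiry is None or visit >= expiry:
            # The previous identifier (if any) has lapsed: close its window.
            if expiry is not None:
                longest_link = max(longest_link, expiry - issued_at)
            identifiers_issued += 1
            issued_at = visit
        # Sliding policy: an active user keeps pushing the expiry forward.
        expiry = fixed if fixed else visit + lifetime

    if expiry is not None:
        longest_link = max(longest_link, expiry - issued_at)

    return {"identifiers_issued": identifiers_issued,
            "longest_link_days": longest_link.days}


if __name__ == "__main__":
    # Inactive user: one visit in July 2007, never returns -> lapses after 730 days.
    print(simulate_cookie(["2007-07-16"]))
    # Regular visitor: every six months for ten years -> one identifier throughout.
    print(simulate_cookie(regular_visits("2007-07-16", 180, 20)))
    # Same single visit under the earlier policy with a fixed expiry in 2038.
    print(simulate_cookie(["2007-07-16"], fixed_expiry="2038-01-01"))
```

For the regular visitor the linking window grows with every visit and never closes, which is the point made above: the shorter lifetime only changes anything for users who stay away for two full years.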

Michael Zimmer explains: "My hunch is that the brilliant data-mining minds at Google recognize that if someone hasn't searched on Google in two years, their past history probably isn't a good indicator of their current needs. So, if linking to two-year-old data isn't all that valuable, they might as well just dump the cookie altogether. It doesn't harm their data-mining needs - and it's good PR." He also suggests a next step by removing "any record associated with that cookie from their internal databases."

The German Working Group on Data Retention also questions the data protection standards applied by Google, which breach European law. In an open letter sent on 25 July 2007, the Working Group warned that Google's blanket retention of users' Internet Protocol addresses allows every mouse click and every search made by a user to be tracked for months. Patrick Breyer, the legal expert of the NGO, underlines: "The anonymisation of personally identifiable data after '18 to 24 months' as announced by Google is entirely inadequate. According to German and European law the systematic retention of personally identifiable data on all users is prohibited." The German group also asked Google to consider "opening anonymous gateways to your services such as the Google search engine."

All four major search engines - Google, Microsoft, Yahoo and Ask - have started to discuss their data protection policies openly, probably also in reaction to Privacy International's (PI) Privacy Ranking of Internet Service Companies. Yahoo stated that it would delete IP addresses and cookies after 13 months. Microsoft made a similar statement for search data, after 18 months. Ask went further and said it was creating a tool called AskEraser that would let people decide what data is gathered about them on every search.

Ask and Microsoft also released a joint statement asking search companies to create common standards in this field. "People should be able to search and surf online without having to navigate a complicated patchwork of privacy policies," said Peter Cullen, Microsoft's chief privacy strategist.

Cookies: expiring sooner to improve privacy (16.07.2007)
http://googleblog.blogspot.com/2007/07/cookies-expiring-sooner-to-impr...

Google's Cookie to have 2 Year Expiration (Because it is of little value after that time) (16.07.2007)
http://michaelzimmer.org/2007/07/16/googles-cookie-to-have-2-year-expi...

Search sites tackle privacy fears (23.07.2007)
http://news.bbc.co.uk/2/hi/technology/6911527.stm

Internet users criticize Google's data greed and call for anonymous services (25.07.2007)
http://www.vorratsdatenspeicherung.de/content/view/128/79/lang,en/

UK Government rejects the extension of the copyright term for performers

(This article is also available in German)

To the big disappointment of the music industry, the UK Government refused to promote, at the EU level, an extension of the present 50-year copyright term for performers.

Under EU rules, the copyright period for songwriters and their families covers their entire lives plus 70 years, while performers and their producers benefit from a 50-year copyright period starting from the recording date.

The UK Government considers that the majority of performers would not benefit from the extension, as most of them "have contractual relationship requiring their royalties be paid back to the record label." It also stated that such an extension would lead to increased costs for the industry and for consumers.

The government relied on a study of intellectual property rights in the UK carried out in December 2006 by Andrew Gowers. The report recommended against a previous request for copyright term extension, considering that the UK did not suffer from a deficit in creativity due to its shorter copyright term as compared to the USA.

The Gowers report included a diagram showing that an increased term would not necessarily be the best way of supporting artists. Few records generate royalties after 50 years, and the chart shows that a more effective method could be the re-evaluation of recording contracts in favour of artists.

But John Kennedy, the head of IFPI (International Federation of the Phonographic Industry), complained: "Some of the greatest works of British music will soon be taken away from the artists who performed them and the companies that invested in them. Extending copyright term would promote vital investment in young talent and new music, all of which will help to secure the UK's future as an exciting music market."

UK rejects push for longer copyright in the EU (25.07.2007)
http://euobserver.com/9/24534/?rk=1

UK rejects music copyright extension (24.07.2007)
http://www.reuters.com/article/internetNews/idUSL2442476820070724

The UK Says No to Over 50 Year Music Copyright (24.07.2007)
http://www.techcrunch.com/2007/07/24/the-uk-says-no-to-over-50-year-mu...

EDRI-gram: Copyright extension term rejected by EU commissioned report (17.01.2007)
http://www.edri.org/edrigram/number5.1/copyright_term

Prague will anonymise RFID city cards

(This article is also available in German)

The Prague Deputy Mayor announced that, following pressure from EDRI-member Iuridicum Remedium and the interpellation of city parliament member Petra Kolinska (Green Party), the city authorities have decided that the RFID chips in newly issued city cards will no longer contain personal data.

This move is a reaction to the press conference Iuridicum Remedium held on 12 June 2007. At the press conference, cryptologist Tomás Rosa demonstrated that the first and last name as well as the date of birth of the owner of a newly issued city card can easily be read by any unauthorised person from a distance of a dozen centimetres, even when the card is carried in a purse or pocket. The NGO asked the city authorities to stop the city card project immediately or at least to delete personal information from the chips.

A multipurpose city card (named Open Card) containing an RFID chip has been distributed to Prague citizens since the beginning of this year. City authorities claim that citizens will be able to use the card to pay for parking, in the city library, as a ticket on public transport and as an electronic signature for communication with the Town Hall. The city of Prague has already invested more than 100 million crowns (approx. 3.2 million Euro) in the new Open Card and wants to distribute the first series of 50 000 cards to citizens by autumn.

Municipality accommodated requests of data protection group (only in Czech, 28.07.2007)
http://www.slidilove.cz/node/182

Open letter of Iuridicum Remedium to the municipality of Prague on Open Card (only in Czech, 15.06.2007)
http://www.iure.org/616260

Universal card of Prague citizens represents risk for data protection (only in Czech, 11.06.2007)
http://www.blisty.cz/2007/6/12/art34799.html

Nomination for Big Brother Awards: Card of Prague's municipality (only in Czech, 12.06.2007)
http://ihned.cz/3-21375720-karta+pra%9Eana-000000_d-ce

(Contribution by Filip Pospisil - EDRI-member Iuridicum Remedium - Czech Republic)

Recommended Reading

(This article is also available in German)

Implications of Internet regulation on media freedom in the OSCE region are the focus of a report presented by Miklos Haraszti, the Organization's Representative on Freedom of the Media. The publication offers case studies from different parts of the OSCE region on how governments, civil society and the telecommunications industry can co-operate in their approaches to Internet governance.
http://www.osce.org/item/25756.html

Agenda

(This article is also available in German)

8-12 August 2007, near Berlin, Germany
Chaos Communication Camp 2007 "In Fairy Dust We Trust!"
http://events.ccc.de/camp/2007/

5-11 September 2007, Linz, Austria
Ars Electronica Festival - Festival for Art, Technology and Society
http://www.aec.at/en/festival2007/index.asp

21 September 2007, Amsterdam, Netherlands
Bits of Freedom organizes the 5th Dutch Big Brother Awards. Nominations can be sent to info at bigbrotherawards.nl until the end of August.
http://www.bigbrotherawards.nl/

22 September 2007, Berlin, Germany
Protest march against excessive surveillance
http://www.FreiheitstattAngst.de

25 September 2007, Montreal, Canada
Civil Society Workshop: Privacy Rights In A World Under Surveillance. A one-day workshop organized by the International Civil Liberties Monitoring Group (ICLMG) in cooperation with Canadian and international civil rights and privacy organizations ahead of the 29th International Conference of Data Protection and Privacy Commissioners in Montreal.
http://www.thepublicvoice.org/events/montreal07/default.html

25-28 September 2007, Montreal, Canada
29th International Conference of Data Protection and Privacy Commissioners
http://www.privacyconference2007.gc.ca/Terra_Incognita_home_E.html

3 October 2007, Ottawa, Canada
Participative Web Forum
http://www.oecd.org/futureinternet/participativeweb

11 November 2007, Rio de Janeiro, Brazil
GigaNet'07 - Global Internet Governance Academic Network 2nd Annual Symposium. Deadline for submissions: 1 August 2007
http://www.igloo.org/giganet

12-15 November 2007, Rio de Janeiro, Brazil
The Government of Brazil will host the second Internet Governance Forum meeting.
http://www.intgovforum.org/
http://cgi.br/igf/