We therefore call on EU policy makers:
• to oppose corporate lobbying and to prevent the erosion of privacy protections in the European Union,
• to set a high standard and ensure that EU data protection law sets a global standard for privacy;
• to ensure specific rights of individuals are being preserved, such as explicit consent to personal data processing, the right to access, rectification and certain rights to erasure that are in the existing European legal framework,
• to ensure basic principles that would help protect citizens against untargeted and disproportionate surveillance measures, such as data minimization, purpose limitation, limited storage periods and notification procedures,
• to ensure that personal data processed in the EU is not transferred to third country authorities without a determination that there are adequate privacy safeguards.
Microsoft's new Xbox One will ship with region-locks that divide the world; yours will only work if it connects to the DRM server from one of 21 selected countries. The countries include some, but not all, EU nations, which is almost certainly illegal under the EU's strict common market rules. Here's hoping that Redmond gets a punitive fine big enough to clobber the program and scare the shit out of any other company contemplating similar idiocy.
Notably this "region coding" splits up the EU - most countries are in but some are out - and it also excludes Poland, the development home of The Witcher game series, a title Microsoft touted in its E3 launch presentation. Yes, that's right, the developers of this Xbox launch title will not be able to play the game they developed. I generally find it wise to assume that Microsoft are not stupid, but whatever their plan is, it's eluding me here. Sony was quick to announce that its competitive product, the PS4, would not be region-locked.
MSFT to Region-Lock Xbox One on Launch [Alan Wexelblat/Copyfight]
European Broadcasting Union steps in to keep the Greek national broadcaster on the air after police shut it down
Yesterday, the Greek government forcibly shut down the state broadcaster, ERT, sending in the police to drag journalists away from their microphones. The government claimed that the shutdown was the result of inescapable austerity measures. In response, the European Broadcasting Union -- an umbrella group representing public broadcasters across Europe -- has set up a makeshift mobile studio where ERT broadcasters can continue to work and stay on air.
This is being fed around Europe on an EBU satellite as part of its European news exchange operation and can be picked up by commercial stations in Greece but not the general public.
A spokesman for the EBU, which is headquartered in Geneva, said a "high-level meeting with a conference call" with the director general of ERT would take place later on Wednesday to decide on next steps.
Roger Mosey, the BBC's editorial director, who is on the EBU board told the Guardian: "We're watching events in Greece with great concern. When countries are in difficulty, there's an even bigger need for public service broadcasting and for independent, impartial news coverage. I hope that's restored in Greece as soon as possible."
The EBU spokesman said ERT staff in contact with the organisation have told them the power has not yet been cut by the government, but email servers have been taken down. They are now contacting the EBU through smartphones, using Facebook and personal email accounts.
"This is unprecedented, stations have closed and re-opened for a number of reasons, but never with such abruptness," said a spokesman for the EBU.
ERT shutdown: European Broadcasting Union sets up makeshift studio [Lisa O'Carroll/The Guardian]
Proposed EU Data Protection amendment would open the door for secret funneling of Europeans' data to the NSA
Here's an important consideration for Europeans in light of the NSA dragnet surveillance revealed by the recent leaks: some of the amendments to the controversial new EU Data Protection Regulation would open the door to the secret transfer of EU citizens' private information to US intelligence agencies. The UK Liberal Democrat MEP Baroness Ludford has advocated amendments that do this. The Open Rights Group and principled UK LibDems are calling on the Baroness to withdraw her support for these amendments and support transparency and accountability in the handling of sensitive personal information of Europeans.
For instance, the Baroness is behind amendment number 1210.
This removes the right to know if your data might be transferred to a third country or international organisation. It does this by deleting the following bit of the proposed Regulation:
Article 14 – paragraph 1 – point g
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;
It hardly needs spelling out given the recent news about PRISM and state surveillance, but knowing which companies or countries your data might be moved to is likely to increasingly be a fundamental consideration for someone deciding whether to share personal data.
My latest Guardian column is "Data protection in the EU: the certainty of uncertainty," a look at the absurdity of having privacy rules that describe some data-sets as "anonymous" and others as "pseudonymous," while computer scientists in the real world are happily re-identifying "anonymous" data-sets with techniques that grow more sophisticated every day. The EU is being lobbied as never before on its new data protection rules, mostly by US IT giants, and the new rules have huge loopholes for "anonymous" and "pseudonymous" data that are violently disconnected from the best modern computer science theories. Either the people proposing these categories don't really care about privacy, or they don't know enough about it to be making up the rules -- either way, it's a bad scene.
Since the mid-noughties, de-anonymising has become a kind of full-contact sport for computer scientists, who keep blowing anonymisation schemes out of the water with clever re-identifying tricks. A recent paper in Nature Scientific Reports showed how the "anonymised" data from a European phone company (likely one in Belgium) could be re-identified with 95% accuracy, given only four points of data about each person (with only two data-points, more than half the users in the set could be re-identified).
Some will say this doesn't matter. They'll say that privacy is dead, or irrelevant, or unimportant. If you agree, remember this: the reason anonymisation and pseudonymisation are being contemplated in the General Data Protection Regulation is because its authors say that privacy is important, and worth preserving. They are talking about anonymising data-sets because they believe that anonymisation will protect privacy – and that means that they're saying, implicitly, privacy is worth preserving. If that's policy's goal, then the policy should pursue it in ways that conform to reality as we understand it.
Indeed, the whole premise of "Big Data" is at odds with the idea that data can be anonymised. After all, Big Data promises that with very large data-sets, subtle relationships can be teased out. In the world of re-identifying, they talk about "sparse data" approaches to de-anonymisation. Though most of your personal traits are shared with many others, there are some things about you that are less commonly represented in the set – maybe the confluence of your reading habits and your address; maybe your city of birth in combination with your choice of cars.
(Estimated 40,000 people cross the Bosphorus Bridge to join the protests/OccupyGeziPics)
Taksim Gezi Park in Istanbul is alive with protest at this moment. The action began on May 28, when environmentalists protested plans to remove the park and replace it with a mall, and were met with a brutal police crackdown. Since then thousands have taken to the streets in Istanbul and other Turkish cities (though there's a media blackout on the protests, and poor Internet penetration in Turkey, which means the news is slow to reach other parts of the country).
The Dutch MEP Marietje Schaake has a fantastic, must-read essay on the problem with "cyber-war." She lays out the case for securing the Internet (and the world of people and systems that rely on it) through fixing vulnerabilities and making computers and networks as secure and robust as possible, rather than relying on weaknesses in security as vectors for attacking adversaries.
Mass surveillance, mass censorship, tracking and tracing systems, as well as hacking tools and vulnerabilities can be used to harm people as well as our own security in Europe. Though overregulation of the internet should never be a goal in and of itself, regulation of this dark sector is much needed to align our values and interests in a digital and hyper-connected world. There are many European examples. FinFisher software, made by UK’s Gamma Group was used in Egypt while the EU condemned human rights violations by the Mubarak regime. Its spread to 25 countries is a reminder that proliferation of digital arms is inevitable.
Vupen is perhaps best labelled as an anti-security company in France that sells software vulnerabilities to governments, police forces and others who want to use them to build (malicious) software that allows infiltrating in people’s or government’s computers.
It is unclear which governments are operating on this unregulated market, but it is clear that the risk of creating a Pandora’s box is huge if nothing is done to regulate this trade by adopting reporting obligations. US government has stated that American made, lawful intercept technologies, have come back as a boomerang when they were used against US interests by actors in third countries. Other companies, such as Area Spa from Italy designed a monitoring centre, and had people on the ground in Syria helping the Assad government succeed in anti-democratic or even criminal behaviour by helping the crackdown against peaceful dissidents and demonstrators.
It's just not good policy to make the people who are supposed to be securing our computers dependent on insecurity in computers to achieve that end.
Peter "brokep" Sunde -- who co-founded The Pirate Bay and founded Flattr, a system for allowing fans to directly pay the artists they love -- is standing for the European Parliament in Finland on behalf of the Finnish Pirate Party. Sunde was raised in Sweden, but has Finnish roots, and is able to run there. His platform sounds like an admirable and sensible one, and my personal experience of him is that he's a good, thoughtful and honorable person. If I were in Finland, he'd have my vote:
“Non-commercial file sharing should of course become legal and protected, and must re-think copyright all together. Copyright is not the thing that makes ARTISTS money, it’s only for their brokers and distributors,” Sunde says.
“I’d rather see us sponsor culture by pushing more money to music education, and facilities for your people to create music. It would be much more sane for cultural advancement than extending copyrights.”
If elected Sunde hopes to be aggressive rather than defensive. This means not just responding to threats to Internet freedom, such as ACTA, but ensuring that this type of legislation doesn’t even make it onto the political agenda in the first place.
“I think there’s a huge possibility for us to impact the EU and I would like to be part of it,” Sunde says.
The Pirates are delighted to have the Pirate Bay founder on board. Harri Kivistö, chairman of the Finnish Pirate Party, says that Sunde’s candidacy will raise the visibility of the party during the upcoming election. Perhaps more importantly, his values fit well within the Pirate Party movement.
Pirate Bay Co-Founder to Run For European Parliament [Ernesto/TorrentFreak]
A brief list of misused English terminology in EU publications [PDF] is a fascinating look at the dialect of English that is emerging out of the EU bureaucracy, in which odd bureaucratic language has to be translated from and to many languages. It's a good window into concepts that are common in one nation's bureaucratic tradition, but not others':
Explanation: the most common meaning of ‘dispose of’ is ‘to get rid of’ or ‘to throw away’; it never means ‘to have’, ‘to possess’ or ‘to have in one’s possession’. Thus, the sentence ‘The managing authority disposes of the data regarding participants.’ does not mean that it has them available; on the contrary, it means that it throws them away or deletes them. Similarly, the sentence below does not mean: ‘the Commission might not have independent sources of information’, it means that the Commission is not permitted to discard the sources that it has.
Example: ‘The Commission may not be able to assess the reliability of the data provided by Member States and may not dispose of independent information sources (see paragraph 39).’
As Bruce Sterling says, "I would not expect 'Brussels English' to get any closer to grammatically correct British English; on the contrary I would expect it in future to drift into areas of machine translation jargon, since that’s a lot cheaper than hiring human translators who are as skilled as the author of this document."
When I myself was a protesting student, I vividly remember the cold warning in the text by Pier Paolo Pasolini. He reminded us youngsters that the police we faced in the streets were also someone's children, that not all young people were fortunate enough to be in colleges rather than wearing uniforms, and that we should join all together against the general oppressor, the system, capitalism, the corporations, name it…
That was then, and this is now, and while the students and policemen still have the same interests, they are still on the opposite sides of the barricade. Austerity has driven Italy to its knees. Day by day the future of Italy's young people is vaporizing, and now the streets are flooded by torrential rains, to boot. Italian cities rocked by earthquakes might as well settle for witchcraft, rather than find responsible and competent government officials who can rescue the nation's casualties.
EU working group produces the stupidest set of proposed Internet rules in the entire history of the human race
An EU working group that's been charged with coming up with recommendations for a terrorist-free European Internet has been brainstorming the stupidest goddamned ideas you've ever read, which are now widely visible, thanks to a leaked memo. The group, CleanIT, which is composed of cops, governments, and some NGOs from across Europe, has been given €400,000 to make its recommendations, and a document dated August 2012 sets out some of the group's thinking to date. As mentioned, it's pretty amazingly bad. Like, infra-stupid, containing strains of stupidity so low and awful they can't be perceived with unaided human apparatus. Here's Ars Technica's summary of the ideas in the memo:
* "Knowingly providing hyperlinks on websites to terrorist content must be defined by law as illegal just like the terrorist content itself"
* "Governments must disseminate lists of illegal, terrorist websites"
* "The Council Regulation (EC) No 881/2002 of 27 May 2002 (art 1.2) should be explained that providing Internet services is included in providing economics instruments to Al Qaeda (and other terrorist persons and organisations designated by the EU) and therefore an illegal act"
* "On Voice over IP services it must be possible to flag users for terrorist activity."
* "Internet companies must allow only real, common names."
* "Social media companies must allow only real pictures of users."
* "At the European level a browser or operating system based reporting button must be developed."
* "Governments will start drafting legislation that will make offering... a system [to monitor Internet activity] to Internet users obligatory for browser or operating systems...as a condition of selling their products in this country or the European Union."
Ars Technica's Cyrus Farivar tracked down a CleanIT spokesman on his home planet. But Klaasen is the programme manager of the office of the Dutch national coordinator for counterterrorism and security*, and he is really upset that we can read this stupid, stupid document full of recommendations that would be illegal in European law. He also can't believe that European Digital Rights, the NGO that published the leaked stupid, stupid document, didn't honor the confidentiality notice on the stupid, stupid cover-page.
* Update: Cyrus sez, "Klaasen has corrected his title calling himself now the 'programme manager of the office of the Dutch national coordinator for counterterrorism and security'. Here's his LinkedIn page. He's referred to as the 'project manager,' which as far as I can tell, makes him in charge of the whole thing."
"I do fully understand that the publishing of the document led to misunderstandings," he told Ars. "If we publish like this, it will scare people—that’s the reason that we didn’t publish it. It’s food for thought. We do realize these are very rough ideas."
..."You can compare [this situation] to taking pictures of what someone buys for dinner with how a dinner tastes—you don’t have the complete picture," he added.
..."We really didn’t expect that people would publish a document that clearly says ‘not for publication’—that really surprised us," he said. "I don’t know if it’s naive. Why can’t I trust people?" [Ed: Oh, diddums]