=================================================================
Global Internet Liberty Campaign News Alert - 1 March 1999
[1] EU Committee of Ministers Releases Privacy Recommendations
[2] New Russian Internet Surveillance Proposal Expands Government
Powers
[3] Privacy Debate Continues as Intel's Pentium Processor Slated
for Release
[4] UK Demon Libel Case May Find ISP Liable for Stored Content
[5] Domain 'COM.AU' Arbitrarily Removed
[6] Coalition of US Groups Call for Legislative Action on
Privacy Violations
[7] Convicted as Chinese Subversive, Lin Hai Gets Cyber-Speech
Freedom Award
[8] UK Closed Circuit Cameras Surpass 1 Million
[9] GILC Members Comment on UK Crypto Plans
[10] Access and Anonymity severely punished by French Court
[11] About the Global Internet Liberty Campaign
============================================================
[1] Council of Europe Committee Releases Privacy
Recommendations
============================================================
The Council of Europe's Committee of Ministers last week released a
set of recommendations on the protection of privacy on the Internet
that caution users against privacy violations and encourage the use
of anonymity, encryption and other privacy enhancing techniques.
In addition the guidelines reiterate the EU Privacy Directive
stating that the "laws of numerous European countries forbid
transfers to countries which do not ensure an adequate or equivalent
level of protection to that of your country." However, the
guidelines also state that exceptions to the prohibition allow for
exchange with entities where the parties agree to protect
information via contract or where users consent to a transfer of
information to regions that do not observe strict privacy
protections.
The guidelines also address protection of individuals with regard to
the collection and processing of personal data on information
highways stating that "technological development and the
generalization of collection and processing of personal data on
information highways carries risks for the privacy of natural
persons."
"[T]echnological development also makes it possible to contribute
towards the respect of fundamental rights and freedoms, and in
particular the right to privacy, when personal data concerning
natural persons are processed," the preamble to the Guidelines
states, adding that there is a need to permit anonymity of people
online so that confidential information may be exchanged in a manner
"respecting the rights and freedoms of others and the values of a
democratic society."
The guidelines set out principles of fair privacy practice for users
and Internet service providers (ISP), they also set out
responsibilities for users as well, stating that the use of online
communications are not secure, adding, "[t]herefore, use all
available means to protect your data and communications, such as
legally available encryption for confidential e-mail, as well as
access codes to your own personal computer."
They further caution the public that use of the Internet may lead to
profiling to avoid being electronically tracked and profiled, the
public should "use the latest technical means which include the
possibility of being informed every time you leave traces, and to
reject such traces. You may also ask for information about the
privacy policy of different programmes and sites and give preference
to those which record few data or which can be accessed in an
anonymous way."
The guidelines also spell out basic issues, such as not giving out
personal information to anyone but an ISP and cautioning users to be
conservative with credit or other financial information.
For Internet service providers the guidelines state that users
should be informed of privacy risks when they subscribe, including
"data integrity, confidentiality, the security of the network or
other risks to privacy such as the hidden collection or recording of
data."
Other suggestions include: informing users about technical measures
they can use to enhance their privacy; accessing the Internet
anonymously, and using its services and paying for them in an
anonymous way (for example, pre-paid access cards). The guidelines
also caution ISPs to only interfere with communications of
subscribers or provide information about users to third parties when
required by law.
The guidelines state that data may not be used for "promotional or
marketing purposes unless the person concerned, after having been
informed, has not objected or, in the case of processing of traffic
data or sensitive data, he or she has given his or her explicit
consent." Moreover, they state that ISPs are required for ensuring
proper use of all data and providing clear privacy policies.
The guidelines are available online at:
http://www.coe.fr/cm/ta/rec/1999/99r5.htm
==========================================================
[2] Russian Internet Surveillance Proposal Expands Govt
Snooping
==========================================================
Surreptitious monitoring of Russian's use of the Internet by its
Federal Security Service or FSB may soon become a reality, the St.
Petersburg Times reports.
According to the reports, "the only thing standing between the FSB
and unlimited access to Internet correspondence is a little matter
of who picks up the check for the necessary technology. If the FSB
has its way, a regulation currently pending approval in the federal
justice ministry will soon have the service providers themselves
paying for the very upgrades that will leave their clients
vulnerable to unchecked and unwelcome surveillance."
Russia already permits the FSB to monitor transmissions of ISP
subscribers when they have a warrant under a regulation called SORM,
which stands for the system of technical means ensuring
investigative action, states that the "actual technical requirements
should be observed for each individual subscriber regardless of the
type of his connection to the DTC networks (individual or
collective)." Full text of SORM is available online at
<http://feast.fe.msk.ru/libertarium/sorm/sormdocengl.html>.
SORM requires service providers to make available all information
about users habits, including the telephone number used for access
to the Internet, network addresses used for reception or
transmission of information, all real time information transmitted
to the users.
The latest proposal, SORM 2, will give the FSB further authority to
gain surreptitious access without a warrant, the St. Petersberg
Times reports. ISPs complain that the new plan not only pose a
huge financial cost on them while eliminating any privacy of
individual communications, but will also make government spying on
commercial activities commonplace.
Critics of the plan have blasted the plan saying that there has been
no evidence to support the claim that such intrusive techniques are
necessary or justifiable.
The St. Petersberg Times quotes Boris Pustinsev, chairman of the St.
Petersberg group Citizens' Watch as saying: "I'm sorry to say that
they will probably only be successful at going broke."
"[I]f 51 percent of St. Petersburg providers unite and fight the
FSB, they will be successful. And we'll stand behind them and
broadcast this throughout the world. The FSB can't close them all
down -- that would be a scandal of international proportions, and
Russia can't have that right now."
===========================================================
[3] Privacy Debate Continues as Intel's Pentium Processor
Slated for Release
===========================================================
Cyber-Rights & Cyber-Liberties (UK) (a GILC member) has published a
report on the controversial Intel PIII Processor Serial Number
Feature, which advocates have criticized as compromising user
privacy.
The report written by Dr. Brian Gladman, Technology Policy Adviser
to Cyber-Rights & Cyber-Liberties (UK) criticizes Intel for
introducing security features on the new Intel PIII chip without
adequate or timely public consultation.
"CR&CL(UK) does not have any doubts about Intel's desire to improve
security for its customers. We are, however, surprised to be faced
with a 'fait accompli' on such an important issue. We are also
surprised to be put in this position by a company that has a global
influence on the safety, the security and the privacy of millions of
consumers," the report states.
"Serial numbering of chips, under the owner's control, could offer
some useful benefits. But it could also be helpful to repressive
regimes in taking action against dissidents who use the Internet to
promote democracy and human rights causes," Nicholas Bohm,
E-Commerce Policy Adviser to CR&CL(UK) stated.
Privacy experts across the Atlantic have also said that while
inclusion of the unique serial number in the new Intel Pentium III
chips does not violate US privacy laws, they have charged that the
chips may raise legal issues elsewhere. For example, advocates point
out that under the European Union Data Protection Directive
(Directive 95/46/EC) which has more stringent legal privacy
protections there may be some problems where companies use
information stored on the chip without proper notice of what
information they will be collecting from users or how.
For example, under article 6(1)(b) of the directive, personal data
must be "collected for specified, explicit and legitimate purposes
and not further processed in a way incompatible with those
purposes."
Similarly, under the article 10, a data processor must provide a
data subject with notice of the identity of the processor, purposes
of the processing, and who receives the data.
The new processor was slated for release February 26 and will make
it possible for a user's online uses to be tracked via the chip.
The potential for such monitoring has raised serious concern that
companies will abuse such information and make anonymous online uses
impossible.
Meanwhile GILC members including the Electronic Privacy Information
Center and Privacy International are continuing a boycott of the new
Pentium chip. After meeting with Intel officials for two hours on
January 28, the organizers of the boycott determined that a software
patch that would allegedly permit users to "turn off" the chip
announced by Intel is not sufficient to eliminate the privacy
problems of the PSN.
The organizers called on Intel to disable the PSN in their
production of the Pentium III and to recall all existing Pentium III
chips. The boycott will be extended to any PC manufacturer that
ships a Pentium III system with the PSN included.
In addition to the boycott, EPIC has filed a series of Freedom of
Information Act (FOIA) requests to federal agencies requesting
documentation of any role the government may have played in
persuading Intel Corporation to include a Processor Serial Number
(PSN) in each of its Pentium III chips (see EPIC Alert 6.02). The
requests were submitted to more than a dozen agencies, including the
Federal Bureau of Investigation, the National Security Agency, the
Central Intelligence Agency, the Department of Commerce and various
Pentagon components.
Government involvement in the Intel PSN decision would not be
unprecedented, according to EPIC. FOIA requests filed by EPIC in
1993 revealed that the Justice Department pressured AT&T to install
the controversial Clipper Chip in the company's secure telephone
unit, rather than a DES chip that did not provide law enforcement
with "spare key" access to encrypted communications. The Department
also assured AT&T that it would purchase a substantial number of the
wiretap-friendly devices; DOJ ended up buying 10,000 Clipper phones,
with only a handful purchased by other buyers.
According to EPIC, as a major purchaser of desktop computers, the
federal government could have similar influence with respect to
hardware features like the PSN. Law enforcement agencies -- most
notably the FBI -- have expressed a strong interest in encouraging
the development of technical means to identify Internet users and
limit the ability to communicate anonymously. The PSN has been
widely criticized as a potentially invasive tool that would
significantly damage online privacy.
According to a recent report, Intel had guaranteed that users would
have full control as to whether to allow the read-out of the serial
number. This proved wrong when Andreas Stiller, the processor
expert of c't magazine, figured out a procedure to switch on the
command for reading-out the serial number by software. An Intel
spokesperson confirmed the use of such a procedure to re-activate
the serial numbers.
Finally, GILC member the Center for Democracy and Technology (CDT)
has filed a formal complain the US Federal Trade Commission alleging
that the Intel processor violates US law and should be withdrawn
from the market.
The text of this report is available at :
http://www.heise.de/ct/english/99/05/news1/
More information on the Pentium III and the PSN is available at:
http://www.bigbrotherinside.com/
The CR&CL(UK) report is available online at:
<http://www.cyber-rights.org/reports/intel-rep.htm>
Information regarding the CDT complaint can be found at
http://www.cdt.org
===========================================================
[4] UK Demon Libel Case May Find ISP Liable for Stored
Content
===========================================================
In what many free speech advocates are saying will be a precedent
setting decision, a UK high court last week heard a case against a
leading Internet Service Provider (ISP), Demon Internet, calling for
the ISP to be held liable for information stored on its servers and
created by third parties.
The suit was brought by Laurence Godfrey, a physicist who has
brought nearly a dozen defamation suits involving online speech in
recent years, and is based on a message posted to a newsgroup in
1997 that appeared to be from Godfrey but that he claims was forged.
Godfrey's suit against the ISP claimed that the message damaged his
reputation even though the message was allegedly posted by a user.
Earlier in the case, a judge heard an argument that the ISP should
not be permitted to raise an "innocent dissemination" defense under
the 1996 Defamation Act that would have shield it from liability for
third party conduct if it took reasonable care to prevent such
conduct, according to news reports by Wired news. Godfrey argued
that Demon could not rely on the "innocent dissemination" defense
because the ISP had been informed three times of the offending
message but refused to delete it from the newsgroup.
Daniel Lloyd, legal adviser to Internet Freedom (a GILC member)
called Godfrey's suit against Demon "a worrying incursion on free
speech" in an interview with Wired.
"An ISP is no different than a newsstand or a newspaper," he said.
"If Demon loses the case, it will place an impossible burden on all
ISPs to monitor the content of Internet material."
Other GILC members also predicted that the decision may have a
chilling effect on online speech and the continued existence of many
newsgroups in the wake of such liability for third party conduct.
"The only way an ISP can control whether there is illegal material
on its news server is not to have a news server," Carol Avedon of
Feminists Against Censorship (a GILC member) said.
In 1997, in a similar US case, Zeran v. America Online, a court
upheld the application of ISP protection against conduct of third
parties or subscribers where damaging messages were posted and
appeared to be from the plaintiff. In addition, the court refused
to find that the ISP was not shielded even though the plaintiff
argued that they had not immediately removed the damaging content
after it was discovered.
===========================================================
[5] Domain 'COM.AU' Arbitrarily Removed
===========================================================
Electronic Frontiers Australia, a GILC member, condemned Internet
Names Australia (INA), administrator of the com.au domain, for
arbitrarily deregistering domain names that comply with INA's
published policy, this week.
"Domain names are absolutely central to an online presence", said
EFA Board member Irene Graham. "Deregistration of domains at the
whim of INA creates serious uncertainties for Australian
businesses."
An Australian business recently registered the domain "fuck.com.au",
an abbreviation of the business name "Futurechicks". Three weeks
after approving the domain name, INA deregistered the domain on the
ground that approval was granted in error and the name is
'unacceptable'. The domain name complies with INA's published
policy.
"INA obviously seeks to be part of the 'respectable' establishment
by suppressing naughty words, albeit retrospectively.", said Graham.
"However, INA has demonstrated that it is out of touch with
prevailing community standards. The word "fuck" is not illegal in
Australia. It is permitted, for example, in films and videos that
Australian children may legally view without parental supervision,
in accord with classification guidelines established under
Australian censorship laws."
"INA must comply with its published policy and reinstate the
domain", said Graham. "Failure to do so sends a message to all
Australian businesses that receipt of approval of a domain name from
INA is worthless. At any moment, INA is likely to retract approval."
"While INA ignores its own published guidelines, and prevailing
community standards, it is quite probable that they will next decide
that fk.com.au, currently held by a firm of solicitors, is
phonetically unacceptable, or claim that bhp.com.au means something
unacceptable in a Central Australian language."
"INA's attempts to sanitise the Web are misguided. Web sites with
addresses such as anyname.com.au/fuck and email addresses such as
fuck@anyname.com.au are trivial to create and outside the control of
INA. INA's prohibition of the domain name fuck.com.au is completely
ineffective in protecting anyone from coarse language."
A South Australian business, Hydrocorp Pty Ltd, has engaged
technology lawyers K. Heitman & Co to appeal INA's ruling.
"No-one will find this site through search engines without typing
the word "fuck" first. It is a word printed in the Macquarie
Dictionary, and the domain name drew up to a thousand visitors per
day. The site did not contain illegal content, and earned money from
advertising." said Hydrocorp's lawyer Kimberley Heitman.
This is not the first time INA has tried to impose censorship of
Internet addresses. The band TISM was refused the domain name
wanker.com.au, and had to buy the domain name wanker.com from
America instead.
===========================================================
[6] Coalition of US Groups Call for Legislative Action
on Privacy Problems
===========================================================
A broad range of US groups, which includes several members of GILC
such as the Electronic Electronic Frontier Foundation, American
Civil Liberties Union, Center for Democracy and Technology,
Electronic Privacy Information Center, in addition to conservative
groups has begun calling on Congress to conduct hearings on abuse of
private citizen's personally identifiable information through the
use of federal databases.
The groups sent a letter to key legislators last week, stating:
"We are concerned about proposals that the federal government use
database information, initially gathered for one purpose, for
completely unrelated purposes, without the consent of the person to
whom the data relates. Uses and content of many of the databases
authorized by Congress, despite privacy objections, are being
expanded without Congressional or public debate."
"[T]he proliferation of massive federal databases with virtually no
safeguards amounts to a piecemeal erosion of the American people's
privacy and undermines our civil liberties. It seems that an
enormous amount of personal information is being shared with an
increasing number of un-elected bureaucrats without congressional
oversight."
The coalition letter was sent on the eve of a disturbing disclosure
by media organizations that the US Secret Service has provided
millions of dollars to a private database firm that collects and
disseminates photographs of citizens from state motor vehicle
records as well as other personal information.
According to a 1997 letter about one data company, Image Data,
written by eight members of Congress and quoted in the Washington
Post, "[t]he TrueID technology has widespread potential to reduce
crime in the credit and checking fields, in airports to reduce the
chances of terrorism, and in immigration and naturalization to
verify proper identity." The letter also defended the use of such
databases by government stating, "[t]he Secret Service can provide
technical assistance and assess the effectiveness of this new
technology."
The release of the information about Image Data's support by
government agencies has heated up the already intense debate over
government use and sale of information about individuals that lead
to the coalition letter and a series of lawsuits in states seeking
to halt the sale of driver's license information.
The full letter is available online at:
<http://www.epic.org/privacy/databases/joint_letter_2_99.html>
For more information about the Secret Service funding of private
databases, see: U.S. Helped Fund License Photo Database, by Robert
O'Harrow Jr. and Liz Leyden Washington Post, February 18, 1999; Page
A1, online at:
http://www.washingtonpost.com/wp-srv/business/daily/feb99/privacy18.htm
===========================================================
[7] Convicted as Chinese Subversive, Lin Hai Gets Cyber-Speech Freedom Award
===========================================================
U.S.-based Webcasters Coalition for Free Speech announced last week
that it is conferring its Freedom of Cyber-Speech Award to
Shanghai-based computer engineer, Lin Hai for defying an official
crackdown on Internet use, Reuters reports.
Lin represents the struggle for freedom for Internet users all over
the world, said the Information Center of Human Rights and
Democratic Movement in China.
In January a Shanghai court sentenced Lin to two years in jail for
"subversion" by providing e-mail addresses to a U.S.-based dissident
publication.
Earlier this year, members of the Global Internet Liberty Campaign,
launched an online effort to free Lin and Physicist and dissident,
Wang Youcai, who was also sentenced in December to 11 years in
prison for trying to organize a peaceful opposition party in China
and sending e-mail messages to dissidents in the U.S.
Meanwhile, the Beijing Public Security Bureau and two other
government agencies have promulgated regulations for Internet cafes,
which have grown in popularity across China. According to recent
press reports, one of the regulations prohibits "activities
endangering national security" at the cafes.
To send an e-mail letter of protest to the Chinese government and
media, visit the Digital Freedom Network at:
<http://www.dfn.org/Alerts/freesci/freesci.html>
===========================================================
[8] New Echelon Story on Growing EU Surveillance Plan Online
===========================================================
A new article on ENFOPOL 98 Rev 2 which uncovers further information
concerning the growth of EU-wide surveillance plans is now available
online. The report, was prepared after the meeting of EU Justice &
Interior ministers on December 3, 1998 and alleges that ministers
agreed on the surveillance proposals of joint secret ECU police.
According to the report ENFOPOL 98 Rev 2 either has passed the EU
council already or will do so within the next few weeks. The report
is available at:
<http://www.telepolis.de/tp/deutsch/inhalt/te/1921/1.html>
===========================================================
[9] GILC Members Comment on UK Crypto Plans
===========================================================
In a memorandum by members of the Global Internet Liberty Campaign
to the House of Commons Trade and Industry Committee last month,
the groups call for unrestricted use of encryption and dropping
plans for key escrow.
The memo states that while there have been indications that the (UK)
"Secure Electronic Commerce Bill will contain provisions that will
allow government access to encrypted communications and documents,
such a plan will compromise privacy; will not enhance detection of
crime; will increase opportunities for crime; and will hinder or
halt the development of online commerce."
The memo reiterates that experts have stated repeatedly shown that
any cryptography system in which a third party has the ability to
view the original communication is inherently insecure and that any
plans for such a system be abandoned.
"Encryption has a long tradition in military defence. However,
encryption technologies are increasingly integrated into commercial
systems and applications and the exclusive character of encryption
belongs to the past. Any prohibition or limitation of the use of
encryption will not only have a terrible effect on online computer
security - a national security issue itself - and electronic
commerce, but will also directly affect the right to privacy," it
states.
The memo also points out that the latest UK Encryption Proposals are
in contrast with recent global initiatives:
- The government's encryption proposals are in clear contrast
with the recent policy change in France with the French government
announcing that it will remove all controls over the domestic use of
encryption.
- The proposals are also in contrast with the European
Commission's Communication paper titled "Towards A European
Framework for Digital Signatures And Encryption". In contrast to the
UK initiatives, and despite years of US attempts to push the
"government access to keys" idea overseas, this paper finds key
escrow and key recovery systems to be inefficient and ineffective.
The EU communication stated that "the European Union simply cannot
afford a divided regulatory landscape in a field so vital for the
economy and society."
The memo also points out that GILC Members have repeatedly urged
national governments not to adopt controls on cryptography
technology on several occasions. In 1998, GILC released
"Cryptography and Liberty: An International Survey of Encryption
Policy" which showed that most countries in the world do not have
controls on the use of cryptography. The GILC report concluded that
recent trends in cryptography policy suggest greater liberalisation
in the use of this technology, which was originally controlled
during the Cold War for reasons of national security.
For the full text of the GILC memo and links to further resources:
<http://www.gilc.org/crypto/uk/gilc-dti-statement-298.html>
============================================================
[10] Access and Anonymity Severely Punished by French Court
============================================================
A French court ordered the manager of an internet server to remove a
group of photographs from one of his 40,000 hosted websites.
Lacambre registered and managed domain names and had set up a server
named Altern that offered free Web Sites. Nineteen photographs of
the famous model Estelle Hallyday in a state of undress appeared on
an anonymous website on his server. Hallyday sued Lacambre for
violations of privacy.
On June 9, 1998, according to Meryem Marzouki of civil liberties
group IRIS, GILC member, a court ordered Lacambre to remove the
Hallyday photos but stopped short of making any judgment about his
liability. The court did set a dangerous precedent, though, by
forcing him "to put in place means that would render impossible any
diffusion of the photgraphic images." In other words, as Marzouki
says, he would have "to check each day, each hour, each minute, all
his 40,000 hosted website, looking for Estelle Hallyday
photographs."
Lacambre appealed the decision on the basis that the guarantee was
impossible to achieve. On February 10, a court found that he could
be held responsible for the violation of privacy because the Web
site was anonymous.
Lacambre's case has been much publicized by IRIS, April (Association
for the Promotion and research of Free Information) and many other
political and cultural supporters. 198,000 organizations and many
individuals have signed a petition supporting him and saying that he
should be able to continue to manage his server. Supporters believe
that the court's decision was politically motivated, as also
reflected by the high restitution figure. "There are plenty of
precedents for digging up publishing infractions as a weapon of
political censorship." "Activist Christine Treguier lays out the
political battle as follows: 'Now that France has released
cryptography and big business can start up, they (the authorities,
the multinationals, the private businesses) want to clean the yard.
Move away, you dirty, chaotic internauts.'"
More information online at
<http://www.oreilly.con/~andyo/ar/anonymity_snare.html>
==========================================================
ABOUT THE GILC NEWS ALERT:
==========================================================
The GILC News Alert is the newsletter of the Global Internet Liberty
Campaign, an international coalition of organizations working to
protect and enhance online civil liberties and human rights.
Organizations are invited to join GILC by contacting us at
gilc@gilc.org. To alert members about threats to cyber liberties,
please contact members from your country or send a message to the
general GILC address.
To submit information about upcoming events, new activist tools and
news stories, contact: GILC Coordinator, American Civil Liberties
Union 125 Broad Street 17th Floor, New York, New York 10004 USA.
email: gilc-edit@aclu.org
More information about GILC members and news is available at
<http://www.gilc.org/>. You may re-print or redistribute the GILC
NEWS ALERT freely. To subscribe to the alert, please send an mail
to gilc-announce@gilc.org with the following message in the body:
subscribe gilc-announce
========================================================
PUBLICATION OF THIS NEWSLETTER IS MADE POSSIBLE BY A
GRANT FROM THE OPEN SOCIETY INSTITUTE (OSI)
========================================================
----------------------------------
Send mail for the 'huridocs-tech' list to 'huridocs-tech@hrea.org'.
Mail administrative request to 'majordomo@hrea.org'.
For additional assistance, send mail to: 'owner-huridocs-tech@hrea.org'.
Archives of previous messages posted to the list can be found at:
http://www.human-rights.net/huridocs-tech.
[Reply to this message] [Start a new topic] [Date Index] [Thread Index] [Author Index] [Subject Index] [List Home Page] [HREA Home Page]