Thursday, May 20, 2004

FIPR, Privacy International, Stand, Liberty, the Liberal Democrats and several other groups have launched a campaign to stop national identity cards in the UK. Their slogans (you need pithy slogans for a campaign these days):

An ID scheme won't stop terrorists

An ID scheme will not control illegal immigration

An ID scheme won't enable you to have anything you do not already have

An ID scheme will cost billions in taxpayers' money and achieve nothing

An ID scheme will mean your most intimate details will be controlled by the government forever

An ID scheme will cost everyone £75 every year

More power to their elbow.
The OECD working party on information security and privacy have published their report about biometrics. It's 66 pages and not bedtime reading unless you suffer from insomnia or have a really serious interest in biometrics and their possible implications. But it is worth pointing to their conclusion:

"The extent to which we are willing to incorporate statutory and policy and technological controls into these systems and technologies will determine the extent to which they will improve our quality of life; providing convenience and security or conversely, the extent to which they threaten our liberty and freedom via actual or potential surveillance and control."

In other words, as with the deployment of all complex technologies, the devil is in the detail and it is time policy makers, like David Blunkett for example, started getting real about the detail.
EFF news: The EFF have supplied an amicus brief in the lawsuit against California Secretary of State Kevin Shelley for decertifying specific electronic voting machines. The brief says the state can have secure electronic voting with an auditable paper trail by November and the presidential election.

There's quite a good editorial in the NYT about electronic voting. Extract:

"In an age when consumers expect to be offered a receipt every time they use an A.T.M. or buy gasoline, it is hard to believe that there is opposition to paper records for electronic voting. But the opposition has been strong. Many local election officials and voting machine companies are fighting paper trails, in part because they will create more work and will raise difficult questions if the paper and electronic tallies do not match. Officials in places that have invested heavily in electronic machines that do not produce a paper trail, like Florida and Georgia, have been particularly vehement.

As many computer scientists have explained, voters cannot trust electronic machines that do not produce voter-verifiable records. If New York throws its weight behind California, Ohio and several other states to require them, the odds are good that such records will become the national standard and that even states like Florida will have to retrofit their machines to produce them. It is too late for New York to lead the movement for reliable electronic voting, but if it acts in the next few weeks, it can still be an important part of the solution."




Digital Media News For Europe reports
"Rotterdam-based website Dvdstream.nl is using the Dutch copyright law that permits the copying of films or music for private consumption, to lawfully provide unlimited film-downloads."
I expect to hear more about this.
Sharman Networks have been back in court in Australia, saying nobody has provided hard evidence of copyright infringement on Kazaa.
John Lettice continues to warm to his theme on ID cards over at the Register.

"Regular readers
will recall that Home Secretary David Blunkett justifies the ID card scheme on the basis
that most of the cost is money we'd have to spend anyway, because we need to upgrade
our passports to meet US and ICAO (International Civil Aviation Organisation)
standards...

...when David Blunkett tells us that what he is
proposing is necessitated almost entirely by the new passport regime, he is simply (as
we've pointed out before) not telling the truth. ICAO's requirements are for a biometric
machine-readable passport, with the face as the primary biometric, and ICAO is entirely
silent on the subject of vast interlocking National Identity Register databases - if you want
to implement one of these, that's up to you, it's not compulsory. Similarly, the US wants
visitors' passports to be ICAO standard, which is only reasonable, given that the ICAO
standard seems to have been devised more or less in accordance with State Department
wishes. Once you've done that the US will happily (we fear, very happily) collect personal
information on the bearers all by itself - you don't have to do anything, and you never
know, they might even share some of it with you.

The biometric passport system the US intends to use simply seems to be an addition of
the necessary machine readable capabilities to the existing system. Passport applications,
including photograph, will still be accepted via mail, and the picture will then be encoded,
added to the database and put onto the chip that goes in the passport. As you may note,
a picture is in these terms a biometric, while a camera is a biometric reader, which they
are. But don't noise it around, or you'll screw the revenues of an awful lot of snake-oil
salesmen."

It's worth repeating those last sentences: As you may note, a picture is in these terms a biometric, while a camera is a biometric reader, which they are. But don't noise it around, or you'll screw the revenues of an awful lot of snake-oil salesmen.

Keep up the good work, John.
James Heald of FFII tells me:

"First indications are that the Irish presidency has secured political
approval for a new draft of the controversial software patents directive
in a meeting of the Council of Ministers today -- by 4 votes.


Belgium (5), Denmark (3), Italy (10), Spain (8) and Austria (4) refused
to support the new text.

Estonia (3) voted against.

That made 33 votes refusing to support the text -- a mere 4 votes short
of the 37 needed to block it.


The support of Germany, with 10 votes, was crucial.

The Irish were only able to get their proposal through with the support
of Germany, which had previously been pressing for much tighter
restrictions.

It is believed that an amendment was found to satisfy German concerns,
but the details are still emerging."

So Germany voted for, in spite of previous speculation. And James later corrected this slightly to say Estonia voted for and Spain actively voted against the proposal. ZDNet have a report on the vote.

Ian Brown at FIPR is asking for support on the issue of the EU software patents directive, which the Irish presidency of the EU is currently trying to push through. Incidentally, Bertie Ahern's interest in software patents, it seems, may stem from a little (just a little) bit more than his 'pass as many EU laws as you can' stance to the presidency. I understand that Microsoft are sponsoring the Irish presidency, not that I'm implying that such sponsorship is anything other than above board and purely public spirited, of course.

Ian writes:

The UK government position has been set for some time as generally pro the original Commission proposal. The best thing to do now if you are
concerned about the directive is:

(a) Sign the EuroLinux petition:
http://petition.eurolinux.org/index_html?LANG=en

(b) Write to your MP (see http://www.ffii.org.uk/council.html for a
guide on the best way to go about this).

(c) You can see how your MEP voted last September on the directive at
http://www.ffii.org.uk/uk_meps.html. If your MEP (listed at
http://www.europarl.org.uk/uk_meps/MembersMain.htm) voted along the
lines outlined by the FFII (as did Caroline Lucas and Jean Lambert
(Green), Jeffrey Titford, Graham Booth and Nigel Farage (UKIP), John
Purvis, Jacqueline Foster, Martin Callanan and Theresa Villiers
(Conservative)) write to support that decision and state that it will
have a strong influence in how you vote in the European elections on 10
June. If they voted against the FFII-supported amendments, write to
politely explain why you hope they will vote differently in the Second
Reading, and that you look forward to their response to help you to
choose who to support in the European elections. The small turnout in
these elections means that you can make a big difference by doing this!

Many thanks,
Ian.

Have to say I was pleased with Tony Blair's calm response to the purple flour attacks in the House of Commons at Prime Minister's questions yesterday, both at the time and afterwards.

His calmness is in deep contrast to that of many of his parliamentary colleagues and the media hysteria about lack of security.

I hope, though doubt, that calm reason will prevail. Hysteria leads to measures which create the illusion of security without the reality. And that can lead to poorer security. And whatever one thinks of politicians as a breed it is a relief that no one was hurt or seriously injured in the incident.

Tuesday, May 18, 2004

The Lures of Biometrics
Bruce Schneier, author of (the terrific) "Beyond Fear: Thinking Sensibly About Security in an Uncertain World", writes an op-ed at NewsDay.

"Unfortunately, the debate often gets mischaracterized as a question
about how much privacy we need to give up in order to be secure.
People ask: "Should we use this new surveillance technology to
catch terrorists and criminals, or should we favor privacy and ban its
use?"

This is the wrong question. We know that new technology gives law
enforcement new search techniques, and makes existing techniques
cheaper and easier. We know that we are all safer when the police
can use them...

...What we need are corresponding mechanisms to prevent abuse. This
is the proper question: "Should we allow law enforcement to use new
technology without any judicial oversight, or should we demand that
they be overseen and accountable?" And the Fourth Amendment
already provides for this in its requirement of a warrant...

...The key is independent judicial
oversight; the warrant process is itself a security measure protecting
us from abuse and making us more secure.

Much of the rhetoric on the "security" side of the debate cloaks one
of its real aims: increasing law enforcement powers by decreasing its
oversight and accountability. It's a very dangerous road to take, and
one that will make us all less secure. The more surveillance
technologies that require a warrant before use, the safer we all are."

Schneier should be compulsory reading especially for lawmakers and journalists. They'd be much better informed though I doubt they'd be any less prone to engaging in the usual rhetoric. Rhetoric after all sells papers and wins arguments.
The Guardian is reporting that now that the EU council of foreign ministers has rubber stamped the Commission agreement to hand over airline passenger data to the US, the EU parliament's European Court of Justice challenge to the deal is rendered invalid.

Surely that can't be right? The processes involved need a serious review if it is. I don't care whether you're one of Jerry Kang's 'market' or 'dignity' ideologists in the privacy debate, allowing the circus of ministers to nod through an agreement to bypass that kind of ECJ challenge on principle doesn't work for me.

How does it stack against Kang's questions?

a) Who gets the initial entitlement? Well, it's a get out of jail card for the airlines who were caught between large US fines for not sharing data for homeland security and large EU fines for breaching data protection rules. On ideologies it's a nod to the market and the war on terrorism. The individual gets relegated to the choice of not flying if they don't want personal data transferred.

b) How will the choices get made? How is it ensured that the decisionmaker is fortified to do it well/effectively? I don't see much fortification for the individual here. How, for example can someone correct errors that may occur and accumulate? How can an individual opt out? The only way I can see is as above - don't fly.

c) What are the societal overrides? What are the allowable contexts within which we can override the rights/market actions of individuals? How to pick/adjudicate/etc. The article says "dietary requirements that could reveal religion, race or health" will not be included in the data transfers. We don't have any further detailed information on the small print here. One important 'how to' process - the ECJ challenge - would appear to have been neutered?

d) How much supporting information infrastructure needed to enforce? Quite a lot from a technical perspective alone and this is rapidly evolving on both sides of the Atlantic with no fly lists and CAPPS II, for example. There are lots of issues of substance related to the development and deployment of these infrastructures alone e.g. the design, collection rules, access rules, maintenance, error correction, identification, authentication, restrictive purpose, function creep etc.

Prof Kang would like us to explore issues of substance on all four questions rather than getting distracted by unproductive ideology. As he says, the key thing is the "fortifying of the individual" i.e. can you say yes (or no)?

That's an off the top of the head application of the Kang framework, so don't look too closely for holes.

Privacy International have been pretty quick to respond by updating their comprehensive report on the subject. They are disgusted.

"This report outlines how the European Commission failed outright at protecting EU interests and upholding EU laws within the negotiations with the U.S. Government. As a result, the U.S. Government managed to get the Commission to concede European privacy rights and burdening EU carriers, even while U.S. carriers and U.S. citizens are exempt from these rules..." The report goes on to say that:

The US Dept for Homeland Security gets access to data from EU airlines but does not require similar access to US airline databases.

The US therefore gets to test CAPPS II with EU data. (The Commission "believe" that the data will be removed from CAPPS II when the tests are complete. The actual agreement with the US is silent on this point).

The Commission is contemplating a central EU database to make the transfer of this data to the US easier.

The Commission wants EU law changed to allow law enforcement access to airline passenger data.

The Commission want access to US airline passenger data but have not negotiated this yet (Currently there don't seem to be any grounds in US law to allow such transfers).

The Commission are supporting a global airline passenger surveillance system through the International Civil Aviation Organisation.

The report goes on to say that the case for collecting all this information has never been made and that it is neither necessary nor proportionate (especially the collection of information in the pretence that it is to combat terrorism, when it will also be used for other purposes).

It certainly paints the EU delegation as pretty poor negotiators at best or active conspirators in the dismantling of the EU's proud privacy-as-fundamental-right (or as Prof Kang would call them, 'dignity') principles at worst.

ILAW 2004 was on last week at the Berkman Center at Harvard. The usual suspects, Larry Lessig, Jonathan Zittrain, Charles Nesson, Yochai Benkler and William Fisher enjoyed themselves educating the latest cohort of delegates in the intricacies of internet law. Frank Field was there and reports on many of the sessions.

Donna, though, sees Jerry Kang's session as one of the highlights. She pegs him the Larry Lessig of privacy:

"UCLA law professor/Harvard law visiting professor Jerry Kang is the Larry Lessig of privacy, in that he was able very quickly
and powerfully to communicate that there are extremes in the debate that result largely from the culture-born clash between
"property talk" (U.S.-take on privacy) and "dignity talk" (Euro approach). He lifted the discussion out of the dreaded "tin foil
hat" arena -- that is, beyond "paranoid freaks v. reasonable people" nonsense that stops people from truly engaging with the
problem/issues at hand. He's one to learn from. (Check out Frank Field's comprehensive ILAW notes for a remarkably
detailed transcript of his talk.)"

Kang talked about the unproductive ideologies in the privacy debate and how to get round them.

"A clash of civilizations (america v europe)
america - market talk; privacy is a widget; let the market do it; exercise your freedom in the market; exchange for value; and in a good market, we get allocative efficiency - kind of a caricature, but this is a good short term mechanism
europe - dignity talk; privacy is a fundamental human right; we do not auction off babies; we let the law decide what is a fundamental human right.

Substance - turning to the substance suggests that the ultimate elements are the same.
at the core, they seem to be the same.
- Dignity talk says (consent is required) (apparatus to ensure that there is a process to protect consent)
- Market talk says (clear property rights needed/so who gets initial entitlement?/many possible results/these days, it’s largely in the commons)
there are good reasons to think that efficiency emerges when you give the entitlement to the individual – same result as dignity talk...

...Dignity talk hates the market approach because there’s too little control for individuals to exert; individuals have a hard time making a good bargain. Rather, the system is set up to fortify the individual’s position in these situations...

...Market approach says that the dignity approach is too stilted – there are situations where the balance of interests should go against privacy; the market achieves that balance more efficiently

But dignity talk leads to systems that explicitly generate exceptions to the dignity right within the supporting institutions created...

...So, it may be that we will all end up in the same place; and it may be that rather than arguing about which regime is “right” we should move on to the real, mechanical issues that are the same for both...

...What can we do to reframe this debate?

1) soft pedal the concern about market talk/dignity talk - unproductive

2) the substance is something we ought to be focusing on
a) who gets the “thing” - the initial entitlement
b) how will the choices get made, and how to ensure that the decisionmaker is fortified to do it well/effectively - this is where inalienability may emerge (can’t ask, can’t tell) - there are lots of intermediate forms of the way we might frame/constrain the kinds of exchanges that we will allow; ability to correct
c) what are the societal overrides; what is allowable contexts within which we can override the rights/market actions of individuals. How to pick/adjudicate/etc.
d) How much supporting information infrastructure needed to enforce - various flavors

That's the claim – answer these four questions, rather than talking to me about dignity or markets"


Monday, May 17, 2004

Bloggers have set up a defence fund for the professor from Tokyo University who was arrested last week for copyright infringements arising out of the use of the P2P file sharing software he created, Winny.
The Washington Post reports that the EU Commission has agreed to hand over airline passenger data to the US, even though they're being challenged through the courts by the EU parliament on the issue.

"Angry midwives defy order to inform on asylum seekers" says the Guardian. Good for them say I. More power to their elbows and I hope they seriously embarrass the UK government over this. Just another example of the insidious nature of the national ID card proposals.

Meanwhile, on the other side of the Atlantic, "A federal advisory committee says Congress should pass laws to protect the civil liberties of Americans when the government sifts through computer records and data files for information about terrorists.", according to the NYT.

Finally on ID cards for today, The Scotsman reports that a large consultancy firm that advised the UK government on the introduction of the ID card stands to make a lot of money from the government process of implementing the odious system. Deloitte is one of the remaining two bidders in deciding what company will be the government's main commercial adviser on the scheme.

Take advice from the company that wants to sell you whatever snake oil you currently crave and then buy the snake oil from them and their buddies. Just good business as far as Deloitte and other similarly placed bidders are concerned and I don't blame them for exploiting the technology-will-solve-the-problem-even-if-you-don't-know-what-the-problem-is snake oil junkies in government. The fault lies squarely with the junkies and the rest of us, who frankly are getting the government we deserve, as we're letting them get away with it.
Groklaw is reporting that Germany are going to vote against the EU's software directive, which the Irish presidency has been trying to slip through.

FFII say:

NB. See FFII breaking news wiki for very latest information, at
http://kwiki.ffii.org/SwpatcninoEn


It looks as though there's a chance things may be moving in our favour.


The agenda for the Competitiveness Council meeting has been published,
with a full discussion now scheduled on the Software Patents directive;
furthermore the discussion is to be in public, ie with press and
visitors able to listen in with 11-way translation.
http://ue.eu.int/cms3_applications/Applications/newsRoom/loadbook.asp?BID=880&LANG=1&cmsId=364

We don't yet know whether there's any chance of it being webcast.


This is a big step forward from the official EU media briefing, published
only on Friday morning, which said the directive was due to be
rubberstamped as an 'A-item' without discussion.
http://europa.eu.int/rapid/start/cgi/guestfr.ksh?p_action.gettxt=gt&doc=MEMO/04/114%7C0%7CRAPID&lg=EN&display=


The EU media briefing also tries very hard to play up the Irish
draft as a 'compromise' position.

But it's clear from this report from Paul Meller that by the time of the
press conference this afternoon journalists were obviously well enough
briefed that the EU spokesman had to confirm everything we'd said:
http://www.itworld.com/Man/2687/040514eupatents/


The national positions won't finally be clear until we hear what
actually gets said on Tuesday, but there are signs that there may be an
increasing number of ministers with concerns about the text, and a very
real possibility that a number of countries may seek a delay to give time to

* achieve more unity;
* investigate further the concerns about
- freedom of discussion
- interoperability
- scope of what is and what is not 'technical';
* produce a text more likely to pass the European Parliament.


On the other hand, as best we know, the UK and Ireland are still pushing
all-out for the Presidency text.




From Ian Brown of FIPR:

Where next for copyright in the new Europe?
-------------------------------------------
13 June 2004

Room H 2032, Technical University Berlin, main building
Strasse des 17. Juni, Berlin
(building 16 http://www.tu-berlin.de/karten/)

More information and updates at:
http://wizards-of-os.org/index.php?id=921

Associated with Wizards of OS 3: The Future of the Digital Commons 10-12
June, Berlin: http://wizards-of-os.org/index.php?id=50&L=3


Copyright law has become one of the most important and controversial
drivers of the Information Society. The Internet has made every user a
publisher, but copyright rules governing their activities are often
determined by opaque international bodies that decide rules with little
public input.

Join us in Berlin to debate where copyright *should* be going to ensure
that authors, musicians, film-makers and the public will all benefit.
Engage with leading international thinkers from across Europe and the
United States. Meet colleagues who are working to make sure all members
of society benefit from copyright.

Attendance is free thanks to sponsorship from the Open Society
Institute, but please send an e-mail to workshop@fipr.org to let us know
you will be coming for planning purposes.

Programme
=========

* Influencing the international agenda

Copyright policy has been a strongly international area of law since the
Berne convention was agreed in 1886. More recently, the World Trade
Organisation Agreement on Trade-Related aspects of Intellectual Property
Rights (TRIPS) and the World Intellectual Property Organisation
Copyright and Performances and Phonograms Treaties have changed
copyright law around the world. The European Union has passed five
copyright-related Directives in the last twelve years. How can civil
society play a full role in policy development in these fora?

1100 Teresa Hackett, Foundation for Information Policy Research:
International copyright bodies including the European Union and World
Intellectual Property Organisation

1110 Robin Gross, IP Justice: Free Trade Agreement of the Americas
experiences

1120 Simon Davies, Privacy International: European Union privacy
legislation experiences

1130 Sjoera Nas, Bits of Freedom: European Union spam legislation
experiences

1140 Audience


* Updating the Copyright Directive

The 2001 Copyright Directive is the key EU law that sets out how
copyright works are protected in Europe. A report on its operation
should be published by the Commission in the next 18 months, and can
recommend changes to improve its effect.

Which parts of the Directive is it most critical to change to benefit
the public interest? Given the controversy they have caused, are the
articles related to exceptions and technological protection measures
most vital? Where does civil society see the most urgency for change?

1200 Ian Brown, FIPR: Experiences in Canada, Australia and Japan

1210 Mindaugas Kiskis, Law University of Lithuania: Collecting societies

1220 Jonathan Griffiths*, Queen Mary, University of London: Protecting
free speech

1230 David Mann, Royal National Institute of the Blind: Collaborative
arrangements with publishers

1240 Lee Bygrave*, Norwegian Research Centre for Computers and Law:
Ensuring privacy

1250 Audience


1320-1430 Lunch


* Implementing the IPR Enforcement Directive

The controversial Intellectual Property Rights Enforcement Directive was
pushed through the European Parliament with no time to debate sweeping
last-minute changes from the EU Member States. It now covers any
infringement of any kind of intellectual property right. How can its
effects on civil society be minimised around the EU? Which countries
have the most to lose?

1430 Andreas Dietl, European Digital Rights: Remaining problems with the
Intellectual Property Rights Enforcement Directive

1440 Mariusz Kondrat*, Poland Office of the Committee for European
Integration: New member state issues and pharmaceuticals

1450 Georg Jakob, University of Salzburg: Winners and losers from the
Intellectual Property Rights Enforcement Directive

1500 Slobodan Markovic, Netcentar, Serbia*

1510 Audience


* Copyright beyond the EU

Countries aiming for EU membership in the next decade such as Romania,
Bulgaria and Turkey are updating their copyright laws as part of an
overall effort to harmonise law with the EU. What can they learn from
the experiences of new EU members like Slovenia that have already
harmonised their laws in the process of joining the EU? Countries
further east such as Armenia have signed Partnership and Cooperation
Agreements with the EU that include obligations to update copyright law,
and even those without formal obligations are influenced by the approach
of the EU. What positive and negative effects is this having? How can
civil society in the EU and beyond best work together to influence the
direction of copyright legislation?

1530 Maja Bogataj, University of Ljubljana: Implementation of EU
copyright legislation in Slovenia

1540 David Sanduhkchyan, InterNews Armenia: Right holder demands on ISPs
in Armenia

1550 Teo Celakoski*, Multimedia Institute, Croatia: Civil society
cooperation in the EU and beyond

1600 Tattu Mambetalieva, Global Internet Policy Initiative, Kyrgyzstan:
Copyright convergence in central Asia

1610 Sacha Belyaeva, InterNews Russia: Russian copyright law and the All
of MP3 service

1620 Veni Markovski, Internet Society Bulgaria: Software company
lobbying in Bulgaria

1630 Audience


* Do we need a Digital Rights Directive?

Copyright law is often driven by the relatively small groups of right
holders whom it particularly benefits. Civil society and the general
public have had limited success in having their concerns taken into
account in such law. Should we instead push directly for an EU Digital
Rights Directive that would tip the balance back in our favour? What
would such a Directive contain? Or can we use existing human rights,
consumer and competition legislation to change the operation of
copyright legislation toward civil society interests?

1650 Ross Anderson, Cambridge University and FIPR: Enforcing competition
under trusted computing

1700 William Fisher, Berkman Center for Internet and Society: Reshaping
artist compensation

1710 Wendy Seltzer, Electronic Frontier Foundation and Berkman Center
for Internet and Society: Fixing the Digital Millennium Copyright Act

1720 Ville Oksanen, Helsinki Institute for Information Technology and
Electronic Frontier Finland: Balancing consumer and copyright law

1730 Audience

1800 Close

* Awaiting confirmation


Fravia (web searchlore expert), Richard Stallman and Cory Doctorow are due to be at Ravensbourne College in London on Thursday, 20 May (i.e. this week).