
2004.09.09

Sweden to start issuing biometric passports and e-ID cards in 2005

The Swedish Government will start issuing its citizens with biometric passports in 2005. The new document will be consistent with the facial recognition standard adopted by the International Civil Aviation Organization (ICAO) and will fulfil the US visa waiver programme's requirements. http://europa.eu.int/ida/en/document/3247/194


2004.08.04

New French data protection act not unconstitutional

On 29 July 2004 the French Constitutional Council decided that the proposed new data protection act is not unconstitutional, except for one provision (article 9.3), which has been suppressed from the law. The law is an adoption of the European privacy directive of 1995 (1995/46/EC), and was accepted by the French Senate on 15 July 2004.

The proposal to examine the law was submitted on 20 July by members of the French parliamentary opposition. They objected particularly to the powers granted in the new paragraph 9.4 to collecting societies and similar representatives of intellectual property rights to create files with telecommunication traffic data of supposed copyright infringers to 'mutualise the battle against the piracy of works'.

The Constitutional Council rejects this complaint explicitly, considering that existing safeguards established by other laws are sufficient, like the fact that the storage of traffic data should not exceed a one year period. Generally the Council 'confirms that the law does not damage in any legal way the constitutional requirement to respect private life'. However, the Council does object to the possibility to give all (business) victims of fraud the same powers in the analogue world, i.e. to create private police records without any rights of access and correction, because the definition of 'fraud' lacks precision. But at the same time the Council also remarks that this ban on databases with private infringements (the stricken article 9.3) should not harm the constitutional rights of every person, natural or legal, to defend their rights in court.

A broad coalition of French NGOs and trade-unions, including the French Human Rights League (LDH) and EDRI-member IRIS, has objected to many provisions of the new law for a long time, since the first introduction of the pre-draft in September 2000. Amongst their concerns about the act are the fact that genetic and biometric data are not included in the list of sensitive data, and the possibility for companies to appoint a 'data correspondent' (privacy officer) instead of filing a list of personal data with the data protection authority (the CNIL in France). The DELIS-coalition finds it unacceptable that these in-house privacy officers do not have a protected status, necessary to guarantee independence from their employers.

Earlier the DELIS-coalition announced they would file a complaint with the European Commission against France if the Council decision was not found satisfactory.

Constitutional Council full verdict (in French, 29.07.2004) http://www.conseil-constitutionnel.fr/decision/2004/2004499/2004499dc.htm

DELIS, LDH and IRIS press release (16.07.2004) http://www.iris.sgdg.org/info-debat/comm-infolib0704-en.html

EDRI-gram 2.8 'France to implement 1995 Privacy Directive' (21.04.2004) http://www.edri.org/cgi-bin/index?id=000100000148

2004.07.18

Many US firms read employee email

"According to a new survey conducted by Forrester Consulting and sponsored by Proofpoint Inc., a company that makes anti-spam and filtering software, more than 43 percent of corporations with more than 20,000 employees employ staff to monitor and read outbound e-mail," Internetnews.com's Erin Joyce reports. "The survey of 140 [US] corporate decision-makers found that companies' concern about employees leaking sensitive information via e-mail ranked as the biggest reason behind the snooping policy...

"The Forrester/Proofpoint survey also found that about 30 percent of all respondent companies rely on staff to monitor outbound e-mail content. And the larger the organization, the more prevalent is the practice...

"Staggering stats? Forrester thought so, but not how you may think. In its summary and conclusions, the research firm's consulting group suggested the results are a testament to 'the widespread failure of current content-scanning technologies to stop the leak of intellectual property, confidential memos and embarrassing information from the enterprise.' ...[Less] than 12 percent of companies report that they have deployed technology for detecting intellectual property breaches in outbound e-mail. The most common technique used for detecting these e-mails remains physical review by hired staff..."

2004.06.29

China approves SMS monitoring/filtering system

A Chinese firm, Venus Info Tech Ltd., announced on 11 June that it had received the Ministry of Public Security's first permit to sell a real-time content monitoring and filtering system for SMS. This is outside our usual range of topics, but the company's press release (translated by Babelfish and then polished) strongly suggests that the same technology can be applied to email, IRC and HTTP:

"SMS has quickly become an important channel uniting Internet technology and mobile communications for the dissemination of information in the form of short news messages or notes. The country already has more than 2,800 SMS management units. However, while SMS is very convenient for the user, it also poses significant hidden dangers to information security as every kind of pornographic violence, political rumor, reactionary opinion, cheating trick and illegal advertisement affects social stability. Therefore, a platform for strict and highly effective SMS filters must be established, to guarantee that harmful information is promptly intercepted...."

The press release continues with a technical description of their product, which we must paraphrase because it was quite repetitive: Venus' system uses the Chinese Academy of Science's tests of information content as the basis of its filtering algorithm. There are two main components - management/control centers and filtering engines. The monitoring system gathers bidirectional TCP/IP data and processes a variety of application layer protocols including CMPP, SGIP, SMPP, HTTP, SMTP, etc. It is extremely scalable and does not consume network resources or degrade network performance. The filtering algorithms are rule-based, using keywords or combinations of keywords. Harmful information can be preserved both as plain text and in the original format, along with the source and destination addresses, the time of transmission, etc. Tools are built in for generating reports and warnings for the police, localizing the monitored channel and interrupting the delivery of harmful content, and for retrieving and further processing the recorded data. There are management functions for concurrently selecting users, jurisdictions, SMS content, rules and output diaries. Filtered messages can be preserved for at least 60 days and delivered through encrypted channels to the "correlation department."

While the focus of the company's announcement is on installations inside China, if this product works as claimed, and if its price is as low as Chinese products usually tend to be, exports to other countries may soon follow.

2004.06.05

US said to monitor Pakistan's net users

Mudasir Butt writes today in the Pakistani newspaper The Nation that "US agencies have set up a mechanism with the help of Pakistan’s intelligence agencies, Pakistan Telecommunication Authority (PTA) and ISPs to monitor all online traffic in the country in order to trace out Al-Qaeda activists' presence and their communicating network. The Pakistani intelligence agencies have been collecting records of all the internet-users from the ISPs for onward transmission to the US officials on a regular basis, the sources revealed. Under the arrangement PTA which is the regulatory body which monitors the activities of ISPs operating in Pakistan, directed the [ISPs] to co-operate with the security agencies... The US agencies have developed an organization named 'SITE' which monitors the Al Qaeda internet communication..."

2004.05.25

CDT joins ACLU to protect US net users

Our colleagues at the Center for Democracy and Technology "joined other privacy groups and an ISP trade association in filing an amicus brief today [24 May] in support of the ACLU's challenge to the FBI's National Security Letter authority, which allows [the FBI] to obtain certain customer records from ISPs and other businesses without a court order." The text of CDT's brief is here.

ACLU's website gives the background of this case: "the American Civil Liberties Union has challenged the FBI’s unchecked authority to issue 'National Security Letters' (NSLs), which demand sensitive customer records from Internet Service Providers and other businesses without judicial oversight. Before the Patriot Act, the FBI could use the NSL authority only against suspected terrorists and spies. Thanks to Section 505 of the Patriot Act, the FBI can now use NSLs to obtain information about anyone..."

Here is the item we posted last month about this case.

2004.05.10

Net user in China fights spyware

This week's Global E-Law Alert from Baker & McKenzie reports that "A Chinese citizen has appealed a decision of the Beijing Haidian District Court to dismiss her suit against the China Internet Network Information Center for automatically installing monitoring software when she visited its website." (For more information contact Andreas Lauffs.)

New EU data retention proposal

From the latest GILC Alert: "Privacy experts have voiced concern over a proposal submitted to the European Union that would require the retention of customer communications data. The United Kingdom, France, Ireland and Sweden are urging the European Union (EU) to adopt a Draft Framework Decision on this issue. If implemented, telecommunications companies would have to keep customer traffic and location data for 1-3 years (or even longer depending 'upon national criteria') and allow law enforcement agents to access this data. The draft is written broadly to include data generated by a number of different systems, such as communications carried through 'Internet Protocols including Email, Voice over Internet Protocols, world wide web, file transfer protocols, network transfer protocols, hyper text transfer protocols, voice over broadband and subsets of Internet Protocols numbers - network address translation data'... Signatories would have to comply with the Framework Decision 'within two years following the date of adoption.' ...Ben Hayes from Statewatch (a GILC member) suggested that the proposal was deeply misguided: 'What is needed is good intelligence on specific threats, rather than mass surveillance of everyone, generating more data than can usefully be analyzed.... This proposal is disproportionate, unnecessary and has no place in a democracy.' ...A Statewatch analysis of the Draft Framework Decision is posted [here]."

2004.05.05

Pakistan drafting cybercafe law

News24.com relays this report from Pakistan: "Cyber cafes are favourite hangouts for Pakistanis young and old to play games, chat, e-mail, surf the web... or send terror emails and watch hard porn. But soon the internet cafes' dual use as pseudo blue cinemas and terrorist mailing points could be a thing of the past. Concern at the cafes' seamier side has prompted the government to draft a law to regulate their activities...

"The state-run Pakistan Telecommunication Authority last year prepared a consultation paper on regulations for cyber cafes. It requires all internet cafes to register with PTA, bans under-15s unless they are accompanied by their parents, and bars under-18s from viewing porn websites and playing violent video games. It cites national security as a key concern, according to a copy of the draft, and cafes where internet activity is deemed a security risk will lose their registration automatically..."

2004.04.30

Piracy Surveillance

"The New Surveillance" by Sonia Katyal, Fordham Law School (Pub-Law Research Paper No. 46), Case Western Law Review, Vol. 54, No. 297, 2004:

"...Piracy surveillance comprises extrajudicial methods of copyright enforcement that detect, deter, and control acts of consumer infringement. In the past, legislators and scholars have focused their attention on other, more visible methods of surveillance relating to employment, marketing, and national security. Piracy surveillance, however, represents an overlooked fourth area that is completely distinct from these other types, yet incompletely theorized, technologically unbounded, and, potentially, legally unrestrained. The goals of this Article are threefold: first, to trace the origins of piracy surveillance through recent jurisprudence involving copyright; second, to provide an analysis of the tradeoffs between public and private enforcement of copyright; and third, to suggest some ways that the law can restore a balance between the protection of copyright and civil liberties in cyberspace. This paper was selected as the winning entry for the 2004 Yale Law School Cybercrime and Digital Law Enforcement Conference writing competition..."