GILC Alert
Volume 3, Issue 2

March 1, 1999

 

Welcome to the Global Internet Liberty Campaign Newsletter

            

Welcome to GILC Alert, the newsletter of the Global Internet Liberty Campaign. We are an international organization of groups working for cyber-liberties, who are determined to preserve civil liberties and human rights on the Internet.

We hope you find this newsletter interesting, and we very much hope that you will avail yourselves of the action items in future issues.

If you are a part of an organization that would be interested in joining GILC, please contact us at gilc@gilc.org.

If you are aware of threats to cyber liberties that we may not know about, please contact the GILC members in your country, or contact GILC as a whole.

Please feel free to redistribute this newsletter to appropriate forums.


[1] EU Committee of Ministers Releases Privacy Recommendations
[2] New Russian Internet Surveillance Proposal Expands Government Powers
[3] Privacy Debate Continues as Intel’s Pentium Processor Slated for Release
[4] UK Demon Libel Case May Find ISP Liable for Stored Content
[5] Domain ‘COM.AU’ Arbitrarily Removed
[6] Coalition of US Groups Call for Legislative Action on Privacy Violations
[7] Convicted as Chinese Subversive, Lin Hai Gets Cyber-Speech Freedom Award
[8] UK Closed Circuit Cameras Surpass 1 Million
[9] GILC Members Comment on UK Crypto Plans
[10] Access and Anonymity Severely Punished by French Court
[11] About the Global Internet Liberty Campaign


[1] Council of Europe Committee Releases Privacy Recommendations

The Council of Europe’s Committee of Ministers last week released a set of recommendations on the protection of privacy on the Internet that caution users against privacy violations and encourage the use of anonymity, encryption and other privacy enhancing techniques.

In addition, the guidelines reiterate the EU Privacy Directive, stating that the "laws of numerous European countries forbid transfers to countries which do not ensure an adequate or equivalent level of protection to that of your country." However, the guidelines also state that exceptions to the prohibition allow for exchange with entities where the parties agree to protect information via contract or where users consent to a transfer of information to regions that do not observe strict privacy protections.

The guidelines also address protection of individuals with regard to the collection and processing of personal data on information highways stating that "technological development and the generalization of collection and processing of personal data on information highways carries risks for the privacy of natural persons."

"[T]echnological development also makes it possible to contribute towards the respect of fundamental rights and freedoms, and in particular the right to privacy, when personal data concerning natural persons are processed," the preamble to the Guidelines states, adding that there is a need to permit anonymity of people online so that confidential information may be exchanged in a manner "respecting the rights and freedoms of others and the values of a democratic society."

The guidelines set out principles of fair privacy practice for users and Internet service providers (ISPs). They also set out responsibilities for users, stating that online communications are not secure and adding, "[t]herefore, use all available means to protect your data and communications, such as legally available encryption for confidential e-mail, as well as access codes to your own personal computer."

They further caution the public that use of the Internet may lead to profiling. To avoid being electronically tracked and profiled, the public should "use the latest technical means which include the possibility of being informed every time you leave traces, and to reject such traces. You may also ask for information about the privacy policy of different programmes and sites and give preference to those which record few data or which can be accessed in an anonymous way."

The guidelines also spell out basic issues, such as not giving out personal information to anyone but an ISP and cautioning users to be conservative with credit or other financial information.

For Internet service providers the guidelines state that users should be informed of privacy risks when they subscribe, including "data integrity, confidentiality, the security of the network or other risks to privacy such as the hidden collection or recording of data."

Other suggestions include: informing users about technical measures they can use to enhance their privacy; accessing the Internet anonymously, and using its services and paying for them in an anonymous way (for example, pre-paid access cards). The guidelines also caution ISPs to only interfere with communications of subscribers or provide information about users to third parties when required by law.

The guidelines state that data may not be used for "promotional or marketing purposes unless the person concerned, after having been informed, has not objected or, in the case of processing of traffic data or sensitive data, he or she has given his or her explicit consent." Moreover, they state that ISPs are required to ensure proper use of all data and to provide clear privacy policies.

The guidelines are available online at http://www.coe.fr/cm/ta/rec/1999/99r5.htm


[2] Russian Internet Surveillance Proposal Expands Govt Snooping

Surreptitious monitoring of Russians’ use of the Internet by the Federal Security Service, or FSB, may soon become a reality, the St. Petersburg Times reports.

According to the reports, "the only thing standing between the FSB and unlimited access to Internet correspondence is a little matter of who picks up the check for the necessary technology. If the FSB has its way, a regulation currently pending approval in the federal justice ministry will soon have the service providers themselves paying for the very upgrades that will leave their clients vulnerable to unchecked and unwelcome surveillance."

Russia already permits the FSB to monitor transmissions of ISP subscribers when it has a warrant, under a regulation called SORM, which stands for the system of technical means ensuring investigative action. SORM states that the "actual technical requirements should be observed for each individual subscriber regardless of the type of his connection to the DTC networks (individual or collective)." Full text of SORM is available online at http://www.libertarium.ru/eng/sorm/sormdocengl.html.

SORM requires service providers to make available all information about users’ habits, including the telephone number used for access to the Internet, network addresses used for reception or transmission of information, and all real-time information transmitted to the users.

The latest proposal, SORM 2, will give the FSB further authority to gain surreptitious access without a warrant, the St. Petersburg Times reports. ISPs complain that the new plan will not only impose a huge financial cost on them while eliminating any privacy of individual communications, but will also make government spying on commercial activities commonplace.

Critics have blasted the plan, saying that there has been no evidence to support the claim that such intrusive techniques are necessary or justifiable.

The St. Petersburg Times quotes Boris Pustinsev, chairman of the St. Petersburg group Citizens’ Watch, as saying: "I’m sorry to say that they will probably only be successful at going broke."

"[I]f 51 percent of St. Petersburg providers unite and fight the FSB, they will be successful. And we’ll stand behind them and broadcast this throughout the world. The FSB can’t close them all down -- that would be a scandal of international proportions, and Russia can’t have that right now."


[3] Privacy Debate Continues as Intel’s Pentium Processor Slated for Release

Cyber-Rights & Cyber-Liberties (UK) (a GILC member) this week published a report on the controversial Intel PIII Processor Serial Number Feature, which advocates have criticized as compromising user privacy.

The report, written by Dr. Brian Gladman, Technology Policy Adviser to Cyber-Rights & Cyber-Liberties (UK), criticizes Intel for introducing security features on the new Intel PIII chip without adequate or timely public consultation.

"CR&CL (UK) does not have any doubts about Intel's desire to improve security for its customers. We are, however, surprised to be faced with a ‘fait accompli’ on such an important issue. We are also surprised to be put in this position by a company that has a global influence on the safety, the security and the privacy of millions of consumers," the report states.

"Serial numbering of chips, under the owner's control, could offer some useful benefits. But it could also be helpful to repressive regimes in taking action against dissidents who use the Internet to promote democracy and human rights causes," Nicholas Bohm, E-Commerce Policy Adviser to CR&CL (UK) stated.

Privacy experts across the Atlantic have also said that while inclusion of the unique serial number in the new Intel Pentium III chips does not violate US privacy laws, the chips may raise legal issues elsewhere. For example, advocates point out that under the European Union Data Protection Directive (Directive 95/46/EC), which has more stringent legal privacy protections, there may be some problems where companies use information stored on the chip without proper notice of what information they will be collecting from users or how.

For example, under article 6(1)(b) of the directive, personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes."

Similarly, under article 10, a data processor must provide a data subject with notice of the identity of the processor, purposes of the processing, and who receives the data.

The new processor is slated for release February 26 and will make it possible for a user’s online uses to be tracked via the chip. The potential for such monitoring has raised serious concern that companies will abuse such information and make anonymous online uses impossible.

Meanwhile, GILC members including the Electronic Privacy Information Center and Privacy International are continuing a boycott of the new Pentium chip. After meeting with Intel officials for two hours on January 28, the organizers of the boycott determined that a software patch announced by Intel that would allegedly permit users to "turn off" the chip is not sufficient to eliminate the privacy problems of the PSN.

The organizers called on Intel to disable the PSN in their production of the Pentium III and to recall all existing Pentium III chips. The boycott will be extended to any PC manufacturer that ships a Pentium III system with the PSN included.

In addition to the boycott, EPIC has filed a series of Freedom of Information Act (FOIA) requests to federal agencies requesting documentation of any role the government may have played in persuading Intel Corporation to include a Processor Serial Number (PSN) in each of its Pentium III chips (see EPIC Alert 6.02). The requests were submitted to more than a dozen agencies, including the Federal Bureau of Investigation, the National Security Agency, the Central Intelligence Agency, the Department of Commerce and various Pentagon components.

Government involvement in the Intel PSN decision would not be unprecedented, according to EPIC. FOIA requests filed by EPIC in 1993 revealed that the Justice Department pressured AT&T to install the controversial Clipper Chip in the company's secure telephone unit, rather than a DES chip that did not provide law enforcement with "spare key" access to encrypted communications. The Department also assured AT&T that it would purchase a substantial number of the wiretap-friendly devices; DOJ ended up buying 10,000 Clipper phones, with only a handful purchased by other buyers.

According to EPIC, as a major purchaser of desktop computers, the federal government could have similar influence with respect to hardware features like the PSN. Law enforcement agencies -- most notably the FBI -- have expressed a strong interest in encouraging the development of technical means to identify Internet users and limit the ability to communicate anonymously. The PSN has been widely criticized as a potentially invasive tool that would significantly damage online privacy.

According to a recent report, Intel had guaranteed that users would have full control as to whether to allow the read-out of the serial number. This proved wrong when Andreas Stiller, the processor expert of c’t magazine, figured out a procedure to switch on the command for reading-out the serial number by software. An Intel spokesperson confirmed the use of such a procedure to re-activate the serial numbers.

The text of this report is available at: http://www.heise.de/ct/english/99/05/news1/

More information on the Pentium III and the PSN is available at: http://www.bigbrotherinside.com/

The CR&CL(UK) report is available online at: http://www.cyber-rights.org/reports/intel-rep.htm


[4] UK Demon Libel Case May Find ISP Liable for Stored Content

In what many free speech advocates are saying will be a precedent-setting decision, a UK high court last week heard a case against a leading Internet Service Provider (ISP), Demon Internet, calling for the ISP to be held liable for information stored on its servers and created by third parties.

The suit was brought by Laurence Godfrey, a physicist who has brought nearly a dozen defamation suits involving online speech in recent years, and is based on a message posted to a newsgroup in 1997 that appeared to be from Godfrey but that he claims was forged. Godfrey’s suit against the ISP claimed that the message damaged his reputation even though the message was allegedly posted by a user.

Earlier in the case, a judge heard an argument that the ISP should not be permitted to raise an "innocent dissemination" defense under the 1996 Defamation Act that would have shielded it from liability for third party conduct if it took reasonable care to prevent such conduct, according to news reports by Wired News. Godfrey argued that Demon could not rely on the "innocent dissemination" defense because the ISP had been informed three times of the offending message but refused to delete it from the newsgroup.

Daniel Lloyd, legal adviser to Internet Freedom (a GILC member) called Godfrey's suit against Demon "a worrying incursion on free speech" in an interview with Wired.

"An ISP is no different than a newsstand or a newspaper," he said. "If Demon loses the case, it will place an impossible burden on all ISPs to monitor the content of Internet material."

Other GILC members also predicted that the decision may have a chilling effect on online speech and the continued existence of many newsgroups in the wake of such liability for third party conduct. "The only way an ISP can control whether there is illegal material on its news server is not to have a news server," Carol Avedon of Feminists Against Censorship (a GILC member) said.

In 1997, in a similar US case, Zeran v. America Online, a court upheld the application of ISP protection against conduct of third parties or subscribers where damaging messages were posted and appeared to be from the plaintiff. In addition, the court refused to find that the ISP was not shielded even though the plaintiff argued that they had not immediately removed the damaging content after it was discovered.


[5] Domain ‘COM.AU’ Arbitrarily Removed

Electronic Frontiers Australia, a GILC member, this week condemned Internet Names Australia (INA), administrator of the com.au domain, for arbitrarily deregistering domain names that comply with INA's published policy.

"Domain names are absolutely central to an online presence", said EFA Board member Irene Graham. "Deregistration of domains at the whim of INA creates serious uncertainties for Australian businesses."

An Australian business recently registered the domain "fuck.com.au", an abbreviation of the business name "Futurechicks". Three weeks after approving the domain name, INA deregistered the domain on the ground that approval was granted in error and the name is 'unacceptable'. The domain name complies with INA's published policy.

"INA obviously seeks to be part of the 'respectable' establishment by suppressing naughty words, albeit retrospectively," said Graham.

"However, INA has demonstrated that it is out of touch with prevailing community standards. The word "fuck" is not illegal in Australia. It is permitted, for example, in films and videos that Australian children may legally view without parental supervision, in accord with classification guidelines established under Australian censorship laws."

"INA must comply with its published policy and reinstate the domain", said Graham. "Failure to do so sends a message to all Australian businesses that receipt of approval of a domain name from INA is worthless. At any moment, INA is likely to retract approval."

"While INA ignores its own published guidelines, and prevailing community standards, it is quite probable that they will next decide that fk.com.au, currently held by a firm of solicitors, is phonetically unacceptable, or claim that bhp.com.au means something unacceptable in a Central Australian language."

"INA's attempts to sanitise the Web are misguided. Web sites with addresses such as anyname.com.au/fuck and email addresses such as fuck@anyname.com.au are trivial to create and outside the control of INA. INA's prohibition of the domain name fuck.com.au is completely ineffective in protecting anyone from coarse language."

A South Australian business, Hydrocorp Pty Ltd, has engaged technology lawyers K. Heitman & Co to appeal INA's ruling.

"No-one will find this site through search engines without typing the word "fuck" first. It is a word printed in the Macquarie Dictionary, and the domain name drew up to a thousand visitors per day. The site did not contain illegal content, and earned money from advertising," said Hydrocorp's lawyer Kimberley Heitman.

This is not the first time INA has tried to impose censorship of Internet addresses. The band TISM was refused the domain name wanker.com.au, and had to buy the domain name wanker.com from America instead.


[6] Coalition of US Groups Call for Legislative Action on Privacy Problems

A broad range of US groups, which includes several members of GILC such as the Electronic Frontier Foundation, American Civil Liberties Union, Center for Democracy and Technology and Electronic Privacy Information Center, in addition to conservative groups, has begun calling on Congress to conduct hearings on abuse of private citizens’ personally identifiable information through the use of federal databases.

The groups sent a letter to key legislators last week, stating:

"We are concerned about proposals that the federal government use database information, initially gathered for one purpose, for completely unrelated purposes, without the consent of the person to whom the data relates. Uses and content of many of the databases authorized by Congress, despite privacy objections, are being expanded without Congressional or public debate."

"[T]he proliferation of massive federal databases with virtually no safeguards amounts to a piecemeal erosion of the American people's privacy and undermines our civil liberties. It seems that an enormous amount of personal information is being shared with an increasing number of un-elected bureaucrats without congressional oversight."

The coalition letter was sent on the eve of a disturbing disclosure by media organizations that the US Secret Service has provided millions of dollars to a private database firm that collects and disseminates photographs of citizens from state motor vehicle records as well as other personal information.

According to a 1997 letter about one data company, Image Data, written by eight members of Congress and quoted in the Washington Post, "[t]he TrueID technology has widespread potential to reduce crime in the credit and checking fields, in airports to reduce the chances of terrorism, and in immigration and naturalization to verify proper identity." The letter also defended the use of such databases by government stating, "[t]he Secret Service can provide technical assistance and assess the effectiveness of this new technology."

The release of the information about Image Data's support by government agencies has heated up the already intense debate over government use and sale of information about individuals that led to the coalition letter and a series of lawsuits in states seeking to halt the sale of driver’s license information.

The full letter is available online at: http://www.epic.org/privacy/databases/joint_letter_2_99.html

For more information about the Secret Service funding of private databases, see:

U.S. Helped Fund License Photo Database, by Robert O'Harrow Jr. and Liz Leyden, Washington Post, February 18, 1999; Page A1, online at:
http://www.washingtonpost.com/wp-srv/business/daily/feb99/privacy18.htm


[7] Convicted as Chinese Subversive, Lin Hai Gets Cyber-Speech Freedom Award

The U.S.-based Webcasters Coalition for Free Speech announced last week that it is conferring its Freedom of Cyber-Speech Award on Shanghai-based computer engineer Lin Hai for defying an official crackdown on Internet use, Reuters reports.

Lin represents the struggle for freedom for Internet users all over the world, said the Information Center of Human Rights and Democratic Movement in China.

In January a Shanghai court sentenced Lin to two years in jail for "subversion" by providing e-mail addresses to a U.S.-based dissident publication.

Earlier this year, members of the Global Internet Liberty Campaign launched an online effort to free Lin and physicist and dissident Wang Youcai, who was also sentenced in December to 11 years in prison for trying to organize a peaceful opposition party in China and sending e-mail messages to dissidents in the U.S.

Meanwhile, the Beijing Public Security Bureau and two other government agencies have promulgated regulations for Internet cafes, which have grown in popularity across China. According to recent press reports, one of the regulations prohibits "activities endangering national security" at the cafes.

To send an e-mail letter of protest to the Chinese government and media, visit the Digital Freedom Network at: http://www.dfn.org/Alerts/freesci/freesci.html


[8] New Echelon Story on Growing EU Surveillance Plan Online

A new article on ENFOPOL 98 Rev 2 which uncovers further information concerning the growth of EU-wide surveillance plans is now available online. The report was prepared after the meeting of EU Justice & Interior ministers on December 3, 1998 and alleges that ministers agreed on the surveillance proposals of joint secret ECU police.

According to the report, ENFOPOL 98 Rev 2 either has passed the EU council already or will do so within the next few weeks. The report is available at:

http://www.telepolis.de/tp/deutsch/inhalt/te/1921/1.html


[9] GILC Members Comment on UK Crypto Plans

In a memorandum by members of the Global Internet Liberty Campaign to the House of Commons Trade and Industry Committee last month, the groups call for unrestricted use of encryption and dropping plans for key escrow.

The memo states that while there have been indications that the (UK) "Secure Electronic Commerce Bill will contain provisions that will allow government access to encrypted communications and documents, such a plan will compromise privacy; will not enhance detection of crime; will increase opportunities for crime; and will hinder or halt the development of online commerce."

The memo reiterates that experts have repeatedly shown that any cryptography system in which a third party has the ability to view the original communication is inherently insecure, and urges that any plans for such a system be abandoned.

"Encryption has a long tradition in military defence. However, encryption technologies are increasingly integrated into commercial systems and applications and the exclusive character of encryption belongs to the past. Any prohibition or limitation of the use of encryption will not only have a terrible effect on online computer security - a national security issue itself - and electronic commerce, but will also directly affect the right to privacy," it states.

The memo also points out that the latest UK Encryption Proposals are in contrast with recent global initiatives:

- The government's encryption proposals are in clear contrast with the recent policy change in France with the French government announcing that it will remove all controls over the domestic use of encryption.

- The proposals are also in contrast with the European Commission's Communication paper titled "Towards A European Framework for Digital Signatures And Encryption". In contrast to the UK initiatives, and despite years of US attempts to push the "government access to keys" idea overseas, this paper finds key escrow and key recovery systems to be inefficient and ineffective. The EU communication stated that "the European Union simply cannot afford a divided regulatory landscape in a field so vital for the economy and society."

The memo also points out that GILC members have repeatedly urged national governments not to adopt controls on cryptography technology. In 1998, GILC released "Cryptography and Liberty: An International Survey of Encryption Policy" which showed that most countries in the world do not have controls on the use of cryptography. The GILC report concluded that recent trends in cryptography policy suggest greater liberalisation in the use of this technology, which was originally controlled during the Cold War for reasons of national security.

For the full text of the GILC memo and links to further resources: http://www.gilc.org/crypto/uk/gilc-dti-statement-298.html


[10] Access and Anonymity Severely Punished by French Court

A French court ordered the manager of an Internet server to remove a group of photographs from one of his 40,000 hosted websites. Lacambre registered and managed domain names and had set up a server named Altern that offered free Web sites. Nineteen photographs of the famous model Estelle Hallyday in a state of undress appeared on an anonymous website on his server. Hallyday sued Lacambre for violations of privacy.

On June 9, 1998, according to Meryem Marzouki of civil liberties group IRIS (a GILC member), a court ordered Lacambre to remove the Hallyday photos but stopped short of making any judgment about his liability. The court did set a dangerous precedent, though, by forcing him "to put in place means that would render impossible any diffusion of the photographic images." In other words, as Marzouki says, he would have "to check each day, each hour, each minute, all his 40,000 hosted websites, looking for Estelle Hallyday photographs."

Lacambre appealed the decision on the basis that the guarantee was impossible to achieve. On February 10, a court found that he could be held responsible for the violation of privacy because the Web site was anonymous.

Lacambre’s case has been much publicized by IRIS, April (Association for the Promotion and research of Free Information) and many other political and cultural supporters. 198,000 organizations and many individuals have signed a petition supporting him and saying that he should be able to continue to manage his server. Supporters believe that the court’s decision was politically motivated, as also reflected by the high restitution figure. "There are plenty of precedents for digging up publishing infractions as a weapon of political censorship." "Activist Christine Treguier lays out the political battle as follows: ‘Now that France has released cryptography and big business can start up, they (the authorities, the multinationals, the private businesses) want to clean the yard. Move away, you dirty, chaotic internauts.’"

More information online at http://www.oreilly.com/~andyo/ar/anonymity_snare.html


ABOUT THE GILC NEWS ALERT:

The GILC News Alert is the newsletter of the Global Internet Liberty Campaign, an international coalition of organizations working to protect and enhance online civil liberties and human rights. Organizations are invited to join GILC by contacting us at gilc@gilc.org. To alert members about threats to cyber liberties, please contact members from your country or send a message to the general GILC address.

To submit information about upcoming events, new activist tools and news stories, contact: GILC Coordinator, American Civil Liberties Union, 125 Broad Street, 17th Floor, New York, New York 10004 USA. E-mail: gilcedit@aclu.org

More information about GILC members and news is available at http://www.gilc.org. You may re-print or redistribute the GILC NEWS ALERT freely. To subscribe to the alert, please send an e-mail to gilc-announce@gilc.org with the following message in the body: subscribe gilc-announce


PUBLICATION OF THIS NEWSLETTER IS MADE POSSIBLE BY A GRANT FROM THE OPEN SOCIETY INSTITUTE (OSI)