
GILC Alert
Volume 7, Issue 9

December 19, 2003


Welcome to the Global Internet Liberty Campaign Newsletter.


Welcome to GILC Alert, the newsletter of the Global Internet Liberty Campaign. We are an international organization of groups working for cyber-liberties, who are determined to preserve civil liberties and human rights on the Internet.

We hope you find this newsletter interesting, and we very much hope that you will avail yourselves of the action items in future issues.

If you are a part of an organization that would be interested in joining GILC, please contact us at

If you are aware of threats to cyber liberties that we may not know about, please contact the GILC members in your country, or contact GILC as a whole.

Please feel free to redistribute this newsletter to appropriate forums.

Free expression

[1] Hollywood suffers defeat in Net file sharing case
[2] Controversial world info summit held
[3] Christian Chinese online activist arrested
[4] Zimbabwean gov't arrests 14 online dissenters
[5] Protests mount against Iran Net censorship
[6] Tunisian Net dissident finally freed
[7] DVD programmer awaits appeals court ruling
[8] Diebold backs down on Internet copyright threats
[9] Report on Vietnam Net speech curbs released


[10] Bush Backs International Cybercrime Plan
[11] Planned VeriPay human implants pose privacy problems
[12] Microsoft security flaws affect automated bank tellers
[13] US gov't gets still more spy powers
[14] Study: many British websites poor on privacy
[15] Yahoo and Excite fix webmail security hole
[16] Controversy grows over South Korean mobile phone security
[17] New privacy-friendly Cryptophone unveiled

[1] Hollywood suffers defeat in Net file sharing case

A major telecommunications company has scored a significant victory over a recording industry trade group in a heavily watched online copyright and privacy case.

Several months ago, the Recording Industry Association of America (RIAA) requested data concerning a subscriber of telecom giant Verizon. The RIAA claimed that the individuals in question had engaged in copyright infringement through peer-to-peer music file trading over the Internet. The Association argued that it had the power to gather such information under the United States Digital Millennium Copyright Act (DMCA) even though it had not actually filed a lawsuit yet. The cited DMCA provision essentially says that copyright owners can request a U.S. Federal court to subpoena "information sufficient to identify the alleged infringer" from a "service provider." Verizon initially refused, claiming that this power can only be used when infringing material is stored or controlled on the service provider's network. A number of privacy groups, including GILC members the Electronic Frontier Foundation (EFF), Computer Professionals for Social Responsibility (CPSR) and the Electronic Privacy Information Center (EPIC), filed legal papers expressing opposition to the RIAA's demands. Earlier this week, an appeals court in the United States rejected a prior decision on the matter and sided with Verizon, saying "[i]t is not the province of the courts ... to rewrite [copyright law] in order to make it fit a new and unforeseen Internet architecture, no matter how damaging that development has been to the music industry." This new ruling may make it more difficult for the RIAA to identify people who trade files on peer-to-peer networks.

The decision came just as the RIAA sued another 41 Internet users who supposedly have engaged in copyright infringement by sharing music files online. All told, the RIAA has filed lawsuits against 384 alleged file-sharers this year, although it is not clear whether all of these people have actually broken any laws. In addition, as part of this third wave, the Association has contacted 90 other individuals beforehand, urging them to settle or face litigation. According to the RIAA, some 220 people have agreed to settlements.

The Association's legal attacks on Internet users have met with resistance from various quarters, including consumers, cyberlibertarians and industry leaders. In addition to the Verizon case mentioned earlier, SBC, another major Internet service provider (ISP), is continuing to fight against several RIAA subpoenas regarding its users. Meanwhile, the ACLU recently agreed to represent a student at the University of North Carolina whose personal information has been subpoenaed by the RIAA in preparation for a lawsuit.

The fierce battles in the United States over the legality of Net file sharing have begun to spill over into other countries. The Dutch Supreme Court has just decided that the Kazaa file-sharing program is legal and that the makers of the program cannot be held responsible for its users' actions. In Japan, two men were arrested for supposedly sharing copyrighted films and games via the Information Superhighway. In Argentina, a spokesman for recording industry trade group CAPIF (short for Camara Argentina de Productores de Fonogramas y Videogramas) said his organization was not filing mass lawsuits directly against online music file sharers, but would "stay alert and report infringements to whom it may concern," including ISPs, leading to 309 website takedowns and 395 email address deactivations between July and October of this year. Meanwhile, the Copyright Board of Canada has ruled that, among other things, downloading copyrighted music through the Internet is legal, but uploading such files is illegal.

For the latest details, see "Blow to online music piracy fight," BBC News Online, 19 December 2003 at

Read John Borland, "Court: RIAA lawsuit strategy illegal," CNET News, 19 December 2003 at

See "Dutch court tosses out attempt to control Kazaa," Reuters, 19 December 2003 at

See also John Borland, "RIAA launches new file-swapping suits," CNET News, 3 December 2003 at

For background information, visit the Electronic Frontier Foundation (EFF-a GILC member) website under

For background on the RIAA-Verizon case, click

See "Japanese 'file-swappers' arrested," BBC News Online, 5 December 2003 at

Read Jim Hu, "Canada ruling won't stop music lawsuits," CNET News, 16 December 2003 at

See Flavio Bustos, "Argentina Won't Copy RIAA Tactic," Wired News, 18 December 2003 at,1412,61531,00.html

See also John Borland, "Canada deems P2P downloading legal," CNET News, 12 December 2003 at

For coverage in German (Deutsch), see "Kanadische Musikindustrie plant Klagen gegen Tauschboersen-Nutzer," Heise Online, 17 December 2003 at

[2] Controversial world info summit held

The first phase of a World Summit on the Information Society (WSIS) has ended without firm decisions on several pressing issues.

The WSIS, which is being organized by the International Telecommunications Union under the auspices of the United Nations (UN), is supposed to foster discussion regarding the socio-economic impact of new technologies. The goal of the Summit is "to develop and foster a clear statement of political will and a concrete plan of action for achieving the goals of the Information Society, while fully reflecting all the different interests at stake." However, even before the first phase of the summit began last week in Geneva, negotiators remained bitterly divided over a host of issues, including (1) whether to create a special fund to help bridge the digital divide, (2) whether to shift managerial responsibility over the Internet away from the Internet Corporation for Assigned Names and Numbers (ICANN) to the United Nations and (3) whether the Summit documents would include a commitment to human rights online.

For the time being, negotiators made several deals just prior to the Summit that largely avoided hard decisions on these issues until the next Summit phase, which is scheduled to take place in Tunisia nearly two years from now. Under one such agreement, developing nations would pool resources to help bridge the digital divide, while various industrialized countries (including the United States, the European Union and Japan) would merely study the problem. Under a second deal, a UN group will be formed to study Internet governance and to report its findings at the Tunisia meeting. A third compromise package led to inclusion of a commitment to press freedom (as described in the UN's Universal Declaration of Human Rights) in the official WSIS Declaration of Principles.

Cyberliberties groups remain hopeful that a more concrete commitment to human rights and bridging the digital divide will come in the near future. In a press release, a civil society Human Rights Caucus (which includes many GILC member organizations) expressed relief "that a major setback in the international consensus on human rights has been avoided in the final declaration of Principles. ... But beyond principles, there is the question of enforcement. The Plan of Action is devoid of any mechanism to advance the human rights agenda." Moreover, there are lingering concerns over whether the WSIS is being run in a sufficiently transparent and democratic manner, as a number of groups, including Reporters Sans Frontieres (RSF-a GILC member) and Human Rights in China were excluded from WSIS proceedings.

For a Human Rights Caucus analysis of the first WSIS phase (in PDF format), visit the website of Imaginons un Reseau Internet Solidaire (IRIS-a GILC member) under

Further background information regarding the WSIS is available from the IRIS website via

The final draft of the WSIS Declaration of Principles and Plan of Action is posted at|1155

To read a civil society declaration regarding the WSIS and the "Centrality of Human Rights" in cyberspace (in RTF format), click

Read Alfred Hermida, "UN summit pledges net for all," BBC News Online, 12 December 2003 at

See "UN Summit fails to bridge digital divide," Associated Press, 12 December 2003 at,12597,1105849,00.html

For coverage in Spanish (Espanol), see "Piden que se reduzca la brecha digital entre los paises ricos y pobres," La Nacion (AR), 17 December 2003 at

For more information regarding various civil society groups that were excluded from the Summit, visit the Reporters Sans Frontieres (RSF-a GILC member) website under

[3] Christian Chinese online activist arrested

The Chinese government has arrested a man for posting Christian materials online.

Zhang Shengqi was arrested several weeks ago. He allegedly published articles written by jailed Christian church historian Liu Fenggang via the Information Superhighway. After he was arrested at the home of his fiancée, Chinese government agents searched the house and confiscated some 20 items, including Zhang's mobile phone and various Liu Fenggang-authored materials. He has since been charged with exposing state secrets.

Free speech advocates have expressed outrage over Zhang's detainment. Robert Menard, the Secretary-General of Reporters Sans Frontieres (RSF-a GILC member), explained: "Zhang's is the first case of a cyber-dissident jailed for expressing support for the banned Christian church. He has been accused of exposing state secrets, when in fact he only published articles about the government crackdown on his religious community. We condemn this abusive use of the concept of 'state secrets,' regularly used by the authorities to make unfair arrests. We hope that, as in the cases of cyber-dissidents Liu Di and Ouyang Yi, the law will recognise that Zhang Shengqi's imprisonment is unjustified."

The arrest comes as Chinese courts have sentenced several prominent Chinese dissidents to multi-year jail terms over their online activities. Li Zhi, a civil servant, received an 8-year sentence after he allegedly criticized the Chinese government through the Information Superhighway and contacted foreign groups online. Yan Jun, a biology professor, will spend the next 2 years behind bars for posting several controversial essays on the Internet, including one that called for the release of former communist party leader Zhao Ziyang, who had expressed support for the 1989 Tiananmen Square protestors. According to published reports, Yan had been beaten so severely in prison that he had to be hospitalized. Meanwhile, Liu Di has been released from jail for the time being, albeit under harsh terms (including a ban on speaking to foreigners). Liu, who had been studying at Beijing University, had, among other things, expressed support for Huang Qi, the proprietor of the "Tianwang Missing Persons Website" who was detained on charges of "instigation to subvert state power" after he republished essays written by other people about the 1989 Tiananmen massacre, the Falun Gong spiritual movement and other topics deemed taboo by the government.

In addition to these legal battles, there is growing evidence that the Chinese government is expanding its technological capability to censor the Internet with the help of Western companies. According to RSF, at least 14 leading international high-technology companies were either "selling material directly helping the government to spy on and crack down on people using the Internet," or simply closing "their eyes to the situation." For example, "Cisco Systems supplies special online spying systems while Intel just sells its standard products. Yahoo! agreed to change its portal and search-engine to facilitate censorship in exchange for access to the Chinese market, while South Korea's Samsung is simply selling its goods to a neighbouring country." RSF sent a letter to each company's Chief Executive Officer together with the first issue of a monthly newsletter called Internet Repression News; RSF secretary-general Robert Menard explained that his organization was asking the targeted companies "to bear in mind the contents of the newsletter when making their business decisions."

For more on the arrest of Zhang Shengqi, visit the RSF website under

See also

For more on the Li Zhi case, see

Additional details concerning Yan Jun are posted under

For more about Liu Di, click

Read "China continues online crackdown," South China Morning Post, 11 December 2003 at

For more regarding Western aid to Chinese online censors, click

Read "Firms helping China 'spy on web,'" BBC News Online, 4 December 2003 at

[4] Zimbabwean gov't arrests 14 online dissenters

Over a dozen people in Zimbabwe have been arrested over their online attempts to organize protests.

The case revolves around an email message that called for protests against the country's president, Robert Mugabe. The message took the nation's rulers to task for their economic policies and for "propaganda on the radio, TV and newspapers." The arrests were made pursuant to a recently enacted law that, among other things, gave the Zimbabwean government the power to conduct email surveillance. Although the 14 detainees were released on bail, they are expected to appear in court shortly.

The case has drawn considerable concern from free speech advocates, who note that the Mugabe regime has been relentless in censoring criticism, including shutting down the country's leading independent newspaper, the Daily News. Robert Menard, the Secretary-General of Reporters Sans Frontieres (RSF-a GILC member), warned: "Robert Mugabe has already gagged the traditional news media and we must now speak out so that the Internet does not meet the same fate. The Zimbabwean opposition is increasingly using the Internet to distribute information criticising the regime and this right must not be denied them." Indeed, reports suggest that the Zimbabwean government is planning to introduce further measures that would expand its powers to silence dissent along the Information Superhighway.

An RSF press release on this subject is posted at

Read "Arrests over anti-Mugabe e-mails," BBC News Online, 21 November 2003 at

See also

[5] Protests mount against Iran Net censorship

A lively debate has erupted over efforts by the government of Iran to censor cyberspace.

For years, Iranian authorities have blocked numerous websites, including a number of webpages that called for reforms or otherwise criticized the country's leaders. More recently, the Iranian government reportedly extended this ban to various segments of the Google Internet search engine site and jailed Sina Motallebi, a journalist and online activist. Last week, during the first phase of the World Summit on the Information Society (see item [2] above), hundreds of Internet users posted complaints about this censorship scheme via a webpage that was dedicated to covering the Summit. Hossein Derakhshan, a prominent Iranian web blogger, explained that the postings were meant to "grab the attention of delegates and participants in Geneva. The Iranian officials are very defensive over these kind of things and if there is enough public pressure, they'd definitely change their attitudes. EU [European Union] delegates could play a great role in this - EU pressure once forced Iran to suspend the stoning law, and they could do it for the Net censorship too."

In response, the Iranian government issued a number of somewhat confusing and contradictory statements regarding its attempts to block online content. The nation's President, Mohammad Khatami, claimed that while "criticism is OK" and is not censored, his government was indeed "exerting greater control" over websites "that are not compatible with Islam." Curiously, Khatami went so far as to suggest that, despite strong evidence to the contrary, "[e]ven political websites that are openly opposed to the Iranian Government ... are available to the Iranian people."

Read Aaron Scullion, "Iran's president defends web control," BBC News Online, 12 December 2003 at

See also Aaron Scullion, "Iranian bloggers rally against censorship," BBC News Online, 11 December 2003 at

For background information on the Motallebi case, visit the website of Reporters Sans Frontieres (RSF-a GILC member) under

[6] Tunisian Net dissident finally freed

The proprietor of a noted Tunisian news website has finally been released from prison.

Zouhair Yahyaoui was the founder and editor of TUNeZINE, which included coverage of political affairs in the North African nation and materials from opposition party leaders. The Tunisian government arrested, tortured and jailed him for republishing via the Internet a letter written by his uncle that criticized the country's legal system. During his time in jail, he had to share a cell with 100 other inmates, and prison authorities have reportedly denied Yahyaoui medical treatment even though he has been suffering from a variety of serious ailments. Yahyaoui went on several hunger strikes over the past year as a call to his supporters to keep up the pressure in order to obtain his freedom.

Human rights advocates generally have expressed exhilaration at Yahyaoui's release, but as Robert Menard, the Secretary-General of Reporters Sans Frontieres (RSF-a GILC member), explained: "His release cannot make us forget how he was ill-treated in prison, where he [was] sent for simply stating his opinion. The Tunisian regime has made a gesture by releasing him, but is still very far from allowing free expression in the country, especially online."

For more about the Yahyaoui case, click

An RSF press release about Yahyaoui's release is posted at

[7] DVD programmer awaits appeals court ruling

In a closely watched case, a Norwegian teenager is now waiting for an appeals court to decide whether he committed a crime by creating a DVD-related computer program.

In 1999, Jon Johansen created DeCSS to help Linux operating system users watch DVDs on their machines. Norwegian authorities briefly detained him in early 2000 for his activities but released him soon afterwards. Nearly 2 years later, he was arrested once more on the theory that by developing DeCSS, he violated a Norwegian law against break-ins. Presiding judge Irene Sogn subsequently cleared Johansen of the charges and held that, among other things, there was "no evidence" that he had used DeCSS for illegal purposes.

The Norwegian government (on behalf of the Motion Picture Association of America) then appealed the decision. During proceedings before the Oslo Appeals Court, Johansen's attorney, Halvor Manshaus, insisted that the case revolved around the consumer's fair use rights: "When you buy a DVD film, you are buying the right to watch it. How you choose to do that is up to you." A verdict is expected by 22 December; further appeals would go to the Norwegian Supreme Court.

See "Satser penger pa at DVD-Jon frikjennes," Aftenposten, 12 December 2003 at

Read Peter Sayer, "Verdict In 'DVD Jon' Appeal Expected Dec. 22," IDG News Service, 15 December 2003 at

See "Norwegian DVD piracy retrial ends," Reuters, 11 December 2003 at

[8] Diebold backs down on Internet copyright threats

In the face of mounting opposition, an embattled voting machine company has decided not to sue its online critics.

Over the past several months, experts have questioned the security of machines manufactured by Diebold Election Systems. These concerns reached a crescendo after several documents were posted online that contained information regarding vulnerabilities in Diebold voting software, including email warnings from Diebold technicians about various security flaws. Diebold subsequently threatened to sue various people and groups who either hosted or provided weblinks to those documents, claiming their actions constituted copyright infringement. The list of targeted groups included Online Policy Group (OPG-a GILC member), which hosted an Independent Media Group site that had weblinks to the Diebold papers in question.

Diebold's threats led to a strong backlash. On the legal front, OPG, along with two college students who also received threats from Diebold, filed a lawsuit hoping to stop the election machine company from issuing further legal threats against Internet service providers (ISPs). In addition, Dennis Kucinich, a member of the United States House of Representatives and a U.S. Presidential candidate, called for a formal Congressional investigation and lambasted Diebold's actions as an "abuse" of the U.S. "Digital Millennium Copyright Act, using copyright to suppress speech rather than fulfill the Constitution's purpose for copyright, to 'promote progress.'"

Eventually, the company agreed in court not to sue or issue further legal threats regarding the released documents, and to send retractions of its threats to ISPs who had received them. Wendy Seltzer from the Electronic Frontier Foundation (EFF-a GILC member), which represented OPG in this case, expressed relief with this result: "We're pleased that Diebold has retreated and the public is now free to continue its interrupted conversation over the accuracy of electronic voting machines. We continue to seek a court order to protect posters, linkers, and the ISPs who host them."

An EFF press release on this subject is posted at

See Kim Zetter, "Diebold Backs Off Legal Challenge," Wired News, 2 December 2003 at,1294,61243,00.html

Read Paul Festa, "Diebold retreats; lawmaker demands inquiry," CNET News, 1 December 2003 at

See Steven T. Dennis, "E-mail stolen from Diebold is a call to gouge Maryland," (Maryland) Gazette, 10 December 2003 at

Additional background information is available from the website of the Stanford Law School Center for Internet and Society under

Representative Kucinich's letter on this subject (in PDF format) is posted at

See also

[9] Report on Vietnam Net speech curbs released

A new report indicates that recent actions by the Vietnamese government have left online "freedom of expression under threat."

The Amnesty International survey cited a number of reasons to be "increasingly concerned about human rights in cyberspace for people in Viet Nam, in particular the fundamental rights to freedom of expression, information, peaceful assembly and the right to privacy." The authors of the report noted that "the Internet's popularity has increased slowly but steadily" in the Southeast Asian nation even though "the cost of a computer and a dial-up connection is still prohibitively high for the vast majority of Vietnamese people living outside urban areas." However, accessing many websites, especially diaspora webpages, "can be difficult for people inside Viet Nam. Access to some sites is blocked. Some of the blocking is left to self-censorship by Internet Service Providers (ISPs) as required by law. The relative ease with which electronic footsteps can be traced and possible public ignorance about the increasingly sophisticated methods for monitoring have made expressing a dissenting opinion more dangerous. ISPs and individual Internet users are obliged by law to facilitate easy access for security agencies to networks and computers." Moreover, "individuals have been arrested for, inter alia, exchanging e-mails with contacts in the Vietnamese diaspora, posting articles critical of the government on the Internet, and expressing dissenting opinions."

The study made several recommendations to improve the situation, including the immediate and unconditional release of nearly a dozen people "who have been detained for the peaceful exercise of their rights to freedom of expression and access to information" via the Internet. Amnesty International also called on the Vietnamese government to "ensure that freedom of expression and related rights are protected from arbitrary interference whilst fulfilling the legitimate concerns and obligations of the state to protect its security and the rights of its citizens," and to "remove restrictions on management of the Internet, including ISPs, creation of personal websites, and operation of Internet cafés to guarantee the rights to freedom of expression, information, and assembly as set out in international standards, as well as inviolability of domicile and privacy as established in the Vietnamese Constitution."

The report is posted at

[10] Bush Backs International Cybercrime Plan

The United States government may soon consider a Council of Europe (CoE) treaty that critics say will severely erode Internet privacy.

The Council of Europe's Convention on Cybercrime would, among other things, require countries to authorize government agents to install spytools on the servers of Internet service providers (ISPs) and thereby intercept all Internet transmissions that come through the servers. The treaty requires signatory nations to comply with foreign investigators, even when they are investigating activities that are not crimes on domestic soil. The Convention, however, does not require countries to enact any specific procedural protections. The treaty was signed by many countries back in 2001 (including Great Britain, Germany, France, the U.S., Japan and South Africa), but had since languished. To date, only 4 countries have ratified the Convention: Albania, Croatia, Estonia and Hungary.

U.S. President George W. Bush is now calling on Congress to ratify the treaty, asking the U.S. Senate to "give early and favorable consideration to the Cybercrime Convention, and that it give its advice and consent to ratification." Curiously, Bush claimed that "the Convention contains safeguards that protect civil liberties and other legitimate interests," but failed to acknowledge the fact that the treaty does not actually require signatory nations to implement specific procedural safeguards.

Many observers have objected to the Convention because it may allow unnecessary governmental intrusions into cyberspace. The Global Internet Liberty Campaign had condemned a past draft of the convention as "a document that threatens the rights of the individual while extending the powers of police authorities, creates a low-barrier protection of rights uniformly across borders, and ignores highly-regarded data protection principles. Although some changes have been made ... we remain dissatisfied with the substance of the convention."

Indeed, an analysis by Cyber-Rights & Cyber-Liberties UK (a GILC member) indicates many of these thorny problems remain unsolved in the latest version of the treaty. In "An Advocacy Handbook for the Non Governmental Organizations" regarding the convention, the group noted that the treaty, among other things, betrays a "serious lack of commitment to data protection principles" and fails to provide concrete measures to prevent abuses, such as subjecting surveillance powers to judicial warrants. "Although the Cyber-Crime Convention states in its preamble that a proper balance needs to be ensured between the interests of law enforcement agencies and respect for fundamental human rights, the balance is certainly in favour of the law enforcement agencies. ... It should be remembered ... that 'the mission of the Council of Europe and of its organs is to prevent the establishment of systems and methods that would allow "Big Brother" to become master of the citizen's private life.' But the Cyber-Crime Convention unfortunately suggests otherwise."

To read the Cyber-Rights & Cyber-Liberties handbook on the CoE Convention (in PDF format), click

The text of the treaty is available via

To read the text of President Bush's message, click

See Declan McCullagh, "Bush backs international cybercrime plan," CNET News, 19 November 2003 at,39020645,39117978,00.htm

For more details on GILC concerns regarding the CoE Cybercrime Convention, click

[11] Planned VeriPay human implants pose privacy problems

The manufacturers of a controversial subdermal tracking device are now planning to expand its functions to include credit card payments.

Verichip is a device that can carry individualized data (such as a person's name, current condition, medical records and unique identification number) and is designed to be embedded under a person's skin. When a special external scanner is pointed at a Verichip, "a number is displayed by the scanner" and the stored information is transmitted "via telephone or Internet." Verichip's maker, Applied Digital Systems (ADS), is marketing its product for such purposes as "identification, various law enforcement and defense uses and search and rescue." ADS has now announced plans for a service that would allow Verichip recipients to make consumer payments by scanning their implants.

Privacy advocates had already expressed serious concerns about the device. Chris Hoofnagle from the Electronic Privacy Information Center (EPIC-a GILC member) warned: "When your bank card is compromised, all you have to do is make a call to the issuer. In this case, you have to make a call to a surgeon. It doesn't make sense to go from a card, which is controlled by an individual, to a chip, which you cannot control." Security expert Richard M. Smith explained that ADS's latest plans might prove unpopular: "VeriPay will offer some conveniences over RFID credit cards, but I think most people will be creeped out with the idea of putting little radio transmitters in their bodies."

The official Verichip website is located at

Read Declan McCullagh, "Chip implant gets cash under your skin," CNET News, 25 November 2003 at

See also Julia Scheeres, "When Cash Is Only Skin Deep," Wired News, 25 November 2003 at,1282,61357,00.html

[12] Microsoft security flaws affect automated bank tellers

Security holes in the world's most popular computer operating system are now having a negative impact on financial privacy.

It was recently revealed that a number of automated teller machines (ATMs) had to be shut down after they were infected with the Nachi computer bug. Also known as the Welchia worm, the bug takes advantage of a known flaw in an auto-update function in the latest versions of the Microsoft Windows operating system (notably Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003). The bug was ostensibly designed to cure machines of another Windows-related worm, MSBlast, but instead disrupted millions of computers around the world. Diebold, which manufactured the ATMs, had previously used IBM's OS/2 operating system for its machines, but had switched to Windows at the behest of banks.

These latest snafus are fueling long-standing concerns over whether Microsoft is doing enough to protect the privacy of computer users. Security expert Bruce Schneier explained that Microsoft's dominant position as a software manufacturer tends to exacerbate the impact of its privacy failings: "Specific-purpose machines, like microwave ovens and until now ATM machines, never got viruses. Now that they are using a general purpose operating system, Diebold should expect a lot more of this in the future." Indeed, Microsoft has recently announced plans to install its software in automobiles.

Meanwhile, researchers have discovered more security flaws in another widely used Microsoft program: Internet Explorer (IE). One of the holes pertains to a common fraud tactic that leads people (such as individuals who have clicked weblinks in email messages) to a phony webpage that is made to look like that of a well-known Internet company (such as eBay), where they are asked to provide their personal information. This tactic can often be detected by comparing the domain name displayed in the browser's address bar with the website. However, experts have discovered that IE can be fooled into displaying a phony domain name as well, making it much more difficult to detect such Internet misdirection ruses. Computer researchers have also discovered a number of scripting vulnerabilities in IE that could allow scripts to run across supposedly secure domains, so that attackers from the Internet could go through IE and execute commands on the victim's machine that are only supposed to be carried out by the victim.

Read "Worm hits Windows-based ATMs," Reuters, 9 December 2003 at

See "Microsoft Software in Every Car?" Associated Press, 30 November 2003 at,2554,61412,00.html

Read Paul Festa, "IE bug lets fake sites look real," CNET News, 10 December 2003 at

For coverage in Spanish (Espanol), see "Grave vulnerabilidad en Internet Explorer y otros navegadores,", 15 December 2003 at

See also Matthew Broersma, "New flaws reported in IE 6," CNET News, 28 November 2003 at

[13] US gov't gets still more spy powers

Lawmakers in the United States have approved a plan that some observers say will further undermine the privacy of people online.

The plan, which was part of an annual intelligence agency funding bill, involves the use of National Security Letters, which are issued at the sole discretion of the Federal Bureau of Investigation (FBI) to get personal information. Legislation passed in 2001 had already allowed the FBI the ability to get financial records and telecommunications data (including Internet logs) through such requests. Congress has now approved an expansion of this power so that the FBI can get information via National Security Letters from a wider range of organizations. The list of businesses and groups that could be affected by this change includes e-tailers and online auction houses (such as eBay) as well as travel agencies and even post offices.

The change has been severely criticized by privacy groups. Timothy Edgar of the American Civil Liberties Union (ACLU-a GILC member) warned: "The more that checks and balances against government abuse are eroded, the greater that abuse. We're going to regret these initiatives down the road."

An ACLU press release on this subject is posted at

Read Ryan Singel, "Congress Expands FBI Spying Power," Wired News, 24 November 2003 at,1283,61341,00.html

[14] Study: many British websites poor on privacy

A recent report suggests that many British websites are in violation of new rules designed to protect personal information.

Compiled by WebAbacus, the study focused on Britain's top 90 e-commerce sites. The report found that 98% of the sites surveyed did not fully comply with the Privacy and Electronic Communications (EC Directive) Regulations of 2003, which took effect earlier this month. Twenty-four percent of the websites that were studied had no privacy policy at all, and another twelve percent had no information about digital identification numbers in files known as "cookies." Only two percent allowed users to opt-out of cookie-type Internet tracking schemes with one click of a mouse, as the new law essentially requires.

These revelations have led to concern from government regulators. The British Information Commissioner was "very surprised" so many websites had failed to comply with the rules, which had been in the works for quite some time. As for ways to improve the situation, Assistant Information Commissioner Phil Jones suggested that, at a minimum, "There should be transparency. People should know what is going on with the information collected about them."

A WebAbacus press release on this report is available via

Read "Top UK sites 'fail privacy test,'" BBC News Online, 11 December 2003 at

[15] Yahoo and Excite fix webmail security hole

Yahoo and Excite have repaired a security glitch that affected their popular web e-mail services.

While details regarding the glitch have been slow to emerge, reports indicate that attackers could have exploited the flaw by sending doctored messages to webmail users that, if opened, would allow them to run malicious code (such as computer worms) on the victims' machines. Although the company has software designed to stop computer bugs, researchers from Finjan Software discovered that this barrier could be overcome with ease. Both Yahoo and Excite were told about the problem during the past few weeks and have now remedied the situation.

Read "Yahoo fixes a hole where the mail gets in," Reuters, 10 December 2003 at

See also John Leyden, "Yahoo! fixes Web mail vuln," The Register (UK), 11 December 2003 at

[16] Controversy grows over South Korean mobile phone security

A heated debate has arisen in South Korea over the security of mobile phones.

The debate centers on mobile phones that use Code Division Multiple Access (CDMA) technology. Unlike rival systems, CDMA phones had been advertised as being highly secure due to the use of encryption for wireless transmissions. However, in a recent interview with a Korean news agency, Qualcomm chairman Irwin Jacobs admitted that it was indeed possible for calls made through CDMA mobile phones to be intercepted, particularly as the transmissions are running through wires between base stations. Jacobs also admitted that the United States government had requested that Qualcomm provide mobile phones with a higher level of security than their current CDMA versions.

The security of mobile phones has become a subject of national importance in South Korea, where a number of lawmakers have made heavy use of encryption-enabled phones to prevent espionage by political rivals. The tension over this issue is such that opposition leaders have signaled that they planned a perjury lawsuit against the country's information and communications minister, Chin Dae-je, for claiming that CDMA phones could not be wiretapped.

Read Kim Sung-jin, "Wiretapping of CDMA Phone Calls Possible," Korea Times, 19 November 2003 at

[17] New privacy-friendly Cryptophone unveiled

A German company has developed a new security-friendly phone that has drawn attention from privacy advocates.

The Cryptophone was developed by a division of Berlin-based CSMK and includes free encryption software that uses two algorithms (AES and Twofish). Under the scheme, calls using the mobile handset can only be decoded by a handset or computer running the same encryption program, which can be downloaded via the Internet and run on any device that uses Microsoft Windows. The company has also made the underlying source code available for public inspection.

A number of experts have expressed hope that the new device will help protect individual privacy, but are concerned that its benefits may be undercut by various forces, including new wiretapping legislation and costs. Simon Davies of Privacy International (a GILC member) called the Cryptophone "a tremendous step forward, because the level of surveillance by authorities is breathtaking. ... I would not trust governments to leave it alone." Ian Brown from the Foundation for Information Policy Research (FIPR-a GILC member) worried that "[n]ot many average consumers will pay that kind of money. The people who will be using it are in businesses."

The official Cryptophone website is located at

See "Germany Touts High-Security Phone," Reuters, 18 November 2003 at,1282,61289,00.htm

[18] Finnish geographic kid Net tracking plan draws concern

The government of Finland is considering a proposal that will allow tracking of children using a combined mobile phone and Internet system.

Under this scheme, children would carry cellular phonesets whose geographic locations could be determined by triangulating their signals. This geolocational data would then be disseminated through the Information Superhighway. A number of details regarding the proposal remain vague, including how access to such data will be restricted and what uses may be made of child geolocational information once received. Nevertheless, the plan has drawn widespread support among policy makers in the Scandinavian country, even if it has yet to be voted upon by the Finnish legislature.

Besides the apparent privacy implications of the legislation, there are concerns that, if implemented, the scheme may have a damaging psychological impact on youth. One expert, Frank Furedi, warned that such tracking schemes teach children "to be scared of life, to distrust everyone. And that has to have a negative impact in the long run."

Read Clare Murphy, "Tracking down your child," BBC News Online, 28 October 2003 at

[19] Big Brother Awards ceremonies held recently in 4 countries

Big Brother Awards ceremonies were held recently in Germany, Spain, Switzerland and Austria. These awards, which are under the auspices of Privacy International (a GILC member), are meant to publicize some of the most significant threats to personal privacy.

In Germany, winners included a subsidiary of Deutsche Post that required employees to see a doctor if they reported sick for longer than two weeks and to waive their right to medical confidentiality. A special Politics prize was given to the German states, Bavaria, Lower Saxony, Rhineland-Palatinate and Thuringia "for their efforts, riding on the issue of fighting terrorism, to tighten their states' police laws, allowing for drastic restrictions of elementary basic rights and liberties affecting a large number of unsuspicious people." In the category of Consumer Protection, Metro AG's Future Store Initiative received an award for "propagating the use of transponders or so-called RFIDs ('Radio Frequency Identification' devices) in super markets." Other winners included GEZ (for their surveillance efforts in order to collect public radio and TV license fees), Berlin's Senator of the Interior ("for his more than dubious justification for the use of the so-called 'silent SMS' by Berlin police"), T-Mobile ("for storing the IP [Internet protocol] addresses of customers with flat rate contracts") and the United States government (for coercing "European and especially German airlines into granting various US authorities access to the vast amount of data related to the bookings of all passengers travelling to or via the United States").

Meanwhile, the Spanish Chapter of Computer Professionals for Social Responsibility (CPSR-a GILC member) organized the second ever Big Brother Awards Spain ceremony in Pamplona. One of the winners was the Spanish Ministry of Science and Technology (MCYT) for the controversial LSSI (short for La Ley de Servicios de la Sociedad de la Informacion y de Comercio electronico), which included the first mandatory data retention provision in Europe and imposed potentially heavy fines for various types of Internet activity. A Private Sector Prize and People's Choice Award went to Xabier Ribas, a PriceWaterhouseCoopers lawyer who threatened to sue ninety-five thousand Spanish users of peer-to-peer software in a fashion similar to that of the Recording Industry Association of America (see item [4] above). An Intrusive Technologies Prize was awarded to Microsoft for Palladium (now known as Next-Generation Secure Computing Base or NGSCB), which many experts fear will be used to control everything that users can do on their machines. On the flipside, a Mariana Pineda Prize was given to Proinnova, a group that battled fiercely against the latest European Union Directive on software patents.

In Switzerland, one of the big winners was the Swiss Ministry of Defence, which asked recruits highly intrusive questions about such subjects as their sexual preferences. Examining magistrate Treccani from Lausanne, who ordered mobile phone providers to hand over all traffic data from various specified base stations, also garnered a Big Brother Award. On the positive side, Rebekka Salome was honored (for revealing the existence of a secret database containing information about customers of the Winterthur insurance company) along with activist Daniel Costantino (who brought the aforementioned Swiss Defence Ministry recruit questioning system to light) and Anina Ruest (for her "SuPerVillainizer" program, which disrupts email surveillance routines through disinformation).

At the Austrian Big Brother Awards, the European Commission and Janelly Fourtou had the dubious distinction of being joint winners (in the Politics category) for their efforts regarding the controversial draft Intellectual Property Enforcement Directive (see item [2] above). Other awardees included the European Patent Bureau (for awarding patents to ideas and methods in information technology) and the Austrian postal service (for taking addresses provided by people who had requested mail forwarding after having recently moved and selling those addresses to direct marketing firms). On a happier note, for the first time in five years, a positive prize was given out; the so-called "defensor libertatis" award was presented to historian and well known television journalist Peter Huemer for his defense of civil rights in the information age and the freedom of communication.

The official German Big Brother Awards site is located at

See "Datenkraken-Oscars: Gebuehren fuer Big Brother," Heise Online, 24 October 2003 at

To visit the official Spanish Big Brother Awards site, click

The Swiss Big Brother Awards website is located at

For more on the Austrian Big Brother Awards, see

Read Brigitte Zarzer, "Schweinische 'Big Brother Awards'-Verleihung in Oesterreich," Heise Telepolis, 27 October 2003 at

See also


The GILC News Alert is the newsletter of the Global Internet Liberty Campaign, an international coalition of organizations working to protect and enhance online civil liberties and human rights. Organizations are invited to join GILC by contacting us at

To alert members about threats to cyber liberties, please contact members from your country or send a message to the general GILC address.

To submit information about upcoming events, new activist tools and news stories, contact:

Christopher Chiu
GILC Coordinator
American Civil Liberties Union
125 Broad Street, 17th Floor
New York, New York 10004

Or email:

More information about GILC members and news is available at

You may re-print or redistribute the GILC NEWS ALERT freely.

This edition of the GILC Alert will be found on the World Wide Web under

To subscribe to the Alert, or to change your subscription options (including unsubscribing), please visit