Online Norwegian internet privacy protest

This post is in support of the Norwegians’ struggle for preserving internet freedom. The question concerns the choice to implement the Data Protection Directive (2006/24) into Norwegian law. Since Norway is not an EU member state they have the right to reserve themselves and not implement directives. The protest for digital privacy is an attempt by the Norwegians not to follow the same integrity-violating policies being adopted throughout Europe. The protest action is an attempt to get the Norwegian government to state that they will not be adopting the directive.

Privacy is a fundamental value in a democracy. Privacy entails a right to be left in peace by others, but also a right to have control over information about oneself, especially information that is experienced as personal. Under Article 8 of the ECHR, privacy is regarded as a human right.

With a possible Norwegian implementation of the Data Retention Directive (Directive 2006/24/EC), which requires telecom and internet companies to store traffic data about citizens' electronic communications (e-mail, SMS, telephone, internet) for up to two years, Norwegians' privacy will be violated in the gravest way.

The Data Retention Directive was adopted by the EU on 15 March 2006, but the Norwegian government has still not officially taken a position on whether the directive should be made Norwegian law or not. Through the EEA Agreement, Norway has a right of reservation. This has never been used before, but then one has never before faced a directive that represents such a great threat to democracy's fundamental values as the Data Retention Directive does.

We demand that the government say now, before the election, whether or not it will make the Data Retention Directive Norwegian law. Not taking a position, as the government has done for over three years, is the same as tacit acceptance.

The government must take a position now – say no to the Data Retention Directive!

The following support the cause and have the same or a similar post on their blog (this list is updated continuously):

Lars-Henrik Paarup Michelsen, 2nd candidate – Hordaland Venstre
Mads Munthe-Kaas, Bergen Venstre
Carl Christian Grøndahl, Bergen Venstre
Vox Populi; Blogger Knut Johannessen
Virrvarr; Blogger Ida Jackson
Per Aage Pleym Christensen, Liberaleren (also on VG-blogg)
Even Sandvold Roland, evensr/#drittunge
Torstein Dahle, Party leader, Rødt
Robert Sørensen, www.teknonytt.com
Boye Bjerkholt, Leader, Skedsmo Venstre
Runar Mæland, youth candidate, Hordaland Venstre
Jonas Eilertsen, 1st deputy leader, Unge Venstre
Tanketom, Andreas H. Opsvik
Jon Lien, master's in Political Economy
Svein Ølnes, IT researcher & farmer
Stian Skår Ludvigsen, Bergen Venstre
Vampus, Blogger Heidi Nordby Lunde
Bjørn Magne Solvik, Høyre member in Nordkapp
Erlend Sand, Leader, Europeisk Ungdom
Bjørn Stærk, Blogger
Bjørge Solli, Blogger
Bjørn Smestad, Teacher
Odd Bovim, Blogger & lawyer
Unge Venstre/Den tredje vei
Pål Hivand, Blogger and communications adviser
Linn Beate Kaald Thoresen, Venstre politician, Oslo
unknownrebel
Gisle Hannemyr, Researcher, informatics/internet

Why numbers don't mean much – file sharing in Sweden

Presentation is everything. Shame that the truth may interrupt an otherwise nice story. The Guardian was not alone among international media commenting on the implementation of IPRED (Directive on the enforcement of intellectual property rights) in Sweden. The article entitled Swedish internet use plummets after filesharing curb introduced began:

Internet traffic in Sweden – previously a hotbed of illicit filesharing – has fallen dramatically following the introduction of a law banning online piracy.

Let's begin with some of the obvious errors. The “hotbed of illicit filesharing” is a strange thing to call Sweden. We have a high Internet/broadband penetration and the Pirate Bay was launched and maintained by Swedes but there is no way that a country with 9 million inhabitants could be at the top of the file sharing list.

The fact that TPB was launched in Sweden does not mean that its users are Swedish or in Sweden – this is basic stuff – so did the writer want to increase the sensationalism in the article or doesn’t he understand how the Internet works? Check out this map of TPB users around the world.

TPB Tracker Geo Statistics
The statistics is now based on unique users connected per minute! Should provide a lot more accurate data.
Keep in mind that a torrent client usually only connects to the tracker once every 15-20 minutes.

The next problem is that the measurements of the 30-50% drop in traffic (depending upon who you read) seem to have been taken from a much too small sample, and the drop mirrors a similar drop on the measured servers occurring at the same time last year (Sources in Swedish here).

Yes, there are file sharers in Sweden and yes one of the most popular torrent trackers was founded in Sweden. But the files are uploaded and downloaded from all locations across the world and a large dip in traffic may mean a number of things. Having said that there is no doubt that a number of users turned off their file sharing when IPRED entered into force – but only to begin searching for anonymity tools. It is extremely likely that the users who stopped file sharing will return since there is still no viable legal alternative.

The Swedish Surveillance State

I am almost ashamed for not blogging and discussing this in more detail. There have been plenty of media, discussions, and a blogging frenzy in the past two weeks…

Short of actually doing the work myself I simplified life – or gave way to my laziness and re-post this post from the EFF

A proposed new law in Sweden (voted on this week, after much delay) will, if passed, allow a secretive government agency ostensibly concerned with signals intelligence to install technology in twenty public hubs across the country. There it will be permitted to conduct a huge mass data-mining project, processing and analysing the telephony, emails, and web traffic of millions of innocent individuals. Allegedly these monitoring stations will be restricted to data passing across Sweden’s borders with other countries for the purposes of monitoring terrorist activity: but there seems few judicial or technical safeguards to prevent domestic communications from being swept up in the dragnet. Sound familiar?

The passing of the FRA law (or “Lex Orwell”, as the Swedish are calling it) next week is by no means guaranteed. Many Swedes are up in arms over its provisions (the protest Facebook group has over 5000 members; the chief protest site links to thousands of angry commenters across the Web). With the governing alliance managing the barest of majorities in the Swedish Parliament, it would only take four MPs in the governing coalition opposing this bill to effectively remove it from the government’s agenda.

As with the debate over the NSA warrantless wiretapping program in the United States, much of this domestic Swedish debate revolves around how much their own nationals will be caught up with this dragnet surveillance. But as anyone who has sat outside the US debate will know, there is a wider international dimension to such pervasive spying systems. No promise that a dragnet surveillance system will do its best to eliminate domestic traffic removes the fact that it *will* pick up terabytes of the innocent communications of, and with, foreigners – especially those of Sweden’s supposed allies and friends.

Sweden is a part of the European Union: a community of states which places a strong emphasis on the values of privacy, proportionality, and the mutual defence of those values by its members. But even as the EU aspires to being a closer, borderless community, it seems Sweden is determined to set its spies on every entry and exit to Sweden. When the citizens of the EU talk to their Swedish colleagues, what happens to their private communications then?

When revelations regarding the United Kingdom’s involvement in a UK-US surveillance agreement emerged in 2000, the European Parliament produced a highly critical report (and recommended that EU adopt strong pervasive encryption to protect its citizens’ privacy).

Back then, UK’s cavalier attitude to European communications, and its willingness to hand that data to the United States and other non-EU countries, greatly concerned Europe’s elected legislators. Already questions are being asked in the European Parliament about Sweden’s new plans and their effect on European citizens’ personal data. Commercial companies like TeliaSonera have moved servers out of Sweden to prevent their customers from being wiretapped by the Swedish Department of Defence. Sweden’s own business community have expressed concern that companies may move out of Sweden to protect their private financial data.

Sweden has often led the charge for government openness and consumer advocacy, and has, understandably, much national pride in seeing its past policies exported and reflected in Europe and beyond. Before Sweden’s MPs vote next week to allow its government surveillance access to the whole Net, they should certainly consider its effect on their Swedish citizens’ privacy. But they should also ponder exactly how their vote will be seen by their closest neighbors. If the Lex Orwell passes, Sweden may not need something so sophisticated as a supercomputer to hear what the rest of the world thinks about their new values.

Are we secure yet?

Thankfully the term “war on terrorism” seems to have fallen out of fashion. Unfortunately the threat of terrorism is being used to systematically and creatively remove civil liberties. At some point a society must ask itself if the security needed to prevent terrorism is in itself an act of terrorism and repression.

Unfortunately all the silliness is not confined to high government (even though a lot of the silliness originates from there). In times of tension the wackos, weirdos and sociopaths step forward and fill the lower levels of the security system. These are the working stiffs in the security system. Heady with power and filled with self-importance they are responsible for degrading ordinary people all in the name of terrorism and security. In reality it’s all for their own little egos.

You think I may be exaggerating?  Then give me some better explanations for these:

A man trying to fly British Airways to Dusseldorf was told that he could not board the plane wearing the t-shirt he had on. The offending t-shirt had a picture of Megatron (a 40 foot tall cartoon robot with a gun as an arm).

In Canada (Kelowna Airport, British Columbia) a PhD student was not allowed to board the plane because she wore a necklace with a pendant in the shape of a gun (a silver classic Colt45, under two inches in length with no moving parts) story and photo here.

A classic example of misguided airport security in relation to clothes is Raed Jarrar’s experience at JFK where he was forced to take off a shirt with Arabic writing on it or miss his flight; new BBC article. The story upset many people but inspired some: You can now buy t-shirts from Casual Disobedience with text “I am not a terrorist” in Arabic. I bought one and it is among my favorites.

Another classic is when John Gilmore was refused carriage by British Airways recently for declining to take off a button that read “Suspected Terrorist”.

These are only examples relating to clothes or jewelry in relation to airport security – there are plenty of stories of offending clothing (political, not sexual) that have got people detained or arrested. I think I need to develop this into a full length article…

Zero Privacy in UK

The Times has an article on the recent proposal that has been put forward in England to create a massive government database holding details of every phone call, e-mail and time spent on the internet by the public.

Naturally this is all being done in the effort to fight crime and terrorism. Against what? Systems such as these are massive threats against democracy and weaken the whole legitimacy of government. Unfortunately instead of kicking and screaming most people still seem to believe that as long as they have nothing to hide then total surveillance is not a problem.

As if nothing bad ever happens to innocent people…

Suspicious travel patterns

The MI5 wants access to the Oyster travel card database to be able to trawl it for possible suspects. Today they may demand the data to track specific individuals under investigation but the change will allow them to search for unknown suspects based on “suspicious” travel patterns.

Systems such as these will make sure that people with strange travel patterns around the metropolis will be seen as being suspicious in general. If you are an oddball (in your movements around the city) you will now be able to be classed as a potential threat to national security.

Another step in the loss of anonymity, not to mention the fact that taking the scenic route to work in the morning suddenly becomes more ominous…

More at the Guardian.

Defending Security by Obscurity

Almost as soon as Google launched its “Social Graph API” the discussions began. As with other innovations in the field of social networking the Google social graph will be a potential new threat to privacy – and like everything else produced by Google it will be well-packaged and presented in a non-threatening manner.

So what is the social graph and why is it important?

Basically the social graph is a way to take existing data and to use it in new ways. By analyzing the information available the social graph will present relationships between data and people online. One of the examples used in the instructional video (found here) is this:

social graph by Google

The user Brad joins twitter and searches for friends. The social graph knows that b3 belongs to Brad (maybe his blog); from the blog the social graph knows that Bradfitz is also Brad. Bradfitz is friends with Jane274 who is also known as Jane on twitter. Since they are friends on livejournal Brad can ask Jane to be friends on twitter.

The criticism against this model is that Jane274 may accept Bradfitz on livejournal but Jane may be trying to avoid Brad on twitter – even if they are the same people. Maybe Jane is trying to avoid Brad altogether but has failed on livejournal? Who knows? Whatever the reason Jane may be using different names to create watertight compartments of her online life. This model of security is not particularly strong but it works reasonably well and is known as security by obscurity.
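An added illustration (not from the original post, and not Google's Social Graph API code) of why Jane's compartments hold only while no public link joins her accounts. The account names and link lists are constructed from the Brad/Jane example above, and merging "me" claims with union-find is an assumed model of how such a graph joins identities.

```python
from collections import defaultdict

# Constructed sample data modelled on the Brad/Jane example in the post.
# "me" links: publicly crawlable claims that two accounts share one owner.
ME_LINKS = [
    ("blog:b3", "livejournal:bradfitz"),
    ("blog:b3", "twitter:brad"),
]
# Friend links declared inside a single service.
FRIEND_LINKS = [
    ("livejournal:bradfitz", "livejournal:jane274"),
]


class IdentityGraph:
    """Hypothetical model: merge accounts by 'me' claims, then follow friends."""

    def __init__(self, me_links, friend_links):
        self.parent = {}                 # union-find forest over account names
        self.friends = defaultdict(set)  # per-account friend edges
        for a, b in me_links:
            self._union(a, b)
        for a, b in friend_links:
            self._find(a)
            self._find(b)
            self.friends[a].add(b)
            self.friends[b].add(a)

    def _find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.parent[rb] = ra

    def accounts_of(self, account):
        """Every account the graph attributes to the owner of `account`."""
        root = self._find(account)
        return {a for a in list(self.parent) if self._find(a) == root}

    def suggestions(self, account, service):
        """Accounts on `service` owned by friends of any of the owner's identities."""
        mine = self.accounts_of(account)
        found = set()
        for identity in mine:
            for friend in self.friends[identity]:
                for theirs in self.accounts_of(friend):
                    if theirs.startswith(service + ":"):
                        found.add(theirs)
        return found - mine


# Compartments intact: nothing public ties jane274 to her twitter name.
separate = IdentityGraph(ME_LINKS, FRIEND_LINKS)
# One published "me" link from Jane collapses the compartment.
linked = IdentityGraph(
    ME_LINKS + [("livejournal:jane274", "twitter:jane")], FRIEND_LINKS
)

if __name__ == "__main__":
    print(separate.suggestions("twitter:brad", "twitter"))
    print(linked.suggestions("twitter:brad", "twitter"))
```

Running `accounts_of` on one's own pseudonym is a quick way to see which other accounts a crawler of public links would already attribute to the same person.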

Tim O’Reilly argues that the weakness or false sense of security created by security by obscurity is dangerous and therefore social graphs should be implemented. He realises people will get hurt when the obscurity is lost but considers this to be a necessary cost of evolution:

It’s a lot like the evolutionary value of pain. Search creates feedback loops that allow us to learn from and modify our behavior. A false sense of security helps bad actors more than tools that make information more visible…But even here, analogies to living things are relevant. We get sick. We develop antibodies and then we recover. Or we die.

Basically it’s evolve or die to Tim.

This is OK if you are pretty sure to be among those who survive the radical treatment. But what about those who are hurt by the treatment – what about those who die? Danah Boyd at apophenia writes:

…I’m not jumping up and down at the idea of being in the camp who dies because the healthy think that infecting society with viruses to see who survives is a good idea. I’m also not so stoked to prepare for a situation where a huge chunk of society are chronically ill because of these experiments. What really bothers me is that the geeks get to make the decisions without any perspective from those who will be marginalized in the process.

The problem is that the people who will get hurt in large scale social experiments such as these are never those who are responsible in carrying them out. The costs will be carried by those who are not techie enough to defend themselves. The experts will continue to go about their lives because they will always have the ability (time, money, knowledge) to defend themselves.

Those in the position of privilege should remember that with great strength comes great responsibility. In other words those who have the ability to create systems such as these should really think about the social implications of the tools they are creating. Not as seen from their positions of privilege but from the perspective of the users who may be hurt.

Trust no-one

The question of trust is a difficult one. The decision to trust must be made taking into consideration both now and by calculating future probabilities into the equation. Unfortunately the users of Hushmail, a longtime provider of encrypted web-based email, made the wrong decision.

The main selling point of Hushmail was its encryption which would guarantee privacy and security to the user. Hushmail markets its service by saying that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.”

Unfortunately such promises are rarely true. In an article in Wired:

A September court document (.pdf) from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The charging document alleges that many Chinese wholesale steroid chemical providers, underground laboratories and steroid retailers do business over Hushmail.

I have no sympathy for the drug dealers but it is important to realize that relying on free services provided by companies will never ensure a reliable infrastructure – when placed under stress the private company has an obligation to make a profit, not to protect non-paying users.

Tracking Schoolchildren with RFID

It’s strange that everyone sings the praise of RFID and the main struggle seems to be how to implement the technology in as many places as possible. The Register reports that a UK school is piloting a monitoring system designed to keep tabs on pupils by tracking RFID chips in their uniforms.

According to the Doncaster Free Press, Hungerhill School is testing RFID tracking and data collection on 10 pupils within the school. It’s been developed by local company Darnbro Ltd, which says it is ready to launch the product into the £300m school uniform market.

As Bruce Schneier points out the scheme is not difficult to thwart – simply ask a friend to carry the chipped uniform into class. Despite this, the dream of using technological surveillance seems to blind people to its lack of efficiency and reliability.

The real cost is the actual lack of integrity, the high potential for abusing the system and the fundamental shift in attitude which we are pushing on the children in the project. They are being taught (indoctrinated) that technology should be used as a surveillance tool. Asking the teachers to remember their names would apparently be too much to ask for.

Employee's Privacy: No Monitoring

This comes straight from the latest EDRI newsletter:

The Welsh Government, through Carmarthenshire College, was found in breach of human rights by the European Court of Human Rights (ECHR) for having monitored one of the college employee’s e-mails, internet traffic and telephone calls.

As the College is publicly funded, Lynette Copland sued the government for infringing Art.8 of the European Convention on Human Rights that says “everyone has the right to respect for his private and family life, his home and his correspondence”.

The government argued that the monitoring was carried out in order to establish whether Copland had extensively used college resources for personal communication, but the court ruled that: “The court is not convinced by the government’s submission that the college was authorised under its statutory powers to do ‘anything necessary or expedient’ for the purposes of providing higher and further education, and finds the argument unpersuasive”.

Copland claimed that her correspondence had been monitored for about 18 months by the headmaster of the college who even contacted some of the people with whom she had communicated to ask for the nature of their communications. The government admitted the monitoring but stated it had lasted only a few months.

The Court ruling was that “According to the court’s case-law, telephone calls from business premises are prima facie covered by the notions of ‘private life’ and ‘correspondence’ ” and that “It follows logically that emails sent from work should be similarly protected under article eight, as should information derived from the monitoring of personal internet usage.”

“The applicant in the present case had been given no warning that her calls would be liable to monitoring, therefore she had a reasonable expectation as to the privacy of calls made from her work telephone. The same expectation should apply in relation to the applicant’s e-mail and internet usage.”

The college had no policy to inform employees they might be monitored and Copland had received no warning on this.

“The ruling is important in that it reinforces the need for a statutory basis for any interference with respect to private use of a telecommunications system by an employee… The lawful business practice regulations [part of RIPA] allow an employer to monitor and intercept business communications, so the Court is implying that private use of a telecommunications system, assuming it is authorised via an acceptable use policy, can be protected.” said Dr Chris Pounder, a privacy specialist at Pinsent Masons.

The Court awarded Copland 3,000 Euros in damages and 6,000 Euros in costs and expenses.

European Court of Human Rights – Copland vs. The United Kingdom (3.04.2007)
http://www.bailii.org/eu/cases/ECHR/2007/253.html

EU court rules monitoring of employee breached human rights (5.04.2007)
http://www.theregister.co.uk/2007/04/05/monitoring_breached_human_rights/

Court of Human Rights protects the private use of the Internet (4.04.2007)
http://www.heise.de/english/newsticker/news/87867

Monitoring of employee breached human rights, says European court (4.04.2007)
http://www.out-law.com/page-7936