Friday, December 03, 2004

GTA - Global Trustmark Alliance

Richard Swetenham at QuickLinks reports on the creation of a new global umbrella group of trustmark organisations, called the Global Trustmark Alliance, GTA. From the GTA website, the GTA has been

"created to encourage cross border e-commerce by fostering consumer trust, encouraging good online business practices, and discouraging the development of burdensome disparate governmental regulation.

Members are local trustmark organizations worldwide and other organizations supporting the development of online trustmarks. Once fully operational, participating businesses in these member trustmark organizations will agree to abide by an international code of conduct for cross-border transactions, to participate in out-of-court dispute resolution procedures based on code standards, and to display an international seal on their website signaling their participation in the GTA"

Ed Felten calls for EULA doghouse

Having looked through Ben Edelman's assessment of Claria's (formerly Gator) end user licence agreement (EULA), entitled Gator's EULA Gone Bad, Edward Felten has some thoughts:

"To the extent that the EULA gives Gator legal leverage over its users, that leverage could be used to deter criticism of Gator, and not just lawsuits. Experience has shown that some companies, especially ones with dodgy products, do use what legal leverage they have against their critics. If I planned to criticize Gator in detail, I would worry about this issue.

There are two solutions to this overEULAfication problem. A court could throw out this kind of egregious EULA, or at least narrow its scope. Alternatively, users could raise the price of this behavior by refusing to use overEULAfied products. Realistically, this will only happen if users are given the tools to do so.

The best kind of tool for this purpose is information. I would love to see a "EULA doghouse" site that listed products with excessive EULAs, or that rated products by the content of their EULAs. At the very least, EULA evaluation could become standard procedure for people writing reviews of software products. Unfortunately, there hasn't been much progress on this front."

He suggested the EULA doghouse in more detail last week but I missed it at the time.

The Economics of Privacy

I've just re-discovered Alessandro Acquisti's page of links to resources on the economics of privacy. Excellent.

Kahle to appeal

Brewster Kahle has confirmed he will appeal the recent dismissal of his challenge to the Copyright Term Extension Act of 1998.

Who owns the knowledge economy?

Richard Clayton at FIPR tells me that an interesting website, The Corner House, has just published a briefing paper from Peter Drahos and John Braithwaite,

Who Owns the Knowledge Economy?
Political Organising Behind TRIPS.


This is a substantial edited extract from their excellent book, Information Feudalism, published by Earthscan in 2002 and is well worth a read if you're interested in the international power dynamics underlying developments in intellectual property law. The Corner House summary of the paper follows:

"TRIPS -- the World Trade Organisation's agreement on Trade-Related Aspects of Intellectual Property Rights -- was the most important agreement on intellectual property of the 20th century. It revolutionised the way that property rights in information were defined and enforced. TRIPS effectively globalises the set of intellectual property principles it contains, because most countries are members of, or are seeking membership of, the World Trade Organisation that administers TRIPS.

When TRIPS was signed by more than one hundred government ministers in April 1994, the United States, the European Community and Japan had the world's dominant software, pharmaceutical, chemical and entertainment industries between them and the world's most important trade marks. The rest of the world had nothing much to gain by agreeing to terms of trade for intellectual property that offered these countries so much protection. Why did states sign up to TRIPS?

They did so because of a failure of democratic processes, both nationally and internationally. This enabled a small group of men within the United States to capture the US trade-agenda-setting process; then, in partnership with European and Japanese multinationals, to draft intellectual property principles that became the blueprint for TRIPS. The resistance of other countries was crushed through US trade power.

This briefing paper explores the background to TRIPS and the corporate political organising that orchestrated and paved the way for the agreement."

Fingerprint system crash

It seems that the UK's national automated fingerprint identification system (Nafis) crashed on Wednesday, the 24th of November and was shut down until this Monday, 29th November. It's a coincidence that it happened in the same week that the benefits system crashed and must have been a major pain particularly for the scenes of crimes officers who need it for their day to day work, as well as numerous others in the law enforcement chain.

Whilst sympathising with the folks who needed the system to work, you can't help but think of the irony that almost exactly a month earlier, on Monday, the 25th of October, the EU's Council of justice and home affairs ministers were deciding, at a meeting in Luxembourg, to force through fingerprints on passports for all EU citizens. The UK system, according to the Independent article, has 4 million entries and operated effectively trouble free until the recent crash. What happens when a system with entries relating to a population of 450 million collapses?

Thursday, December 02, 2004

Firstly thanks to Yiango Yiangoullis for prompting me to enable an RSS feed. I know this blog is in need of a major overhaul to make it more user friendly. I'm sorry I have not had the time to do this yet but as an interim measure I've enabled Blogger's Atom site feed. The site feed link is on the left hand side of the page - scroll down and you'll find it at the bottom of my list of links. (I know - a red button would be easier to find...)

Secondly the latest edition of EDRI-gram is essential reading. It covers a range of really important stories from the shenanigans about rushing through biometrics (fingerprints and digital photographs) on EU passports through to an ISP in Belgium being ordered by a court to cut off P2P users.

Andreas Dietl, EDRI EU Affairs Director, covers the politics of the fingerprints in passports and hopefully he won't mind if I quote that section in full:

"1. Rush vote European Parliament on biometrics

It is likely that the Council of European Justice and Home Affairs ministers will adopt a regulation tomorrow, on 3 December 2004, to fingerprint all EU citizens and residents, to take digital photographs of their faces and to store these data in a gigantic database of 450 million EU citizens. This will be the last step of a procedure that has exploited the democratic deficit of the European Union to an unheard extreme.

Today the European Parliament adopted the proposal but introduced a large number of limitations. MEPs voted to clearly limit the kinds of information to be stored on the passports, they voted against the storage of the data in a central database and in favour of giving Data Protection Authorities oversight over the whole process. But it is unlikely that the Council will take any of these amendments into consideration. Under the European Union's consultation procedure the Council can globally reject all of the Parliament's amendments. Though it is mandatory to at least look at the parliamentary suggestions, it will be almost impossible to do so in this case, since the Council plans to adopt its own plan tomorrow.

Members of the European Parliament were deeply angered by the Council's sudden and belated change of the draft that the Parliament had to vote on. On 25 October 2004, while the Parliament's LIBE (Civil Liberties, Justice and Home Affairs) Committee was voting on its report on the biometric issues, the EU's Justice and Home Affairs ministers met behind closed doors in Luxembourg. They decided to considerably change the document that LIBE was just voting on: Fingerprints were introduced as a second obligatory biometric identifier, and the data were to be stored in a central database. The draft Regulation adopted by the Council was transmitted to the Parliament only a month later, on 26 November 2004.

The Council then black-mailed the Parliament's Conference of Presidents, the body taking decisions on the plenary agenda, to behave as if the proposal had not undergone any significant changes and to leave it on the agenda of the plenary session of 1 and 2 December. If the Presidents had refused, the Council threatened to delay the introduction of the co-decision procedure for immigration and asylum issues. Instead of giving parliament this important power on 1 January, it was to be delayed to 1 April 2005. And if Parliament had decided to refer the new proposal back to the LIBE committee, the Council announced it would just completely ignore Parliament, under some obscure procedure.

More than seventy civil society organisations from the EU and abroad, nine national or regional Data Protection Commissioners and more than two hundred concerned citizens have signed an open letter by Privacy International, Statewatch and European Digital Rights opposing this proposal. It seems, however, quite unlikely that the Justice and Home Affairs Ministers of the European Union will take the declared will of the EU Parliament or of Civil Society into account when introducing the obligation to fingerprint all their citizens and to store their data in a central database.

PI, Statewatch and EDRI Open Letter (30.11.2004) http://www.edri.org/campaigns/biometrics/0411

EU governments blackmail European Parliament into quick adoption of its report on biometric passports (27.11.2004) http://www.statewatch.org/news/2004/nov/12biometric-passports-blackmail.htm

Council Draft regulation on biometric passports (23.11.04) http://www.statewatch.org/news/2004/nov/biometric-proposal.pdf

Parliament report on the Commission proposal for a Council regulation on standards for security features and biometrics in EU citizen's passports, including voting list and all amendments (25.11.2004) http://www.edri.org/files/BioPass_AllAmend_VoteList.pdf

Provisional agenda for the meeting of the JHA Council (2-3.12.2004) http://www.eu2004.nl/default.asp?CMS_TCP=tcpAsset&id=1FA5E817CB12484F986BEE41DBF7B5A9X1X56197X36

JHA Council press conference video stream (available after 2 December, 20:00, for one week) http://europa.eu.int/comm/ebs/bottom_schedule.cfm?jour=5&semaine=49&annee=2004#s37732

(Contribution by Andreas Dietl, EDRI EU Affairs Director)"

The Council of Ministers need to read the relevant sections of Ross Anderson's book and Bruce Schneier's too. Or perhaps just giving them an opportunity to sit down without any advisers and simply talk to Ross and Bruce about the differences between the realities and the illusion of security would be a first step?

Wednesday, December 01, 2004

Nice quote from Paul Goldstein's Copyright's Highway: From Gutenberg to the Celestial Jukebox (1994) - he says copyright's goal is to give

"the public the widest variety of literary and artistic works at the lowest possible price." (p228)

On p224: "The capacity of the celestial jukebox to post a charge for access, and to shut off service if a subscriber does not pay his bills, should substantially reduce the spectre of transaction costs. As these costs dissolve, so, too, should the perceived need for safety valves like fair use. Indeed the economic logic of the celestial jukebox....might produce a law that contains no exemptions from liability at all.... as suppliers oblige their subscribers contractually to pay for now exempted uses of copyrighted material..... One problem with this logic is that the celestial jukebox will not entirely replace traditional copyright markets... Also, some of the 1976 Act's exemptions are there, not because of transaction costs, but because certain uses and users serve socially valuable ends. The statutory exemption for classroom performances of copyrighted works in nonprofit educational institutions is one example. If copyright owners try to circumvent these copyright exemptions by contract - and there is every reason to expect they will - Congress will have to reconsider the distributional aspects of its copyright agenda and decide whether to outlaw such contracts...."

Goldstein would firmly reject Larry Lessig's notions about copyright extension being unnecessary. He is of the opinion that technological development eroded copyright revenues because e.g. people got used to using the VCR without paying for copies because Congress did not act quickly enough to deal with it. And once people are used to getting something for "free" they will not want to pay for it and Congress is unlikely to make them. So he says hand out the copyright scope extensions to prevent damage to copyright holders, then assess later the effect. Lessig on the other hand would say avoid handing out monopolies until the real effect of the technological development can be evaluated. After all, Jack Valenti was against VCRs and now videos provide huge revenues for the movie industry.

Goldstein's book is terrific, though I don't agree with his proposition that we should expand intellectual property laws until they do some noticeable damage. Partly because there is very little empirical evidence/study of the impact of IP and partly because the onus should be on those who wish to change the law to demonstrate that the change deals with a particular problem or can demonstrably bring about a positive effect.

Goldstein concludes the book on p236: ".. and true to copyright's historic logic that the best prescription for connecting authors to their audiences is to extend rights into every corner where consumers derive value from literary and artistic works. If history is any measure, the result should be to promote political as well as cultural diversity, ensuring a plenitude of voices, with all the chance to be heard." Hmmmm.
Just came across MIT's Media Lab ThinkCycle project, described on the home page as

"an academic, non-profit initiative engaged in supporting distributed collaboration towards design challenges facing underserved communities and the environment. ThinkCycle seeks to create a culture of open source design innovation, with ongoing collaboration among individuals, communities and organizations around the world."

Nice idea. Practical open source learning and problem solving. Apparently it has come up with such things as a simple and effective water purification process, which can be used in areas of the world where clean water is not readily available.
Simon Davies of Privacy International wrote an ID card FAQ paper in 1996(!) providing an analysis of the key aspects of ID cards and related technologies. Many of the issues remain current.
Michael Madison, a law professor at the University of Pittsburgh, is disappointed by the Kahle v Ashcroft decision.

"The disappointing result in Kahle v. Ashcroft [pdf of the opinion available from Joe Gratz], rejecting constitutional challenges to changes to copyright law that dramatically decrease the likelihood that copyrighted works will fall into the public domain, highlights an issue considered more leisurely in a recent piece in the Fordham Law Review by NYU law professor Diane Zimmerman: Is the public domain constitutionally required? Do we have to have it? The argument of the various “Ashcroft” cases (Eldred, Golan, Kahle) boils down, I think, to the position that it is, and that we do: The public domain is itself a sort of fact, or an idea, or a thing, that is a given feature of the universe and that Congress lacks the power to take away.

As a philosophical matter, I want to chew on that a little bit. Is the public domain really “out there” in that sense, growing (theoretically) bit by bit with the accretion of new material? Or do we (we as society, or we as Congress) make the public domain, and if we do, how do we make it, and what legal and other limits constrain our behavior? As a litigation tactic, I wonder whether the implicit framing of these cases as preservation of “The Public Domain” (initial caps, like “Yosemite Valley” or “Yellowstone National Park") is really the most effective strategy. We know from the Court majority in Eldred v. Ashcroft itself that “The Public Domain” doesn’t sell as an intuitive matter."
TT Arvind over at UEA's law blog, Displacement of Concepts, seems to think everyone needs to worry about English defamation law, in the wake of the outcome of the UK Court of Appeal Lewis v King case a few weeks ago.

I notice that my link to the decision at the UK Court Service now finds a page that tells you that the page has been moved due to a re-structuring of the website and gives a link to the Court Service home page. After an irritating 10 minutes searching I gave up and looked up the decision at the excellent Bailii site, where I located it in 10 seconds. The UK Court Service has a "Tell us what you think" link on their homepage, so I did, possibly unfairly? I've found them very useful in the past.

Anyway, after that unnecessary distraction, back to the subject at hand. TT Arvind also raised another defamation decision, Richardson v Schwarzenegger in the UK High Court, shortly after the Lewis decision. Both cases related to alleged defamatory statements in the US later published on the Internet. The Richardson decision deals with jurisdiction in Internet defamation cases from point 19 to point 31. The High Court judge, Mr Justice Eady, said that

"First, it is well settled now that Internet publication takes place in any jurisdiction where the words are read or downloaded: see e.g. Gutnick v Dow Jones [2002] HCA 56; Lewis v King [2004] EWCA Civ 1329. There is no 'single publication rule' applying to trans-national libels."

Point 24 gives his clinching argument in favour of asserting jurisdiction over the alleged defamation - the claimant is a UK citizen, who works, resides and has an established reputation in the UK and has no comparable connections with the US or other jurisdictions.

And the UEA blog sums up the rest of the decision quite nicely,

"As the judge pointed out, in essence the court was being asked to subject to its jurisdiction a foreign spokesman for a foreign politician who was asked in a foreign location during a foreign domestic election campaign by a foreign newspaper to respond to a number of allegations, which he did with a generic statement not specifically naming the claimant. It was being asked to do this only because he could, at the time, have foreseen that that statement would be published on the internet and subsequently republished in England. Yet the court - despite its obvious sympathy for the defendant - held that under English law, this is exactly what it was required to do. The principles of legal responsibility for publication were settled, and an application of these made it clear that English courts could exercise jurisdiction."

And TT Arvind is concerned about the overall effect of the Lewis and Richardson cases:

"So let's put these two rulings together. If you say anything about anyone who has a reputation in England, and you could have foreseen that that statement would go up on the web, you're likely to be sued for libel in England. It doesn't matter that everyone concerned was in the US, it doesn't matter that you were talking to a US newspaper with no print circulation or target audience in England, it doesn't matter that what you said was permitted comment in US law and dealt with mainly US issues. You could still be dragged through expensive and lengthy proceedings in the English courts. Notwithstanding the protestations of the court in Lewis, a free-for-all is exactly what this creates.

On the bright side, though, this could mean that England is on its way to becoming a haven for American celebrities frustrated by the difficulty public figures have in suing for defamation in the US. If anyone wants to look for employment openings in libel litigation in London, this would be a good time."
I rediscovered the ICANN song this morning. Wonderful.
Ross Anderson mentions some of the problems of the biometric identification techniques, so beloved of Tony Blair and David Blunkett and their pending ID card information system disaster, in his terrific book Security Engineering. For example, iris scanners can be defeated by photographs or printed contact lenses. There are also systems issues, e.g. if one biometric technique, such as iris scanning, becomes the standard and everyone uses it, then terrorists can get Tony Blair's or George Bush's (but not David Blunkett's) from high quality photographs put out by their PR people! Fingerprint scanners don't work so well with the elderly or manual workers. Iris scanners don't work so well with dark eyed people such as Asians. That instantly raised questions relating to discrimination and racism. And the bad guys will get good ID anyway, through identity theft, forgery, having genuine IDs issued by overworked or even a small number of incompetent or corrupt government employees or by social engineering (my ID got stolen can you give me a temporary one while I'm waiting for the new one to come through?). Maybe if Blair, Blunkett and co. had a paint-by-numbers version of Ross's book read to them as a bedtime story, they might think twice about blowing mountains of taxpayers' money on stupid ID schemes, in an attempt to create the illusion that they are 'doing something' about terrorism, immigration, benefit fraud, public services, social cohesion, parking fines, TV licenses, etc., etc., etc.

Tuesday, November 30, 2004

Michael Geist's terrific BNA Internet Law News points to the story of a user of the P2P file sharing software called "Winny" who has just been handed a 1 year suspended jail sentence.

I'm not sure where that leaves the software's creator, Tokyo University academic, Isamu Kaneko, who is facing trial for making a copyright infringement tool available to the public.
The Times have a report on the proposed ID card fines too.
The fine for refusing to register for an ID card will apparently be £2500. The estimated initial £39 fee, which came down to £35 as late as last week is now estimated in the published notes with the legislation as £85. Watch for that to creep up.

Some conspiracy theorists are seeing ID cards as Tony Blair's way of trying to ensure Gordon Brown never becomes prime minister - by the time the national ID card starts to really come crashing down around them, Tony Blair will be seeing out his final term in Downing Street and Labour will just get voted out of power at the following election.

A bit fanciful for me that one. Now David Blunkett seeing the ID card as his platform to launch a leadership bid, post Blair, would be a bit closer to the mark.

Monday, November 29, 2004

Kazaa and the music industry are heading for a Sydney court room today.
Brewster Kahle and the Stanford Center for Internet and Society have lost the first round of their challenge to the Sonny Bono Copyright Term Extension Act of 1998.
The E-Lawlibrary weblog
John was railing against the Intellectual Property Protection Act in the US in the Observer yesterday:

"the IPPA in its current form proposes to make it a criminal offence to skip over adverts in digitally recorded content. If passed, this would mean that American viewers would be allowed to skip or block material containing sex, violence and bad language, but could be prosecuted if they so much as dared to skip an advertisement.

How's that for effrontery? But there's more - the PIRATE Act, for example, which would allow the Justice Department to file civil suits against copyright infringers. What this means is that the record and movie studios, blanching at their mounting legal bills, have pushed an act that would essentially turn the US Justice Department into their in-house litigation section.

Verily, you couldn't make this stuff up. Another section of the IPPA would make it a criminal offence to share any digital content with anyone. This is intended to stop people illicitly sharing music and movie files via peer-to-peer networks. But, as drafted, the act would actually criminalise the Apple iTunes store - that agreeable poster-child for legitimate music downloading."

Not to mention emailing your parents with a picture of their grandchildren...
The Times says the government's sums on the costing of the proposed ID card system don't add up because they don't include the costs of actually implementing the systems, let alone maintaining them.
There have been some dirty tricks going on at WIPO meetings on the proposed broadcasting treaty this week. Apparently, EFF and Public Knowledge tabled papers have been surreptitiously stolen and binned and the chair has been engaging in autocratic "democracy" with an agenda. Cory and others are blogging proceedings.
Speaking of biometric identifying documents, I ran a workshop at the weekend with a group of Open University associate lecturers on the UK's proposed national identity card. We focussed on the practicalities of the technology and didn't get into the complex debate on potential civil liberties implications.

I did a survey before we began and found about 28% of the audience were in favour of the proposals, 28% were undecided and 44% were against. Interestingly enough, at the end of the workshop we checked again and these numbers were unchanged. Yet nearly everyone in the room was convinced that:

The national ID card is a "solution" looking to solve a huge range of problems (terrorism, benefit fraud, immigration, NHS and other public service access, unpaid parking fines... the list is endless) in vague unspecified ways.

That in their current stage of development biometric technologies are unreliable.

There is not a computer scientist in the world that could secure a centralised database of the size and complexity and with the remote access requirements of that needed to underpin the proposed ID card.

That the government has not got the best record in commissioning and implementing large information systems and has not done anything on this scale before.

That ID card system trials were severely hampered by technical problems, didn't get started until 3 months after the proposed start date, were rushed and had nowhere near the 10000 volunteers that they were initially planned to include.

That at least one of the large existing government IT systems that the national ID card system will have to talk to, the benefits system, failed catastrophically just last week.

That the proposed system completely fails to solve any of the problems it is allegedly intended to deal with and in many instances will make the situation worse e.g. in relation to the already over-worked law enforcement authorities, who whilst processing the 20 to 95% of us who will have serious errors in our electronic profiles, will be so swamped with electronic garbage that they won't have sufficient time/resources to engage in the kind of intelligent policing required to target and apprehend so-called "bad actors."

That the system is so complex and so insecure, due to the need for hundreds of thousands (if not millions) of people in public service jobs requiring access just to do their job, that it will be error prone and repeatedly subject to malicious changes and intent, by a small number of inside and possibly a larger number of external bad actors.

That there will be a whole series of complex emergent properties, some positive and some negative.

That it will cost an absolute fortune and that it is clearly not worth the money, let alone the other costs alluded to above.

So why, amongst a group of smart, thoughtful people from a wide range of backgrounds (technology, science, arts, business, social science, languages) were 27% still in favour at the end of the discussions? This has to do with values and emotions rather than practicalities. And you see that's the thing - security, which is what a large part of the ID card debate is often reduced to, is about feelings as much as reality. On each occasion that I've done this workshop asking people to think about the practical implications of deploying the technologies in the way that is proposed, those in favour of the ID card rarely change their minds. Largely because the idea of an identity card "feels" right.

Tony Blair and David Blunkett understand the power of emotions and tailor their pro ID card campaign accordingly with soundbites like "nothing to hide, nothing to fear," which though meaningless, taps into people's feelings. The anti campaign are severely on the defensive, since they have not come up with anything like an equivalent soundbite, with the requisite pithiness. All I can offer is Jeffrey Rosen's "people have a right to avoid being judged out of context in a world of short attention spans." That takes 5 seconds to say. Blair and Blunkett's takes 1 second. Sadly 5 seconds is too long and in today's world if you have to explain, you've lost the argument...
Dr. Steve Peers, Professor of Law, University of Essex has written quite a damning critique of this proposed imposition of biometrics on EU passports, concluding:

"The proposed Regulation on EU passports, with or without mandatory fingerprinting requirements, exceeds the legal powers conferred upon the Community to adopt measures concerning checks at external borders. It furthermore exceeds any other powers conferred upon the Community.

If the Regulation includes mandatory fingerprinting requirements, it would also breach the principle of proportionality that is a requirement for the legality of Community acts, and the general principles of Community law, which include the protection of the right to private life."
An Open Letter to the European Parliament on Biometric Registration of all EU Citizens and Residents from the European Digital Rights coalition of civil liberties groups.

To the Members of the European Parliament,

We the undersigned are calling on you to reject the 'Draft Council Regulation on standards for security features and biometrics in passports and travel documents issued by Member States'. This is an unnecessary and rushed policy that will have hazardous effects on Europeans' right to privacy. This policy process requires additional oversight, and the eventual systems established will require significant controls and a strong legal framework to ensure that this is a proportionate response to the war on terrorism. In particular, we call for the removal of the requirement for fingerprinting all EU citizens.

We are quite alarmed by the political dynamics at play in this policy decision.



* The Council of the European Union pressed the European Parliament into including the Coelho reports on biometric identifiers on the agenda for the mini-session on Wednesday, 1 December 2004.

* Behind closed doors on October 25 the Justice and Home Affairs Council decided to introduce mandatory fingerprinting for all EU citizens into the draft regulation.

* The Parliament's response to this significant shift in policy is even more alarming: a majority of the Presidents of the Political Groups accepted the claim that the change was not sufficient grounds for the report to be sent back to the LIBE Committee for further consideration.

* If the Presidents had refused to accept, the Council would have called for an urgency procedure.

* If the Presidents had refused, the Council would have also delayed the introduction of the co-decision procedure for immigration and asylum issues to April 1 instead of January 1.

These dynamics are irresponsible and unhealthy for a functioning democratic system.

Securing our passports from fraudulent use is indeed a pressing need, particularly considering the substantial number of blank passports lost every year. The proposed policy that is being presented to you for review will however have significant implications. This policy is dependent on an unprepared and under-developed technological infrastructure. It will therefore lead to an increased risk of abuse.

We are calling on the European Parliament to reject this policy. The case still has not been made openly and clearly as to why biometric passports are required. There is a lack of adequate safeguards. We urge the Parliament to oppose the creation of an EU-wide database of personal data. We further urge the Parliament to oppose mandatory fingerprinting as an unnecessary and disproportionate act. Finally, we are calling on the Parliament to reserve the right to question the legal basis of the proposal.

The European Parliament needs to provide sunlight to this policy process through oversight and an open deliberative process.

A Dangerous Policy

The grounds for changing our passport standards are many and varied. Yet the proposed changes in this policy are without foundation. U.S. law does require biometric passports programmes to be in place by the Autumn of 2005 in order for countries to remain part of the Visa-Waiver Programme. U.S. law also required the standard for these programmes to be established by the International Civil Aviation Organization. However, neither the U.S. nor the ICAO requires biometric passports in the form proposed by the Council.

We would like to take this opportunity to remind you that

* The Council is calling for the use of two biometrics, when the U.S. and the ICAO only require one, and this only involves a digital photograph. The inclusion of a fingerprint biometric is unprecedented.

* The U.S. has no intentions of implementing fingerprints in their passports. [1]

* The ICAO has itself noted that some States are legally barred from storing biometrics. [2]

* The U.S. Department of Homeland Security and the Department of State note that privacy issues need to be resolved prior to the implementation of these systems.[3]

* The French Government reached a similar conclusion, requiring that any implementation of biometric techniques is systematically subject to prior agreement from its national privacy commission.[4]

* The legal basis offered by the Commission and Council is fundamentally flawed. A legal analysis by Professor Steve Peers (University of Essex) concludes that: "The proposed Regulation on EU passports, with or without mandatory fingerprinting requirements, exceeds the legal powers conferred upon the Community to adopt measures concerning checks at external borders. It furthermore exceeds any other powers conferred upon the Community. If the Regulation includes mandatory fingerprinting requirements, it would also breach the principle of proportionality that is a requirement for the legality of Community acts, and the general principles of Community law, which include the protection of the right to private life."[5]

We are thus alarmed by the omission of these facts from the current debates.

Problematic Technologies

Lurking behind this policy is the creation of an EU-wide database system that will store the personal information of over 450 million people. This database is neither required nor is it technologically desirable. The European Commission previously advocated a centralised database solution, but even then the Commission noted that further research is necessary to "examine the impact of the establishment of such a European Register on the fundamental rights of European citizens, and in particular their right to data protection."[6]

Centralised EU databases covering passports, visa and residence permits will be linked through SIS II. This risks becoming a mass surveillance infrastructure tracking the movements of all residents and citizens. Plans to give access to all law enforcement and internal security agencies risks the misuse of sensitive personal information. To date, there have been too few studies, if any, of these problems and challenges. Policy as important and far-reaching as this requires more care before being adopted.

We would like to further remind you that the risks to privacy are well known. In particular, European Privacy and Data Protection Commissioners have long warned of the dangers of biometric data collection.

* The Article 29 Working Party on Data Protection rightly notes that fingerprints are usually collected from criminals. The increased collection of highly personal information will de-sensitize us to the effect that this processing will have on our daily life.[7]

* This proposal may not make us any safer and may in fact create more risks, and even greater potential of reuse and abuse. Centralised databases are prone to abuse, and fingerprints can easily be collected without consent, and are thus ideal for additional surveillance.[7]

* Even face recognition technology reveals racial or ethnic origin, [7] which under EU law is of a highly sensitive nature and deserves even greater privacy protection.

Additionally, the International Conference on Data Protection and Privacy Commissioners in 2003 declared that

"In the fight against terrorism and organized crime, countries should determine their responses paying full regard to fundamental data protection principles, which are integral parts of the values being defended."

They recommend that in situations where there are required interventions into the right to privacy,

"they should take place within a framework taking data protection into account, e.g. on the basis of an international agreement stipulating adequate data protection requirements, including clear purpose limitation, adequate and non-excessive data collection, limited data retention time, information provision to data subjects, the assurance of data subject rights and independent supervision."

The current proposal does not sufficiently address these most basic requirements. It lacks a legal framework to protect privacy rights. This deficiency is inexcusable, particularly as the personal information of Europeans is collected and transferred abroad.

Greater Implications

When the U.S. implemented its mass fingerprinting and face-scanning programme for all visitors, the world responded with alarm. All visitors over the age of 13 will now have their fingerprints taken and stored for 75 to 100 years by the Department of Homeland Security, and will be shared with other government departments and agencies, and other governments.[8]

The Council's proposed policy goes well beyond this already problematic US-VISIT programme. The U.S. Government is not fingerprinting its own citizens. The EU policy intends to fingerprint all EU citizens, residents, and visitors. The secondary effect of this policy is that whenever EU citizens travel abroad (not necessarily to the United States), they will again be required to register their fingerprints and face-scans with foreign governments as their passports are verified. As a result, the EU is drastically enlarging the US-VISIT programme by turning it against its own citizens and then globalising this practice.

We would also like to point to the practical implications of this policy.

* Citizens will now have to present themselves at an 'enrolment centre' to be 'processed' and have their fingerprints taken by their National passport authority every time they want a passport. Previously, passport renewal could be achieved remotely, even through the post. The increased administrative costs to the authorities and to individuals are likely to be significant.

* The complexities of the database systems involved in the registration, issuance, and verification processes are unprecedented.

* There is no legal framework in this policy to prescribe how this information may be collected, processed, and transferred.

* Error rates in fingerprinting are significant, and poorly understood. Two percent of the general population do not even have fingerprints, while certain ethnic and demographic groups are more difficult to fingerprint than others.[9] According to a recent overview of the current technological systems, the error rates are far from being minor, with false match error rates across products tested averaging 18 percent.[10]

According to one expert, our understanding of fingerprints "is dangerously flawed and risks causing miscarriages of justice".[10] Amongst the many cases of mistaken identification through fingerprinting, we would like to remind the Parliament of the recent case of Brandon Mayfield. After the Madrid Bombings of March 11, 2004, Spanish National Police managed to lift a fingerprint from an unexploded bomb. Three highly skilled FBI fingerprint experts declared that Oregon lawyer Brandon Mayfield's fingerprint matched. U.S. officials called it "absolutely incontrovertible" and a "bingo match." As a former U.S. soldier, his fingerprint was on the national fingerprint system. Mayfield was imprisoned for two weeks. The fingerprint, however, was not his. According to one law professor,

"The Mayfield misidentification also reveals the danger that extraneous knowledge might influence experts' evaluations. If any of those FBI fingerprint examiners who confidently declared the match already knew that Mayfield was himself a convert to Islam who had once represented a convicted Taliban sympathizer in a child custody dispute, this knowledge may have subconsciously primed them to "see" the match. ... No matter how accurate fingerprint identification turns out to be, it cannot be as perfect as they claim." [11]

When all of his personal information was combined, however, the FBI was convinced. Yet according to a recent panel of experts, they were wrong.[12] As we increase the database collection of biometric information away from criminals and other select groups, errors are likely to increase. The technology in our midst, and our methods, are not perfect.

The Council and the Commission are busy implementing many other systems of surveillance that will involve increased personal data collection, data mining, and data sharing. These policies together ensure that instead of achieving certainty and security, we only create more risk, danger, misplaced suspicion and abuse.

Greater Oversight is Required

The fatal flaw in this entire policy process is the lack of adequate supervision, oversight, and deliberation. This must be rectified. We call on the European Parliament to play this key role in democratic process.

We call on the European Parliament to:

* Re-establish essential safeguards for the proposed systems, including those that were set out in the Parliament's report, and in particular the abandonment of an EU-wide database.

* Require and/or establish a legal framework for the collection and use of personal information in travel documents and border programmes. This framework must be consistent with the European Convention of Human Rights, and in particular Article 8. This would include requiring clearer statements of purpose and use, so that the data collected is not used for generalised surveillance or other purposes.

* Require that this legal framework also ensure that the systems supporting this policy are secure, with clear lines of accountability, and that the collection procedures are well understood. Only then can we begin to understand the complexity of the system involved, and in turn the potentially severe cost implications.

* Call for the establishment of mechanisms for the oversight of the planning, implementation, testing, and use of biometrics in travel documents.

* Remove the unnecessary requirement of mass fingerprinting of EU residents and citizens.

* Review the technological implications of this and related policies. In establishing what could be one of the largest database systems in existence, we are alarmed by the lack of publication, public discourse, and scrutiny of the costs and implications of this policy. We need valid research of the problem, which can then be relayed to the Parliament, focussing on cost implications, legal implications, technological implications, and potentials for abuse.

* Call on the research and policy community to propose alternative solutions that are privacy-friendly. Alternative systems and technologies exist, as we already see that the U.S. is not intending on generating a fingerprint registry. Innovative solutions must be brought to the forefront to preserve European values, rights, democratic standards, and laws.

* Question the legal basis of the proposal in the first place.

The EU is embarking on a policy that will make our most personal information the currency of travel, while creating one of the world's largest surveillance infrastructures. This is unprecedented and unnecessary.

These are serious times and we need serious policy based on effective deliberation. Rushing this policy through the European Parliament is not required, when careful scrutiny is necessary. The EU's respect for privacy is often considered the global gold-standard, and yet now the EU is revolutionising surveillance. When combined with data profiling and data sharing proposals also being developed by the Commission and the Council, Europe faces the real prospect of creating a surveillance behemoth.

We call on MEPs to oppose this proposed policy, and we look forward to working with you in the future on establishing effective policies for securing our societies whilst simultaneously securing our rights and liberties.

Signed,

Gus Hosein
Privacy International

Tony Bunyan
Statewatch


Statewatch

Andreas Dietl
European Digital Rights

Additional Endorsements

(Individuals or organisations who wish to endorse this letter are kindly asked to send an e-mail to brussels email)

References

[1] U.S. Department of State, Abstract of Concept of Operations for the Integration of Contactless Chip in the U.S. Passport. Washington, April 26, 2004.

[2] ICAO BIOMETRICS DEPLOYMENT OF MACHINE READABLE TRAVEL DOCUMENTS ICAO TAG MRTD/NTWG TECHNICAL REPORT: Development and Specification of Globally Interoperable Biometric Standards for Machine Assisted Identity Confirmation using Machine Readable Travel Documents. Montreal: ICAO, May 12, 2003. ver 1.9.

[3] Tom Ridge and Colin Powell, Dear Mr. Chairman, letter to the Chairman of the House Committee of the Judiciary. Washington, D.C.: 2004. Archived at http://www.house.gov/judiciary/ridge031704.pdf

[4] French Government, Implementation of Biometric Techniques on French Airports. Cairo, Egypt: Presented to the ICAO summit in Cairo. March 18, 2004, FAL/12-IP/24. Archived at http://www.icao.int/icao/en/atb/fal/fal12/documentation/fal12ip024_en....

[5] Steve Peers, Commission’s EU biometric passport proposal exceeds the EC’s powers. Statewatch, November 26 2004. Archived at http://www.statewatch.org/news/2004/nov/11biometric-legal-analysis-htm...

[6] Commission of the European Communities, Proposal for a Council Regulation on standards for security features and biometrics in EU citizens' passports. Brussels: The European Commission, February 18 2004, COM(2004)116final. Archived at http://register.consilium.eu.int/pdf/en/04/st06/st06406-re01.en04.pdf

[7] Article 29 Working Party, Working document on biometrics. Brussels: Article 29 Data Protection Working Party, August 1, 2003. Archived at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp8...

[8] Privacy International, The enhanced US border surveillance system: an assessment of the implications of US-VISIT. London, September 28, 2004. Archived at http://www.privacyinternational.org/issues/terrorism/rpt/dangers_of_vi...

[9] United States General Accounting Office, Technology Assessment: Using Biometrics for Border Security, November 2002.

[10] Fingerprint Verification Competition 2004, Open Category Results: Average results over all databases, Preliminary results.

[11] J.L. Mnookin, "The Achilles' Heel of Fingerprints". Washington Post, May 29, 2004.

[12] B. Harden. "FBI Faulted in Arrest of Ore. Lawyer." Washington Post, November 16, 2004.