Data Protection Reform – Next stop: e-Privacy Directive

(This article was originally published at the 24 February 2016 edition of EDRi-gram, the European Digital Rights fortnightly newsletter at: https://edri.org/data-protection-reform-next-stop-e-privacy-directive/ )

Did you think the data protection reform was finished? Think again. Once the agreement on the texts of the General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP) was reached, the e-Privacy Directive took its place as the next piece of European Union (EU) law that will be reviewed. The e-Privacy Directive (Directive 2002/58/EC on privacy and electronic communications) contains specific rules on data protection in the area of telecommunication in public electronic networks.

................................................................. Support our work - make a recurrent donation! https://edri.org/supporters/ .................................................................

The Directive was first launched as part of the 1999 Communications Review and aimed to provide specific data protection rules for the e-communications sector, following the entry into force of the 1995 Data Protection Directive the previous year. The Directive dropped out of the Review package quite early in the legislative process and was not finally adopted until 2002.

The new instrument needs to cover all online processing of personal data, insofar as not already covered by the GDPR. Not least because of this, the new instrument needs to be enforced by Data Protection Authorities and not Telcoms regulators, as is the case in some EU Member States. It also needs to be updated in relation to the treatment of traffic and location data, as well as other geographical information and how consent is provided in this cases. Location data – even “anonymous” location data – can raise serious security and privacy concerns.

Another element that requires considerable re-thinking is the Directive is the issue of “cookies”. A more consistent and thorough analysis needs to be done on the different types of cookies that exist (tracking cookies, non-tracking cookies, session cookies…) and how to treat them accordingly. The bad joke which consent for cookies have become, have given arguments to anti-privacy/Big Data lobbies for how (meaningless) consent is the new spam. New, clearer rules should have a focus on improving the quality of the (very frequently profoundly misleading) information given to individuals reducing the number of cookie consent requests. Generally, we advise following the recommendations set by the Article 29 Working Party on this point.

The revised instrument should state that the deliberate installation of any piece of software or hardware on any device without the knowledge or consent of the owner of the device is an unauthorised access and/or data/system interference, as defined in the Council of Europe Cybercrime Convention. Another of the topics that cannot be avoided related to the use of encryption in devices. In the new legislation legislators should consider whether attempts to remove encryption, including the installation of “backdoors”, should be explicitly forbidden. Attention to how consent is provided (and revoked) for value-added services and the harmonisation and enforcement of the “national security/pubic order/crime prevention” exemptions is also needed.
The agreed text of the GDPR was the best possible outcome in the current political scenario, bearing also in mind the heavy lobby it received. The revision of the ePrivacy Directive needs not to undermine the good parts of the GDPR while at the same time trying to fix the loopholes it has created. Some lobbies call to “leveling the playing field” in this area, which is not objectionable, as long as the playing field is levelled upwards and to the level set by the GDPR and the case law of the courts in Luxembourg and Strasbourg. That is the playing field and any policy development in this are needs to stay up to those levels of protection.

Directive 2002/58/EC on privacy and electronic communications
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

Article 29 Working Party: Opinion 04/2012 on Cookie Consent Exemption (07.06.2012)
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

Data Protection Regulation Update: precise implementation depends on exceptions and Recitals (19.01.2016)
http://amberhawk.typepad.com/amberhawk/2016/01/data-protection-regulation-update-precise-implementation-depends-on-exceptions-and-recitals.html

EU Data Protection Package – Lacking ambition but saving the basics (17.12.2015)
https://edri.org/eu-data-protection-package-lacking-ambition-but-saving-the-basics/

Recommendation No. R (95) 4 on the protection of personal data in the area of personal data in the area of telecommunication services
https://wcd.coe.int/com.instranet.InstraServlet?command=com.instranet.CmdBlobGet&InstranetImage=535549&SecMode=1&DocId=518682&Usage=2

(Contribution by Diego Naranjo, EDRi)

Advertisements

Interview at Críptica.org (English translation)

6912948733_c69c164f99_o

(Note: This is the English translation of the interview I did for Críptica.org, orginally in Spanish. You can find the original interview below or at the original site: http://www.criptica.org/2016/02/10/entrevista-a-diego-naranjo/ )

1. For those who do not know you, could you please present yourself?

My name is Diego Naranjo and I work as Advocacy Manager at European Digital Rights (EDRi). EDRi is an umbrella organisation of civil rights groups working for the defense of human rights in the online environment.

2. When did you become aware of the importance of protecting your privacy? Was there any specific moment that affected your current views on this subject?

The “dystopian” books 1984 by Orwell, Fahrenheit 451 by Bradbury and A brave new world by Huxley made an impact on me during my teenage years. Since then the idea of resisting the Big Brother influenced my way of thinking and marked my political positions.

3. Do you want to talk about any of the projects related with security or privacy (regardless of their technical, social or political nature) in which you are currently involved?

This year we are focusing in EDRi in a campaign against the EU PNR Directive, that may be passed in the European Parliament in the following weeks; we will also work in the review of the e-Privacy Directive, since after the initial agreement of the General Data Protection Regulation (GDPR) needs to be reviewed; finally, we will start working on the implementation of the GDPR and be alert on the attempts of establishing new data retention laws at national levels.

4. What kind of practices do you do in your every day life to protect your privacy, both in the digital and in real life?

I do similar activities in both the digital and non-digital environments:

In the online environment:

1. I only use Free Software in my computers.
2. I use end-to-end encryption (PGP) daily.
3. To communicate with friends and working colleagues I do not use Whatsapp, but Signal and Telegram instead.
4. I do not use social networks which are especially invasive as Facebook.

In the non-digital world:

1. I advocate for the use of free software tools by public institutions through my regular advocacy work, for example via proposing amendments in non-legislative reports or in the proposals of EU legislation.
2. When using snail mail, I use envelopes for private information and postcards for not so private information.
3. I try to do more meetings in person and public speaking than online, when possible.

5. What would you tell the ordinary Internet user, who says that he has “nothing to hide” or that believes that privacy is something that should worry those to “do evil things”?

This is a “zombie argument” that comes back to life after every pro-privacy initiative. The reply to that statement is that privacy is not related to “hiding things”, but with freedom of expression, freedom of assembly and other fundamental rights. Everyone should be able to talk with their friends, express their fears and opinions without being constantly under surveillance. Otherwise, this leads to self-censorship and people not being themselves. This could lead to all sort of problems, including health related ones. Would you look up the address of a clinic that performs abortions if you think your boss might be reading your private messages? Are you going to look up for information in Google about ISIS si that could lead you to be in some data base as a suspect of supporting terrorism?

This “chilling effect” can be seen in other scenes in our daily life. For example, when you drive and you notice that there is a police car driving next to you, no ones stays indifferent: You revise everything mentally: You wonder if you have the documentation of your car insurance and if your seat belt is correctly fastened, if the speed is under the limit and, generally, you put yourself in some sort of “alert mode”. If we all take our smartphone everywhere and we communicate more and more often using the Internet we can potentially have “a policeman” looking over our shoulders constantly. Who wants to live in a state of permanent alert? What kind of freedom would that be?

6. What kind of tools, habits or practices would you recommend to non-technical users to improve their privacy?

Edward Snowden has proposed several easy tips that can improve your privacy easily without being a very technical person.

For those who have what it could be called “below user level”, my recommendation would be not installing those apps that require access to your information without needing it to perform correctly (for example, the torch app which asks ro access your contacts). A step further from that would be using by default apps that are on the Free Software repository F-Droid, since they are are free and ‘gratis’, and only in case you do not find what you need going to Google Play or Apple Store.

You could also use search engine DuckDuckGo.com instead of Google, in order not to be tracked.

A step forward would be using Free Software daily. There are already many distributions out there (Ubuntu, Linux Mint…) that debunk the myth that Free Software is only for geeks.

7. To what extent do you think that the criticism of massive surveillance involves the involuntary legitimation of targeted surveillance that, nevertheless, violate rights of those affected by those measures? (Example: #Spycops case in the United Kingdom)

Indiscriminate mass surveillance is, by definition, contrary to human rights, as the courts in Strasbourg and Luxembourg have said repeatedly (cases Digital Rights Ireland and Schrems –in the CJEU, case Szabo and others in the ECtHR).

Targeted surveillance, on the other hand, is not a blank check. It must be prescribed by law and follow the criteria of necessity and proportionality. In order to be lawful targeted surveillance should include a system to prevent abuses: In cases of spying agencies (“intelligence agencies”) being the ones doing this surveillance, they must be subject to the control of the State, including judicial supervision. In the case of the surveillance performed by law enforcement agencies, this also needs to be done following the Rule of Law, including that no one si subject to surveillance without judicial authorisation and that, in some cases, this cannot be done even with that authorisation (for example, conversations between a client and their lawyer and a doctor and his patient).

8. Which institutions, acts or institutions are a threat for freedom and privacy online? Who should defend these rights?

The Internet of Things and Big Data are threats that need to be neutralised right now. The effects of these technologies lead to the creation of profiles and the ways they can be used to control population is alarming. Multinationals that make profit out of our personal data (Google, Facebook, Skype-Microsoft and others) are a constant threat, as we have seen after the Snowden revelations.

Defending these rights is the duty of citizens. Rights, as muscles, are strengthened by exercising them daily. If we do not do this, we become weaker as societies and as individuals. Since policies related to privacy are decided increasingly at the European level, we call citizens to get organised in associations and to get involved in the campaigns organised by organisations like EDRi, Xnet, Access Now, BEUC and others. If we want to shape our future freedoms in the digital world, the moment is now.

9. Do you believe that there are important differences between “traditional” political activism and the activism focused in the defense of human rights online or “hacktivism”? We at Críptica see a “gap” (generational, technical, gender based…) between both ways to intervene in politics.

Inevitably, human rights activism in the online world requires some technical skills (sometimes, very basic ones), which can leave outside some activists (for example, older generations). When this is not the case, we see that digital rights activism is identified with hackers and geeks, when it is obvious that almost everyone has a smartphone, uses e-mails and therefore the risks affect all of us.

When I introduce EDRi, I always highlight that we EDRi is a human rights organisation. Otherwise, when we talk about “digital rights” it seems like we are talking about “human rights for the developed world”, when in fact we are talking about the same human rights we already have offline, but applied to the online environment.

There is another issue, maybe more important. It is true that there are fights which are more urgent than privacy: climate change and social inequalities are two of the main ones. However, these battles are going to be fought, to an increasing extent, using digital tools. If we do not control those tools and we prevent indiscriminate surveillance we can see these fights seriously threatened and compromised.

10. Finally, what do you think should be, in your opinion, the aspects that as a political movement (from the “digital rights” organisations) we should have to improve?

1. We need to create a global discourse about surveillance and privacy which is not connected to the rhetorics of the Big Brother so we can get closer to citizens. We need to find and use positive examples (talking about freedoms rather than fears) in order to reach a wider audience.

2. Support economically (via donations, crowdfunding…) free software and privacy tools in particular, and use them. A first step could be, for example, convincing five people with whom you communicate the most to use Signal and communicating with them (sms and calls) privately. Signal is an app that is free of charge, it is free software, it is easy to use, and replaces your SMS app, so you do not need to use two different one for the same purposes.

3. We need to organise at local and national level to work on these issues, and also work in alliances at the European and international level in order to be more powerful. We need to put constant pressure on Members of the European Parliament and on the European Commission, since they are the ones that to a great extent decide on our online freedoms.

Entrevista en Criptica.org

El blog Criptica.org ha publicado una entrevista que me han hecho esta semana. (Post original en: http://www.criptica.org/2016/02/10/entrevista-a-diego-naranjo/)

6912948733_c69c164f99_o

1. Para los lectores que no te conocen, ¿podrías presentarte brevemente?

Me llamo Diego Naranjo y trabajo como Advocacy Manager para European Digital Rights (EDRi). EDRi es una federación de organizaciones no gubernamentales que trabajan en la defensa de derechos humanos en el mundo digital.

2. ¿Cuándo empezaste a ser consciente de la importancia de proteger tu privacidad? ¿Hubo algún acontecimiento concreto que determinara tu forma de pensar actual?

Sin duda, los libros del género de la “distopía” como 1984 de Orwell, “Fahrennheit 451” de Bradbury y “Un mundo feliz” de Huxley marcaron mi adolescencia. Desde entonces la idea de resistir al Gran Hermano ha influido en mi forma de pensar y ha marcado mis posiciones políticas al respecto.

3. ¿Quieres hablarnos de alguno de los proyectos relacionados con la seguridad o la privacidad (ya sean de carácter técnico, social o político) en los cuales estés involucrado actualmente?

Para este año en EDRi nos vamos a enfocar en una campaña contra la directiva EU PNR (https://edri.org/faq-pnr/), que puede ser aprobada en las próximas semanas; también trabajaremos en la reforma de la Directiva ePrivacy, que tras la aprobación del nuevo Reglamento General de Protección de Datos (GDPR, por las siglas en inglés: General Data Protection Regulation) tiene que ser revisada; finalmente, empezaremos a trabajar en los detalles sobre la implementación de la GDPR y estaremos atentos a los intentos de establecer nuevas normas de retención de datos a nivel nacional.

4. ¿Qué prácticas realizas en tu día a día para proteger tu privacidad, tanto en el entorno digital como en la vida real?

Realizo prácticas parecidas en ambos mundos (digital y no digital):

En el mundo digital:

1. Utilizo exclusivamente software libre en mis ordenadores.
2. Utilizo encriptación end-to-end (PGP) a diario.
3. En mi smartphone no utilizo Whatsapp, sino Signal y Telegram.
4. No uso redes sociales especialmente invasivas como Facebook.

En el mundo no digital:

1. Impulso la adopción de software libre por parte de instituciones públicas a través de enmiendas o propuestas en iniciativas legislativas y no legislativas de la Unión Europea.
2. Cuando uso correo ordinario, utilizo sobres para información privada, y postales para información no tan privada.
3. Intento realizar más reuniones en persona y charlas públicas que comunicaciones online.

5. ¿Qué le dirías al usuario común de Internet, que cree “no tener nada que ocultar”, o que piensa que la privacidad es una cuestión que solamente debería preocupar a “los que hacen cosas malas”?

Este es un “argumento zombie” que reaparece tras cada iniciativa pro-privacidad. La respuesta es que la privacidad no está relacionada con “ocultar cosas”, sino con la libertad de expresión, la libertad de reunión y otros derechos fundamentales. Todo el mundo debería ser capaz de hablar con sus amigos, expresar sus miedos y sus opiniones sobre cualquier tema sin ser vigilado constantemente. De lo contrario, esto lleva a que las personas se auto-censuren y dejen de ser ellos mismos. Esto puedo conllevar todo tipo de problemas, incluso de salud. ¿Seguro que buscarías la dirección de una clínica para la interrupción del embarazo si piensas que tu jefe puede estar analizando tus mensajes privados? ¿Vas a mirar información en Google sobre ISIS si eso puede llevar a que acabes en alguna base de datos como sospechoso de apoyar el terrorismo?

Este “chilling effect” lo podemos ver en otras escenas de la vida diaria. Por ejemplo, cuando conduces y ves que hay un coche de policía nadie se queda indiferente: Revisas todo, piensas si tienes la reglamentación del coche a mano, miras si vas a la velocidad permitida y, en general, te pones alerta. Si llevamos nuestro smartphone a todos lados y nos comunicamos cada vez más por Internet, podemos tener a “un policía” sobre nuestro hombro a cada segundo. ¿Quién quiere vivir en un estado de alerta permanente? ¿Qué tipo de libertad sería esa?

6. Pensando en usuarios sin formación específicamente técnica, ¿qué herramientas, hábitos o prácticas les recomendarías para mejorar su privacidad?

Edward Snowden ha propuesto varios consejos sencillos que pueden mejorar la privacidad fácilmente sin necesidad de muchos conocimientos técnicos: http://www.eldiario.es/cultura/tecnologia/privacidad/Edward-Snowden-explica-proteger-privacidad_0_457754864.html

Para los que tengan un conocimiento técnico menor que lo que se podría llamar “nivel usuario”, la recomendación es no instalar aplicaciones que requieran acceso a información cuyo uso no es necesario (ejemplo: aplicación de linterna que quiere acceder a tus contactos). Un paso más sería usar las aplicaciones que figuran en F-Droid (https://f-droid.org/), que son gratis y libres, y sólo en caso de no encontrar lo que necesitas ir a Google Play o Apple Store.

También se puede usar el buscador DuckDuckGo.com en vez de Google, para no ser rastreado.

Un paso un poco más avanzado es usar software libre. Ya hay muchas distribuciones (Ubuntu, Linux Mint…) que eliminan el mito de que el software libre es para informáticos.

7. ¿Hasta qué punto piensas que la crítica de la vigilancia masiva supone la legitimación involuntaria de formas de vigilancia individualizadas que, no obstante, siguen vulnerando los derechos de las personas afectadas? (Ejemplo: caso #Spycops en Reino Unido)

La vigilancia indiscriminada es, por definición, contraria a los derechos humanos, como han declarado reiteradamente los tribunales de Luxemburgo y Estrasburgo (casos Digital Rights Ireland y Schrems – CJEU, caso Szabo y otros en TEDH).

La vigilancia individualizada, por otro lado, no es un cheque en blanco. Debe estar previsto en una ley y seguir los criterios de necesidad y proporcionalidad. Esto debe incluir un sistema de prevención de abusos: En casos en que sean las agencias de espionaje (“agencias de inteligencia”) sean las que llevan a cabo la vigilancia, deben estar sometidas al escrutinio del Estado, incluyendo la supervisión judicial. En el caso de vigilancia por parte de fuerzas policiales, esto debe ser hecho siguiendo las normas de un Estado de Derecho, lo cual incluye que no se inicie ningún seguimiento de comunicaciones privadas sin autorización judicial y que, en ciertos casos, incluso éstas no puedan ser investigadas (por ejemplo, entre un abogado y su cliente, o entre médico y paciente).

8. A día de hoy, ¿qué instituciones, actores u organismos piensas que suponen una amenaza para la libertad y la privacidad en Internet? ¿A quién corresponde defender estos derechos?

El Internet de las Cosas (Internet of Things) es una amenaza que tiene que ser neutralizada ya mismo. Los efectos que esas tecnologías pueden tener en relación a la creación de perfiles (profiling) y como una nueva manera de control de la población es alarmante. Las multinacionales que viven de nuestros datos personales (Google, Facebook, Skype y otras) suponen una amenaza constante, como hemos visto tras las revelaciones de Snowden.

Defender estos derechos nos corresponde siempre a los ciudadanos. Los derechos, como los músculos, se fortalecen mediante su ejercicio constante. De lo contrario, nos volvemos débiles. Debido a que las políticas sobre privacidad se realizan cada vez más a nivel europeo, hacemos un llamamiento a que los ciudadanos se organicen en asociaciones y que actúen en los llamamientos a la movilización que hacemos organizaciones como EDRi, Xnet, Access Now, BEUC y otras. Si queremos perfilar nuestras futuras libertades en el mundo digital, el momento es ahora.

9. ¿Crees que existen diferencias notables entre el activismo político “tradicional” y el activismo centrado en la defensa de los derechos en Internet o el “hacktivismo”? Lo cierto es que desde Críptica observamos una “brecha” (generacional, técnica, de género…) entre ambas formas de intervención política.

Inevitablemente, el activismo de los derechos humanos en Internet requiere ciertos conocimientos técnicos (a veces, sólo muy mínimos), lo cual puede echar hacia atrás a cierta gente. Cuando no es ese el caso, nos encontramos con que este campo se identifica con hackers y geeks solamente, cuando lo cierto es que casi todos tenemos un correo electrónico y un smnartphone a mano, y por tanto los riesgos nos afectan a todos.

Cuando presento EDRi, siempre hincapié en que somos una organización de derechos humanos. De lo contrario, cuando hablamos de “derechos digitales” parece que hablamos de derechos humanos para el mundo desarrollado, cuando en realidad son solamente los derechos humanos que ya tenemos offline pero aplicados al mundo digital.

Hay otro asunto, quizá más importante. Es cierto que hay luchas más prioritarias y urgentes que la privacidad: el cambio climático y la desigualdades sociales son dos de las principales. Ahora bien, estas luchas se van a desarrollar en mayor o menor medida cada vez más usando medios digitales. Si no controlamos estas herramientas y prevenimos que exista la vigilancia masiva indiscriminada, podemos ver que esas luchas se vean amenazadas seriamente.

10. Finalmente, ¿cuáles deberían ser, según tu opinión, los aspectos que como movimiento político (desde el conjunto de las organizaciones defensoras de los “derechos digitales”) tendríamos que mejorar?

1. Tenemos que crear un discurso global sobre la vigilancia y la privacidad que se aleje de la retórica del Gran Hermano y que se acerque a los ciudadanos. Hay que usar ejemplos positivos y divertidos para poder llegar a la gente.

2. Impulsar económicamente (donaciones, crowfunding…) software libre y el uso de herramientas de privacidad. Un primer paso puede ser, por ejemplo, convencer a tus 5 contactos más utilizados de que instalen Signal y comunicarte por ellos (por mensajes y llamadas) de forma privada. Es una herramienta gratuita, fácil de usar, y que reemplaza a tu app de SMS, así que no necesitas duplicar tus apps.

3. Organizarnos en nuestras organizaciones locales y nacionales para abordar estos temas, y aliarnos a nivel europeo e internacional con otras organizaciones para aunar fuerzas. Hay que poner presión constante en los parlamentarios europeos y en la Comisión Europea, que son los que en gran medida deciden sobre nuestras libertades digitales.