Digital Activism Workshop – Seville, 1 June 2017

(Published at: http://madafrica.es/ataya/2017/06/06/derechos-digitales/ )

Diego Naranjo, a member of European Digital Rights (EDRi), led the workshop on digital rights organised by MadAfrica at the Nuevo Ateneo Tierra y Libertad. The workshop was divided into two parts: a general one to focus attention on the general issues related to digital rights, and a second, practical part with tips for self-defence on the internet.

During the first part, Diego presented how the defence of digital rights is nothing more than the defence of human rights on the internet. In a world where social groups increasingly organise and communicate through the mediation of technology, it is necessary to know how technology works and how to use it properly. Diego began the talk with a video from a Danish consumer protection association which, using a hidden camera, shows how you would react if your bakery asked you for as much intimate information as any app does. He then described the influence of social networks in the creation of profiles (with 300 “likes”, Facebook knows you better than anyone) and how terrorist attacks are used to launch surveillance policies covering all citizens.

During the second part, Diego shared with us a series of general and specific tips for everyone, which you can see in this online presentation. Diego insisted that the point was not to become paranoid and afraid of technology, but to empower oneself and take small steps towards better protection of our privacy. Thus, he recommended the messaging app Signal over Whatsapp or Telegram, the use of virtual private networks (VPNs), the use of Firefox as a secure browser (adding extensions such as HTTPS Everywhere, Privacy Badger or uBlock) and the use of Tor for fully anonymous browsing. Diego stressed the importance of using a password manager such as KeePassX in order to have strong, different passwords on every online platform and service while only having to remember a single password. Finally, Diego recommended encrypting phones and computers and keeping devices up to date.

The audience's questions concerned how to deal with demands for passwords at border crossings and the legal possibilities for refusing, how to react to abuses of our data, and general questions about practical aspects discussed during the talk. The complete presentation can be downloaded here.

To finish, Diego said he was willing to answer by email (diego [dot] naranjo [at] edri [dot] org) any question about the talk, suggested some films about digital rights (Citizenfour (Laura Poitras), Snowden (Oliver Stone)…) and expressed thanks for the invitation to the event, given the importance of digital rights in our lives.

You can follow Diego on Twitter at @DNBSevilla and see his presentations here: www.diegonaranjo.eu.


Intervention at Mydata 2016 Helsinki on data protection, privacy and encryption

 

After the adoption of the EU General Data Protection Regulation – what next? Join DR. MALTE BEYER-KATZENBERGER (Policy officer, European Commission, DG CONNECT), KASPAR KALA (Advisor at Ministry of Economic Affairs and Communications), TARU RASTAS (Senior Adviser in the Finnish Ministry of Transport and Communications), PHILIPPE DE BACKER (Belgian State Secretary for the Fight against Social Fraud, Privacy and North Sea), DIEGO NARANJO (Advocacy Manager of EDRi), JARNO LIMNÉLL (Professor of Cyber Security, Aalto University) in a Panel Discussion on policy making for personal data at the mydata2016 conference.

MyData 2016 was an international conference that focused on human centric personal information management.
MyData is an initiative to help people gain more control over their personal data.

Are you a terrorist? PechaKucha Brussels 2016 on PNR and profiling

Last January my colleague from EDRi Maryant Fernández and I participated in a Pecha Kucha event on the occasion of the CPDP Conference. In a Pecha Kucha event speakers need to do a presentation based on 20 images, using 20 seconds for each of them. Since the conference is focused on data protection and privacy, we decided to do ours about anti-terrorism laws and the use of profiling techniques, including profiling.

CJEU hearing on the EU Canada PNR agreement: Still shady

(Originally published at https://edri.org/cjeu-hearing-on-the-eu-canada-pnr-agreement-still-shady/)

The European Court of Justice (CJEU) had a hearing on 5 April to decide about the referral made on 25 November by the European Parliament on the EU-Canada agreement on Passenger Name Records (PNR). Passenger Name Records (PNR) include information provided by passengers and collected by air carriers for commercial purposes, such as, but not only, the date of the trip and complete itinerary, the name and contact information, the form of payment, frequent flyer information, meal preferences and medical information. In some cases, the airlines will have access to other data such as hotel bookings, car rentals, train journeys, travel associates, etc. This provides a massive insight into the private life of an individual.


The agreement between the EU and Canada allows for the transfer and processing of PNR data of passengers flying between the EU and Canada. The result of the referral of the agreement to the CJEU could impact the proposal for an EU PNR Directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data, procedure file 2011/0023(COD)), which was adopted by the European Parliament’s Civil Liberties Committee on 15 July 2015, and which may be scheduled for a vote in the European Parliament’s plenary session on 27-28 April 2016. The narrow vote in favour (32 in favour, 26 against, no abstentions) happened despite the rejection of this same EU PNR proposal by the same Committee in 2014 and despite the CJEU ruling invalidating the Data Retention Directive.

During the hearing, many crucial issues came up:

Firstly, the European Commission (EC) argued before the Court that PNR data is “anonymised” after 30 days and that, as a result, the CJEU judgment invalidating the Data Retention Directive is not applicable in this case. However, the EC fails to see that the PNR data is only “masked out” – depersonalised by masking certain identifiers. This is not anonymisation. The EU PNR Directive contains similar clauses and the European Data Protection Supervisor (EDPS) Opinion 5/2015 of 24 September 2015 said that they were glad that the mention of anonymous data had been taken out of the proposal since “(i)ndeed, the data at stake could not be considered as anonymous since they would still be re-identifiable.”

Secondly, the EC quoted the EU anti-terrorism coordinator saying that “the number of convictions based on PNR are irrelevant”. This just does not make sense. If the goal is to find suspects, and there are no convictions based on the PNR data used, the collection and processing of PNR data could well not be “necessary” nor “genuinely meet objectives of general interest recognised by the Union” as Article 52.1 of the Charter of Fundamental Rights requires of any limitation of fundamental rights.

Thirdly, during the hearing Member States defended the agreement based on different reasons. The Spanish representative stated that the data retention period of 5 years is absolutely necessary for criminal investigations. Why not five and a half years, as is currently the case under the PNR agreement with Australia… or 15 years, as under the PNR agreement with the USA? Why not 20 years? Or maybe just 3? Is the standard “whatever-length-we-randomly-decide-each-time”?

Fourthly, the issue of the independent supervisory authority was also highlighted during the hearing. The EDPS reiterated the views expressed in their Opinion on the agreement of 30 September 2013 and said that the oversight in Canada PNR is not an equivalent independent authority, which was refuted by the EC during the hearing. The EDPS Opinion explicitly regretted the fact that “oversight may take place (…) by a (non independent) authority created by administrative means”. The EDPS also noted the “limitations of judicial review with respect to judicial redress”.

In sum, the hearing has shown once again that PNR profiling is not a necessary and proportionate means to prevent international crime and terrorism in the EU. The Advocate General of the Court will announce his opinion on 13 June 2016.

EU-Canada agreement on PNR referred to the CJEU: What’s next? (03.12.2014)
https://edri.org/eu-canada-agreement-on-pnr-referred-to-the-cjeu-whats-next/

Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record
http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2012657%202013%20REV%201

EU PNR Document Pool
https://edri.org/eu-pnr-document-pool/

Opinion of the European Data Protection Supervisor on the Proposals for Council Decisions on the conclusion and the signature of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (30.09.2013)
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-09-30_Canada_EN.pdf

Steve Peers: The Domino Effect: how many EU treaties violate the rights to privacy and data protection (25.11.2014)
http://eulawanalysis.blogspot.be/2014/11/the-domino-effect-how-many-eu-treaties.html

Bruce Schneier: Refuse to be terrorised (24.08.2006)
https://www.schneier.com/essays/archives/2006/08/refuse_to_be_terrori.html

Mass surveillance through PNR is facing closure: EU-Canada agreement is put to testing (in German) (05.04.2016)
https://digitalegesellschaft.de/2016/04/vds-reisedaten-kanada-eugh/

(Contribution by Diego Naranjo, EDRi)


Interview at Críptica.org (English translation)


(Note: This is the English translation of the interview I did for Críptica.org, originally in Spanish. You can find the original interview below or at the original site: http://www.criptica.org/2016/02/10/entrevista-a-diego-naranjo/ )

1. For those who do not know you, could you please present yourself?

My name is Diego Naranjo and I work as Advocacy Manager at European Digital Rights (EDRi). EDRi is an umbrella organisation of civil rights groups working for the defense of human rights in the online environment.

2. When did you become aware of the importance of protecting your privacy? Was there any specific moment that affected your current views on this subject?

The “dystopian” books 1984 by Orwell, Fahrenheit 451 by Bradbury and A brave new world by Huxley made an impact on me during my teenage years. Since then the idea of resisting the Big Brother influenced my way of thinking and marked my political positions.

3. Do you want to talk about any of the projects related with security or privacy (regardless of their technical, social or political nature) in which you are currently involved?

This year at EDRi we are focusing on a campaign against the EU PNR Directive, which may be passed in the European Parliament in the following weeks; we will also work on the review of the e-Privacy Directive, since it needs to be reviewed after the initial agreement on the General Data Protection Regulation (GDPR); finally, we will start working on the implementation of the GDPR and be alert to attempts to establish new data retention laws at national level.

4. What kind of practices do you do in your every day life to protect your privacy, both in the digital and in real life?

I do similar activities in both the digital and non-digital environments:

In the online environment:

1. I only use Free Software on my computers.
2. I use end-to-end encryption (PGP) daily.
3. To communicate with friends and working colleagues I do not use Whatsapp, but Signal and Telegram instead.
4. I do not use social networks which are especially invasive, such as Facebook.

In the non-digital world:

1. I advocate for the use of free software tools by public institutions through my regular advocacy work, for example via proposing amendments in non-legislative reports or in the proposals of EU legislation.
2. When using snail mail, I use envelopes for private information and postcards for not so private information.
3. I try to do more meetings in person and public speaking than online, when possible.

5. What would you tell the ordinary Internet user who says that he has “nothing to hide” or who believes that privacy is something that should worry those who “do evil things”?

This is a “zombie argument” that comes back to life after every pro-privacy initiative. The reply to that statement is that privacy is not related to “hiding things”, but to freedom of expression, freedom of assembly and other fundamental rights. Everyone should be able to talk with their friends, express their fears and opinions without being constantly under surveillance. Otherwise, this leads to self-censorship and people not being themselves. This could lead to all sorts of problems, including health related ones. Would you look up the address of a clinic that performs abortions if you think your boss might be reading your private messages? Are you going to look up information on Google about ISIS if that could lead you to be in some database as a suspect of supporting terrorism?

This “chilling effect” can be seen in other scenes in our daily life. For example, when you drive and you notice that there is a police car driving next to you, no one stays indifferent: you revise everything mentally. You wonder if you have the documentation of your car insurance and if your seat belt is correctly fastened, if the speed is under the limit and, generally, you put yourself in some sort of “alert mode”. If we all take our smartphone everywhere and we communicate more and more often using the Internet we can potentially have “a policeman” looking over our shoulders constantly. Who wants to live in a state of permanent alert? What kind of freedom would that be?

6. What kind of tools, habits or practices would you recommend to non-technical users to improve their privacy?

Edward Snowden has proposed several easy tips that can improve your privacy easily without being a very technical person.

For those who have what could be called “below user level”, my recommendation would be not installing those apps that require access to your information without needing it to perform correctly (for example, the torch app which asks to access your contacts). A step further from that would be using by default apps that are on the Free Software repository F-Droid, since they are free and ‘gratis’, and only in case you do not find what you need going to Google Play or Apple Store.

You could also use search engine DuckDuckGo.com instead of Google, in order not to be tracked.

A step forward would be using Free Software daily. There are already many distributions out there (Ubuntu, Linux Mint…) that debunk the myth that Free Software is only for geeks.

7. To what extent do you think that the criticism of massive surveillance involves the involuntary legitimation of targeted surveillance that, nevertheless, violate rights of those affected by those measures? (Example: #Spycops case in the United Kingdom)

Indiscriminate mass surveillance is, by definition, contrary to human rights, as the courts in Strasbourg and Luxembourg have said repeatedly (cases Digital Rights Ireland and Schrems in the CJEU, case Szabo and others in the ECtHR).

Targeted surveillance, on the other hand, is not a blank check. It must be prescribed by law and follow the criteria of necessity and proportionality. In order to be lawful targeted surveillance should include a system to prevent abuses: In cases of spying agencies (“intelligence agencies”) being the ones doing this surveillance, they must be subject to the control of the State, including judicial supervision. In the case of the surveillance performed by law enforcement agencies, this also needs to be done following the Rule of Law, including that no one is subject to surveillance without judicial authorisation and that, in some cases, this cannot be done even with that authorisation (for example, conversations between a client and their lawyer and a doctor and his patient).

8. Which institutions, acts or institutions are a threat for freedom and privacy online? Who should defend these rights?

The Internet of Things and Big Data are threats that need to be neutralised right now. The effects of these technologies lead to the creation of profiles, and the ways they can be used to control the population are alarming. Multinationals that make profit out of our personal data (Google, Facebook, Skype-Microsoft and others) are a constant threat, as we have seen after the Snowden revelations.

Defending these rights is the duty of citizens. Rights, as muscles, are strengthened by exercising them daily. If we do not do this, we become weaker as societies and as individuals. Since policies related to privacy are decided increasingly at the European level, we call citizens to get organised in associations and to get involved in the campaigns organised by organisations like EDRi, Xnet, Access Now, BEUC and others. If we want to shape our future freedoms in the digital world, the moment is now.

9. Do you believe that there are important differences between “traditional” political activism and the activism focused in the defense of human rights online or “hacktivism”? We at Críptica see a “gap” (generational, technical, gender based…) between both ways to intervene in politics.

Inevitably, human rights activism in the online world requires some technical skills (sometimes, very basic ones), which can leave outside some activists (for example, older generations). When this is not the case, we see that digital rights activism is identified with hackers and geeks, when it is obvious that almost everyone has a smartphone, uses e-mails and therefore the risks affect all of us.

When I introduce EDRi, I always highlight that EDRi is a human rights organisation. Otherwise, when we talk about “digital rights” it seems like we are talking about “human rights for the developed world”, when in fact we are talking about the same human rights we already have offline, but applied to the online environment.

There is another issue, maybe more important. It is true that there are fights which are more urgent than privacy: climate change and social inequalities are two of the main ones. However, these battles are going to be fought, to an increasing extent, using digital tools. If we do not control those tools and we prevent indiscriminate surveillance we can see these fights seriously threatened and compromised.

10. Finally, what do you think should be, in your opinion, the aspects that as a political movement (from the “digital rights” organisations) we should have to improve?

1. We need to create a global discourse about surveillance and privacy which is not connected to the rhetorics of the Big Brother so we can get closer to citizens. We need to find and use positive examples (talking about freedoms rather than fears) in order to reach a wider audience.

2. Support economically (via donations, crowdfunding…) free software and privacy tools in particular, and use them. A first step could be, for example, convincing five people with whom you communicate the most to use Signal and communicating with them (sms and calls) privately. Signal is an app that is free of charge, it is free software, it is easy to use, and replaces your SMS app, so you do not need to use two different ones for the same purposes.

3. We need to organise at local and national level to work on these issues, and also work in alliances at the European and international level in order to be more powerful. We need to put constant pressure on Members of the European Parliament and on the European Commission, since they are the ones that to a great extent decide on our online freedoms.

Interview at Criptica.org

The blog Criptica.org has published an interview they did with me this week. (Original post at: http://www.criptica.org/2016/02/10/entrevista-a-diego-naranjo/)


1. For readers who do not know you, could you briefly introduce yourself?

My name is Diego Naranjo and I work as Advocacy Manager for European Digital Rights (EDRi). EDRi is a federation of non-governmental organisations working for the defence of human rights in the digital world.

2. When did you start to become aware of the importance of protecting your privacy? Was there a specific event that shaped your current way of thinking?

Without a doubt, books from the “dystopia” genre such as 1984 by Orwell, “Fahrenheit 451” by Bradbury and “Brave New World” by Huxley marked my adolescence. Since then the idea of resisting Big Brother has influenced my way of thinking and shaped my political positions on the matter.

3. Would you like to tell us about any of the projects related to security or privacy (whether technical, social or political in nature) in which you are currently involved?

This year at EDRi we are going to focus on a campaign against the EU PNR Directive (https://edri.org/faq-pnr/), which may be approved in the coming weeks; we will also work on the reform of the ePrivacy Directive, which has to be revised following the approval of the new General Data Protection Regulation (GDPR); finally, we will start working on the details of the implementation of the GDPR and will keep watch for attempts to establish new data retention rules at national level.

4. What practices do you follow in your day-to-day life to protect your privacy, both in the digital environment and in real life?

I follow similar practices in both worlds (digital and non-digital):

In the digital world:

1. I use exclusively free software on my computers.
2. I use end-to-end encryption (PGP) daily.
3. On my smartphone I do not use Whatsapp, but Signal and Telegram.
4. I do not use especially invasive social networks such as Facebook.

In the non-digital world:

1. I promote the adoption of free software by public institutions through amendments or proposals in legislative and non-legislative initiatives of the European Union.
2. When I use ordinary mail, I use envelopes for private information, and postcards for not so private information.
3. I try to hold more in-person meetings and public talks than online communications.

5. What would you say to the ordinary Internet user who believes they have “nothing to hide”, or who thinks that privacy is an issue that should only worry “those who do bad things”?

This is a “zombie argument” that reappears after every pro-privacy initiative. The answer is that privacy is not related to “hiding things”, but to freedom of expression, freedom of assembly and other fundamental rights. Everyone should be able to talk with their friends and express their fears and opinions on any subject without being constantly watched. Otherwise, people end up censoring themselves and stop being themselves. This can bring all kinds of problems, including health problems. Are you sure you would look up the address of a clinic for the termination of pregnancy if you think your boss may be analysing your private messages? Are you going to look up information on Google about ISIS if that could lead to you ending up in some database as a suspected supporter of terrorism?

This “chilling effect” can be seen in other scenes of daily life. For example, when you are driving and you see a police car, no one remains indifferent: you check everything, you think about whether you have the car's paperwork to hand, you check whether you are within the speed limit and, in general, you go on alert. If we take our smartphone everywhere and communicate more and more over the Internet, we can have “a policeman” over our shoulder every second. Who wants to live in a state of permanent alert? What kind of freedom would that be?

6. Thinking of users without specifically technical training, what tools, habits or practices would you recommend to improve their privacy?

Edward Snowden has proposed several simple tips that can easily improve privacy without the need for much technical knowledge: http://www.eldiario.es/cultura/tecnologia/privacidad/Edward-Snowden-explica-proteger-privacidad_0_457754864.html

For those with less technical knowledge than what could be called “user level”, the recommendation is not to install applications that require access to information whose use is not necessary (example: a torch application that wants to access your contacts). A further step would be to use the applications listed on F-Droid (https://f-droid.org/), which are free of charge and free software, and only if you do not find what you need to go to Google Play or the Apple Store.

You can also use the search engine DuckDuckGo.com instead of Google, so as not to be tracked.

A slightly more advanced step is to use free software. There are already many distributions (Ubuntu, Linux Mint…) that dispel the myth that free software is for computer specialists.

7. To what extent do you think that criticism of mass surveillance involves the involuntary legitimation of individualised forms of surveillance which nevertheless continue to violate the rights of the people affected? (Example: the #Spycops case in the United Kingdom)

Indiscriminate surveillance is, by definition, contrary to human rights, as the courts in Luxembourg and Strasbourg have repeatedly declared (cases Digital Rights Ireland and Schrems at the CJEU, case Szabo and others at the ECtHR).

Individualised surveillance, on the other hand, is not a blank cheque. It must be provided for in a law and follow the criteria of necessity and proportionality. This must include a system for preventing abuses: where it is the spying agencies (“intelligence agencies”) that carry out the surveillance, they must be subject to the scrutiny of the State, including judicial supervision. In the case of surveillance by police forces, it must be done following the rules of a State governed by the rule of law, which includes that no monitoring of private communications is started without judicial authorisation and that, in certain cases, even these cannot be investigated (for example, between a lawyer and their client, or between doctor and patient).

8. As of today, which institutions, actors or bodies do you think pose a threat to freedom and privacy on the Internet? Whose responsibility is it to defend these rights?

The Internet of Things is a threat that has to be neutralised right now. The effects that these technologies can have in relation to the creation of profiles (profiling) and as a new form of population control are alarming. The multinationals that live off our personal data (Google, Facebook, Skype and others) pose a constant threat, as we have seen following the Snowden revelations.

Defending these rights always falls to us, the citizens. Rights, like muscles, are strengthened through constant exercise. Otherwise, we become weak. Because privacy policies are made more and more at European level, we call on citizens to organise themselves in associations and to act on the calls to mobilise made by organisations such as EDRi, Xnet, Access Now, BEUC and others. If we want to shape our future freedoms in the digital world, the moment is now.

9. Do you think there are notable differences between “traditional” political activism and activism centred on the defence of rights on the Internet, or “hacktivism”? The truth is that from Críptica we observe a “gap” (generational, technical, gender…) between the two forms of political intervention.

Inevitably, human rights activism on the Internet requires certain technical knowledge (sometimes only very minimal), which can put some people off. When that is not the case, we find that this field is identified with hackers and geeks only, when the truth is that almost all of us have an e-mail account and a smartphone to hand, and therefore the risks affect us all.

When I present EDRi, I always stress that we are a human rights organisation. Otherwise, when we talk about “digital rights” it seems that we are talking about human rights for the developed world, when in reality they are simply the human rights we already have offline but applied to the digital world.

There is another matter, perhaps more important. It is true that there are struggles with higher priority and urgency than privacy: climate change and social inequalities are two of the main ones. However, these struggles are going to be carried out, to a greater or lesser extent, more and more using digital means. If we do not control these tools and prevent indiscriminate mass surveillance from existing, we may see those struggles seriously threatened.

10. Finally, what should be, in your opinion, the aspects that as a political movement (across all the organisations defending “digital rights”) we would have to improve?

1. We have to create a global discourse on surveillance and privacy that moves away from the rhetoric of Big Brother and moves closer to citizens. We have to use positive and fun examples in order to reach people.

2. Give financial support (donations, crowdfunding…) to free software and the use of privacy tools. A first step could be, for example, convincing your 5 most-used contacts to install Signal and communicating with them (by messages and calls) privately. It is a free-of-charge tool, easy to use, and it replaces your SMS app, so you do not need to duplicate your apps.

3. Organise ourselves in our local and national organisations to tackle these issues, and ally ourselves at European and international level with other organisations to join forces. We have to put constant pressure on the Members of the European Parliament and on the European Commission, who are the ones who to a large extent decide on our digital freedoms.

FAQ: Passenger Name Records (PNR)

(Originally published at: https://edri.org/faq-pnr/)

The European Union will soon adopt a Directive on the long-term storage and use of “Passenger Name Records” (PNR) for the purpose of profiling individuals as possible serious criminals or terrorists.

What is a Passenger Name Record (PNR)?

Passenger Name Records (PNR) include information provided by passengers and collected by air carriers for commercial purposes. PNR can contain several pieces of additional information such as dates, itinerary and contact details. All PNR data is stored in airlines’ databases.

PNR was originally intended to be used only as a record that contains the itinerary for a passenger or for passengers travelling as part of a group. The idea was to allow the exchange of reservation information between airlines in case passengers needed to use different companies in order to reach their final destination. The PNR is created when someone books a flight. At that moment, the travel agent or the website managing the trip creates a PNR in a computer reservation system (CRS).

What kind of data is included?

Passenger Name Records (PNR) can now include every type of data provided by the passengers, including, but not limited to, the date of the trip and complete itinerary, the name and contact information, the form of payment, frequent flyer information, meal preferences and medical information. In some cases, the airlines will have access to other data such as hotel bookings, car rentals, train journeys, travel associates, etc.

Optionally, agencies may also require more data, such as fare details, tax amounts paid, the form of payment used, further contact details, age details if it is relevant to the travel, frequent flyer data and special Service Requests.

The full list of data required by the EU PNR Directive is:

  1. PNR record locator
  2. Date of reservation/issue of ticket
  3. Date(s) of intended travel
  4. Name(s)
  5. Address and contact information (telephone number, e-mail address)
  6. All forms of payment information, including billing address
  7. Complete travel itinerary for specific PNR
  8. Frequent flyer information
  9. Travel agency/travel agent
  10. Travel status of passenger, including confirmations, check-in status, no show or go show information
  11. Split/divided PNR information
  12. General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent)
  13. Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, Automated Ticket Fare Quote fields
  14. Seat number and other seat information
  15. Code share information
  16. All baggage information
  17. Number and other names of travellers on PNR
  18. Any Advance Passenger Information (API) data collected (inter alia document type, document number, nationality, country of issuance, date of document expiration, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time, arrival time)
  19. All historical changes to the PNR listed in numbers 1 to 18

What does PNR add in terms of prevention of terrorism and transnational crimes to other existing systems?

Nothing. There are other ways to access this type of information. For example, law enforcement agencies and intelligence agencies can require access to PNR data via a court order, following the regular procedures prescribed by law.

Furthermore, there are other measures that authorities can use to identify subjects who may be involved in criminal activity, such as the Schengen Information System (1), the Visa Information System (2), Eurodac (3), ECRIS (4) and API data (Advance Passenger Information).

Is it true that PNR will help to stop terrorists?

No. In many of the recent terrorist attacks the terrorists had already been flagged as people who needed further tracking. Thus, the attackers from the last terrorist incident in Paris were already known to French authorities and details of their travels were also known (7). An EU PNR Directive would not have brought any more security, only more risks. For example, there have already been cases of people being wrongly labeled on these lists based on profiling schemes and, consequently, handed over to repressive regimes and tortured (8).

Rather than creating new surveillance measures, the EU should look for more active and effective cooperation between law enforcement agencies in the EU(5)(6).

Has the EU PNR Directive been proved to be effective, proportionate or necessary?

No. The Directive is being adopted despite concerns raised by the Fundamental Rights Agency (FRA), the European Data Protection Supervisor (EDPS) and Article 29 Working Party. A study undertaken for the Council of Europe explained that “no serious, verifiable evidence has been produced by the proponents of compulsory suspicionless data collection to show that data mining and profiling by means of the bulk data in general, or the compulsory addition of bulk PNR data to the data mountains already created in particular, is even suitable to the ends supposedly being pursued –let alone that it is effective”.(9)

However, the supporters of PNR seem to follow the unquestioning belief that any form of long-term data storage – including PNR – will be valuable.

What is EDRi’s view on PNR systems?

The right to privacy and the right to data protection are fundamental rights. They are not just a social convention, but legally enforceable rights, enshrined in the Treaties, laws and the Charter of Fundamental Rights. In line with the Charter of Fundamental Rights, infringements of fundamental rights (by long-term storage of such data) are only permissible if they “genuinely meet objectives of general interest”. PNR does not respect this principle.

What are the main problems of the EU PNR proposal?

  • Unlawful Blanket Data Retention: After the European Court of Justice ruling that invalidated the Data Retention Directive, it is difficult to believe that the current PNR proposal would be considered lawful.
  • Excessive Data Retention Period: Even if the retention of data were considered legitimate, in the PNR context the proposed five-year period is significantly longer than could be reasonably deemed necessary or proportionate. In the European Court hearing on data retention, neither the European Commission nor the individual Member States were able to give any justification for the retention periods demanded.
  • Lack of concrete protections from arbitrariness: In the text, it is unclear how the profiling will be done.
  • There are existing measures (VIS(10), SIS(11) and API(12)) which already provide sufficient information: There is no evidence that another system would be needed.
  • Lack of evidence showing that these measures are effective, necessary and proportionate in the investigation or prevention of serious crimes: From the European Commission’s own impact assessment (13), there is no concrete evidence on the actual usefulness of PNR collection for the tackling of serious crime or terrorist offences. It is particularly worrying that the European Commission states in its proposal that “PNR data is unverified information provided by passengers” (14) while remaining convinced – despite their questionable accuracy – it could be used in real time “to prevent a crime”.
  • Lack of proportionality: Fundamental Rights Agency (FRA), the European Data Protection Supervisor (EDPS) and Article 29 Working Party agree on the lack of proportionality of the proposal. The proposed EU PNR system foresees data collection and analysis for all passengers on international flights without any sort of targeting.
  • Excessive costs: Transposing such a Directive will bring significant costs for Member States. The high expenditure is confirmed by the European Commission’s impact assessment, which put the cost at hundreds of millions of euro.

1 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/schengen-information-system/index_en.htm

2 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/visa-information-system/index_en.htm

3 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/asylum/identification-of-applicants/index_en.htm

4 http://ec.europa.eu/justice/criminal/european-e-justice/ecris/index_en.htm

5 http://www.euractiv.com/sections/justice-home-affairs/verhofstadt-calls-creation-eu-intelligence-agency-319630

6 http://www.statewatch.org/news/2009/apr/ep-study-leas-exchange-info-data.pdf

7 http://www.dailymail.co.uk/news/article-3320070/The-deadly-blunders-run-Paris-terrorist-centre-international-manhunt-stopped-released-French-police-Belgian-border-hours-deadly-attacks.html

8 http://www.coe.int/t/dghl/standardsetting/media/cdmsi/Rule_of_Law_Internet_Digital_World.pdf

9 https://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD%282015%2911_PNR%20draft%20report%20Douwe%20Korff%20&%20Marie%20Georges_15%2006%202015.pdf

10 http://europa.eu/legislation_summaries/justice_freedom_security/free_movement_of_persons_asylum_immigration/l14517_en.htm

11 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/schengen-information-system/index_en.htm

12 http://www.icao.int/Security/FAL/Documents/2010%20API%20Guidelines%20Final%20Version.ICAO.2011%20full%20×2.pdf

13 European Commission impact assessment on the proposal for an EU PNR Directive: http://ec.europa.eu/smart-regulation/impact/ia_carried_out/docs/ia_2011/sec_2011_0132_en.pdf

14 Commission proposal for a Directive on the use of Passenger Name records, Page 3: http://ec.europa.eu/home-affairs/news/intro/docs/com_2011_32_en.pdf