indocrypt · INDIAN cryptographers society
#209 From: Sarad AV <jtrjtrjtr2001@...>
Date: Thu Jul 16, 2009 3:03 pm
Subject: Fw: Ever Better Cryptanalytic Results Against SHA-1
The SHA family (which, I suppose, should really be called the MD4 family) of
cryptographic hash functions has been under attack for a long time. In 2005, we
saw the first cryptanalysis of SHA-1 that was faster than brute force:
collisions in 2^69 hash operations, later improved to 2^63 operations. A great
result, but not devastating. But remember the great truism of cryptanalysis:
attacks always get better, they never get worse. Last week, devastating got a
whole lot closer. A new attack can, at least in theory, find collisions in 2^52
hash operations -- well within the realm of computational possibility. Assuming
the cryptanalysis is correct, we should expect to see an actual SHA-1 collision
within the year.

Note that this is a collision attack, not a pre-image attack. Most uses of hash
functions don't care about collision attacks. But if yours does, switch to SHA-2
immediately.

This is why NIST is administering a SHA-3 competition for a new hash standard.
And whatever algorithm is chosen, it will look nothing like anything in the SHA
family (which is why I think it should be called the Advanced Hash Standard, or
AHS).

A copy of this essay, with all embedded links, is
Here...
http://www.schneier.com/blog/archives/2009/06/ever_better_cry.html

Source: Bruce Schneier Blog

#208 From: Sarad AV <jtrjtrjtr2001@...>
Date: Thu Jul 16, 2009 3:01 pm
Subject: Fw: Better than bruteforce attack on AES
There's a new cryptanalytic attack on AES that is better than brute force:

"Abstract. In this paper we present two related-key attacks on the full AES. For
AES-256 we show the first key recovery attack that works for all the keys and
has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic
works for a weak key class and has higher complexity. The second attack is the
first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks,
which are based on the recent idea of finding local collisions in block ciphers
and enhanced with the boomerang switching techniques to gain free rounds in the
middle."

In an e-mail, the authors wrote: "We also expect that a careful analysis may
reduce the complexities. As a preliminary result, we think that the complexity
of the attack on AES-256 can be lowered from 2^119 to about 2^110.5 data and
time. We believe that these results may shed a new light on the design of the
key-schedules of block ciphers, but they pose no immediate threat for the real
world applications that use AES."

---Bruce Schneier's Cryptogram Snippet---

Agreed. While this attack is better than brute force -- and some cryptographers
will describe the algorithm as "broken" because of it -- it is still far, far
beyond our capabilities of computation. The attack is, and probably forever will
be, theoretical. But remember: attacks always get better, they never get worse.
Others will continue to improve on these numbers. While there's no reason to
panic, no reason to stop using AES, no reason to insist that NIST choose another
encryption standard, this will certainly be a problem for some of the AES-based
SHA-3 candidate hash functions.

Paper:
https://cryptolux.org/mediawiki/uploads/1/1a/Aes-192-256.pdf

#207 From: Sarad AV <jtrjtrjtr2001@...>
Date: Fri Apr 10, 2009 7:58 am
Subject: CFP National Workshop on Cryptology 2009
Freely distribute

http://www.svnit.ac.in/CRSI/index.html

Important Dates


Last Date for receipt of Paper:        15th May 2009
Notification of acceptance:            30th June 2009
Camera Ready Submission:               10th July 2009

Last Date for Registration:            20th July 2009

#206 From: Sarad AV <jtrjtrjtr2001@...>
Date: Fri Apr 10, 2009 8:00 am
Subject: CFP INDOCRYPT 2009
Freely Distribute

http://indocrypt09.inria.fr/oc.shtml


10th International Conference on Cryptology in India
Indocrypt 2009
December 13 - 16, 2009, New Delhi, India

Submission deadline: August 14, 2009
Authors notification: September 28, 2009
Final version: October 2, 2009
Conference: December 13-16, 2009

#205 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Jan 19, 2009 4:01 pm
Subject: Fw: Security boffins attempt to freeze out cold boot crypto attack
Security researchers have developed prototype countermeasures to defend against
the recently developed cold boot crypto attack.
http://www.theregister.co.uk/2009/01/19/cold_boot_countermeasures/

#204 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Dec 22, 2008 6:45 am
Subject: Fw: An IP-Transparent Tor Hidden Service Connector
OnionCat creates a transparent IP layer on top of Tor's hidden services. It
transmits any kind of IP-based data transparently through the Tor network on a
location hidden basis.  You can think of it as a point-to-multipoint VPN between
hidden services.

http://www.abenteuerland.at/onioncat/

#203 From: Sarad AV <jtrjtrjtr2001@...>
Date: Fri Dec 12, 2008 4:01 pm
Subject: NIST announces SHA-3 Candidates
#202 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Dec 8, 2008 5:32 pm
Subject: Physical security: tourist scams
An amazing list of tourist scams, cross-posted from Dr. Schneier's blog.
http://www.ricksteves.com/graffiti/bestof_scams05.htm

#201 From: Sarad AV <jtrjtrjtr2001@...>
Date: Fri Dec 5, 2008 9:23 am
Subject: Fw: The new credit card with keypad that promises to fight online fraud
A credit card with its own LCD display and keypad has been unveiled.

Visa says the card will cut down on online shopping fraud. It will be tested in
Britain early next year by the company MBNA.

Each card, identical in size and shape to current ones, has a 12-button keypad
and a display powered by a battery that lasts up to three years.

Complete info at:
http://www.dailymail.co.uk/sciencetech/article-1085642/The-new-credit-card-keypad-promises-fight-online-fraud.html?ITO=1490

#200 From: Sarad AV <jtrjtrjtr2001@...>
Date: Fri Dec 5, 2008 9:22 am
Subject: Fw: EDRi-gram newsletter - Number 6.23, 3 December 2008
============================================================

            EDRi-gram

biweekly newsletter about digital civil rights in Europe

     Number 6.23, 3 December 2008


============================================================
Contents
============================================================

1. Changes in the telecom package adopted by the Council
2. French EDVIGE decree withdrawn
3. Effects of counter-terrorism legislation on freedom of the media
4. Sweden on the verge of passing the local IPRED law
5. Turkey: Another blocking order against YouTube
6. Ireland proposes to legalise covert surveillance
7. UK rejected data breach notification law
8. Parliaments seem to use very little IT technology
9. Recommended Action
10. Recommended Reading
11. Agenda
12. About

============================================================
1. Changes in the telecom package adopted by the Council
============================================================

A political agreement on the telecom package was reached by the EU Council
on 27 November 2008. Even though the final text does not support the 3
strikes measures proposed by the French Presidency, it has also deleted some
important amendments adopted by the European Parliament in order to
safeguard citizens' fundamental rights.

Austria and Denmark spoke up for keeping Amendment 138 during the
Council meeting. Bulgaria, Hungary and Poland joined them in an attempt to
provide safeguards for users in the event of any attempts to sanction them
or restrict their access to content on the Internet. They asked for the
exclusion of any issues related to copyright enforcement and the promotion
of creative content instead. But in the end, the Council decided on the
deletion of this amendment, the only pretext expressed being that the
wording was too broad.

The new text of the modified Universal Services Directive allows the
national regulatory authorities to "promote cooperation between undertakings
providing electronic communications networks and/or services and the sectors
interested in the promotion of lawful content in electronic communication
networks and services." The adopted recitals make it clear that any
cooperation procedures will not allow for systematic Internet monitoring and
that the Member States, and not the electronic communication providers, have
to "decide, in accordance with due process, whether content, applications or
services are lawful or harmful or not."

The decision of the Telecom Council to reject the 3 strikes scheme comes
after the EU culture ministers took a similar decision on 20 November. They
also suggested promoting legal offers of music or films on the Internet. The
EU Culture Council considered that "a fair balance between the various
fundamental rights" needs to be established while fighting online piracy,
first listing "the right to personal data protection," then "the freedom of
information" and only lastly "the protection of intellectual property".

In fact, the Commission has already sent a number of critical comments on
the French draft law on 3 strikes, suggesting a long series of changes in
order to comply with the European legislation.

The text adopted by the European Telecom Council is not so positive from
the privacy point of view. Thus, the Council has rejected the suggestion
of the Parliament to allow a study on Internet Protocol (IP) addresses and
their use that should have been promoted by the Commission.

The Council has decided to keep Art 6 par 6 (formerly amendment 181 adopted
by the European Parliament) that has been interpreted as an open door for
voluntary data retention. Thus, the German actions to push for the rejection
of amendment 181 in the Telecom Council did not find a majority,
despite the public position of the German federal minister of economic
affairs Michael Glos. He agreed with a number of civil society
representatives that this amendment "would create unmanageable data dumps
and thus expose sensitive data on our communications and movements to risks
of abuse."

The Telecom Council has taken the European Commission's point of view in
restricting the obligation for personal data breach notification only for
electronic communication providers, thus excluding the Parliament amendment
that extended this provision also to "any company operating on the
Internet, providing services to consumers, which is the data controller and
provider of information society services."

The Council has also limited the number of cases when the notification to
the competent Authority and affected individuals is mandatory only in cases
representing "a serious risk for subscriber's privacy."

This common position adopted by the Telecom Council is a base for new
negotiations between EU Bodies, which could meet this month. Also, a new
informal meeting of the Telecom ministers is already scheduled on 17
February. The second reading of the European Parliament on the agreed text
could take place at the beginning of 2009.

2907th Transport, Telecommunications and Energy Council meeting (provisional
version) - (27.11.2008)
http://www.consilium.europa.eu/cms3_applications/Applications/newsRoom/LoadDocument.asp?directory=en/trans/&filename=104387.pdf

European Council - Reviewed ePrivacy Directive (27.11.2008)
http://register.consilium.europa.eu/pdf/en/08/st15/st15896.en08.pdf

European Council - Reviewed Universal Service Directive (27.11.2008)
http://register.consilium.europa.eu/pdf/en/08/st15/st15899.en08.pdf

Federal government supports opposition against "voluntary data retention"
(25.11.2008)
http://www.vorratsdatenspeicherung.de/content/view/280/79/lang,en/

EU states bin telecoms 'super-regulator' idea (27.11.2008)
http://euobserver.com/19/27192

Citizen safeguards striked out in EU Council (26.11.2008)
http://www.laquadrature.net/en/citizen-safeguards-striked-out-in-EU-council

Bulgaria, Hungary, Poland - only EU members on the same page vis-a-vis
Internet content control (1.12.2008)
http://blog.veni.com/?p=898

European Council opposes Parliament on Amendment 138 (27.11.2008)
http://www.iptegrity.com/index.php?option=com_content&task=view&id=212&Itemid=9

EU ministers reject ban on free downloading (21.11.2008)
http://www.euractiv.com/en/infosociety/eu-ministers-reject-ban-free-downloading/article-177379

Denmark and Austria speak up for citizens rights (27.11.2008)
http://www.iptegrity.com/index.php?option=com_content&task=view&id=211&Itemid=9

Commission response to France's obligation of notification for its
"graduated response" law (only in French, 27.11.2008)
http://www.latribune.fr/entreprises/communication/telecom-internet/20081127trib000314818/loi-antipiratage-sur-internet-les-observations-de-bruxelles-.html

EDRi-gram: Data breach notification - different opinions in EU bodies?
(19.11.2008)
http://www.edri.org/edri-gram/number6.22/data-breach-ec

============================================================
2. French EDVIGE decree withdrawn
============================================================

It seems the demonstrations that took place on 16 October against the EDVIGE
decree have found an echo with the French authorities. The French Government
has finally withdrawn the EDVIGE file after a very strong mobilisation of
the citizens through the "No to EDVIGE" group that gathered several
associations and unions, including EDRi-member IRIS (Imaginons un Réseau
Internet Solidaire).

The withdrawal of the decree is different from the abrogation in the sense
that the withdrawal has a retroactive character meaning that all the
information gathered since the creation of EDVIGE 1.0 has to be destroyed.
The RG file, introduced in 1991, previous to EDVIGE, will remain valid until
31 December 2009 but no information will be added to it starting with 1 July
2008.

However, the liberty advocates and associations are still vigilant and stay
careful while waiting for the occurrence of the newly envisaged file called
EDVIRSP which has not yet been published. The new version which should
exclude the collection of personal data related to health, sexuality or data
on personalities or minors below 13 is now with the French Data Protection
Authority - CNIL (Commission nationale de l'informatique et des libertés)
before being sent to the State Council.

IRIS and the rest of the "No to EDVIGE" group are still concerned by some of
the issues of the new version such as the creation of a file based on
suspicions and not facts, the collection of data related to religious
beliefs, ethnical origin, union membership, political opinions as well as
data on minors older than 13.

So, for the time being, before the issue of a new file, the data already
collected for the withdrawn EDVIGE file cannot be used which means that
the police cannot gather data at this point. However, there are concerns
that, in this case, the police will use other sources such as Cristina, a
similar file to EDVIGE, which is a defence classified file that can provide
the legal basis for the collection of data.

"We are now under a legal blur and this blur is never favourable to
liberties," said Hélène Masse-Dessen, lawyer of the "No to EDVIGE" group.

IRIS Press release on the withdrawal of EDVIGE1.0 - First citizen victory
but vigilance stays in place (only in French, 20.11.2008)
http://www.iris.sgdg.org/info-debat/comm-edvige1108.html

Decree no. 2008-1199 of 19 November 2008 on the withdrawal of decree no.
2008-632 of 27 June 2008 on the creation of automatic treatment of personal
data called EDVIGE (only in French, 21.11.2008)
http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000019774085

Withdraw EDVIGE1.0 team Press Release - "No to EDVIGE" team congratulates
itself but stays mobilized (only in French, 21.11.2008)
http://nonaedvige.ras.eu.org/spip.php?article920

The Edvige file officially withdrawn but not yet replaced (only in French,
21.11.2008)
http://www.lesechos.fr/info/france/4800116-le-fichier-edvige-officiellement-retire-mais-pas-encore-remplace.htm

The Edvige file officially withdrawn, the opponents stay "vigilant" (only in
French, 20.11.2008)
http://www.google.com/hostednews/afp/article/ALeqM5gRs-meyd--OCvfnMRd3rHruoHU7Q

EDRi-gram: Protests in France against the Edvige file on St. Edwige day
(22.10.2008)
http://www.edri.org/edri-gram/number6.20/edvige-saint-edwige-day

============================================================
3. Effects of counter-terrorism legislation on freedom of the media
============================================================

A new report conducted by Privacy International (PI) for the Council of
Europe Media and Information Society Division reveals effects of new
counter-terrorism laws on media and free expression rights in European
countries.

The report "Speaking of Terror" examines how the "war on terror" has
affected access to information, the growth of incitement, glorification and
"extremism" restrictions on speech, blocking of internet sites, increased
surveillance of journalists and limits on protection of journalists'
sources. The report finds that the laws have already seriously affected
freedom of expression while providing little benefit in fighting terrorism.
The report also examines the roles of the United Nations Security Council,
European Union and Council of Europe in promoting new laws while paying
little attention to human rights.

The findings of the study reveal that international bodies including the
Council of Europe (CoE) and the European Union (EU) have adopted many
international agreements that either ignore or only pay scant attention to
fundamental human rights and the importance of a free media. Their agendas
are often driven by those countries that are most aggressive in adopting
expansive counter-terrorism laws including the UK, US and Russia. The role
of European institutions such as the EU and the CoE have resulted in greater
adoption and harmonization of these laws than most other regions.

New laws on prohibiting speech that is considered "extremist" or supporting
of terrorism have been a particular problem. These laws are used in many
jurisdictions to suppress political and controversial speech. Newspapers
have been closed and journalists arrested. Web sites are often taken down or
blocked. State secret and national security laws are regularly being used
against journalists and their sources even as access to information laws are
widely accepted and adopted across the CoE.

Protection of journalists' sources is often undermined by governments
seeking to identify officials who provide information, even though the
protection is widely recognized both in national laws and in decisions of
the European Court of Human Rights.

New anti-terrorism laws are giving authorities wide powers to conduct
surveillance. Other new laws impose technical and administrative
requirements on the ability to intercept communications and keeping
information. Of particular concern are data retention laws which require
the routine surveillance of all mobile and Internet users that can be used
to easily identify sources and journalists' investigations.

Speaking of Terror: A survey of the effects of counter-terrorism legislation
on freedom of the media in Europe
http://www.privacyinternational.org/issues/terrorism/speakingofterror.pdf

============================================================
4. Sweden on the verge of passing the local IPRED law
============================================================

The Swedish Government is to pass these days a controversial law that might
give the entertainment industry some tools to track down those that
illegally share copyrighted material on the Internet.

The law, which is based on the European Union's Intellectual Property Rights
Enforcement Directive (IPRED), has been under debate for more than a year
and is claimed to be essential by the Swedish industry, which complains that,
presently, Sweden lacks the necessary legislation to support them: "Swedish
laws are considered something of a joke and our politicians are viewed as
arrogant for not taking this seriously. Sweden has the worst laws in this
area and, consequently, the worst problems with piracy. It is embarrassing
that Sweden has waited so long to put in place a directive that was
implemented long ago by our European neighbours." says a letter addressed to
the Swedish Government by the director and producers of the Swedish movie
"Let The Right One In".

The law, which is planned to come into force on 1 April 2009, would make it
possible for copyright holders to get a court order requesting ISPs to
provide IP addresses associated with computers which have downloaded
copyrighted material without paying for it.

The copyright holders could afterwards contact those suspected of illegal
file sharing requesting them to stop the activity. If those in question do
not comply, the copyright holders can use the information obtained from the
ISPs to sue the infringer and ask for compensation for copyright violations.
With this, the Swedish draft law would go even farther than IPRED.

The proposed law faces a large opposition from centre-right political
parties and youth organisations. More than 22 000 members have joined a
group started by Pirate Party vice-chair Christian Engström on Facebook
which is called Stoppa IPRED (Stop IPRED) and which has sent e-mails of
protests to Swedish Parliament members.

"We have examples from other countries where this has amounted to the
legalization of wide-spread blackmail. Record companies get the name of
someone suspected of file sharing and send out a letter demanding 20,000
Swedish crowns (1 800 euros) or some other made up sum with the threat that
if you don't pay, we'll be taking you to court," said Engström.

In an attempt to answer these concerns, according to Sveriges Radio,
justice minister Beatrice Ask, whose ministry is responsible for the law,
has asked for the deletion from the draft law of a clause making the law
enforceable retroactively, which would have given the industry
the possibility to access information about people who have been illegally
downloading copyrighted material over the past few years and therefore to
take the respective people to court for actions performed in the past.
Another change that seems to have been introduced by the minister is that IP
addresses can only be given when the suspected file sharing is "of
commercial nature."

The vote of the Swedish Parliament on the matters is expected these days.

Swedish copyright laws 'a joke' (26.11.2008)
http://www.thelocal.se/15946/20081126/

Justice minister offers concessions on file sharing law (21.11.2008)
http://www.thelocal.se/15844/20081121/

Sweden judges back Pirate Hunter Act (14.11.2008)
http://www.theregister.co.uk/2008/11/14/sweden_closer_to_antipiracy_law/

Lines drawn in battle over file sharing bill (14.11.2008)
http://www.thelocal.se/15688/20081114/

Resistance mounts to new file sharing law (7.11.2008)
http://www.thelocal.se/15536/20081107/

============================================================
5. Turkey: Another blocking order against YouTube
============================================================

For the fourth time in two years, on 20 November 2008, the Turkish
authorities blocked access to YouTube asserting that certain content posted
on the site was disrespectful to Kemal Mustafa Atatürk, the Turkish
Republic's founder, or supported the outlawed Kurdistan Workers Party (PKK).
Turkey is the only country in the world banning YouTube.

"We have said it before and we say it again now - blocking access to YouTube
is wrong. It has been blocked since 5 May, as a result of an earlier court
order, and the obstinacy shown by the authorities is unacceptable. Denying
Turkish citizens access to this file-sharing site violates freedom of
information" said Reporters Without Borders.

The Cubuk magistrate court issued the latest blocking order on the basis of
article 162 of the criminal procedure law and of Law 5651 on crimes and
offences committed online which has been in force since November 2007 and
which obliges ISPs to block access to websites declared illegal. According
to this law, a public prosecutor may ban access to a website within 24 hours
if the content is considered "liable to incite suicide, paedophilia, drug
usage, obscenity or prostitution" or if it "contradicts the law of Atatürk."

YouTube is not the only site banned by the Turkish authorities. Since 2007,
based on the same laws, about 1 000 websites have been blocked by
Turkey's Telecommunications Directorate. Besides YouTube, recently,
nacizanebilgo.com, the popular Turkish dictionary website, has also been made
inaccessible following a complaint from religious leader Adnan Oktar on the
grounds that the site editors allowed Internet users to post "insulting"
terms about him. Lawsuits initiated by Oktar have resulted in the blocking of
at least 61 websites. Other banned websites include that of a teachers'
trade union and the site of the British biologist Richard Dawkins.

"Banning YouTube, Google's blogging site, the websites of a teachers' trade
union, Richard Dawkins and even a Turkish dictionary stands alongside more
than 40 cases against writers and journalists even since the reform of the
so-called anti-Turkishness article of the penal code," stated Richard
Howitt, the vice president of the European Parliament's Human Rights
Sub-Committee.

Howitt, who is a supporter of Turkey's becoming an EU member, met Justice
Minister Mehmet Ali Sahin on 27 November in Ankara and asked him to
overturn the decision of banning the sites, in the interests of free speech,
warning about the implications of such actions upon Turkey's EU adhering
process. "As a modern country looking forward to European Union membership,
Turkey should be embracing new communications rather than putting itself in
the same bracket as some of the world's pariah states," he said.

According to Kerem Altiparmak and Yaman Akdeniz, authors of the book
"Restricted Access", Internet restrictions are against European Union
standards and Turkey could face charges at the European Courts of Human
Rights for violating the freedom of expression. The authors argue that
Turkey's current Internet regulations, besides being procedurally flawed,
are designed to censor political speech: "Clearly the current regime,
through its procedural and substantive deficiencies, is designed to censor
and silence speech. Its impacts are wide, affecting not only the freedom of
speech but also the right to privacy and fair trial. It has been reported
that prosecutors have even demanded that politicians widen the scope of the
law to include insults, defamation and terrorism. This antiquated approach
remains unacceptable in a democratic society."

The authors also point out the fact that blocking a site is also a totally
inefficient method to combat illegal content: "Blocking as a preventative
policy measure has been explicitly dismissed within the context of terrorist
use of the Internet at the level of the European Union. Furthermore,
circumvention technologies are widely available, and the filtering and
blocking mechanisms and methods currently used in Turkey are easy to
circumvent even for inexperienced Internet users." One argument in favour of
this is that even the Turkish Prime Minister Tayyip Erdogan stated to the
press that, despite the ban, he could access YouTube and even provided the
information of how to do it.

MEP urges Turkey to end YouTube ban (28.11.2008)
http://www.google.com/hostednews/ukpress/article/ALeqM5j6NR6ouzA63R5vnPNxaZN306MMzQ

YouTube censored yet again by another court order blocking access
(25.11.2008)
http://www.rsf.org/article.php3?id_article=29421

European parliamentarians urge Turkey to remove YouTube ban (1.12.2008)
http://www.hurriyet.com.tr/english/domestic/10463374.asp?scr=1

Turkey could face charges at European court over restrictions (30.11.2008)
http://www.sundayszaman.com/sunday/detaylar.do?load=detay&link=160202

Ban on YouTube proves virtual (1.12.2008)
http://www.hurriyet.com.tr/english/domestic/10441126.asp?gid=244

EDRigram - YouTube blocked once more in Turkey (30.01.2008)
http://www.edri.org/edrigram/number6.2/youtube-turkey

============================================================
6. Ireland proposes to legalise covert surveillance
============================================================

The Irish Government has approved the outline of a Bill which, if passed by
Parliament, will permit police to break into private property to plant
covert audio bugs and video cameras. The Covert Surveillance Bill is
intended to legitimise what is already believed to be existing practice, to
make Irish law compliant with the European Convention on Human Rights and to
allow evidence obtained in this way to be used in court. Judicial approval
will be required before this can be done, except in exceptional
circumstances.

The procedure to deal with cases of exceptional urgency is too lax. Under
the Bill as it stands those cases would bypass the judicial process
entirely, so that surveillance could take place for up to 14 days without
any authorisation. There must be a question mark as to whether this
provision would be constitutional if it was used to break into and bug a
dwelling. Instead, it would be preferable to deal with cases of urgency by
permitting Gardaí to commence surveillance without a judicial authorisation
but then requiring that an application be made to the District Court for
permission to continue the surveillance.

Despite its broad title, the Bill addresses only one very narrow area - the
covert surveillance of locations by devices which are physically planted in
those locations. Many other forms of surveillance - such as the use of GPS
devices to track the position of cars, the use of long range cameras and
microphones to monitor locations from a distance and live monitoring of
Internet activity - will still be entirely unregulated. As a result there
will continue to be doubt as to whether Gardaí have the power to use these
types of surveillance and as to whether the resulting evidence can be used
in criminal prosecutions.

Meanwhile, although there is some legislation regulating other forms of
surveillance such as the interception of communications, data retention and
Garda use of CCTV, that legislation has developed on an ad hoc and reactive
basis with few consistent principles applying to its use or oversight. Much
of it is also out of date, most notably the 1993 interception of
communications legislation which due to technological changes no longer
adequately protects email and other Internet communications.

Considered as a whole therefore, the wider Irish law is inadequate. Given
that many of these issues were flagged by the Law Reform Commission in 1998,
it is hard to see any justification for the failure to address them to date.
Although this Bill does provide for some improvements, it is at best a
piecemeal response which will not address similar problems with other forms
of surveillance. It is clear that the time has come for comprehensive reform
of the overall law relating to surveillance. This Bill is a good first step
towards that reform. But it is only a first step, and it would be
regrettable if the government were to continue to ignore this area until
forced to act by another highly visible crime.

Government approves covert Garda measures (18.11.2008)
http://www.irishtimes.com/newspaper/breaking/2008/1118/breaking63.htm

Time to take a close look at surveillance (28.11.2008)
http://www.digitalrights.ie/2008/11/28/time-to-take-a-close-look-at-surveillance/

(contribution by TJ McIntyre - EDRi-member Digital Rights Ireland)

============================================================
7. UK rejected data breach notification law
============================================================

Two reports were published on 24 November 2008 by the UK Ministry of Justice
relating to a data breach notification law, the powers of the Government
to share data, and the Information Commissioner's inspection powers and
funding arrangements.

One of the reports states that a law requiring significant data breaches
to be notified to the Information Commissioner's Office (ICO) was
rejected, the ministry considering that notification should be a matter of
good practice rather than a legal obligation: "As a matter of good practice any
significant data breach should be brought to the attention of the ICO and
that organisation should work with the ICO to ensure that remedial action is
taken" says the report which adds: "The ICO will take into account the
failure of an organisation to notify any breaches of the data protection
principles when considering enforcement action."

The modification of the EU ePrivacy Directive introduces such an obligation
to telecommunications companies and Peter Hustinx, the European Data
Protection Supervisor, said in April that that law should be extended to
banks, online businesses and medical bodies.

William Malcolm from Pinsent Masons said a breach notification law might in
any case have been unnecessary, since failing to deal responsibly with a data
breach would already amount to a breach of the Data Protection Act.

The report also announced that new laws would increase the powers of the
Government to share data, introducing a fast-track procedure to allow data
sharing when "a robust case" could be made. "We intend to bring forward
legislation to confer upon the Secretary of State a power to permit or
require the sharing of personal information between particular persons or
bodies, so long as a robust case can be made to use that power. The power
will also be used to simplify the data protection framework and remove any
unnecessary obstacles to data sharing" says the report.

The new legislation will also place a statutory duty on the ICO to prepare,
publish and review a Code on the sharing of personal data that would
provide guidance on how organisations can share personal data and promote
good practice in the sharing of personal data. "A breach of, or compliance
with, the Code will be taken into account by the courts, the Information
Tribunal and the ICO whenever it is relevant to a question arising in legal
or enforcement proceedings".

A second report acknowledged the necessity of a framework that would
increase "public trust and confidence in the handling of personal data by
both the public and private sector." The report proposes measures
complementing ICO's present powers and ensuring it has the necessary and
effective instruments to carry out its regulatory functions.

The UK does not need a data breach notification law, says Government
(25.11.2008)
http://www.out-law.com//default.aspx?page=9619

Government announces new law for increased data sharing (25.11.2008)
http://www.out-law.com/page-9617

ICO to get powers to audit public bodies without consent (25.11.2008)
http://www.out-law.com/page-9618

The Information Commissioner's inspection powers and funding arrangements
under the Data Protection Act 1998 Summary of responses (24.11.2008)
http://www.justice.gov.uk/docs/information-commissioner-consultation-responses.pdf

Why we don't need a security breach notification law in the UK (19.05.2008)
http://www.out-law.com/page-9128

EDRi-gram: Data breach notification - different opinions in EU bodies ?
(19.11.2008)
http://www.edri.org/edri-gram/number6.22/data-breach-ec

============================================================
8. Parliaments seem to use very little IT technology
============================================================

The findings of the World e-Parliament Report 2008, produced by UNDESA and
the Inter-Parliamentary Union on the use of information and communication
technologies within 105 parliamentary assemblies from all over the world, were
presented on 25 November 2008 at the second high-level meeting of the Board
of the Global Centre for ICT in Parliament.

The Report is the first one of this kind and was meant to assess the level
to which information and communication technologies are used by parliaments
within their activities. It also used the information exchanged during the
World e-Parliament Conference 2007 and the publicly available information
related to the topic.

The purpose of the report was to help "legislatures evaluate the potential
benefits of ICT in supporting parliament's basic values of transparency,
accessibility, accountability and effectiveness, and, at the same time, its
representative, legislative and oversight functions. Its publication is
intended to establish a shared knowledge base among the parliaments of the
world and, most importantly, promote international dialogue on these
matters." The issues tackled by the report were: the relationship between
parliaments, ICT and the information society; innovation and leadership;
management, planning and resources; infrastructures and services;
documenting the legislative process; parliamentary websites; building a
knowledge base for parliament; enhancement of the dialogue between
parliaments and citizens and cooperation and coordination.

According to the report, only 10% of the parliaments from EU, Africa, Latin
America, Australia and Canada use ICT to make their activities known to
their citizens. "For most parliaments, our survey has documented that there
is a significant gap between what is possible with ICT and what has been
accomplished," said Jeffrey Griffith, one of the authors.

The study has shown that only 43% of the parliaments stated that they have
document management systems, and most of them find it difficult to keep their
websites up to date and accessible to the wider public. Even when the sites
displayed the texts of bills, they lacked links to the relevant information.

In most cases, but not in all, the level of the ICT use by a parliament
appears to be related to the level of the national income.

In Mr. Griffith's opinion, parliaments should adopt a model similar to the
Web 2.0 techniques used in the US presidential elections, but he also
considered that, in order to do so, strong political leadership, the active
engagement of MPs and well-trained technical staff were necessary. "Attaining a high level of
performance in the application of ICT is not only dependent on resources; it
also requires strong political leadership, active engagement of members, a
skilled secretariat, well-trained technical staff, and a sustained
commitment to the strategic implementation of information and communication
technologies in the legislative setting" says the World e-Parliament Report
2008.

During the EP conference, Mechthild Rothe, vice-president of the European
Parliament said that e-parliament strategies also had to guarantee a high
level of IT security concerning the privacy of the citizens' personal data.
She also gave a presentation of the ICT tools used by the European
Parliament, including RSS feeds, podcasts and online streams of plenary
sessions in 23 languages. This presentation came in contrast with the statements of
the representatives of the Egyptian Parliament and the Pan-African
Parliament who spoke of a "great digital divide" between the developed world
and African countries.

"There are technical and know-how obstacles in introducing ICT in the
parliaments of the developing world, marred by ignorance, poverty and wars,"
said Ahmed Fathy Sorour, speaker of the Egyptian Parliament who was backed
by Gertrude Mongella, President of the Pan-African Parliament. In her turn,
she talked about the lack of dialogue and parliamentary representation which
was one of the causes of conflicts such as the one presently going on in
Congo.

The survey also shows a willingness on the part of parliaments to improve
their use of ICT and their awareness of the importance of the issue.

The World e-Parliament Report 2008 also points out the "opportunities for
parliaments to benefit from cooperating at the regional and global levels in
the e-parliament domain. Existing and emerging parliamentary networks can
sustain some of these efforts, but a worldwide dialogue is becoming
increasingly essential. By offering coordinated support and training for
those parliaments with fewer resources, increasing the opportunities for
sharing expertise and software at a global level and providing greater
access to parliamentary information resources, parliaments will be better
positioned to fulfil citizens' legitimate expectations, achieve common goals
and advance the principles of the World Summit on the Information Society."

Parliaments are slow in going online, study shows (25.11.2008)
http://euobserver.com/843/27175/?rk=1

World e-Parliament Report 2008 - Executive summary
http://www.ictparliament.org/index.php?option=com_content&task=view&id=245

============================================================
9. Recommended Action
============================================================

Collective Redress: Commission seeks views on settling large scale consumer
complaints

The European Commission has published a Green Paper on Consumer Collective
Redress on how to facilitate redress in situations where large numbers of
consumers have been harmed by a single trader's practice which is in breach
of consumer law. Violations of consumer rules could include overcharging
consumers - through hidden charges or overbilling - misleading advertising
on websites, or failing to provide compulsory information on financial
products. These kinds of illegal practices, if they occur to a large number
of consumers, can cause considerable damage to consumers, generate unfair
competition and distort markets. The Green Paper identifies barriers to
effective consumer redress in terms of access, effectiveness and
affordability and presents various options to close the gaps identified. The
options set out in the Green Paper seek to ensure that consumers who are
victims of illegal commercial practices can get compensated for their
losses, while avoiding unfounded claims. Comments on the Green Paper can be
submitted until 1 March 2009.
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/1800&format=HTML&aged=0&language=EN&guiLanguage=en

The Green Paper on Consumer Collective Redress
http://ec.europa.eu/consumers/redress_cons/greenpaper_en.pdf

============================================================
10. Recommended Reading
============================================================

EDPS sees adoption of Data Protection Framework for police and judicial
cooperation only as a first step
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2008/EDPS-2008-11_DPFD_EN.pdf

The European Commission has published its report on the recent consultation
on the review of the PSI Directive.
http://ec.europa.eu/information_society/policy/psi/docs/pdfs/online_consultation/report_psi_online_consultaion_stakeholders.pdf
http://ec.europa.eu/information_society/policy/psi/online_consultation/review_Direct2008/stakeholders/index_en.htm

============================================================
11. Agenda
============================================================

3-6 December 2008, Hyderabad, India
Third Internet Governance Forum
http://www.intgovforum.org

6 December 2008, Berlin, Germany
Open Everything
http://openeverything.mixxt.de/

9-10 December 2008, Madrid, Spain
Future Internet Assembly
http://www.future-internet.eu/home/future-internet-assembly/madrid-dec-2008.html
http://www.fi-madrid.eu/

10 December 2008, Skopje, Macedonia
Fourth International Conference e-Society.Mk.
http://www.e-society.mk/

10-11 December 2008: Tilburg, Netherlands
Tilting perspectives on regulating technologies, Tilburg Institute for Law
and Technology and Society, Tilburg University
http://www.tilburguniversity.nl/tilt/conference

27-30 December 2008 Berlin, Germany
25C3: Nothing to hide
The 25th Chaos Communication Congress
http://events.ccc.de/congress/2008/

16-17 January 2009, Brussels, Belgium
Computers, Privacy & Data Protection conference
CPDP 2009: Data Protection in A Profiled World?
http://www.cpdpconferences.org/

23 January 2008, Geneva, Switzerland
Communia Workshop - Public Broadcasting and Alternative Licensing -
Co-organized by the European Broadcasting Union and the Research Center for
Information Law at the University of St. Gallen (FIR-HSG)
http://www.communia-project.eu/node/163

28 January 2009, Europe-wide
3rd Data Protection Day
http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Data_Protection_Day_default.asp

18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/

1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/

2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
Paper submission by 31 March 2009
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html

13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/

10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
First proposals to be submitted by 1 February 2009
http://www.ecpr.org.uk/potsdam/default.asp

============================================================
12. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram@...>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@...
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request@...
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram@...> if you have any problems with subscribing or
unsubscribing.

#199 From: Sarad AV <jtrjtrjtr2001@...>
Date: Fri Nov 21, 2008 1:24 pm
Subject: Fw: EDRi-gram newsletter - Number 6.22, 19 November 2008
============================================================

            EDRi-gram

biweekly newsletter about digital civil rights in Europe

     Number 6.22, 19 November 2008


============================================================
Contents
============================================================

1. Data breach notification - different opinions in EU bodies ?
2. The EDPS' opinion on the US-EU data exchange agreement
3. Foreign P2P software producers might be liable under the French law
4. Romania adopts data retention law
5. Big Brother Awards Czech Republic 2008
6. Google executives facing trial on video posted on YouTube
7. ENDitorial: An Overheated Debate on the Rights of the Visually Impaired
8. Recommended Action
9. Recommended Reading
10. Agenda
11. About

============================================================
1. Data breach notification - different opinions in EU bodies ?
============================================================

The amendments adopted on 24 September 2008 by the European Parliament (EP)
on the ePrivacy Directive include the obligation of information society
service providers to notify personal data related security breaches to the
national authorities. However, a recent proposal of the European Commission
seems to put the amendment back on the discussion list, referring only to
telecom operators for such an obligation.

Following the European Data Protection Supervisor's opinion on the ePrivacy
directive in April 2008 that suggested a mandatory security breach
notification from "providers of public electronic communication services in
public networks" but also from other actors, such as "providers of
information society services which process sensitive personal data
(e.g. online banks and insurers, on-line providers of health services,
etc.)", the MEP Alexander Alvaro included amendments on these aspects in
the report from the Standing Committee on Civil Liberties, Justice and Home
Affairs, backing up a procedure to inform users in case of security breaches
at service providers.

The amendments adopted by the European Parliament on 24 September 2008
include these additions to the text initially proposed by the Commission.

Amendments 187/rev and 184 now ask for an obligatory notification to the
national regulatory authority or the competent authority according to the
individual law of the respective Member State, of any personal data related
security breaches from any "provider of publicly available electronic
communications services, as well as any undertaking operating on the
internet and providing services to consumers, which is the data controller
and the provider of information society services."

Other amendments adopted by the EP (124 and 125) explain the procedure
following such notifications. Thus the competent authority will consider
and determine the seriousness of the breach and, if the breach is serious,
the provider will be obliged to send a notification to all persons that were
affected.

Even though it appears that the next Council of Telecoms Ministers will
agree to the EP position, the European Commission has changed the legislative
texts, as a compromise between the opinions of the European Parliament and
the European Council.

The new statements of the European Commission on data security are
intriguing, as they discuss security breaches only in the case of telecom
operators:

"The Commission reaffirms the need of telecoms operators to notify
regulators and the public about security breaches. The Commission reaffirms
that notifications must, as a matter of principle, be sent to the
individuals affected by them and that the notification procedure must remain
swift, simple and effective. In order to clarify, in an objective manner,
the cases where such notifications will be required, the Commission will,
under the new legislative text, give more detailed guidance as to the
circumstances of a breach that would trigger a notification."

Since there are as yet no official documents on the European Council
website regarding the next Council of Telecoms Ministers meeting on 27
November 2008, it is unclear whether there will be an attempt to disregard
the European Parliament's opinion in this respect. In any case, the EP will
have a second reading on the telecom package, which is scheduled for April 2009.

Telecoms Reform: Commission presents new legislative texts to pave the way
for compromise between Parliament and Council (7.11.2008)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/1661&format=HTML&aged=0&language=EN&guiLanguage=en

European Parliament legislative resolution on ePrivacy directive
(24.09.2008)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2008-0452+0+DOC+XML+V0//EN&language=EN

Documents for the Council of Telecoms Minister on 27 November 2008
http://register.consilium.europa.eu/servlet/driver?lang=EN&typ=Advanced&cmsid=639&ff_COTE_DOCUMENT=15106%2F08&ff_COTE_DOSSIER_INST=&ff_TITRE=&ff_FT_TEXT=&ff_SOUS_COTE_MATIERE=&dd_DATE_DOCUMENT=&dd_DATE_REUNION=&dd_FT_DATE=&fc=REGAISEN&srm=25&md=100&ssf=&rc=1&nr=1&page=Detail

EDRi-gram: ePrivacy Directive debated in the EP's Civil Liberties Committee
(2.07.2008)
http://www.edri.org/edrigram/number6.13/e-privacy-review-ep

EDRi-gram: EDPS endorses data breach notification provision in ePrivacy
Directive (23.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification

============================================================
2. The EDPS' opinion on the US-EU data exchange agreement
============================================================

On 11 November 2008, Peter Hustinx, the European Data Protection
Supervisor, commented on the report published on 26 June 2008 by the
EU-US High Level Contact Group (HLCG) on information sharing between the US
and the EU, and on privacy and personal data protection.

According to Hustinx, greater sharing of personal data between the
European Union and the US should be accompanied by guarantees that the
individuals whose data are exchanged may examine the exchange process and
correct any mistakes. He believes that the US and the EU should be allowed to
share individuals' personal data in criminal cases only if people can take
the authorities to court when they are wronged. "Strong redress mechanisms,
including administrative and judicial remedies, should be available to all
individuals, irrespective of their nationality," says the EDPS.

With this position, he agrees with the EU request for the right to take the
authorities to court regardless of nationality of the person whose data is
processed, something that the US did not agree with. Currently, the US
Privacy Act says that only US citizens and legal permanent residents can sue
the authorities and only after having exhausted all direct actions with the
government agencies before going to court.

The EDPS thinks that in the context in which the transatlantic exchange of
information will continue to grow and include other additional sectors where
personal data are being processed, "a dialogue on 'transatlantic law
enforcement' is at the same time welcome and sensitive. It is welcome in the
sense that it could give a clearer framework to the exchanges of data that
are or will be taking place. It is also sensitive since such a framework
could legitimise massive data transfers in a field - law enforcement - where
the impact on individuals is particularly serious, and where strict and
reliable safeguards and guarantees are all the more needed."

Hustinx also wants more interest groups to be involved in the discussion
between the interested parties as well as a greater involvement of the
European Parliament. He believes transparency is necessary during the future
debates as until now HLCG has been working behind closed doors.

He expressed his concern related to the increasing demands for international
transfers of data from private companies and third parties. "It appears from
this context that the request of enforcement authorities of third countries
for personal information is constantly widening, and that it also extends
from traditional government data bases to other types of files, in
particular files of data collected by the private sector.
As an important background element, the EDPS also recalls that the issue of
transfer of personal data to third countries in the framework of police and
judicial cooperation in criminal matters is addressed in the Council
Framework Decision on the protection of personal data processed in the
framework of police and judicial cooperation in criminal matters that is
likely to be adopted before the end of 2008."

Hustinx's office said the report should form the basis of a road map
towards a legally binding agreement, in a process that should not be hasty.

Opinion of the European Data Protection Supervisor on the Final Report by
the EU-US High Level Contact Group on information sharing and privacy and
personal data protection (11.11.2008)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2008/08-11-11_High_Level_Contact_Group_EN.pdf

EU Data Protection Supervisor seeks a roadmap for transatlantic data
protection (14.11.2008)
http://www.heise.de/english/newsticker/news/118902

EU privacy regulator says US must agree to data swap court action
(13.11.2008)
http://www.out-law.com//default.aspx?page=9593

============================================================
3. Foreign P2P software producers might be liable under the French law
============================================================

At the beginning of November 2008, a French court ruled that the US
companies that created p2p software can be sued in France according to
French laws.

The ruling refers to a case brought to court by the French music producers'
association - SPPF (Société de producteurs de phonogrammes françaises) - in
June 2007 against the open source software hub SourceForge with its hosted
project Shareaza and two other p2p software products, Vuze and Morpheus, to
which Limewire was added at the end of 2007.

On the basis of evidence provided by the French company Advestigo, the SPPF
accused the four defendants of copyright infringement, for files having
been exchanged illegally via the Internet by means of their software. The
SPPF bases its case on the so-called Vivendi amendment to the French
DADVSI law, which stipulates that "editing, making publicly available or
announcing to the public, knowingly or in any other way, software manifestly
meant to make available to unauthorised public protected works" could be
fined up to 300 000 Euro or punished with 3 years in prison. Until recently, the
case had been blocked, pending the court decision on jurisdiction, but now,
with the decision of the French court, the case can be pursued. In filing the
case, the SPPF asked for "the immediate interruption of the distribution
and operation of the respective software" and 3.7 million euro from
Morpheus and 16.6 million euro from Vuze.

One of the companies sued by the SPPF is actively working on obtaining licensing
agreements from content providers and has recently won a decision from the
US Federal Communications Commission which ordered the ISP Comcast to cease
hindering peer-to-peer activity.

The story of Sourceforge is even more concerning as the hub for open source
software is the place from where many small businesses that cannot afford to
buy software get open source software. This is a vital part of the software
industry, and even the software industry's own anti-piracy organisation, the
BSA accepts it. The music industry has a long history in fighting
Sourceforge's Shareaza, a project for the open source development of
software for end-users, which is managed by volunteer project leaders and
developers in Europe, Australia and the US.

P2P: the French offensive against the software (only in French, 7.11.2008)
http://www.ecrans.fr/P2P-L-offensive-francaise-contre,5616.html

Music producers get green light to sue Sourceforge, Vuze (12.11.2008)
http://www.iptegrity.com/index.php?option=com_content&task=view&id=200&Itemid=9

Record Labels to Sue Vuze, Limewire and SourceForge (10.05.2008)
http://torrentfreak.com/record-labels-to-sue-vuze-limewire-and-sourceforge-081114/

============================================================
4. Romania adopts data retention law
============================================================

Following the adoption of the draft law on data retention by the Chamber of
Deputies on 4 November 2008, the Romanian President made the final step
in adopting the law on 17 November.

From now on, it is just a matter of time until the law is published in
the Official Journal and enters into force (60 days from its
publication date). Internet-related data will be retained only from
15 March 2009.

The lack of any relevant debate in both chambers of the Parliament or
their committees was not surprising. It seems that all the parties involved
in adopting the law did so only because it was based on an EU directive and
the politicians saw no way to avoid it.

The Commission on Human Rights of the Chamber of Deputies gave a negative
vote to the law, but since its opinion was just consultative on this law, it
really didn't matter in the end. Also, its report contains just the negative
vote without any explanation on the matter.

The president of the IT Committee in the Chamber of Deputies, Mr. Pambuccian
has presented the draft law to the Chamber plenum as the implementation of
an "excessive directive", but obligatory according to the European law.

But there were not many changes after the Parliamentary debates to the
text submitted by the Government in February this year. The major change is
the reduction of the retention period from one year to 6 months. The retained
data can be accessed by prosecutors, with a proper judge-approved access
authorization, only in criminal cases related to organized crime and
terrorism, as limited by the express list provided in the definition of
serious crime.

The law does not provide for the reimbursement of the expenses incurred on
behalf of law enforcement, but a new provision specifies that any expense
incurred by electronic communication providers in applying this law is
fiscally deductible.

Article 20 still raises concerns giving the "state institutions with
attributions in the area of national security" access to the retained data
under the conditions established by the "national legislation" in this
domain. Since no express legislation is foreseen, this leaves an open door
for further regulation in "national security" cases.

The final draft still stipulates that an intentional access to the retained
data or its transfer without a proper authorization is a crime punished with
prison from one to 5 years.

Law 298/2008 on data retention (only in Romanian, 18.11.2008)
http://www.cdep.ro/proiecte/2008/400/30/9/pr439_08.pdf

Draft data retention law file at the Chamber of Deputies (only in Romanian)
http://www.cdep.ro/pls/proiecte/upl_pck.proiect?cam=2&idp=9455

6 months for traffic data retention (only in Romanian, 17.11.2008)
http://legi-internet.ro/blogs/index.php?title=6_luni_de_pastrare_a_datelor_de_trafic&more=1&c=1&tb=1&pb=1

EDRi-gram: Romanian Govt adopts Data retention law, but calls it inefficient
(27.02.2008)
http://www.edri.org/edrigram/number6.4/romania-data-retention

============================================================
5. Big Brother Awards Czech Republic 2008
============================================================

The fourth edition of Big Brother Awards was announced in the Czech Republic
in Prague on 14 November 2008. Under the direction of Czech EDRi-member
Iuridicum Remedium, seven worst perpetrators of the right to privacy were
awarded. The positive prize was granted to German Working Group on Data
Retention AK Vorrat.

The prizes were chosen by an expert jury from more than seventy nominations
submitted by the public. The jury members were Petr Krcmar (editor-in-chief,
Root.cz), Lenka Nejezchlebova (journalist, MF Dnes), Karel Neuwirth (Council
of Europe Data Protection Commissioner), Miroslav Ouzky (member of the
European Parliament), Radek Smolik (regional director, Symantec), Helena
Svatosova (Iuridicum Remedium) and Vaclav Vlk (lawyer).

The Municipal Council of the city of Prague received the prize for the Worst
Public Agency for the multifunctional chip card it introduced for public
transport earlier this year. Although the card is designed to replace all
currently available season tickets, it is available only after presentation
of an ID and a signed agreement for the processing of personal data. Along
with the plans to reintroduce electronic gates in the Prague underground, the
possibility to use public transport anonymously slowly diminishes.

The award in the category of the Greatest Corporate Invader was granted to
the AQUER.CZ for its products specifically aimed at devaluation of personal
privacy in terms of providing full software for complete monitoring of one's
computer activity.

Deutsche Telekom AG got the Lifetime Menace prize for the massive data loss
it incurred two years ago and willingly ignored until Der Spiegel proved the
data concerned were available for sale on the Internet. Until then, Deutsche
Telekom AG had not taken any steps to inform its customers about potential
threats that could have resulted from its failure to protect the customer's
data.

The USA government has again kept its position of the world leader in the
category of the Worst Snooper among Nations for setting bilateral agreements
on personal data transfers that were concluded between the governments of
USA and several EU member states in exchange for a visa waiver. The agreement
with the Czech government is kept under a secret regime and will not be
subjected to a democratic vote of the Parliament. It raises fears concerning
the quality, quantity, as well as protection of the data to be transferred.

The Electronic road-toll system provided by Kapsch AG for monitoring and
regulating the traffic on the country's highways won the prize in the
category of Dangerous New Technology. The original intention to use this
system to charge extra fees from transportation entrepreneurs will soon be
extended to include every car on the road. Although the Ministry of
Transportation claims that anonymity of transport is its priority, it has
provided neither guarantees nor any information how the anonymity will be
achieved.

In the category Big Brother's Precept of Law the award was given to the
European Commission for its proposal to introduce virtual strip search
cameras in European airports. The virtual strip search provides the airport
controllers with a detailed picture of the traveler's body construction, which
is in breach not only of the right to privacy but also of the fundamental
principles of human dignity.

Mr Rudolf Marek was awarded in the category Boot in the Mouth for the
statement in his article in the EURO magazine on spying called "Hon na
skodnou nebo paranoia?" (Chasing the Vermin or Paranoia?), which presents
the possibility of hidden spying on employees as normal and usual, although
it is strictly prohibited by law.

At the end, the organizers were pleased to award the group of privacy
advocates AK Vorrat the Positive Winston Smith prize for its unceasing
endeavor to remedy the critical situation in the field of personal data
protection and defense of the fundamental right to privacy not only within
the country of its origin, Germany, but within the whole of Europe. The recent
successes of AK Vorrat have proven that its strong mission can mobilize tens
of thousands of people who do not hesitate to take part in the process of
achieving the vision of the world we all share - a world where Big Brother
does not exist.

Big Brother Awards Czech Republic Official Web Site (only in Czech)
http://www.bigbrotherawards.cz/

Big Brother Awards Czech Republic 2007 (in English)
http://www.slidilove.cz/en/czech_big_brother_awards_2007

Root.cz (only in Czech)
http://www.root.cz/clanky/ceny-velkeho-bratra-nejvetsi-narusitele-soukromi/

Hospodarske noviny (only in Czech)
http://domaci.ihned.cz/c1-30334250-slidilem-roku-je-prazsky-magistrat-za-opencard

Czech TV (only in Czech)
http://www.ct24.cz/domaci/35915-anticeny-za-slideni-patri-opencard-nebo-americke-vlade/video/1/

(Contribution by EDRi-member Iuridicum Remedium - Czech Republic)

============================================================
6. Google executives facing trial on video posted on YouTube
============================================================

Four former and present Google executives, including Senior Vice President
David Drummond are waiting for the confirmation of the order issued by an
Italian prosecutor to stand trial for a video on a young man with Down
syndrome posted on YouTube in November 2006.

The case caused a lot of rumours in the public media in 2006 and it was already
estimated that the prosecutor's action would take a lot of time before
presenting the case in front of a judge. The Google executives are to appear
in a Milan court on 3 February 2009 facing charges of defamation and failure
to exercise control over personal data. The action is the result of the
investigation initiated on the basis of a complaint filed by Vividown, an
Italian advocacy group for people with Down syndrome, and the boy's father.

The video posted on the site in 2006, filmed with a mobile phone, was
showing an Italian youth with Down syndrome humiliated by four high school
students. Google removed the video immediately after having received a
complaint from the Italian Interior Ministry. The case was reported in 2006
in EDRi-gram, which underlined the fact that some important comments were
not taken into consideration such as "the responsibility of parents and
educators, the widespread deterioration of human and social values, the
warping of culture and behavior", as explained by EDRi-member ALCEI. As in
other cases, some people are using this opportunity to control free speech.

Google stated that the case could become a worrying precedent considering
the trial against its employees is not justified. Google had already said in
July 2008, when the case became public, that it would cooperate with the
prosecutors "to show that all Googlers under investigation have no
involvement in the Vividown case." A Google spokesman also stated: "We
believe that this proceeding is not about Google Video and what happened,
but about the internet as we know it - an open and free environment."

According to the EU legislation which is implemented into the Italian law,
hosting sites don't have to monitor third-party content, but are only
required to remove any content deemed offensive when notified about it. In
this case, however, Google was treated as an Internet content provider.

Google executives to face trial in Italy: sources (5.11.2008)
http://www.reuters.com/article/americasDealsNews/idUSTRE4A48VG20081105

Four Google Officials Likely to Stand Trial in Italy (6.11.2008)
http://www.pcworld.com/article/153411/

Google Sued Over Offensive Down Syndrome Video Clip | YouTube to Moderate
All Videos Uploaded? (26.07.2008)
http://www.webtvwire.com/google-sued-over-offensive-video-italian-executives-in-court-over-downs-syndrome-clip/

EDRi-gram: Google accused in Italy over shock video (6.12.2006)
http://www.edri.org/edrigram/number4.23/italy_google

The "Google case" in Italy: one more excuse for censorship and repression
(26.11.2006)
http://www.alcei.org/?p=25

============================================================
7. ENDitorial: An overheated debate on the rights of the visually impaired
============================================================

The agenda of the 17th Standing Committee on Copyright and Related Rights,
that took place between 3-7 November 2008 at the WIPO headquarters in
Geneva, included the following topics: the limitations and exceptions, the
protection of audiovisual performances and the protection of broadcasting
organizations. In particular, the rights of visually impaired persons were
in focus.

This article briefly presents the events of the last day, during which the
conclusions of the meeting were agreed among the Member States, based on
proposals prepared by the chairman Mr. Jukka Liedes. It concentrates
specifically on limitations and exceptions and the rights of the visually
impaired.

The title "Wrangling Over the Rights of the Blind" formulated by Sherwin Siy
of Public Knowledge, sums up well the discussions of the last day. The
discussions concerning the rights of the visually impaired during the
morning session were based on the following draft conclusion:

"The Committee acknowledged the special needs of visually impaired persons
and stressed the importance of dealing with without undue delay, those needs
of the blind, visually impaired, and other disabled persons. This should
include both analysis of limitations and exceptions and the possible
establishment of a stakeholders' platform at WIPO, through which
technological, contractual and other arrangements could be facilitated to
secure access for the disabled persons to protected works."

The formulation was close to the proposal given by IFRRO, the International
Federation of Reproduction Rights Organizations. The draft conclusion had no
reference to the proposal of World Blind Union (WBU). Both the limitations
and exceptions and the contractual arrangements (voluntary licensing)
between rights holders and visually impaired were mentioned. However, due to
the debate in the morning session, the chair prepared a new draft conclusion
during the lunch break. The new formulation was the following:

"The Committee acknowledged the special needs of visually impaired persons
and stressed the importance of dealing, expeditiously and with appropriate
deliberation, with those needs of the blind, visually impaired, and other
reading-disabled persons, including discussions at the national level on
possible ways and means facilitating and enhancing access to protected
works. This should include analysis of limitations and exceptions, including
their application to the international exchange of materials in accessible
formats. This should also include the possible establishment of a
stakeholders' platform at WIPO, in order to facilitate arrangements to
secure access for disabled persons to protected works. The SCCR took note of
the paper presented by the WBU and many delegations expressed interest in
further analyzing it."

Most importantly, the paper presented by WBU was mentioned and the following
two sentences were added:
"..., including discussions at the national level on possible ways and means
facilitating and enhancing access to protected works."
and
"..., including their application to the international exchange of materials
in accessible formats."

During the afternoon session, France, acting on behalf of the EU Member
States, suggested that the word "platform" be changed to the word "mechanism".
Nevertheless, the word platform remained in the final conclusions. Instead,
the word "expeditiously" was changed to the phrase "without delay" and
the phrase "to secure access" to "facilitate access". Those were still minor
things.

Then the real debate started. During the afternoon session, France required
the reference to the WBU proposal and the sentences "..., including discussions
at the national level on possible ways and means facilitating and enhancing
access to protected works" and "..., including their application to the
international exchange of materials in accessible formats" to be taken off.
Nevertheless, Pakistan (on behalf of Asian Member States), Algeria (on
behalf of African Member States), and other countries such as Brazil, pushed
the European Member States to accept many of the proposals. After much chopping
and changing, finally the reference to international exchange was left out and
the reference to the WBU proposal was slightly modified.

The final conclusions on the rights of the visually impaired were the
following:

"The Committee acknowledged the special needs of visually impaired persons
and stressed the importance of dealing, without delay and with appropriate
deliberation, with those needs of the blind, visually impaired, and other
reading disabled persons, including discussions at the national and
international level on possible ways and means facilitating and enhancing
access to protected works. This should include analysis of limitations and
exceptions. This should also include the possible establishment of a
stakeholders platform at WIPO, in order to facilitate arrangements to secure
access for disabled persons to protected works. A number of delegations
referred to a paper presented by the World Blind Union (WBU) and expressed
interest in further analyzing it."

As a European citizen I was mostly confused about what happened during the
afternoon session. It is not clear to me why France (on behalf of the
European Member States) opposed so aggressively the rights of the visually
impaired. James Love of KEI (James Love, 7 November 2008) wrote a
felicitous remark on the issue on the A2K-list:

"I will close with the comments from one delegation at the end of the
evening. The delegate, from a high income country, had been silent the
entire meeting, but is a country one expects to provide some moral
leadership. I said, 'why didn't you speak up? - this is a human rights
issue.' She said, 'this isn't the human rights commission, - this is WIPO.'
She wasn't being ironic or critical of WIPO. She thought it was natural that
the collection society would come first on this issue. That pretty much
summed things up."

On the WIPO websites one can find the following description under the
headline "What is WIPO?":

"The World Intellectual Property Organization (WIPO) is a specialized agency
of the United Nations. It is dedicated to developing a balanced and
accessible international intellectual property (IP) system, which rewards
creativity, stimulates innovation and contributes to economic development
while safeguarding the public interest."

One could think that the rights of the visually impaired could easily fit in
"a balanced and accessible (IP) system, which safeguards the public
interest". In some discussions with more experienced SCCR attendees I was
told that the starting point is always that the economic interests of rights
holders have to be safeguarded. It is worth considering whether there really
is a profitable market for works for the visually impaired. According to WBU
only 5 % of written works are accessible to the visually impaired. That could
also be seen as an indication that the market is not profitable enough. So,
if the answer to the aforementioned question is negative, there has to be
some other reason for the resistance of EU Member States to the rights of the
visually impaired.

There is currently a Green Paper from the European Commission on exceptions
available for comments (deadline: 30 November 2008). The rights of
disabled people are also covered by Directive 2001/29/EC on the
harmonisation of certain aspects of copyright and related rights in the
information society, which contains an exhaustive list of exceptions to
copyright protection.

The delegations debated on what was really said during the 17th SCCR Session.
It is good that the SCCR reached at least a consensus on what was discussed
during the meeting. That is a starting point for further work. It is also
good that the reference to the WBU treaty proposal remained, as it is a
truthful fact that "A number of delegations referred to a paper presented by
the World Blind Union (WBU) and expressed interest in further analyzing it."
Leaving the reference out could have been considered as a modification of
facts. It remains to be seen if consensus on the factual content can also be
reached at some point.

After all, the conclusions of SCCR 17 can be seen both from a positive and a
negative point of view. The interpretation finally relies on the Member
States. In a world of limited resources choices have to be made. The
broadcasting treaty will be maintained on the Agenda of the next session of
the SCCR. Let's hope that the work on limitations and exceptions will,
however, continue without (undue) delay or even expeditiously.

World Intellectual Property Organization, SCCR Seventeenth Session, Geneva
(5-7.11.2008)
http://www.wipo.int/edocs/mdocs/copyright/en/sccr_17/sccr_17_www_112533.pdf

Member States Review Key Copyright Issues (10.11.2008)
http://www.wipo.int/pressroom/en/articles/2008/article_0059.html

Unpacking the WIPO SCCR Limitations and Exceptions (to copyright) agenda
http://www.keionline.org/blogs/2008/11/11/unpacking-lne/

Wrangling Over the Rights of the Blind
http://www.publicknowledge.org/node/1874

GREEN PAPER - Copyright in the Knowledge Economy COM(2008) 466/3
http://ec.europa.eu/internal_market/copyright/docs/copyright-infso/greenpaper_en.pdf

What is WIPO ?
http://www.wipo.int/about-wipo/en/what/

(Contribution by Anniina Huttunen - doctoral student - Helsinki University
of Technology, EDRi representative at the WIPO SCCR meeting)

============================================================
8. Recommended Action
============================================================

Alternative Consultation on EU Justice and Home Affairs Policy
The European Commission has launched a public consultation on the future
priorities in the field of Justice and Home Affairs policy. The European
Civil Liberties Network has produced an alternative questionnaire to provoke
a more wide ranging debate about EU policy and practice.
http://www.ecln.org/index.html

============================================================
9. Recommended Reading
============================================================

Monica Horten - The French law on Creation and Internet - contracting for
surveillance
http://www.iptegrity.com/pdf/Monica.Horten.creation.internet.law.2.11.2008.pdf

Monica Horten - Packaging up copyright enforcement - how the Telecoms
Package slots in the framework for a European policy to restrict Internet
content
http://www.iptegrity.com/pdf/monica.horten.telecom.package.copyright.enforcement.091108.pdf

Economic damage of 3 strikes
http://www.lgi.com/pdf/080904Booz_english.pdf

Analysis of recent amendments to the Telecoms Package with particular
reference to warnings and sanctions related to alleged unlawful use of
communications networks
http://www.openrightsgroup.org/wp-content/uploads/tele_pkg_analysis_v41.pdf

============================================================
10. Agenda
============================================================

25-26 November 2008, Brussels, Belgium
World e-Parliament Conference 2008
http://www.ictparliament.org/worldeparliamentconference2008/

2 December 2008, Hyderabad, India
Global Internet Governance Academic Network (GigaNet)
Third Annual International Symposium
http://tinyurl.com/ynsuuf/

3-6 December 2008, Hyderabad, India
Third Internet Governance Forum
http://www.intgovforum.org

9-10 December 2008, Madrid, Spain
Future Internet Assembly
http://www.future-internet.eu/home/future-internet-assembly/madrid-dec-2008.html
http://www.fi-madrid.eu/

10 December 2008, Skopje, Macedonia
Fourth International Conference e-Society.Mk.
http://www.e-society.mk/

10-11 December 2008: Tilburg, Netherlands
Tilting perspectives on regulating technologies, Tilburg Institute for Law
and Technology and Society, Tilburg University
http://www.tilburguniversity.nl/tilt/conference

27-30 December 2008 Berlin, Germany
25C3: Nothing to hide
The 25th Chaos Communication Congress
http://events.ccc.de/congress/2008/

18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/

1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/

============================================================
11. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram@...>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@...
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request@...
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram@...> if you have any problems with subscribing or
unsubscribing.

#198 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Nov 17, 2008 5:31 pm
Subject: Fw: RFC 5387 on Problem and Applicability Statement for Better-Than-Nothing Security (BTNS)
jtrjtrjtr2001

From: "Eugen Leitl" <eugen@...>
To: cypherpunks@...

----- Forwarded message from rfc-editor@... -----

From: rfc-editor@...
Date: Fri, 14 Nov 2008 13:42:33 -0800 (PST)
To: ietf-announce@..., rfc-dist@...
Cc: btns@..., rfc-editor@...
Subject: [btns] RFC 5387 on Problem and Applicability Statement for
     Better-Than-Nothing Security (BTNS)


A new Request for Comments is now available in online RFC libraries.


         RFC 5387

         Title:      Problem and Applicability Statement for
                     Better-Than-Nothing Security (BTNS)
         Author:     J. Touch, D. Black, Y. Wang
         Status:     Informational
         Date:       November 2008
         Mailbox:    touch@...,
                     black_david@...,
                     yu-shun.wang@...
         Pages:      28
         Characters: 71707
         Updates/Obsoletes/SeeAlso:   None

         I-D Tag:    draft-ietf-btns-prob-and-applic-07.txt

         URL:        http://www.rfc-editor.org/rfc/rfc5387.txt

The Internet network security protocol suite, IPsec, requires
authentication, usually of network-layer entities, to enable access
control and provide security services.  This authentication can be
based on mechanisms such as pre-shared symmetric keys, certificates
with associated asymmetric keys, or the use of Kerberos (via
Kerberized Internet Negotiation of Keys (KINK)).  The need to deploy
authentication information and its associated identities can be a
significant obstacle to the use of IPsec.

This document explains the rationale for extending the Internet
network security protocol suite to enable use of IPsec security
services without authentication.  These extensions are intended to
protect communication, providing "better-than-nothing security"
(BTNS).  The extensions may be used on their own (this use is called
Stand-Alone BTNS, or SAB) or may be used to provide network-layer
security that can be authenticated by higher layers in the protocol
stack (this use is called Channel-Bound BTNS, or CBB).  The document
also explains situations for which use of SAB and/or CBB extensions
are applicable.  This memo provides information for the Internet community.

This document is a product of the Better-Than-Nothing Security Working Group of
the IETF.


INFORMATIONAL: This memo provides information for the Internet community.
It does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
   http://www.ietf.org/mailman/listinfo/ietf-announce
   http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html.
For downloading RFCs, see http://www.rfc-editor.org/rfc.html.

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@....  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
USC/Information Sciences Institute


_______________________________________________
btns mailing list
btns@...
https://www.ietf.org/mailman/listinfo/btns

----- End forwarded message -----

#197 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Nov 17, 2008 5:31 pm
Subject: Fw: [btns] RFC 5386 on Better-Than-Nothing Security: An Unauthenticated Mode of IPsec
jtrjtrjtr2001

From: "Eugen Leitl" <eugen@...>
To: cypherpunks@...

----- Forwarded message from rfc-editor@... -----

From: rfc-editor@...
Date: Fri, 14 Nov 2008 13:42:15 -0800 (PST)
To: ietf-announce@..., rfc-dist@...
Cc: btns@..., rfc-editor@...
Subject: [btns] RFC 5386 on Better-Than-Nothing Security: An Unauthenticated
     Mode of IPsec


A new Request for Comments is now available in online RFC libraries.


         RFC 5386

         Title:      Better-Than-Nothing Security: An Unauthenticated Mode
                     of IPsec
         Author:     N. Williams, M. Richardson
         Status:     Standards Track
         Date:       November 2008
         Mailbox:    Nicolas.Williams@...,
                     mcr@...
         Pages:      11
         Characters: 23103
         Updates/Obsoletes/SeeAlso:   None

         I-D Tag:    draft-ietf-btns-core-07.txt

         URL:        http://www.rfc-editor.org/rfc/rfc5386.txt

This document specifies how to use the Internet Key Exchange (IKE)
protocols, such as IKEv1 and IKEv2, to setup "unauthenticated"
security associations (SAs) for use with the IPsec Encapsulating
Security Payload (ESP) and the IPsec Authentication Header (AH).  No
changes to IKEv2 bits-on-the-wire are required, but Peer
Authorization Database (PAD) and Security Policy Database (SPD)
extensions are specified.  Unauthenticated IPsec is herein referred
to by its popular acronym, "BTNS" (Better-Than-Nothing Security).
[STANDARDS TRACK]

This document is a product of the Better-Than-Nothing Security Working Group of
the IETF.

This is now a Proposed Standard Protocol.

STANDARDS TRACK: This document specifies an Internet standards track
protocol for the Internet community,and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Internet
Official Protocol Standards (STD 1) for the standardization state and
status of this protocol.  Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
   http://www.ietf.org/mailman/listinfo/ietf-announce
   http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html.
For downloading RFCs, see http://www.rfc-editor.org/rfc.html.

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@....  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
USC/Information Sciences Institute


_______________________________________________
btns mailing list
btns@...
https://www.ietf.org/mailman/listinfo/btns

----- End forwarded message -----
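The two RFC announcements forwarded above (RFC 5387 and RFC 5386) distinguish Stand-Alone BTNS, where an IPsec SA is set up with no authentication of the peer at all, from Channel-Bound BTNS, where a higher layer authenticates the resulting channel afterwards. The Python model below is an added illustration of that distinction; it is not code from either RFC, from the BTNS working group or from the original posts. It uses an unauthenticated Diffie-Hellman exchange over a constructed toy group in place of IKE, a simplified channel-binding value (a hash of both public values) in place of the real binding definition, and a constructed application-layer shared secret; all three are assumptions of this example. It shows that the unauthenticated SA setup completes whether or not an on-path party has spliced the exchange, and that the channel-bound check fails exactly when the two ends' views of the channel differ.

```python
"""Toy model of Stand-Alone BTNS (SAB) versus Channel-Bound BTNS (CBB).

Added illustration only; this is not code from RFC 5386/5387 or their authors.
An unauthenticated Diffie-Hellman exchange over a constructed toy group stands in
for the IKE exchange that sets up an unauthenticated SA. The channel-binding
definition and the application-layer secret are assumptions made here.
"""
import hashlib
import hmac
import secrets

# Constructed toy group: 2**61 - 1 is prime, but far too small for real use.
P = 2**61 - 1
G = 3


class Peer:
    """One IPsec endpoint. Under BTNS its only identity is its public value."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2   # private exponent in [2, P-2]
        self.pub = pow(G, self.priv, P)            # public value, sent in the clear
        self.peer_pub = None
        self.sa_key = None

    def receive(self, peer_pub: int) -> None:
        """Accept whatever public value arrives: nothing authenticates its origin."""
        self.peer_pub = peer_pub
        shared = pow(peer_pub, self.priv, P)
        self.sa_key = hashlib.sha256(shared.to_bytes(8, "big")).digest()

    def channel_binding(self) -> bytes:
        """This peer's view of the SA: hash of both public values in canonical
        order (a simplified stand-in for a real channel-binding value)."""
        lo, hi = sorted((self.pub, self.peer_pub))
        return hashlib.sha256(lo.to_bytes(8, "big") + hi.to_bytes(8, "big")).digest()


def higher_layer_tag(app_secret: bytes, binding: bytes) -> bytes:
    """CBB: the application-layer authentication covers the channel binding."""
    return hmac.new(app_secret, binding, hashlib.sha256).digest()


def run_exchange(active_interposer: bool,
                 app_secret: bytes = b"constructed app-layer shared secret") -> dict:
    """Run one SA setup and report what SAB alone and CBB can observe."""
    alice, bob = Peer("alice"), Peer("bob")
    if active_interposer:
        # An on-path party substitutes its own public values and completes a
        # separate exchange with each side. SAB has no basis to reject this.
        m_to_alice, m_to_bob = Peer("m_to_alice"), Peer("m_to_bob")
        m_to_alice.receive(alice.pub)
        alice.receive(m_to_alice.pub)
        m_to_bob.receive(bob.pub)
        bob.receive(m_to_bob.pub)
        interposer_shares_alice_key = m_to_alice.sa_key == alice.sa_key
    else:
        alice.receive(bob.pub)
        bob.receive(alice.pub)
        interposer_shares_alice_key = False

    # Both sides always end up with an SA key: SAB "succeeds" either way.
    sab_completed = alice.sa_key is not None and bob.sa_key is not None

    # CBB: Alice authenticates her view of the channel; Bob checks it against
    # his own. A spliced channel gives them different bindings, so it fails.
    tag = higher_layer_tag(app_secret, alice.channel_binding())
    expected = higher_layer_tag(app_secret, bob.channel_binding())
    cbb_verified = hmac.compare_digest(tag, expected)

    return {
        "sab_completed": sab_completed,
        "keys_match": alice.sa_key == bob.sa_key,
        "interposer_shares_alice_key": interposer_shares_alice_key,
        "cbb_verified": cbb_verified,
    }


if __name__ == "__main__":
    for interposed in (False, True):
        label = "active interposer" if interposed else "direct exchange"
        print(label, run_exchange(interposed))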

#196 From: gauravaram praveen <pavi333@...>
Date: Mon Nov 17, 2008 9:17 am
Subject: Re: Fw: NATIONAL SEMINAR ON INFORMATION THEORY, DEC.9-10, 2008
pavi333

Thanks for sending the quote. It is a beautiful quote.

Dr. Praveen Gauravaram
Post-doc Research Fellow
Department of Mathematics
Technical University of Denmark
http://www2.mat.dtu.dk/people/uk.php?id=896
What you do either confirms or erases what you say.

--- On Mon, 11/17/08, Sarad AV <jtrjtrjtr2001@...> wrote:
From: Sarad AV <jtrjtrjtr2001@...>
Subject: [indocrypt] Fw: NATIONAL SEMINAR ON INFORMATION THEORY, DEC.9-10, 2008
To: indocrypt@yahoogroups.com
Date: Monday, November 17, 2008, 6:23 AM


Pl print and put it in the notice board. Also forward to your contacts. Thanks
vijayakumar

"DREAM IS NOT WHAT YOU SEE IN SLEEP,IS THE THING WHICH DOES NOT LET YOU
SLEEP"
DR.A.P.J ABDUL KALAM

Dr. Ambat Vijayakumar
Reader
Department of Mathematics
Cochin University of Science & Technology
Cochin-682 022
INDIA
Tel: 0484-2577518 (Work), 0484-2862464 (Work), 0484-2575288 (Home); cell:
09447608851
Email: ambatvijay@rediffmail.com; vambat@gmail.com
HOME PAGE:
http://maths.cusat.ac.in/vijay/



#195 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Nov 17, 2008 6:23 am
Subject: Fw: NATIONAL SEMINAR ON INFORMATION THEORY, DEC.9-10, 2008
jtrjtrjtr2001

Pl print and put it in the notice board. Also forward to your contacts. Thanks
vijayakumar

"DREAM IS NOT WHAT YOU SEE IN SLEEP,IS THE THING WHICH DOES NOT LET YOU
SLEEP"
DR.A.P.J ABDUL KALAM

Dr. Ambat Vijayakumar
Reader
Department of Mathematics
Cochin University of Science & Technology
Cochin-682 022
INDIA
Tel: 0484-2577518 (Work), 0484-2862464 (Work), 0484-2575288 (Home); cell:
09447608851
Email: ambatvijay@... ; vambat@...
HOME PAGE:
http://maths.cusat.ac.in/vijay/

#194 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Nov 17, 2008 6:21 am
Subject: CRYPTO-GRAM : November 15, 2008
jtrjtrjtr2001

CRYPTO-GRAM

               November 15, 2008

               by Bruce Schneier
       Chief Security Technology Officer, BT
              schneier@...
             http://www.schneier.com


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0811.html>.  These same essays appear in
the "Schneier on Security" blog: <http://www.schneier.com/blog>.  An RSS feed is
available.


** *** ***** ******* *********** *************

In this issue:
      The Skein Hash Function
      Me and the TSA
      News
      Quantum Cryptography
      The Economics of Spam
      Schneier/BT News
      The Psychology of Con Men
      Movie-Plot Threat: Terrorists Using Twitter
      Giving Out Replacement Hotel Room Keys
      P = NP?
      Comments from Readers


** *** ***** ******* *********** *************

      The Skein Hash Function



NIST is holding a competition to replace the SHA family of hash functions, which
have been increasingly under attack.

Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks,
Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). 
This is our executive summary:

"Skein is a new family of cryptographic hash functions.  Its design combines
speed, security, simplicity, and a great deal of flexibility in a modular
package that is easy to analyze.

"Skein is fast.  Skein-512 -- our primary proposal -- hashes data at 6.1 clock
cycles per byte on a 64-bit CPU.  This means that on a 3.1 GHz x64 Core 2 Duo
CPU, Skein hashes data at 500 MBytes/second per core -- almost twice as fast as
SHA-512 and three times faster than SHA-256.  An optional hash-tree mode speeds
up parallelizable implementations even more.  Skein is fast for short messages,
too; Skein-512 hashes short messages in about 1000 clock cycles.

"Skein is secure.  Its conservative design is based on the Threefish block
cipher.  Our current best attack on Threefish-512 is on 25 of 72 rounds, for a
safety factor of 2.9. For comparison, at a similar stage in the standardization
process, the AES encryption algorithm had an attack on 6 of 10 rounds, for a
safety factor of only 1.7. Additionally, Skein has a number of provably secure
properties, greatly increasing confidence in the algorithm.

"Skein is simple.  Using only three primitive operations, the Skein compression
function can be easily understood and remembered.  The rest of the algorithm is
a straightforward iteration of this function.

"Skein is flexible.  Skein is defined for three different internal state sizes
-- 256 bits, 512 bits, and 1024 bits -- and any output size.  This allows Skein
to be a drop-in replacement for the entire SHA family of hash functions.  A
completely optional and extendable argument system makes Skein an efficient tool
to use for a very large number of functions: a PRNG, a stream cipher, a key
derivation function, authentication without the overhead of HMAC, and a
personalization capability.  All these features can be implemented with very low
overhead.  Together with the Threefish large-block cipher at Skein's core, this
design provides a full set of symmetric cryptographic primitives suitable for
most modern applications.

"Skein is efficient on a variety of platforms, both hardware and software. 
Skein-512 can be implemented in about 200 bytes of state. Small devices, such as
8-bit smart cards, can implement Skein-256 using about 100 bytes of memory. 
Larger devices can implement the larger versions of Skein to achieve faster
speeds.

"Skein was designed by a team of highly experienced cryptographic experts from
academia and industry, with expertise in cryptography, security analysis,
software, chip design, and implementation of real-world cryptographic systems. 
This breadth of knowledge allowed them to create a balanced design that works
well in all environments."

NIST's deadline was the end of October.  It seems as if everyone -- including
many amateurs -- is working on a hash function.  I predicted that NIST would
receive at least 80 submissions; they actually received 64.  (Compare this to
the sixteen NIST submissions received for the AES competition in 1998.) 
Somewhat more than a third are public at this time.

The selection process will take around four years.  I've previously called this
sort of thing a cryptographic demolition derby -- last one left standing wins --
but that's only half true.  Certainly all the groups will spend the next couple
of years trying to cryptanalyze each other, but in the end there will be a bunch
of unbroken algorithms; NIST will select one based on performance and features.

NIST has stated that the goal of this process is not to choose the best standard
but to choose a good standard.  I think that's smart of them; in this process,
"best" is the enemy of "good."  My advice is this: immediately sort them based
on performance and features.  Ask the cryptographic community to focus its
attention on the top dozen, rather than spread its attention across all 64 --
although I also expect that many of the amateur submissions will be rejected by
NIST for not being "complete and proper."  Otherwise, people will break the easy
ones and the better ones will go unanalyzed.

Skein website:
http://www.schneier.com/skein.html
Source code is available on that site.

NIST's SHA-3 website:
http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

SHA-3 submissions (the 27 of them that are public so far):
http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo

News articles:
http://www.networkworld.com/news/2008/102708-crypto-hash-algorithm-competition.html or http://tinyurl.com/636snh
http://technocrat.net/d/2008/10/29/52952
http://www.techworld.com/security/news/index.cfm?newsid=106319&pagtype=all or
http://tinyurl.com/67odfz

Attacks against SHA-1:
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

My liveblogging of a previous NIST hash workshop:
http://www.schneier.com/blog/archives/2005/10/nist_hash_works_1.html


** *** ***** ******* *********** *************

      Me and the TSA



There was a great article from The Atlantic about me helping evade airport
security.  We printed fake boarding passes, explained how anyone on the no-fly
list could get through security, and brought on more liquids than should be
allowed.

Kip Hawley, head of the TSA, has responded to the article on his blog.

Unfortunately, there's not really anything to his response.  It's obvious he
doesn't want to admit that they've been checking ID's all this time to no
purpose whatsoever, so he just emits vague generalities like a frightened squid
filling the water with ink.  Yes, some of the stunts in the article are silly (who
cares if people fly with Hezbollah T-shirts?) so that gives him an opportunity
to minimize the real issues.

Hawley says: "Watch-lists and identity checks are important and effective
security measures. We identify dozens of terrorist-related individuals a week
and stop No-Flys regularly with our watch-list process."

It is simply impossible that the TSA catches dozens of terrorists every week. If
it were true, the administration would be trumpeting this all over the press --
it would be an amazing success story in their war on terrorism.  But note that
Hawley doesn't exactly say that; he calls them "terrorist-related individuals." 
Which means exactly what?  People so dangerous they can't be allowed to fly for
any reason, yet so innocent they can't be arrested -- even under the provisions
of the Patriot Act.

And if Secretary Chertoff is telling the truth when he says that there are only
2,500 people on the no-fly list and fewer than 16,000 people on the selectee
list -- they're the ones that get extra screening -- and that most of them live
outside the U.S., then it is just plain impossible that the TSA identifies
"dozens" of these people every week.  The math just doesn't make sense.

And I also don't believe this:  "Behavior detection works and we have 2,000
trained officers at airports today. They alert us to people who may pose a
threat but who may also have items that could elude other layers of physical
security."

It does work, but I don't see the TSA doing it properly.  (Fly El Al if you want
to see it done properly.)  But what I think Hawley is doing is engaging in a
little bit of psychological manipulation.  Like sky marshals, the real benefit
of behavior detection isn't whether or not you do it but whether or not the bad
guys *believe* you're doing it.  If they think you are doing behavior detection
at security checkpoints, or have sky marshals on every airplane, then you don't
actually have to do it.  It's the threat that's the deterrent, not the actual
security system.

This doesn't impress me, either:  "Items carried on the person, be they a 'beer
belly' or concealed objects in very private areas, are why we are buying over
100 whole body imagers in upcoming months and will deploy more over time. In the
meantime, we use hand-held devices that detect hydrogen peroxide and other
explosives compounds as well as targeted pat-downs that require private
screening."

Optional security measures don't work, because the bad guys will opt not to use
them.  It's like those air-puff machines at some airports now. They're probably
great at detecting explosive residue off clothing, but every time I have seen
the machines in operation, the passengers have the option whether to go through
the lane with them or another lane. What possible good is that?

The closest thing to a real response from Hawley is that the terrorists might
get caught stealing credit cards.  "Using stolen credit cards and false
documents as a way to get around watch-lists makes the point that forcing
terrorists to use increasingly risky tactics has its own security value."

He's right about that.  And, truth be told, that was my sloppiest answer during
the original interview.  Thinking about it afterwards, it's far more likely
that someone with a clean record and a legal credit card will buy the various
plane tickets.

This is new:  "Boarding pass scanners and encryption are being tested in eight
airports now and more will be coming."

Ignoring for a moment that "eight airports" nonsense -- unless you do it at
every airport, the bad guys will choose the airport where you don't do it to
launch their attack -- this is an excellent idea.  The reason my attack works,
the reason I can get through TSA checkpoints with a fake boarding pass, is that
the TSA never confirms that the information on the boarding pass matches a
legitimate reservation.  If all TSA checkpoints had boarding pass scanners that
connected to the airlines' computers, this attack would not work. 
(Interestingly enough, I noticed exactly this system at the Dublin airport
earlier this month.)

And finally:  "Stopping the 'James Bond' terrorist is truly a team effort and I
whole-heartedly agree that the best way to stop those attacks is with
intelligence and law enforcement working together."

This isn't about "Stopping the 'James Bond' terrorist," it's about stopping
terrorism.  And if all this focus on airports, even assuming it starts working,
shifts the terrorists to other targets, we haven't gotten a whole lot of
security for our money.

Atlantic article:
http://www.theatlantic.com/doc/200811/airport-security

Hawley response:
http://www.tsa.gov/blog/2008/10/tsas-take-on-atlantic-article.html

Chertoff on the no-fly list:
http://www.cnn.com/2008/TRAVEL/10/22/no.fly.lists/index.html

Hawley responds to my comments in my blog.  Yes, it's really him.
http://www.schneier.com/blog/archives/2008/10/kip_hawley_resp.html#c321445 or
http://tinyurl.com/6692n5

My interview with Hawley from last year:
http://www.schneier.com/interview-hawley.html

In other news, Kip Hawley says that the TSA may loosen size restrictions on
liquids.  You'll still have to take them out of your bag, but they can be larger
than three ounces.  The reasons -- so he states -- are that technologies are
getting better, not that the threat is reduced.
http://www.tsa.gov/blog/2008/10/path-forward-on-liquids.html
I'm skeptical, of course.  But read his post; it's interesting.

The Atlantic is holding a contest, based on Hawley's comment that the TSA is
basically there to catch stupid terrorists:  "And so, a contest: How would the
Hawley Principle of Federally-Endorsed Mediocrity apply to other government
endeavors?"
http://jeffreygoldberg.theatlantic.com/archives/2008/10/new_contest_can_you_outlame_th.php or http://tinyurl.com/6e5t7w
Not the same as my movie-plot threat contest, but fun all the same.

And lastly, what would the TSA make of this?
http://www.boingboing.net/2008/10/24/chanel-gun-heel.html


** *** ***** ******* *********** *************

      News


From the LEET '08 conference:  "Designing and implementing malicious hardware,"
by Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and
Yuanyuan Zhou.
http://www.usenix.org/event/leet08/tech/full_papers/king/king.pdf

Taser-proof clothing:
http://technology.newscientist.com/article/mg19626296.400

Warning poster: "In Case of Terrorist Attack, Do Not Discard Brain."
http://miscellanea.wellingtongrey.net/2008/10/12/warning-in-case-of-terrorist-attack-do-not-discard-brain/ or http://tinyurl.com/5nfqfy

While I am strongly opposed to a national ID, I have consistently said that
giving strongly secured ID cards to groups like port workers is a good idea.
http://www.boston.com/news/local/massachusetts/articles/2008/10/06/high_tech_id_cards_rolling_out_at_ports/?rss_id=Boston.com+--+Massachusetts+news or
http://tinyurl.com/5tnznb
Me on national ID cards:
http://www.schneier.com/testimony-realid.html

In northern British Columbia, there were two pipeline bombings.  I found this
quote heartening: "Investigators are treating the explosions as acts of
vandalism, not terrorism, Shields said.  'Under the Criminal Code, it would be
characterized as mischief, which is an intentional vandalism. We don't want to
characterize this as terrorism. They were very isolated locations and there
would seem there was no intent to hurt people,' he said."
http://www.cbc.ca/canada/british-columbia/story/2008/10/16/bc-second-pipeline-explosion-dawson-creek.html or http://tinyurl.com/6dk6zm

On the other hand, in Philadelphia, a subway car design was criticized because
people can see out the front.  And, um, terrorists will be able to see out the
front too, and we all know how dangerous terrorists are.
http://www.philly.com/inquirer/local/pa/chester/20081017_SEPTA_engineers_dislike_new_cars__cabs.html or http://tinyurl.com/6hy5h7
Seems like the engineers have another agenda -- the cabs in the new trains are
too small -- and they're just using security as an excuse:
http://septawatch.blogspot.com/2008/10/septa-engineers-dont-want-new.html or
http://tinyurl.com/5ef8tc

And there's still considerable terrorist fear mongering in the UK:
http://news.bbc.co.uk/1/hi/uk_politics/7674775.stm

Fear-inducing story of terrorists hiding their communications in child porn
pictures.
http://www.telegraph.co.uk/news/uknews/3215115/Terrorists-use-child-porn-to-exchange-information.html or http://tinyurl.com/6avucs
http://www.timesonline.co.uk/tol/news/uk/crime/article4959002.ece
http://www.foxnews.com/story/0,2933,439641,00.html
Terrorists and strangers preying on our children are two of the things that
cause the most fear in people.  Put them together, and there's no limit to what
sorts of laws you can get passed.  Comment from my blog: "Why would terrorists
hide incriminating messages inside incriminating photographs? That would be like
drug smugglers hiding kilos of cocaine in bales of marijuana."
http://www.schneier.com/blog/archives/2008/10/terrorists_and_2.html#c319818 or
http://tinyurl.com/5rwjvy

Remotely eavesdropping on keyboards, from 30 feet away in another room:
http://www.theregister.co.uk/2008/10/20/keyboard_sniffing_attack/
http://news.bbc.co.uk/2/hi/technology/7681534.stm
http://lasecwww.epfl.ch/keyboard/

ANSI Cyberrisk Calculation Guide
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211600785 or http://tinyurl.com/5enqj6
http://webstore.ansi.org/cybersecurity.aspx

I generally avoid commenting on election politics -- that's not what Crypto-Gram
is about -- but this comment by Barack Obama on security and trade-offs is worth
discussing:
http://www.schneier.com/blog/archives/2008/10/barak_obama_dis.html

Cryptographers have long joked about rubber-hose cryptanalysis: basically,
beating the keys out of someone.  Seems that this might have actually happened
in Turkey:
http://news.cnet.com/8301-13739_3-10069776-46.html

Chilling story of a death-row inmate with a contraband cell phone.
http://www.statesman.com/news/content/news/stories/local/10/21/1021deathrow.html
or http://tinyurl.com/5vsagj
If we can't keep contraband out of prisons, how can we possibly hope to keep it
out of airports?

This is a story of how smart people can be neutralized through stupid
procedures.
http://consumerist.com/5069018/how-outsourced-call-centers-are-costing-millions-in-identity-theft or http://tinyurl.com/59p6ww

It's not a new scam to switch bar codes and buy merchandise for a lower value,
but how do you get away with over $1M worth of merchandise with this scam?  That
requires a lot of really clueless checkout clerks.
http://www.daytondailynews.com/n/content/oh/story/news/local/2008/10/24/ddn102408tidwellweb.html?imw=Y or http://tinyurl.com/696xy7

Video of talk on barcode hacks:
http://video.google.com/videoplay?docid=-5716320056489246991&hl=en

Keeping America safe from terrorism by monitoring distillery webcams: a bizarre
story that ended up being rather mundane.
http://www.schneier.com/blog/archives/2008/10/keeping_america.html

"A Look at Terrorist Behavior: How They Prepare, Where They Strike," by Brent
Smith, National Institute of Justice Journal, No. 260, 2008.
http://www.ncjrs.gov/pdffiles1/nij/222900.pdf

How Terrorist Groups End: Lessons for Countering al Qa'ida, by Seth G. Jones and
Martin C. Libicki, RAND Corporation, 2008.
http://www.rand.org/pubs/monographs/2008/RAND_MG741-1.pdf

Duplicating keys from photographs:
http://www.physorg.com/news144519246.html
http://vision.ucsd.edu/~blaxton/pagePapers/laxton_wang_savage_ccs2008.pdf or
http://tinyurl.com/5nvru9

A U.S. court ruled that hashing equals searching.  Good, and interesting,
ruling.
http://www.schneier.com/blog/archives/2008/11/us_court_rules.html

India has experienced an ill effect of banning security research. Terrorists
have figured out how to clone cell phone SIM cards.  The good guys didn't know
this was possible, because they can't do the research:  "The experts said no one
has actually done any research on SIM card cloning because the activity is
illegal in the country."
http://timesofindia.indiatimes.com/PDATOI/pdaarticleshow/3670337.cms
If the good guys can't even participate, the bad guys will always win.

More anti-terror law mission creep in the U.K.  The laws are being used to catch
people putting trash cans out on the wrong day.
http://scotlandonsunday.scotsman.com/scotland/Town-halls-resort-to-spy.3906463.jp or http://tinyurl.com/64wmh2
http://www.dailymail.co.uk/news/article-1082225/March-dustbin-Stasi-Half-councils-use-anti-terror-laws-watch-people-putting-rubbish-wrong-day.html?ITO=1490 or
http://tinyurl.com/5aw4qg

Aspidistra, a fascinating story of a man-in-the-middle attack using radio from
World War II.
http://en.wikipedia.org/wiki/Aspidistra_(transmitter)
http://www.schneier.com/blog/archives/2008/11/aspidistra.html

WPA Cracked:
http://arstechnica.com/articles/paedia/wpa-cracked.ars/1
http://dl.aircrack-ng.org/breakingwepandwpa.pdf
http://isc.sans.org/diary.html?storyid=5300&rss
http://gizmodo.com/5078317/wpa-wi+fi-security-gets-cracked-your-network-is-no-longer-secure or http://tinyurl.com/5qc26g
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119258 or http://tinyurl.com/56rzgr
http://www.heise-online.co.uk/news/WPA-alleged-to-be-crackable-in-less-than-15-minutes--/111906 or http://tinyurl.com/6o63ko

Censorship in Dubai is transparent, and includes an appeals process:
http://www.schneier.com/blog/archives/2008/11/censorship_in_d.html

Reading a letter from the envelope it was in:
http://www.physorg.com/news145517878.html

Using the incremental update feature of PDF files to watch a malware author
create his exploit:
http://blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/ or http://tinyurl.com/684s8t

Reducing the risk of human extinction:
http://www.upmc-biosecurity.org/website/resources/publications/2007_orig-articles/2007-10-15-reducingrisk.html or http://tinyurl.com/675nkm


** *** ***** ******* *********** *************

      Quantum Cryptography



Quantum cryptography is back in the news, and the basic idea is still
unbelievably cool, in theory, and nearly useless in real life.

The idea behind quantum crypto is that two people communicating using a quantum
channel can be absolutely sure no one is eavesdropping. Heisenberg's uncertainty
principle requires anyone measuring a quantum system to disturb it, and that
disturbance alerts legitimate users as to the eavesdropper's presence.  No
disturbance, no eavesdropper -- period.

This month we've seen reports on a new working quantum key-distribution network
in Vienna, and a new quantum key-distribution technique out of Britain. Great
stuff, but headlines like the BBC's "'Unbreakable' encryption unveiled" are a
bit much.

The basic science behind quantum crypto was developed, and prototypes built, in
the early 1980s by Charles Bennett and Gilles Brassard, and there have been
steady advances in engineering since then. I describe basically how it all works
in Applied Cryptography, 2nd Edition (pages 554-557). At least one company
already sells quantum-key distribution products.

Note that this is totally separate from quantum computing, which also has
implications for cryptography. Several groups are working on designing and
building a quantum computer, which is fundamentally different from a classical
computer. If one were built -- and we're talking science fiction here -- then it
could factor numbers and solve discrete-logarithm problems very quickly. In
other words, it could break all of our commonly used public-key algorithms. For
symmetric cryptography it's not that dire: A quantum computer would effectively
halve the key length, so that a 256-bit key would be only as secure as a 128-bit
key today. Pretty serious stuff, but years away from being practical. I think
the best quantum computer today can factor the number 15.

While I like the science of quantum cryptography -- my undergraduate degree was
in physics -- I don't see any commercial value in it. I don't believe it solves
any security problem that needs solving. I don't believe that it's worth paying
for, and I can't imagine anyone but a few technophiles buying and deploying it.
Systems that use it don't magically become unbreakable, because the quantum part
doesn't address the weak points of the system.

Security is a chain; it's as strong as the weakest link. Mathematical
cryptography, as bad as it sometimes is, is the strongest link in most security
chains. Our symmetric and public-key algorithms are pretty good, even though
they're not based on much rigorous mathematical theory. The real problems are
elsewhere: computer security, network security, user interface and so on.

Cryptography is the one area of security that we can get right. We already have
good encryption algorithms, good authentication algorithms and good
key-agreement protocols.  Maybe quantum cryptography can make that link
stronger, but why would anyone bother? There are far more serious security
problems to worry about, and it makes much more sense to spend effort securing
those.

As I've often said, it's like defending yourself against an approaching attacker
by putting a huge stake in the ground. It's useless to argue about whether the
stake should be 50 feet tall or 100 feet tall, because either way, the attacker
is going to go around it. Even quantum cryptography doesn't "solve" all of
cryptography: The keys are exchanged with photons, but a conventional
mathematical algorithm takes over for the actual encryption.

I'm always in favor of security research, and I have enjoyed following the
developments in quantum cryptography. But as a product, it has no future. It's
not that quantum cryptography might be insecure; it's that cryptography is
already sufficiently secure.

News:
http://news.bbc.co.uk/2/hi/science/nature/7661311.stm
http://news.cnet.com/8301-1009_3-10064219-83.html?part=rss&subj=news&tag=2547-1_3-0-5 or http://tinyurl.com/4bzpwb
http://www.theregister.co.uk/2008/10/09/quantum_crypto_turbo_charged/

Quantum cryptography bibliography:
http://www.cs.mcgill.ca/~crepeau/CRYPTO/Biblio-QC.html

Commercialization:
http://www.magiqtech.com/

Quantum computing:
http://en.wikipedia.org/wiki/Quantum_computer

More commentary on news articles here:
http://www.schneier.com/blog/archives/2008/10/quantum_cryptog.html

This essay previously appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/10/securitymatters_1016 or http://tinyurl.com/4beb94


** *** ***** ******* *********** *************

      The Economics of Spam



Researchers infiltrated the Storm worm and monitored its doings.

"After 26 days, and almost 350 million e-mail messages, only 28 sales resulted
-- a conversion rate of well under 0.00001%. Of these, all but one were for
male-enhancement products and the average purchase price was close to $100.
Taken together, these conversions would have resulted in revenues of $2,731.88
-- a bit over $100 a day for the measurement period or $140 per day for periods
when the campaign was active. However, our study interposed on only a small
fraction of the overall Storm network -- we estimate roughly 1.5 percent based
on the fraction of worker bots we proxy. Thus, the total daily revenue
attributable to Storm's pharmacy campaign is likely closer to $7000 (or $9500
during periods of campaign activity). By the same logic, we estimate that Storm
self-propagation campaigns can produce between 3500 and 8500 new bots per day.

"Under the assumption that our measurements are representative over time (an
admittedly dangerous assumption when dealing with such small samples), we can
extrapolate that, were it sent continuously at the same rate, Storm-generated
pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a
year. This number could be even higher if spam-advertised pharmacies experience
repeat business. A bit less than "millions of dollars every day," but certainly
a healthy enterprise."

Of course, the authors point out that it's dangerous to make these sorts of
generalizations:  "We would be the first to admit that these results represent a
single data point and are not necessarily representative of spam as a whole.
Different campaigns, using different tactics and marketing different products
will undoubtedly produce different outcomes. Indeed, we caution strongly against
researchers using the conversion rates we have measured for these Storm-based
campaigns to justify assumptions in any other context."

Spam is all about economics.  When sending junk mail costs a dollar in paper,
list rental, and postage, a marketer needs a reasonable conversion rate to make
the campaign worthwhile.  When sending junk mail is almost free, a one in ten
million conversion rate is acceptable.

http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf
http://voices.washingtonpost.com/securityfix/2008/11/study_spam_still_profitable_at.html or http://tinyurl.com/5flska
http://www.theregister.co.uk/2008/11/10/storm_botnet_spam_economics/


** *** ***** ******* *********** *************

      Schneier/BT News

Book review of "Schneier on Security":
http://books.slashdot.org/article.pl?sid=08/10/20/1344203

Schneier interview from Dr. Dobb's Journal.
http://www.ddj.com/security/210605067
Way back before the first edition of Applied Cryptography, Dr. Dobb's Journal
published my first writings about cryptography.

Schneier interview from Datamation:
http://itmanagement.earthweb.com/secu/article.php/3784506/Bruce+Schneier:+Securing+Your+PC+and+Your+Privacy.htm or http://tinyurl.com/5at67q

Schneier audio interview about my talk at the RSA Conference in London last
month:
https://365.rsaconference.com/blogs/podcast_series_rsa_conference_europe_2008/2008/10/26/session-preview-with-bruce-schneier or http://tinyurl.com/5faqps

An article of mine on choosing good passwords appeared in the Guardian.
http://www.guardian.co.uk/technology/2008/nov/13/internet-passwords
http://www.hindu.com/thehindu/holnus/008200811130924.htm
Nothing I haven't said before.


** *** ***** ******* *********** *************

      The Psychology of Con Men



Great story:  "My all-time favourite [short con] only makes the con artist a few
dollars every time he does it, but I absolutely love it. These guys used to go
door-to-door in the 1970s selling lightbulbs and they would offer to replace
every single lightbulb in your house, so all your old lightbulbs would be
replaced with a brand new lightbulb, and it would cost you, say $5, so a
fraction of the cost of what new lightbulbs would cost. So the man comes in, he
replaces each lightbulb, every single one in the house, and does it, you can
check, and they all work, and then he takes all the lightbulbs that he's just
taken from the person's house, goes next door and then sells them the same
lightbulbs again. So it's really just moving lightbulbs from one house to
another and charging people a fee to do it."

http://www.abc.net.au/rn/lawreport/stories/2008/2376933.htm


** *** ***** ******* *********** *************

      Movie-Plot Threat: Terrorists Using Twitter



The notion that it is somehow worrisome that terrorists might use Twitter is
ridiculous.  Of course the bad guys will use all the communications tools
available to the rest of us. They have to communicate, after all.  They'll also
use cars, water faucets, and all-you-can-eat buffet lunches.  So what?

This commentary is dead on:  "Steven Aftergood, a veteran intelligence analyst
at the Federation of the American Scientists, doesn't dismiss the Army
presentation out of hand. But nor does he think it's tackling a terribly
serious threat. 'Red-teaming exercises to anticipate adversary operations are
fundamental. But they need to be informed by a sense of what's realistic and
important and what's not,' he tells Danger Room. 'If we have time to worry about
'Twitter threats' then we're in good shape. I mean, it's important to keep some
sense of proportion.'"

http://www.computerweekly.com/Articles/2008/10/28/232944/terrorists-could-use-twitter-for-attacks-says-us-intelligence.htm or http://tinyurl.com/6nuglt
http://www.fas.org/irp/eprint/mobile.pdf
http://www.fas.org/blog/secrecy/2008/10/twitter.html
http://blog.wired.com/defense/2008/10/terrorist-cell.html


** *** ***** ******* *********** *************

      Giving Out Replacement Hotel Room Keys



It's a tough security trade-off.  Guests lose their hotel room keys, and the
hotel staff needs to be accommodating.  But at the same time, they can't be
giving out hotel room keys to anyone claiming to have lost one.  Generally,
hotels ask to see some ID before giving out a replacement key and, if the guest
doesn't have his wallet with him, have someone walk to the room with the key and
check their ID.

This normally works pretty well, but there's a court case in Brisbane right now
about a hotel giving a room key to someone who ended up sexually attacking the
woman who had rented the room.  "In civil action launched yesterday, the woman
alleges the man was given the spare access key to her room by a hotel staffer."

The article doesn't say what kind of authentication the hotel requested or
received.

http://www.brisbanetimes.com.au/news/queensland/room-key-given-to-rapist-hotel-guest/2008/10/29/1224956099579.html or http://tinyurl.com/6gkzda


** *** ***** ******* *********** *************

      P = NP?



People have been sending me a paper that "proves" that P != NP.  These sorts of
papers make the rounds regularly, and my advice is to not pay attention to any
of them.   G.J. keeps a list of these papers -- he has 43 so far -- and points
out:  "The following paragraphs list many papers that try to contribute to the
P-versus-NP question. Among all these papers, there is only a single paper that
has appeared in a peer-reviewed journal, that has thoroughly been verified by
the experts in the area, and whose correctness is accepted by the general
research community: The paper by Mihalis Yannakakis. (And this paper does not
settle the P-versus-NP question, but 'just' shows that a certain approach to
settling this question will never work out.)"

Of course, there's a million-dollar prize for resolving the question -- so
expect the flawed proofs to continue.

The latest paper:
http://arxiv.org/abs/0810.5056

Woeginger's list:
http://www.win.tue.nl/~gwoegi/P-versus-NP.htm

The Millennium Prize:
http://www.claymath.org/millennium/


** *** ***** ******* *********** *************

Comments from Readers



There are hundreds of comments -- many of them interesting -- on these topics on
my blog. Search for the story you want to comment on, and join in.

http://www.schneier.com/blog


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security: computer and otherwise.  You
can subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>.  Back issues are also available at
that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable.  Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the best
sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.  He is
the Chief Security Technology Officer of BT (BT acquired Counterpane in 2006),
and is on the Board of Directors of the Electronic Privacy Information Center
(EPIC).  He is a frequent writer and lecturer on security topics.  See
<http://www.schneier.com>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not necessarily
those of BT.

Copyright (c) 2008 by Bruce Schneier.

#193 From: Sarad AV <jtrjtrjtr2001@...>
Date: Thu Oct 30, 2008 11:03 am
Subject: Fw: Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses
http://packetstormsecurity.org/papers/attack/icd-study.pdf

Abstract—Our study analyzes the security and privacy properties
of an implantable cardioverter defibrillator (ICD). Introduced
to the U.S. market in 2003, this model of ICD includes
pacemaker technology and is designed to communicate wirelessly
with a nearby external programmer in the 175 kHz frequency
range. After partially reverse-engineering the ICD’s communications
protocol with an oscilloscope and a software radio, we
implemented several software radio-based attacks that could
compromise patient safety and patient privacy. Motivated by
our desire to improve patient safety, and mindful of conventional
trade-offs between security and power consumption for resource-constrained
devices, we introduce three new zero-power defenses
based on RF power harvesting. Two of these defenses are human-centric,
bringing patients into the loop with respect to the security
and privacy of their implantable medical devices (IMDs). Our
contributions provide a scientific baseline for understanding the
potential security and privacy risks of current and future IMDs,
and introduce human-perceptible and zero-power mitigation
techniques that address those risks. To the best of our knowledge,
this paper is the first in our community to use general-purpose
software radios to analyze and attack previously unknown radio
communications protocols.

#192 From: Sarad AV <jtrjtrjtr2001@...>
Date: Thu Oct 23, 2008 4:46 am
Subject: Fw: EDRi-gram - Number 6.20, 22 October 2008
============================================================

            EDRI-gram

biweekly newsletter about digital civil rights in Europe

     Number 6.20, 22 October 2008


============================================================
Contents
============================================================

1. Some amendments of the EP voted Telecom package still worrying
2. The PNR scheme entirely changed by the European Council
3. International Action Day "Freedom not Fear" - 11.10.2008
4. Freedom not Fear Prague: Do It Yourself Carnival burst in the city center
5. New Dutch Notice-and-Take-Down Code Raises Questions
6. Protests in France against the Edvige file on St. Edwige day
7. German court says ISPs do not violate the law by storing IP addresses
8. British court: people are bound to reveal computer encryption key
9. ENDitorial: Seizures and other abuses - from bad to worse
10. Recommended Reading
11. Agenda
12. About

============================================================
1. Some amendments of the EP voted Telecom package still worrying
============================================================

Some of the amendments passed by the European Parliament (EP) on the Telecom
package are still worrying the civil rights groups, both on data retention
and IP issues. Also, the fact that some amendments of the EP do not appear
in the new document of the European Council working party on
Telecommunications and the Information Society creates more confusion.

According to information from Patrick Breyer from the German Working Group
on Data Retention, amendment 181 passed by the European Parliament
regarding directive 2002/58/EC could be read to legalise "voluntary" blanket
data retention practices as currently practised in the US. The amendment
would make the entire regulation of traffic data in Article 6 of the
directive meaningless. It is not restricted to times when an actual network
error occurs but would allow a general collection of traffic data on the
grounds of them being useful for "security purposes". It does not set a time
limit, either.

Amendment 181 added to Article 6 the following text: "Without
prejudice to compliance with the provisions other than Article 7 of
Directive 95/46/EC and Article 5 of this Directive, traffic data may be
processed for the legitimate interest of the data controller for the
purpose of implementing technical measures to ensure the network and
information security, as defined by Article 4 (c) of Regulation (EC)
460/2004 of the European Parliament and of the Council of 10 March 2004
establishing the European Network and Information Security Agency, of a
public electronic communication service, a public or private electronic
communications network, an information society service or related terminal
and electronic communication equipment, except where such interests are
overridden by the interests for the fundamental rights and freedoms of the
data subject. Such processing must be restricted to that which is strictly
necessary for the purposes of such security activity."

It seems that a majority of the EU member states are already critical of
this amendment.

But other amendments on the 3 strikes approach have come back on the agenda.
On 14 October 2008, the European Council Working Party on Telecommunications
and the Information Society issued a document that eliminated, without any
explanation or justification, the pro-Bono amendment 166 (Article 32a) of
the Universal Access directive (Harbour report) in the Telecoms Package
reiterating the European Parliament's opposition to the 3-strikes measures
system.

The article in question, which said: "Article 32a Access to content, services
and applications Member States shall ensure that any restrictions to users'
rights to access content, services and applications, if they are necessary,
shall be implemented by appropriate measures, in accordance with the
principles of proportionality, effectiveness and dissuasiveness. These
measures shall not have the effect of hindering the development of the
information society, in compliance with Directive 2000/31/EC, and shall not
conflict with citizens' fundamental rights, including the right to privacy
and the right to due process" and which was voted by a clear majority in the
Parliament, is simply missing from the recent European Council document without
any explanation whatsoever.

The document includes some other amendments which pave the way for the
3-strike system, imposing costs on ISPs and removing the oversight by the
European Commission and national Regulators meant to protect users from
content filtering.

At the same time, the article designed to support the French graduated
response measures (the co-operation Amendment 112 - Article 33 (2a)) is
kept.

Some of the member states, such as the UK, Ireland, Germany, Austria and Hungary,
have reservations concerning the European Council document, but the French
government is pushing to see its system imposed on all EU members.

In an attempt to influence the German government's position, a seminar, "on
the development of Creative content online" was organized by the French
embassy in Berlin with the title "Can the Olivennes agreement set the course
for the digital future?". During the seminar, German MEP Ruth Hieronymi
clearly stated that co-operation amendment 112 of the Harbour report in the
Telecoms Package provided the basis for the graduated response in EU law. "I
am absolutely convinced, that the legal framework is there, to fashion a
model like Olivennes that is compatible with European law" she stated in
relation to the Telecoms Package.

The MEP also claimed personal responsibility for the withdrawal of Amendment
132 in the Framework directive which opposed graduated response, and was in
direct conflict with Amendment 112 and the other pro-Olivennes measures.

Hieronymi's comments show that the attempt to insert graduated response and
copyright enforcement measures into the Harbour report was deliberate, which
means that a vote for the directive as it is now will clearly be a vote for
graduated response. Unless there is opposition from the governments that have
shown some reservations, the law imposing the graduated response will be
passed to all EU countries by December, as the Council seems to have decided
to negotiate the document and not send it back to the EP for a second
reading.

European Council set to overturn Parliament on 3-strikes (15.10.2008)
http://www.iptegrity.com/index.php?option=com_content&task=view&id=181&Itemid=9

Working Party on Telecommunications and Information Society - Compromise
Proposal for the consolidated version of the proposal amending directive
2002/22/EC (10.10.2008)
http://www.iptegrity.com/pdf/European.Council.Universal.Service.Directive.pdf

"Co-operation" amendment WAS designed to support 3-strikes (17.10.2008)
http://www.iptegrity.com/index.php?option=com_content&task=view&id=183&Itemid=9

EDRIgram: EP votes Telecoms Package (8.10.2008)
http://www.edri.org/edrigram/number6.19/ep-votes-telecom-package

============================================================
2. The PNR scheme entirely changed by the European Council
============================================================

The European Council has started re-writing from scratch the European
Commission's proposal for an EU-PNR scheme as a result of several EU
governments' intention to go further in this matter.

Some European governments, with the UK in the lead, want to extend the PNR
scheme used now under the US-EU agreement to all types of travel (air, land
and sea), not only in and out of the EU borders but between EU countries and
even within each country. They also want the data and information gathered
to be used not just for entry-exit, but also for any law enforcement
purpose.

The declared purpose of collecting the data is "the prevention, detection,
investigation, prosecution and punishment of terrorism and a group of other
serious offences, defined by reference to the list in the Framework Decision
on the European Arrest Warrant." However, there is an additional statement
which gives more freedom to control: "The instrument would of course cover
the reporting and prosecution of other offences brought to light during
controls." While the PIUs (Passenger Information Units) collect the data
from airlines and assess the passengers, "competent national authorities"
(i.e. police, security agencies) would be allowed to use the data for other
purposes than for assessing security risks for flights.

The list of data to be collected practically covers the same 19 sets of data
as under the US-EU PNR agreement. Also, there will be two transmissions of the
data, one 48 hours before the flight takes off and one when the flight is
fully boarded.

The procedure for analysing the "terrorist or criminal threat" will include
a first analysis "based on risk indicators" (such as source country or
destination) "pre-established by the competent (national) authorities" and a
second one based on "national, international and European files". However,
the issue here is that the 27 EU countries have watch lists which are
extremely different. Hence, the proposal suggests the necessity of
developing "common methods and indicators".

As some of the Member States do not wish to extend the scheme to flights
inside the EU space, the text proposes that the choice of individual states
to take the measure at the national level should be "explicitly recognised".
This means that in practice PNR data will be collected by all Member States on
all flights in and out of the EU, and if a Member State wants to monitor
intra-community flights as well, it can very well do so.

EU-PNR scheme being re-written by the Council (4.10.2008)
http://www.statewatch.org/news/2008/oct/04eu-pnr-rewrite.htm

EDRIgram - Dispute between UK government and EU over the use of PNR
(27.08.2008)
http://www.edri.org/edrigram/number6.16/uk-eu-pnr

Observatory: EU surveillance of passengers (PNR)
http://www.statewatch.org/eu-pnrobservatory.htm

============================================================
3. International Action Day "Freedom not Fear" - 11.10.2008
============================================================

The first worldwide protests against surveillance measures such as the
collection of all telecommunications data, the surveillance of air
travellers and the biometric registration of citizens were held on 11
October 2008 under the motto "Freedom not Fear - Stop the surveillance
mania!". In at least 15 countries citizens demanded a cutback on
surveillance, a moratorium on new surveillance powers and an independent
evaluation of existing surveillance powers. "A free and open society cannot
exist without unconditionally private spaces and communications", explains
an international memorandum.

The greatest protest march against surveillance in Germany's history took
place in Berlin. Participants in the 2 km long peaceful protest march
carried signs reading "You are Germany, you are a suspect", "No Stasi 2.0 -
Constitution applicable here", "Fear of Freedom?" and "Glass citizens,
brittle democracy". Apart from related music tracks, loud chants of
"Belittle it today, be under surveillance tomorrow" or "We are here and we
are loud because they are stealing our data" could be heard. During the
protests, which were supported by more than 100 civil liberties groups,
professional associations, unions, political parties and other
organisations, artists played parodies on surveillance society.

In their final speeches in front of the Brandenburg Gate, the
organisers called for political consequences: padeluun of civil
liberties group FoeBuD said that in view of the mass protests
politicians needed to react now and repeal the blanket retention of
all telecommunications data introduced in 2006. Patrick Breyer of German
Working Group on Data Retention (AK Vorrat) presented a five point plan
according to which surveillance should be reduced, existing laws should be
evaluated and plans for new surveillance measures should
be halted. In the course of a "new, freedom-loving security policy"
specific preventive measures such as youth projects should be
invested in and the "real problems" of people such as poverty and
education should be focused on. Ricardo Cristof Remmert-Fontes of AK Vorrat
announced further action and invited participants to join parties held in
seven participating clubs in Berlin under the motto "The long night of
surveillance".

In other countries, the following events took place in the course of
yesterday's "Freedom not Fear" day: Protest event with music and
several art performances in Den Haag, lectures in Rome, surveillance
camera mapping in Madrid, art performances in front of Parliament in
Vienna, protest rallies in Paris, Prague, Sofia and Stockholm, the
distribution of privacy software in Copenhagen, informative events
in Guatemala City and Buenos Aires as well as a projection of light
onto Toronto's Town Hall. In London, the construction of a surveillance
state was opposed by creating a massive collage of photos on Parliament
Square showing the prime minister and the action day's motto "Freedom not
Fear".

Before the action day, Arbeitskreis Vorratsdatenspeicherung had
warned of a "surveillance avalanche in Germany": According to the
group, the German Parliament has tightened surveillance and control
over citizens at least 21 times in the past 10 years. At least 18
more surveillance proposals are presently on the political agenda,
for example the blanket collection of air travellers' data and the
transfer of personal data to the US.

In an opinion published on 14 October 2008, the competent Advocate General
at the European Court of Justice considered that the EU directive on data
retention was enacted on the correct legal basis. The German Working Group
on Data Retention pointed out that the Advocate General's opinion only
concerns the action brought by the Irish government which is
limited to formal issues. It is not concerned with the fact that registering
the telecommunications behaviour and movements of the entire EU population
in the absence of any reasonable suspicion is clearly disproportionate and
violates human rights.

If the Court follows the Advocate General's opinion and dismisses Ireland's
suit, it will need to consider the compatibility with human rights in a
second proceeding. This second proceeding is likely to be initiated by the
German Federal Constitutional Court where a suit of more than 34 000
citizens against data retention is pending.

In another case, The German Federal Constitutional Court is expected to
decide shortly on an application for a preliminary injunction against the
German law on data retention. The application is directed mainly against the
retention of Internet access, anonymizing services and e-mail data which is
to become effective on 1 January 2009. The Constitutional Court's final
judgement will probably be passed after the European Court of Justice has
decided on the human rights issues.

International Action Day "Freedom not fear - Stop the surveillance mania!"
on 11 October 2008
http://www.vorratsdatenspeicherung.de/content/view/242/144/lang,en/

Freedom Not Fear: the Big Picture unveiled on Parliament Square (11.10.2008)
http://www.openrightsgroup.org/2008/10/11/freedom-not-fear-the-big-picture-unveiled-on-parliament-square/

Advocate General Bot considers that the directive on data retention is
founded on an appropriate legal basis (14.10.2008)
http://curia.europa.eu/en/actu/communiques/cp08/aff/cp080070en.pdf

Constitutional complaint filed against German Telecomms Data Retention Act
http://www.vorratsdatenspeicherung.de/content/view/184/79/lang,en/

(contribution by German Working Group on Data Retention)

============================================================
4. Freedom not Fear Prague: Do It Yourself Carnival burst in the city center
============================================================

On 11 October 2008 Prague hosted the DIY Carnival which marched through the
city centre in the name of the worldwide initiative "Freedom not Fear".

Starting with a concert of several music groups on the river island
Stvanice, more than 1000 people wearing masks outnumbered crowds of tourists
on the fancy streets of the Old Town and protested against increasing
surveillance within society. The colourful parade ended at sunset,
but some of the participants reunited later that night on the occasion of
the Big Brother Awards benefit concert, which was organized by EDRi member
Iuridicum Remedium.

"The recent level of restrictions, which criminalize the majority of our society,
is alarming. It is another step towards a state where the police are competent to
arbitrarily bully people on the streets," said Jan Nemec, the spokesman of the
Freedom not Fear initiative in Prague, in his public speech. "Let your
voices be heard and express your resolute protest against these oppressive
measures," Jan Nemec called on the participants.

However, the organization of the DIY Carnival did not go as smoothly as
might be inferred from its results. The parade had to take an alternative
route, because the municipal authorities banned the original one on the
basis of their fear that the carnival could turn into a street party.

Subsequently, the organizers lodged an appeal with the court, which was
later dismissed. The final decision is still pending, though. "The hearing
on the ban took place on Friday, just one day after we received an email
notification, while the rules of the administrative court grant at least ten
days for preparation," commented Helena Svatosova, lawyer from the NGO
Iuridicum Remedium, who initiated proceedings in this matter before the
Highest Administrative Court, on the first instance decision.

(contribution by Vaclav Mlynarik - EDRi-member Iuridicum Remedium)

============================================================
5. New Dutch Notice-and-Take-Down Code raises questions
============================================================

The Dutch government and leading market participants have adopted a new
Notice-and-Take-Down Code of Conduct. The Code seeks to clarify the
responsibilities of internet intermediaries (hosting providers in
particular) when confronted with a notice that online information is
punishable (under Dutch penal law) or unlawful. Reactions to the code
are mixed. Many hosting providers have not signed the Code. Others have
called it symbolic. In fact, the Code seems to obscure the current legal
obligations of internet service providers with regard to punishable and
unlawful material. Unfortunately, the Code does not even mention the
right to freedom of expression and the issue of censorship.

Although the code has no legal status, it goes further than the Dutch law in
a number of ways. The Code states that a notice of a public prosecutor
that material is punishable cannot be questioned by a provider, because
the public prosecutor has already established its illegal character.

However, a recent academic study of the Centre for Cybercrime Studies
(Cycris), commissioned by the Dutch government, revealed the inadequacy
of Dutch laws concerning Notice and Takedown. In particular, it found
that the public prosecutor does not have an adequate legal instrument to
order material to be taken down. The study concluded that "there are
insufficient guarantees built into the process to protect the interests
of Internet users and the information freedoms". The Dutch government
has responded that it is reviewing the relevant laws, but it has
completely ignored the problem in the context of this new Code.

In the case of notices of punishable and unlawful material from parties other
than the public prosecutor, the Code provides that an intermediary will
remove the material if it is 'unequivocally' punishable or unlawful. If
not, the party seeking removal can either seek involvement of law
enforcement agencies or start a civil procedure. There is no explicit
mention of a put-back procedure. The Code does state that intermediaries
have to be careful not to remove more content than the notice points to.
The Code does not change the circumstances under which rights holders
can retrieve identifying data of alleged infringers of copyright. For
this reason, BREIN, the representative of the rights holders in the
Netherlands, has made clear it sees the current Code as unsatisfactory.

To complicate matters, the Code introduces the concept of 'undesirable'
or 'harmful' material. It defines this as material that is not illegal
or unlawful under Dutch law, but material that a provider itself does
not want to host, because of its 'undesirable' or 'harmful' character.
The Code states that the provider is free to develop such criteria and
treat notices of 'undesirable' or 'harmful' material the same way as
notices of illegal material. Clearly, government involvement in this
part of the Code of Practice is problematic from the perspective of
freedom of expression. The Code does not clarify which categories of
content can legitimately be considered as 'undesirable' or 'harmful' by
an intermediary. And unfortunately, the Code does not explicitly forbid
law enforcement agencies to send notices of 'undesirable' or 'harmful'
material, whereas such notices would seem to be illegal.

The Code was adopted in the context of the National Infrastructure
Cybercrime, a public private partnership, which includes several branches of
the Dutch Government, major broadband providers such as KPN, XS4all, and
cable providers. There is no official list of participants in the Code.

Notice-And-Take-Down Code of Conduct (9.10.2008)
http://www.samentegencybercrime.nl/UserFiles/File/NTD_Gedragscode_Opmaak_Engels.pdf

Dutch 'Notice-and-Take-Down' Code of Conduct issued (14.10.2008)
http://www.saferinternet.org/ww/en/pub/insafe/news/articles/1108/notice_and_take_down.htm

Cycris Research on art. 54a of the Dutch Penal Code (13.05.2008)
http://www.cycris.nl/news/7/39

Hosters en Brein sluiten piraterij-compromis (In Dutch only) (9.10.2008)
http://webwereld.nl/articles/53058/hosters-en-brein-sluiten-piraterij-compromis.html

(Contribution by Joris van Hoboken - EDRi-member Bits of
Freedom -Netherlands)

============================================================
6. Protests in France against the Edvige file on St. Edwige day
============================================================

As previously announced in EDRi-gram, St. Edwige day in France was a day of
protests against the file project called Edvige, a file that would gather
information on any person, including minors, considered by the police as a
"suspect" capable of disrupting the public order.

On 16 October, on St. Edwige day, demonstrations against the introduction of
the Edvige file were organised in Paris, Agen, Bordeaux, Strasbourg,
Saint-Etienne, Lyon and other big cities in France by the "Non à Edvige"
group that included La Ligue des Droits de l'Homme (The League of Human
Rights), FSU, CGT, CFDT, Aides and French EDRi-member IRIS.

The project had already been modified in September into the so called
EDVIRSP file. However, even the new version was considered unacceptable by
the opponents of the project especially because it involves gathering data
on minors who are considered by the police a public threat.

The "Non à Edvige" petition is asking for the cancellation of the entire
project. It remains to be seen if the demonstrations that took place on 16
October will find any echo with the French authorities.

On Saint Edwige, the anti-Edvige march on the streets (only in French,
16.10.2008)
http://www.lemonde.fr/web/son/0,54-0@2-3224,63-1107874@51-1090646,0.html

Saint Edwige: the anti-Edvige in the street (only in French,17.10.2008)
http://www.top-logiciel.net/news-article.storyid-3044.htm

On Saint Edwidge: I don't want Edvige ! (only in French, 17.10.2008)
http://www.youtube.com/watch?v=94hUZr6FxLc&feature=user

EDRIgram - French file EDVIGE revised after huge civil society mobilization
(only in French, 24.09.2008)
http://www.edri.org/edrigram/number6.18/edvige-revised

============================================================
7. German court says ISPs do not violate the law by storing IP addresses
============================================================

On 30 September 2008, the Munich District Court decided in a provisional
ruling that website operators were not violating the data protection
legislation when storing IP addresses of their visitors as IP addresses
alone are not considered personal data.

The case was brought to the court by an individual who argued that storing
IP addresses in log files by a web publisher represents a privacy violation
because the information could be used to identify him and relate his
identity to his web surfing activity. The court dismissed his arguments and
ruled against his claim.

The court considers IP addresses are not personal data under the German
Privacy Act because the information cannot be easily used to determine a
person's identity and an ISP could not tell a third party who was using a
particular IP address at a particular time without a legal basis. Such
information is provided by ISPs only when ordered by a court.

The ruling also said that IP addresses lacked the necessary quality of
"determinability" to be personal data, meaning the identity of the person
behind the information cannot be established without a significant effort
and by using "normally available knowledge and tools."

However, we should not over-estimate the relevance of this decision. It was
taken by a local court with no IT experts, and the judge did not discuss the
dissenting decisions from higher-level Berlin courts. The decision only
applies to dynamic IP addresses.

Privacy activists have argued that IP addresses should count as personal
data under data protection legislation. The Article 29 Working Party has
also said that IP addresses should be treated as personal data by ISPs and
search engines, even if they are not always personal data. "Unless the
Internet Service Provider is in a position to distinguish with absolute
certainty that the data correspond to users that cannot be identified, it
will have to treat all IP information as personal data, to be on the safe
side. These considerations will apply equally to search engine operators,"
said a report issued by the Article 29 Working Party in April.

Regarding the fact that IP addresses are not considered personal data by
some, in an interview given to EurActiv on the data protection rules, the
European Data Protection Supervisor Peter Hustinx explained: "As of today
there is some uncertainty, and this is why we will probably see a study from
the Commission to shed light on this. But the common view of the data
protection specialists is that in many situations IP addresses are personal
data. Therefore websites, Internet Service Providers and other parties
should ensure data protection compliance. This is an important thing to
emphasise." He also believes that the European Commission
should clarify the application of existing data protection rules in relation
to RFID in order to avoid "big social dangers".

German court says IP addresses in server logs are not personal data
(14.10.2008)
http://www.out-law.com/page-9505

Hustinx: Tracking people 'easier' with RFID (3.10.2008)
http://www.euractiv.com/en/infosociety/hustinx-tracking-people-easier-rfid/article-176220

AG Munich: IP addresses may be stored by website operators (only
in German, 7.10.2008)
http://www.kremer-legal.com/2008/10/07/ag-munchen-ip-adressen-durfen-von-website-betreibern-gespeichert-werden-volltext/

============================================================
8. British court: people are bound to reveal computer encryption key
============================================================

Two people were denied by the court the right to silence in relation to the
encryption keys they had been asked to reveal to the police.

The men had argued before the court that handing over the encryption
keys for the data on their computers would mean forcing them to incriminate
themselves. Defendants have a right to silence and to refuse to divulge
information that could be used as evidence against them.

The Court of Appeal however considered that an encryption password is not
incriminating information in itself and that the key as well as the
information in the computers existed independently from the men just like
any key to a drawer and its content. Therefore, the men had no right to deny
the police the encryption keys.

The two men had been arrested by the police for having been involved with a
person who was subject to a control order under anti-terrorism legislation
and their computers had been seized. The police had sent notices ordering
the men to disclose the passwords in the interest of national security and
the prevention or detection of crime. The authorities can ask for disclosure of
such keys because, in terms of the law, the information on the computers is
already in the possession of the police and an order for password disclosure
can be made, if "no alternative, reasonable method of gaining access to it
or making it intelligible is available" as expressed by Mr Justice
Penry-Davey in the Court of Appeal.

According to the Regulation of Investigatory Powers Act (RIPA), the refusal
to reveal a decryption key can be punished with imprisonment of up to 5 years.
The clause covering this measure has been included in the RIPA Act since 2007
but was not activated until 1 October 2008 because, last year, the Home
Office considered that encryption was not as popular as had been
predicted. Part III of RIPA was activated after a period of consultation.
People receiving notice from the police are bound to reveal the encryption
keys or render the requested material intelligible by authorities.

The clause has been criticised by civil liberties activists and security
experts who consider that the measure affects privacy and can lead to
persons being forced to incriminate themselves. An argument against the
action is also that passwords can be forgotten and people may pretend to
have forgotten or really forget them.

According to the Home Office, the process will be overseen by the
Interception of Communications Commissioner, the Intelligence Services
Commissioner and the Chief Surveillance Commissioner and complaints about
demands for information will be made by the Investigatory Powers Tribunal.
The Home Office considers that the actions are consistent with the European
Convention on Human Rights and the UK Human Rights Act as long as the demand
for decryption is "both necessary and proportionate". "The measures in Part
III are intended to ensure that the ability of public authorities to protect
the public and the effectiveness of their other statutory powers are not
undermined by the use of technologies to protect electronic information,"
stated the Home Office.

But besides the concerns raised by civil liberties activists, there are also
voices that warn the measure may even lead to hiding more material from the
Police.

"I think putting the powers on the statute book will make it more, not less,
likely that police will encounter encrypted material because people will
become aware of dual key systems and see how easy they are to use,"
commented security expert Dr Richard Clayton.

Court of Appeal orders men to disclose encryption keys (16.10.2008)
http://www.out-law.com//default.aspx?page=9514

England and Wales Court of Appeal (Criminal Division) Decisions (9.10.2008)
http://www.bailii.org/ew/cases/EWCA/Crim/2008/2177.html

RIPA could be challenged on human rights (24.01.2008)
http://www.out-law.com/page-8826

Law requiring disclosure of decryption keys in force (2.10.2007)
http://www.out-law.com/page-8515

============================================================
9. ENDitorial: Seizures and other abuses - from bad to worse
============================================================

Two recent episodes (that are not "isolated cases") show, again, how
distortions in Italian laws and in their application can lead to all sorts
of abuses - as discussed before. The problem is that these abuses are not
only continuing, but getting worse.

One is explained in a recent article and is obviously (no matter how it's
disguised) a case of censorship.

The other case we are discussing here, if taken as a single episode, could
be seen as a comedy of errors. A website for the exchange of music was
"seized" - that is to say, access was blocked. It was soon moved to another
address, and later the "seizure" was revoked. So it didn't suffer any
serious damage and it may have gained some publicity as a result of the
protest in Italy and elsewhere caused by the attempt to choke it. The
instigators of the repression (as usual, the lobbies of music majors) were
(in this case and so far) defeated and ridiculed. But the procedures in this
grotesque affair reveal several alarming abuses.

Many problems, for many years, have been caused by an awkward peculiarity of
the Italian legislation, that treats copyright infringement as a criminal
offence. And it has always been an awful abuse to seize computers, servers
etcetera with a brutal procedure that is useless for investigation purposes
and dramatically harmful not only for suspects who are "innocent until
proven guilty", but also for people and organizations who are not involved
in the facts (or assumptions) being investigated.

In recent years this abuse has taken a new twist, that queerly extends the
"seizure" concept to the suppression of a website or if, as in this case,
the website isn't in Italy, to force Italian internet providers to block
access (or even, as in this example, to arbitrarily re-route the "traffic"
to another foreign website, dedicated to persecuting people who are trying
to access the blacklisted source).

It would be dangerous to underestimate the implications of these behaviors,
too easily supported by internet providers, who care about their selfish
interests above the rights of their customers. They go far beyond the
consequences of individual episodes, suggesting criteria and procedures that
can be extended to the repression of any unwelcome opinion or information,
as well as of enterprises competing with "favored" interests.

To make things even worse, in this case the attack was on a site that
doesn't offer file sharing, but information on where resources can be found.
This could lead to the absurdity of turning not only connection providers,
but also search engines, into censors, spies and "sheriffs" of the net for
inquiries and prohibitions originating in any country and extending beyond
its borders.

In a "package of rules" recently approved (September 24, 2008) by the
European Union Parliament "measures that would have allowed a control on
internet users were rejected." Specifically, "the MEPs rejected the idea
that ISPs should filter all downloads and punish the infringers of copyright
rules, being thus transformed into a sort of online police."

Of course it remains to be seen if and how "good intentions" will be
applied, but in the meantime Italian authorities, once again, appear to be
peculiarly prone to obeying the whims and wishes of the "owners of ideas"
and not as careful as they should be in ensuring freedom of opinion and civil
rights.

An update on the Italian PirateBay case (8.10.2008)
http://www.edri.org/edrigram/number6.19/update-piratebay-italy

The European Parliament voted the Telecoms Package (8.10.2008)
http://www.edri.org/edrigram/number6.19/ep-votes-telecom-package

ENDitorial: A stupid law and a perverse "criminal" sentence (24.09.2008)
http://www.edri.org/edrigram/number6.18/stupid-law-italy

(contribution by Giancarlo Livraghi - EDRi-member ALCEI - Italy)

============================================================
10. Recommended Reading
============================================================

The Council of Europe launched, in close cooperation with European online
game designers and publishers and with Internet service providers, two sets
of guidelines which aim to encourage respect and promote privacy, security
and freedom of expression.

Human Rights Guidelines for Online games providers
http://www.coe.int/t/dghl/standardsetting/media/Doc/H-Inf(2008)008_en.pdf

Human Rights Guidelines for Internet service providers
http://www.coe.int/t/dghl/standardsetting/media/Doc/H-Inf(2008)009_en.pdf

============================================================
11. Agenda
============================================================

24 October 2008, Bielefeld, Germany
Big Brother Awards Germany 2008
http://www.BigBrotherAwards.de/

25 October 2008, Vienna, Austria
Big Brother Awards Austria 2008
http://www.BigBrotherAwards.at/

3-7 November 2008, Geneva, Switzerland
Standing Committee on Copyright and Related Rights: Seventeenth Session
http://www.wipo.int/meetings/en/details.jsp?meeting_id=16828

13-14 November 2008, Chisinau, Moldova
IFLA/EBLIDA/eIFL Conference on copyright and libraries
Copyright: Enabling Access or Creating Roadblocks for Libraries?
Registration by 1 November 2008
http://www.eblida.org/index.php?page=draft-programme-2

25-26 November 2008, Brussels, Belgium
World e-Parliament Conference 2008
http://www.ictparliament.org/worldeparliamentconference2008/

3-6 December 2008, Hyderabad, India
Third Internet Governance Forum
http://www.intgovforum.org

9-10 December 2008, Madrid, Spain
Future Internet Assembly
http://www.future-internet.eu/home/future-internet-assembly/madrid-dec-2008.html
http://www.fi-madrid.eu/

10-11 December 2008, Tilburg, Netherlands
Tilting perspectives on regulating technologies, Tilburg Institute for Law
and Technology and Society, Tilburg University
http://www.tilburguniversity.nl/tilt/conference

27-30 December 2008, Berlin, Germany
25C3: Nothing to hide
The 25th Chaos Communication Congress
http://events.ccc.de/congress/2008/

18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/

1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/

============================================================
12. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 28 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/

Newsletter editor: Bogdan Manolea <edrigram@...>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@...
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request@...
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram@...> if you have any problems with subscribing or
unsubscribing.

#191 From: Sarad AV <jtrjtrjtr2001@...>
Date: Wed Oct 15, 2008 1:12 pm
Subject: Fw: CRYPTO-GRAM, October 15, 2008
CRYPTO-GRAM

                 October 15, 2008

                by Bruce Schneier
        Chief Security Technology Officer, BT
               schneier@...
              http://www.schneier.com


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0810.html>.  These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>.  An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
       The Seven Habits of Highly Ineffective Terrorists
       The Two Classes of Airport Contraband
       News
       The More Things Change, the More They Stay the Same
       NSA's Warrantless Eavesdropping Targets Innocent Americans
       Schneier/BT News
       Taleb on the Limitations of Risk Management
       "New Attack" Against Encrypted Images
       Nonviolent Activists Are Now Terrorists
       Does Risk Management Make Sense?
       Comments from Readers


** *** ***** ******* *********** *************

       The Seven Habits of Highly Ineffective Terrorists



Most counterterrorism policies fail, not because of tactical problems,
but because of a fundamental misunderstanding of what motivates
terrorists in the first place. If we're ever going to defeat terrorism,
we need to understand what drives people to become terrorists in the
first place.

Conventional wisdom holds that terrorism is inherently political, and
that people become terrorists for political reasons. This is the
"strategic" model of terrorism, and it's basically an economic model. It
posits that people resort to terrorism when they believe -- rightly or
wrongly -- that terrorism is worth it; that is, when they believe the
political gains of terrorism minus the political costs are greater than
if they engaged in some other, more peaceful form of protest. It's
assumed, for example, that people join Hamas to achieve a Palestinian
state; that people join the PKK to attain a Kurdish national homeland;
and that people join al-Qaida to, among other things, get the United
States out of the Persian Gulf.

If you believe this model, the way to fight terrorism is to change that
equation, and that's what most experts advocate. Governments tend to
minimize the political gains of terrorism through a no-concessions
policy; the international community tends to recommend reducing the
political grievances of terrorists via appeasement, in hopes of getting
them to renounce violence. Both advocate policies to provide effective
nonviolent alternatives, like free elections.

Historically, none of these solutions has worked with any regularity.
Max Abrahms, a predoctoral fellow at Stanford University's Center for
International Security and Cooperation, has studied dozens of terrorist
groups from all over the world. He argues that the model is wrong. In a
paper published this year in International Security that -- sadly --
doesn't have the title "Seven Habits of Highly Ineffective Terrorists,"
he discusses, well, seven habits of highly ineffective terrorists. These
seven tendencies are seen in terrorist organizations all over the world,
and they directly contradict the theory that terrorists are political
maximizers:

Terrorists, he writes, (1) attack civilians, a policy that has a lousy
track record of convincing those civilians to give the terrorists what
they want; (2) treat terrorism as a first resort, not a last resort,
failing to embrace nonviolent alternatives like elections; (3) don't
compromise with their target country, even when those compromises are in
their best interest politically; (4) have protean political platforms,
which regularly, and sometimes radically, change; (5) often engage in
anonymous attacks, which precludes the target countries making political
concessions to them; (6) regularly attack other terrorist groups with
the same political platform; and (7) resist disbanding, even when they
consistently fail to achieve their political objectives or when their
stated political objectives have been achieved.

Abrahms has an alternative model to explain all this: People turn to
terrorism for social solidarity. He theorizes that people join terrorist
organizations worldwide in order to be part of a community, much like
the reason inner-city youths join gangs in the United States.

The evidence supports this. Individual terrorists often have no prior
involvement with a group's political agenda, and often join multiple
terrorist groups with incompatible platforms. Individuals who join
terrorist groups are frequently not oppressed in any way, and often
can't describe the political goals of their organizations. People who
join terrorist groups most often have friends or relatives who are
members of the group, and the great majority of terrorists are socially
isolated: unmarried young men or widowed women who weren't working prior
to joining. These things are true for members of terrorist groups as
diverse as the IRA and al-Qaida.

For example, several of the 9/11 hijackers planned to fight in Chechnya,
but they didn't have the right paperwork so they attacked America
instead. The mujahedeen had no idea whom they would attack after the
Soviets withdrew from Afghanistan, so they sat around until they came up
with a new enemy: America. Pakistani terrorists regularly defect to
another terrorist group with a totally different political platform.
Many new al-Qaida members say, unconvincingly, that they decided to
become a jihadist after reading an extreme, anti-American blog, or after
converting to Islam, sometimes just a few weeks before. These people
know little about politics or Islam, and they frankly don't even seem to
care much about learning more. The blogs they turn to don't have a lot
of substance in these areas, even though more informative blogs do exist.

All of this explains the seven habits. It's not that they're
ineffective; it's that they have a different goal. They might not be
effective politically, but they are effective socially: They all help
preserve the group's existence and cohesion.

This kind of analysis isn't just theoretical; it has practical
implications for counterterrorism. Not only can we now better understand
who is likely to become a terrorist, we can engage in strategies
specifically designed to weaken the social bonds within terrorist
organizations. Driving a wedge between group members -- commuting prison
sentences in exchange for actionable intelligence, planting more double
agents within terrorist groups -- will go a long way to weakening the
social bonds within those groups.

We also need to pay more attention to the socially marginalized than to
the politically downtrodden, like unassimilated communities in Western
countries. We need to support vibrant, benign communities and
organizations as alternative ways for potential terrorists to get the
social cohesion they need. And finally, we need to minimize collateral
damage in our counterterrorism operations, as well as clamping down on
bigotry and hate crimes, which just creates more dislocation and social
isolation, and the inevitable calls for revenge.

http://maxabrahms.com/pdfs/DC_250-1846.pdf

This essay previously appeared on Wired.com.
http://www.wired.com/print/politics/security/commentary/securitymatters/2008/10/securitymatters_1002
or http://tinyurl.com/3vf3x5

Interesting rebuttal:
http://www.cambridgeblog.org/2008/10/can-terror-be-understood/


** *** ***** ******* *********** *************

       The Two Classes of Airport Contraband



Airport security found a jar of pasta sauce in my luggage last month. It
was a 6-ounce jar, above the limit; the official confiscated it, because
allowing it on the airplane with me would have been too dangerous. And
to demonstrate how dangerous he really thought that jar was, he blithely
tossed it in a nearby bin of similar liquid bottles and sent me on my way.

There are two classes of contraband at airport security checkpoints: the
class that will get you in trouble if you try to bring it on an
airplane, and the class that will cheerily be taken away from you if you
try to bring it on an airplane. This difference is important: Making
security screeners confiscate anything from that second class is a waste
of time. All it does is harm innocents; it doesn't stop terrorists at all.

Let me explain. If you're caught at airport security with a bomb or a
gun, the screeners aren't just going to take it away from you. They're
going to call the police, and you're going to be stuck for a few hours
answering a lot of awkward questions. You may be arrested, and you'll
almost certainly miss your flight. At best, you're going to have a very
unpleasant day.

This is why articles about how screeners don't catch every -- or even a
majority -- of guns and bombs that go through the checkpoints don't
bother me. The screeners don't have to be perfect; they just have to be
good enough. No terrorist is going to base his plot on getting a gun
through airport security if there's a decent chance of getting caught,
because the consequences of getting caught are too great.

Contrast that with a terrorist plot that requires a 12-ounce bottle of
liquid. There's no evidence that the London liquid bombers actually had
a workable plot, but assume for the moment they did. If some copycat
terrorists try to bring their liquid bomb through airport security and
the screeners catch them -- like they caught me with my bottle of pasta
sauce -- the terrorists can simply try again. They can try again and
again. They can keep trying until they succeed. Because there are no
consequences to trying and failing, the screeners have to be 100 percent
effective. Even if they slip up one in a hundred times, the plot can
succeed.

The same is true for knitting needles, pocketknives, scissors,
corkscrews, cigarette lighters and whatever else the airport screeners
are confiscating this week. If there's no consequence to getting caught
with it, then confiscating it only hurts innocent people. At best, it
mildly annoys the terrorists.

To fix this, airport security has to make a choice. If something is
dangerous, treat it as dangerous and treat anyone who tries to bring it
on as potentially dangerous. If it's not dangerous, then stop trying to
keep it off airplanes. Trying to have it both ways just distracts the
screeners from actually making us safer.

http://www.cnn.com/2008/US/01/28/tsa.bombtest/index.html
http://www.homelandstupidity.us/2007/10/25/tsa-screeners-fail-most-bomb-tests/
or http://tinyurl.com/4npg9o
http://www.homelandstupidity.us/2006/10/31/tsa-screeners-still-fail-to-find-guns-bombs/
or http://tinyurl.com/3ephgq
http://www.boston.com/news/local/articles/2003/10/16/logan_screeners_fail_weapons_tests/
or http://tinyurl.com/r5gu

This essay originally appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/09/securitymatters_0918
or http://tinyurl.com/4m6vvj


** *** ***** ******* *********** *************

       News


According to U.S. government documents, fear of terrorism could cause a
psychosomatic epidemic:
http://blog.wired.com/27bstroke6/2008/09/terrorism-fear.html

GPS spoofing:
http://philosecurity.org/2008/09/07/gps-spoofing
http://www.ne.anl.gov/capabilities/vat/spoof.html

NSA -- and others -- snooping on cell phone calls with off-the-shelf
technology:
http://news.cnet.com/8301-13739_3-10030134-46.html

The NSA teams up with the Chinese government to limit Internet anonymity:
http://www.schneier.com/blog/archives/2008/09/the_nsa_teams_u.html

The Pentagon's World of Warcraft Movie-Plot threat:
http://www.schneier.com/blog/archives/2008/09/the_pentagons_w.html

TSA employees are bypassing airport screening.
http://www.9news.com/news/article.aspx?storyid=99941&catid=339
This isn't a big deal.  Screeners have to go in and out of security all
the time as they work.  Yes, they can smuggle things in and out of the
airport.  But you have to remember that the airport screeners are
trusted insiders for the system: there are a zillion ways they could
break airport security.  On the other hand, it's probably a smart idea
to screen screeners when they walk through airport security when they
aren't working at that checkpoint at that time.  The reason is the same
reason you should screen everyone, including pilots who can crash their
plane: you're not screening screeners (or pilots), you're screening
people wearing screener (or pilot) uniforms and carrying screener (or
pilot) IDs.  You can either train your screeners to recognize authentic
uniforms and IDs, or you can just screen everybody.  The latter is just
easier.  But this isn't a big deal.

I can think of specific instances where the ability to unlock your door
over the Internet can be useful, but in most places it's not a good idea.
http://www.theinquirer.net/gb/inquirer/news/2008/09/04/unlock-house-via-internet
or http://tinyurl.com/4rsyve
http://treocentral.com/content/Stories/1999-1.htm

India using brain scans to prove guilt in court.
http://www.nytimes.com/2008/09/15/world/asia/15brainscan.html
The pseudo-science here is even worse than for lie detectors.
http://www.thehindu.com/2008/09/08/stories/2008090854420400.htm

People have been asking me to comment about Sarah Palin's Yahoo e-mail
account being hacked.  I've already written about the security problems
with "secret questions" back in 2005:
http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
More commentary:
http://www.freedom-to-tinker.com/blog/felten/how-yahoo-could-have-protected-palins-email
or http://tinyurl.com/4689km

The $20M camera system at New York's Freedom Tower is pretty sophisticated.
http://cityroom.blogs.nytimes.com/2008/09/24/unblinking-eyes-for-20-million-at-freedom-tower/
or http://tinyurl.com/53e52c

We're developing a pre-crime detector that detects hostile thoughts.
http://www.newscientist.com/blogs/shortsharpscience/2008/09/precrime-detector-is-showing-p.html
or http://tinyurl.com/53ftps
http://www.foxnews.com/printer_friendly_story/0,3566,426485,00.html

Spykee is your own personal robot spy.  It takes pictures and movies
that you can watch on the Internet in real time or save for later.  You
can even talk with whoever you're spying on via Skype.  Only $300.
http://www.spykeeworld.com/
http://www.robotsrule.com/html/spykee.php
http://www.amazon.com/gp/offer-listing/B000N6470A?tag=counterpane

Security maxims from Roger Johnston.  Funny, and all too true.
http://www.ne.anl.gov/capabilities/vat/seals/maxims.html

Send your personalized message to TSA X-ray screeners using metal plates
you can put in your carry-on luggage.
http://blog.makezine.com/archive/2008/09/metal_plates_send_message.html
or http://tinyurl.com/4ro8es
http://www.nytimes.com/idg/IDG_852573C400693880002574D70000A2FB.html

Another bomb scare.  Hot dogs this time.
http://www.philly.com/philly/blogs/phillies_zone/Just_Hot_Dogs_Folks.html
or http://tinyurl.com/5xpzsp
http://www.nytimes.com/aponline/us/AP-ODD-Hot-Dog-Scare.html

The Hackers Choice has released a tool allowing people to clone and
modify electronic passports.  The problem is self-signed certificates.
A CA is not a great solution, and the link gives a good explanation as
to why.  "So what's the solution? We know that humans are good at Border
Control. In the end they protected us well for the last 120 years. We
also know that humans are good at pattern matching and image
recognition. Humans also do an excellent job 'assessing' the person and
not just the passport. Take the human part away and passport security
falls apart."
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html
or http://tinyurl.com/4l49v4
http://www.theregister.co.uk/2008/09/30/epassport_hack_description/

Hand grenades are now weapons of mass destruction:
http://www.schneier.com/blog/archives/2008/10/hand_grenades_a.html

MI6 camera -- including secrets -- sold on eBay.  The buyer turned the
camera in to the police.
http://www.techcrunch.com/2008/09/30/top-secret-mi6-camera-sold-to-the-highest-bidder-on-ebay/
or http://tinyurl.com/4n5ov2
http://gizmodo.com/5056749/mi6-camera-with-secret-images-bought-on-ebay-for-30
or http://tinyurl.com/4pj5jh

"Scareware" vendors sued -- it's about time.
http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_state_tar.html
or http://tinyurl.com/3pxho4

This is clever: bank robber hires accomplices on Craigslist.
http://www.king5.com/topstories/stories/NW_100108WAB_monroe_robber_floating_escape_TP.ce3930c1.html
or http://tinyurl.com/3h8wfe

New cross-site request forgery attacks.
http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
or http://tinyurl.com/4ubb2f
http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf

"Clickjacking" is a stunningly sexy name, but the vulnerability is
really just a variant of cross-site scripting.  We don't know how bad it
really is, because the details are still being withheld.  But the name
alone is causing dread.  Here's a good Q&A on the vulnerability:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818&source=NLT_SEC&nlid=38
or http://tinyurl.com/3rmfac
http://www.cgisecurity.org/2008/10/interview-jerem.html
http://hackademix.net/2008/09/27/clickjacking-and-noscript/

Turns out you can add anyone's number to -- or remove anyone's number
from -- the Canadian do-not-call list. You can also add (but not remove)
numbers to the U.S. do-not-call list, though only up to three at a time,
and you have to provide a valid e-mail address to confirm the addition.
   Here's my idea.  If you're a company, add every one of your customers
to the list.  That way, none of your competitors will be able to cold
call them.
https://www.lnnte-dncl.gc.ca/
https://www.donotcall.gov/register/reg.aspx

Chinese monitoring Skype messages:
http://arstechnica.com/news.ars/post/20081002-skype-security-flub-leads-to-discovery-of-chinese-monitoring.html
or http://tinyurl.com/4pgn2j

According to a massive report from the National Research Council, data
mining for terrorists doesn't work.
http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2547-1_3-0-20
or http://tinyurl.com/4klgqe
http://arstechnica.com/news.ars/post/20081009-analysis-data-mining-doesnt-work-for-spotting-terrorists.html
or http://tinyurl.com/4azsds
http://www.nap.edu/catalog.php?record_id=12452

Interesting paper by Adam Shostack on threat modeling at Microsoft:
http://blogs.msdn.com/sdl/attachment/8991806.ashx

Elcomsoft is claiming that the WPA protocol is dead, just because they
can speed up brute-force cracking by 100 times using a hardware
accelerator.  Why exactly is this news?  Yes, weak passwords are weak --
we already know that.  And strong WPA passwords are still strong.  This
seems like yet another blatant attempt to grab some press attention with
a half-baked cryptanalytic result.
http://www.elcomsoft.com/edpr.html?r1=pr&r2=wpa
http://mobile.slashdot.org/mobile/08/10/12/1724230.shtml
http://www.theregister.co.uk/2008/10/10/graphics_card_wireless_hacking/
http://www.schneier.com/essay-148.html

Clever counterterrorism attack against the IRA: set up a laundromat, and
watch who has bomb residue on their clothes:
http://www.schneier.com/blog/archives/2008/10/clever_countert.html

There's a new chip-and-pin scam in the UK.  The card readers were hacked
when they were built, "either during the manufacturing process at a
factory in China, or shortly after they came off the production line."
It's being called a "supply chain hack."  Sophisticated stuff, and yet
another demonstration that these all-computer security systems are full
of risks.
http://online.wsj.com/article/SB122366999999723871.html
http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and\
-pin-scam-has-netted-millions-from-British-shoppers.html
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/3173161/Credit-card-scam\
-How-it-works.html

BTW, what's it worth to rig an election?
http://www.schneier.com/essay-046.html

BART, the San Francisco subway authority, has been debating allowing
passengers to bring drinks on trains.  There are all sorts of good
reasons why or why not -- convenience, problems with spills, and so on
-- but one reason that makes no sense is that terrorists may bring
flammable liquids on board.  Yet that is exactly what BART managers
said.  No big news -- we've seen stupid things like this regularly since
9/11 -- but this time people responded:  "Added Director Tom Radulovich,
'If somebody wants to break the law and bring flammable liquids on, they
can. It's not like al Qaeda is waiting in their caves for us to have a
sippy-cup rule.'  Directing his comments to BART administrators, he
said, 'You know, it's just fearmongering and you should be ashamed.'"
Terrorist fear mongering seems to be working less well.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/10/10/BAB813EELU.DTL


** *** ***** ******* *********** *************

       The More Things Change, the More They Stay the Same



Guess the year:  "Murderous organizations have increased in size and
scope; they are more daring, they are served by the most terrible
weapons offered by modern science, and the world is nowadays threatened
by new forces which, if recklessly unchained, may some day wreck
universal destruction. The Orsini bombs were mere children's toys
compared with the later developments of infernal machines. Between 1858
and 1898 the dastardly science of destruction had made rapid and
alarming strides..."

No, that wasn't a typo.  "Between 1858 and 1898...."  This quote is from
Major Arthur Griffith, "Mysteries of Police and Crime," London, 1898,
II, p. 469.  It's quoted in: Walter Laqueur, "A History of Terrorism,"
New Brunswick/London, Transaction Publishers, 2002.

http://query.nytimes.com/mem/archive-free/pdf?res=9907E7D8153DE633A25757C0A9659C\
94689ED7CF
or http://tinyurl.com/3wn2ct
http://www.amazon.com/History-Terrorism-Walter-Laqueur/dp/0765807998/ref=pd_bbs_\
sr_1?ie=UTF8&s=books&qid=1223482236&sr=8-1
or http://tinyurl.com/46s7ny


** *** ***** ******* *********** *************

       NSA's Warrantless Eavesdropping Targets Innocent Americans



Remember when the U.S. government said it was only spying on terrorists?
Anyone with any common sense knew it was lying -- power without
oversight is always abused -- but even I didn't think it was this bad:

"Faulk says he and others in his section of the NSA facility at Fort
Gordon routinely shared salacious or tantalizing phone calls that had
been intercepted, alerting office mates to certain time codes of 'cuts'
that were available on each operator's computer.

"'Hey, check this out,' Faulk says he would be told, 'there's good phone
sex or there's some pillow talk, pull up this call, it's really funny,
go check it out. It would be some colonel making pillow talk and we
would say, "Wow, this was crazy",' Faulk told ABC News."

Warrants are a security device.  They protect us against government
abuse of power.

http://www.nytimes.com/2008/10/10/washington/10nsa.html
http://abcnews.go.com/Blotter/story?id=5987804&page=1
http://www.upi.com/Top_News/2008/10/10/Spy_agency_accused_of_improper_listening/\
UPI-99751223644874/
http://www.reuters.com/article/domesticNews/idUSTRE4990CD20081010


** *** ***** ******* *********** *************

       Schneier/BT News


Schneier is speaking at the 30th International Conference of Data
Protection and Privacy Commissioners on 15 October in Strasbourg, France.
http://www.privacyconference2008.org/

Schneier is speaking at the European Security and Information System
Congress on 17 October in Monaco.
http://cms.event-catalyst.com/assises/home.aspx

Schneier is speaking at RSA Europe on 28 October in London.
http://www.rsaconference.com/2008/Europe/Home.aspx

Schneier is speaking at the 22nd Large Installation System
Administration Conference on 13 November in San Diego, CA.
http://usenix.org/events/lisa08/

Schneier was interviewed by Telecom Asia:
http://www.telecomasia.net/article.php?id_article=10230

Schneier was interviewed by the Irish Times:
http://www.irishtimes.com/newspaper/finance/2008/1003/1222959300589.html
or http://tinyurl.com/4ccjmw

Schneier was interviewed by Dr. Dobb's Journal:
http://www.ddj.com/security/210605067

My essay on chemical plants and security for the Guardian.  Nothing I
haven't said before.
http://www.schneier.com/essay-243.html


** *** ***** ******* *********** *************

       Taleb on the Limitations of Risk Management



Nice paragraph on the limitations of risk management in this
occasionally interesting interview with Nicholas Taleb:

"Because then you get a Maginot Line problem. [After World War I, the
French erected concrete fortifications to prevent Germany from invading
again -- a response to the previous war, which proved ineffective for
the next one.] You know, they make sure they solve that particular
problem, the Germans will not invade from here. The thing you have to be
aware of most obviously is scenario planning, because typically if you
talk about scenarios, you'll overestimate the probability of these
scenarios. If you examine them at the expense of those you don't
examine, sometimes it has left a lot of people worse off, so scenario
planning can be bad. I'll just take my track record. Those who did
scenario planning have not fared better than those who did not do
scenario planning. A lot of people have done some kind of "make-sense"
type measures, and that has made them more vulnerable because they give
the illusion of having done your job. This is the problem with risk
management. I always come back to a classical question. Don't give a
fool the illusion of risk management. Don't ask someone to guess the
number of dentists in Manhattan after asking him the last four digits of
his Social Security number. The numbers will always be correlated. I
actually did some work on risk management, to show how stupid we are
when it comes to risk."

http://www.portfolio.com/views/columns/the-world-according-to/2008/08/14/Intervi\
ew-With-Nassim-Nicholas-Taleb
or http://tinyurl.com/5eazpu


** *** ***** ******* *********** *************

       "New Attack" Against Encrypted Images



In a blatant attempt to get some PR, a researcher at PMC Ciphers has
figured out that encrypting data with ECB mode results in ciphertext
patterns.

Yeah, we already knew that.

And -1 point for a security company requiring the use of JavaScript, and
not failing gracefully for a browser that doesn't have it enabled.  And
-- ahem -- what is it with that photograph in the paper?  Couldn't the
researchers have found something a little less adolescent?

For the record, I doghoused PMC Ciphers back in 2003:  "PMC Ciphers. The
theory description is so filled with pseudo-cryptography that it's funny
to read. Hypotheses are presented as conclusions. Current research is
misstated or ignored. The first link is a technical paper with four
references, three of them written before 1975. Who needs thirty years of
cryptographic research when you have polymorphic cipher theory?"

I didn't realize it at the time, but PMC Ciphers responded to my
doghousing them.  Funny stuff.

http://www.techworld.com/security/news/index.cfm?newsid=105263
http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/whitepapers/bac\
kup_attack.pdf
or http://tinyurl.com/3fe64r

Doghouse and response:
http://www.schneier.com/crypto-gram-0303.html#4
http://www.ciphers.de/eng/content/Backround-Info/Bruce-Schneiers-comments.html
or http://tinyurl.com/52ymfo

When I posted this on my blog, three new commenters using dialups at the
same German ISP showed up to defend the paper.  What are the odds?
http://www.schneier.com/blog/archives/2008/10/new_attack_agai.html


** *** ***** ******* *********** *************

       Nonviolent Activists Are Now Terrorists



This is an abomination:  "The Maryland State Police classified 53
nonviolent activists as terrorists and entered their names and personal
information into state and federal databases that track terrorism
suspects, the state police chief acknowledged yesterday."

Why did they do that?  "Both Hutchins and Sheridan said the activists'
names were entered into the state police database as terrorists partly
because the software offered limited options for classifying entries."

I know that once we had this "either you're with us or with the
terrorists" mentality, but don't you think that -- just maybe -- the
software should allow for a little bit more nuance?

http://www.washingtonpost.com/wp-dyn/content/article/2008/10/07/AR2008100703245_\
pf.html
or http://tinyurl.com/3znjv7


** *** ***** ******* *********** *************

       Does Risk Management Make Sense?



We engage in risk management all the time, but it only makes sense if we
do it right.

"Risk management" is just a fancy term for the cost-benefit tradeoff
associated with any security decision. It's what we do when we react to
fear, or try to make ourselves feel secure. It's the fight-or-flight
reflex that evolved in primitive fish and remains in all vertebrates.
It's instinctual, intuitive and fundamental to life, and one of the
brain's primary functions.

Some have hypothesized that humans have a "risk thermostat" that tries
to maintain some optimal risk level. It explains why we drive our
motorcycles faster when we wear a helmet, or are more likely to take up
smoking during wartime. It's our natural risk management in action.

The problem is our brains are intuitively suited to the sorts of risk
management decisions endemic to living in small family groups in the
East African highlands in 100,000 BC, and not to living in the New York
City of 2008. We make systematic risk management mistakes --
miscalculating the probability of rare events, reacting more to stories
than data, responding to the feeling of security rather than reality,
and making decisions based on irrelevant context. And that risk
thermostat of ours? It's not nearly as finely tuned as we might like it
to be.

Like a rabbit that responds to an oncoming car with its default predator
avoidance behavior -- dart left, dart right, dart left, and at the last
moment jump -- instead of just getting out of the way, our Stone Age
intuition doesn't serve us well in a modern technological society. So
when we in the security industry use the term "risk management," we
don't want you to do it by trusting your gut. We want you to do risk
management consciously and intelligently, to analyze the tradeoff and
make the best decision.

This means balancing the costs and benefits of any security decision --
buying and installing a new technology, implementing a new procedure or
forgoing a common precaution. It means allocating a security budget to
mitigate different risks by different amounts. It means buying insurance
to transfer some risks to others. It's what businesses do, all the time,
about everything. IT security has its own risk management decisions,
based on the threats and the technologies.

There's never just one risk, of course, and bad risk management
decisions often carry an underlying tradeoff. Terrorism policy in the
U.S. is based more on politics than actual security risk, but the
politicians who make these decisions are concerned about the risks of
not being re-elected.

Many corporate security decisions are made to mitigate the risk of
lawsuits rather than address the risk of any actual security breach. And
individuals make risk management decisions that consider not only the
risks to the corporation, but the risks to their departments' budgets,
and to their careers.

You can't completely remove emotion from risk management decisions, but
the best way to keep risk management focused on the data is to formalize
the methodology. That's what companies that manage risk for a living --
insurance companies, financial trading firms and arbitrageurs -- try to
do. They try to replace intuition with models, and hunches with
mathematics.

The problem in the security world is we often lack the data to do risk
management well. Technological risks are complicated and subtle. We
don't know how well our network security will keep the bad guys out, and
we don't know the cost to the company if we don't keep them out. And the
risks change all the time, making the calculations even harder. But this
doesn't mean we shouldn't try.

You can't avoid risk management; it's fundamental to business just as to
life. The question is whether you're going to try to use data or whether
you're going to just react based on emotions, hunches and anecdotes.

This essay appeared as the first half of a point-counterpoint with
Marcus Ranum in Information Security magazine.
http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1332745,\
00.html?


** *** ***** ******* *********** *************

       Comments from Readers



There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.

http://www.schneier.com/blog


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise.  You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>.  Back issues
are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable.  Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is the Chief Security Technology Officer of BT (BT acquired
Counterpane in 2006), and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC).  He is a frequent writer and lecturer
on security topics.  See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not
necessarily those of BT.

Copyright (c) 2008 by Bruce Schneier.
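
The "New Attack" item in the Crypto-Gram issue above rests on one fact: ECB mode encrypts every block independently, so equal plaintext blocks become equal ciphertext blocks and the structure of the data survives encryption. The following is an added example, not code from the newsletter, from PMC Ciphers or from the original post. It encrypts a constructed 256-byte "image" (eight rows of 0x00 pixels over eight rows of 0xff pixels, one 16-byte block per row) with AES in ECB and in CBC using Go's standard library and counts the distinct ciphertext blocks. The key and IV are fixed, constructed values chosen only so the run is reproducible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed key and IV, fixed so the demonstration is reproducible.
// Real code derives keys from a KDF or a key store and draws a fresh
// random IV for every CBC message; never hard-code either.
var demoKey = []byte("0123456789abcdef") // 16 bytes: AES-128
var demoIV = []byte("fedcba9876543210")  // 16 bytes: one AES block

// demoImage builds a constructed 16x16 "image" (one byte per pixel):
// rows 0-7 are solid 0x00, rows 8-15 are solid 0xff. Each row is one
// 16-byte block, so the plaintext contains only two distinct blocks.
func demoImage() []byte {
	img := make([]byte, 0, 16*aes.BlockSize)
	for row := 0; row < 16; row++ {
		v := byte(0x00)
		if row >= 8 {
			v = 0xff
		}
		img = append(img, bytes.Repeat([]byte{v}, aes.BlockSize)...)
	}
	return img
}

// encryptECB applies the raw block cipher to each block independently.
// Go's standard library deliberately offers no ECB mode; it is spelled
// out here only to show what the PMC Ciphers paper rediscovered:
// equal plaintext blocks give equal ciphertext blocks.
func encryptECB(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// encryptCBC chains blocks: each plaintext block is XORed with the
// previous ciphertext block (the IV for the first) before encryption,
// so repeated plaintext blocks no longer produce repeated ciphertext.
func encryptCBC(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(pt)%aes.BlockSize != 0 {
		return nil, errors.New("IV must be one block and plaintext block-aligned")
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// distinctBlocks counts the distinct 16-byte blocks in buf. For an ECB
// ciphertext this number equals the count for the plaintext, which is
// exactly the structural leak that makes "encrypted" images recognisable.
func distinctBlocks(buf []byte) int {
	seen := make(map[[aes.BlockSize]byte]struct{})
	for i := 0; i+aes.BlockSize <= len(buf); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], buf[i:i+aes.BlockSize])
		seen[b] = struct{}{}
	}
	return len(seen)
}

func main() {
	img := demoImage()
	ecb, err := encryptECB(demoKey, img)
	if err != nil {
		panic(err)
	}
	cbc, err := encryptCBC(demoKey, demoIV, img)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext: %d blocks, %d distinct\n", len(img)/aes.BlockSize, distinctBlocks(img))
	fmt.Printf("AES-ECB:   %d distinct blocks (plaintext structure preserved)\n", distinctBlocks(ecb))
	fmt.Printf("AES-CBC:   %d distinct blocks\n", distinctBlocks(cbc))
}
```

Run with `go run`: the ECB ciphertext has the same two distinct blocks as the plaintext, so the top/bottom split of the image is visible in the ciphertext without knowing the key, while the CBC ciphertext has sixteen distinct blocks. The lesson for a reviewer is a configuration check, not a cryptanalytic one: any code path that calls a raw block cipher block by block is ECB whatever it is called, and a modern design should use an authenticated mode such as AES-GCM with a fresh nonce per message.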

#190 From: Sarad AV <jtrjtrjtr2001@...>
Date: Thu Oct 9, 2008 1:50 pm
Subject: Fw: NATIONAL SEMINAR ON INFORMATION THEORY,CUSAT, 9-10, DEC 2008
FIRST ANNOUNCEMENT:
NATIONAL SEMINAR ON INFORMATION THEORY
December 9-10, 2008
Department of Mathematics, CUSAT
Co Organisers: Centre for Bio Informatics, University of Kerala;
Department of Computer Applications, CUSAT.
This seminar is organised to celebrate the 60th year of birth of
Information Theory, due to Claude E. Shannon's fundamental contributions.
Speakers :
Prof. K. R. Parthasarathy, ISI, Delhi
Prof. C. E. Venimadhavan, CSA, IISc., Bangalore
Dr. Achuth Sankar S. Nair, Centre for Bio Informatics, University of Kerala,
Trivandrum
Registration:
All interested in participating should register by 25th November 2008 at
the latest. The number of participants will be limited. Reg. Fee: Rs 300/-
(without accommodation).
Applications for registration shall consist of details such as name,
affiliation, academic experience, contact address (with e-mail id), etc.
Basic knowledge of information theory/ coding theory/ cryptography is desirable.
ORGANISING COMMITTEE:
A.Krishnamoorthy, Head, Dept. of Mathematics , CUSAT --- CHAIRMAN
M.Jathavedan.
R.S.Chakravarty
M N N Namboothiri
B.Lakshmy
G.Santhoshkumar, Computer Science , CUSAT.
B.Kannan, Computer Applications , CUSAT.
K.V.Pramod, Computer Applications , CUSAT.
Pravas.K
Viji .M.
Pramod P.K
Tonny.K.B
Manikandan.R.
Convenor: A.Vijayakumar , Department of Mathematics, CUSAT
( 0484-2862464, 09447608851, email : nsitmathcusat@...)


--- On Thu, 10/9/08, A.Vijayakumar <vijay@...> wrote:

> From: A.Vijayakumar <vijay@...>
> Subject: NATIONALSEMINAR ON INFORMATION THEORY, 9-10, DEC 2008
> To: faculty@...
> Cc: argopal@..., abhilash@...
> Date: Thursday, October 9, 2008, 12:03 PM
> Pl see the attachment and forward to your contacts as
> well. Thanks.
> vijayakumar
>
>
>
> "DREAM IS NOT WHAT YOU SEE IN SLEEP,IS THE THING WHICH
> DOES NOT LET YOU
> SLEEP"
> DR.A.P.J ABDUL KALAM
>
> Dr.Ambat Vijayakumar
> Reader
> Department of Mathematics
> Cochin University of Science &Technology
> Cochin-682 022
> INDIA
> Tel:0484-2577518(Work),0484-2862464
> (work)-0484-2575288(Home): cell:
> 09447608851
> Email:ambatvijay@... ;vambat@...
> HOME PAGE :
> http://maths.cusat.ac.in/vijay/

#189 From: Sarad AV <jtrjtrjtr2001@...>
Date: Thu Oct 9, 2008 3:08 am
Subject: Fw: EDRI-gram newsletter - Number 6.19, 8 October 2008
============================================================

            EDRI-gram

biweekly newsletter about digital civil rights in Europe

     Number 6.19, 8 October 2008


============================================================
Contents
============================================================

1. The European Parliament voted the Telecoms Package
2. Sarkozy snubbed by Barroso in the three strikes approach
3. The European Union wants to introduce virtual body screening in airports
4. First meeting of the Fundamental Rights Platform
5. Social Networks - on the European Commission's Agenda
6. Third Phorm trials started, but privacy concerns remained
7. RapidShare needs to check every file for copyright infringement
8. Serbia: Conference on Regulation of online Freedom of Expression
9. An update on the Italian PirateBay case
10. Recommended Action
11. Recommended Reading
12. Agenda
13. About

============================================================
1. The European Parliament voted the Telecoms Package
============================================================

The Package of rules governing the Internet and telecoms sectors proposed by
the European Commission in view of supporting competition and providing
clearer information and a wider range of services to consumers was approved
by the European Parliament on 24 September 2008, in the first reading. The
measures that would have allowed a control on Internet users were rejected.

The package including four legislative proposals was proposed on 13 November
2007 and had in view the establishment of a new EU telecoms authority, the
introduction of functional separation in order to boost competition, a
review of radio-spectrum management and a range of consumer protection
measures.

Following strong pressure from consumers, privacy groups and the telecoms
industry, the MEPs rejected the idea that ISPs should filter all downloads
and punish the infringers of anti-piracy rules, being thus transformed into
a sort of online police.

The key amendments in this respect were Amendment 166 to the Harbour
report and Amendment 138 to the Trautmann report, both adopted by the EP.
"They state that users' access may not be restricted in any
way that infringes their fundamental rights, and (166) that any
sanctions should be proportionate and (138) require a court order.
They both reinforce the principle established on April 9th in the Bono
report, that the Parliament is against cutting off people's Internet
access as a sanction for copyright infringement. Cutting off Internet
access was not explicitly in the Telecoms Package, but it did open the door
to 3-strikes. These amendments close that door," as Monica Horten correctly
points out.

The EP decided that personal data processing should not require the user's
prior consent. Also, there was no clear decision on the issue of whether IP
addresses should be considered as personal data.

However, the EP approved the application of a prior consent clause to
software such as cookies, which are installed in the users' computers and
which provide information on their behaviour to the companies having created
them, such as search engines. Another amendment requires the telecom
companies to inform the national telecom regulators if they suffered serious
data security breaches, that might affect their users' privacy.

The Parliament's vote was welcomed by most interested parties being
considered as a good step in the direction of privacy, the protection of
personal data, and principles of proportionality and separation of powers.

The European consumers' organisation, BEUC, stated: "Today MEPs voted to
reinforce consumer rights and competition in telecoms markets across Europe.
We hope the Council will follow the same line towards improving and
facilitating consumers' daily lives. Many consumers still suffer from
problems with their telecom providers: from complicated information to very
long-term contracts, not to mention difficulties in switching. Concretely,
thanks to today's move, consumers could benefit from more transparent
information about tariffs and conditions of contracts."

La Quadrature du Net, the group of citizens acting for individual rights and
freedoms and supported by French as well as international NGOs, wanted to
thank "all MEPs who have worked in this direction, and all citizens who
mobilized en masse to alert their delegates on these issues. We'd like to
thank particularly the MEPs who have been able to reconsider their positions
as they became aware of the risks to the rights and freedoms of their
fellow-citizens." However, the body still warns on some issues of concern
particularly that of the danger that the adopted Amendment 138 may be
withdrawn. Amendment 138 states that no restriction on the rights and
freedoms of end users can be taken without prior decision of the judicial
authority, only in cases when public safety is concerned.

There is strong support for the adoption of the telecoms package by the end
of the mandate of the present Parliament, at the middle of 2009. The next
step in this issue will be the next Telecoms Council which is planned for
the end of November.

Parliament backs major telecoms, Internet overhaul (25.09.2008)
http://www.euractiv.com/en/infosociety/parliament-backs-major-telecoms-internet-\
overhaul/article-175719?Ref=RSS

MEPs back altered telecoms reform (25.09.2008)
http://www.out-law.com/page-9456

European Parliament votes against 3-strikes (24.09.2008)
http://www.iptegrity.com/index.php?option=com_content&task=view&id=173&Itemid=9

Telecoms Package : European democracy's victory already threatened
(26.09.2008)
http://www.laquadrature.net/en/telecoms-package-european-democracys-victory-alre\
ady-threatened

EDRIgram: The telecom package debated by the European Parliament
(10.09.2008)
http://www.edri.org/edrigram/number6.17/telecom-package-debated

============================================================
2. Sarkozy snubbed by Barroso in the three strikes approach
============================================================

Barroso, President of the European Commission has refused French President
Sarkozy's request to withdraw Amendment 138 included in the Telecoms Package
recently voted by the European Parliament.

Amendment 138, which basically reinstates the legal issue of the freedom to
communicate of Internet users, reaffirming that only threats to public
security can justify the restriction of the free circulation of information
on the Internet without a court decision, was voted with a large majority by
the MEPs, a fact which largely displeased the French EU presidency, which has
continuously pushed and pressed for the application of the three-strikes
approach introduced by its "Création et Internet" draft bill.

Sarkozy sent a letter to Barroso asking for the withdrawal of the amendment
which would force France to give up its draft law. If the Commission does
not reject the amendment, France would be in the position to obtain the
refusal of the entire Telecoms Package which would practically be
impossible. Therefore, Sarkozy is trying to obtain the withdrawal of the
amendment by the Council of Ministers during the meeting scheduled for 27
November, before the second reading of the European Parliament that will
take place during the first term of 2009. "Sarkozy tries to force his way
through in Council, and his close staff does not hide that they want to
subsequently outstrip the European Parliament by having the French bill
adopted in emergency procedure before the second reading on the Telecoms
Package" says La Quadrature du Net.

But Mr. Barroso, president of the EC sent a non-receipt denial by reminding
the French President that the amendment was voted with 573 pro votes against
74 and stating that the EC will "respect this democratic decision of the
European Parliament" adding that the "amendment is a significant reminder of
the legal principles that are inherent keys to the legal order of the
European Union, especially as regards the citizens' fundamental rights".

The position was strengthened by the European Commission spokesman for
information society issues, Martin Selmayr, who said: "The European
Commission respects this democratic decision of the European Parliament. In
our opinion this amendment is an important re-affirmation of the basic
principles of the rule of law in the EU, in particular the fundamental
rights of its citizens."

The European Commission has therefore accepted the amendment thus forcing
France to accept the report. The Commission has invited France to discuss
the issue at the Council of Ministers meeting where an agreement has to be
reached between the Council and the EP in order to pass the Telecoms
Package. As the Commission has no legislative power it can only act as
negotiator between the two bodies. If France goes on with its plans to
present its Création et Internet draft law on 18 November, it might be in
violation of a European provision in the process of being adopted.

"The French President seems to have too soon forgotten how the European
Union institutions work by pretending to ignore the co-decision principle"
stated MEP Guy Bono, co-author of the amendment.

On the other hand, the British Government which in July seemed ready to
pursue a gradual response approach for p2p users now denies any such
attempt. The British Prime Minister stated, in a response to a petition
asking him not to force ISPs to spy on their users for the purpose of
monitoring copyrighted content: "Unfortunately, much of the media reports
around this issue have been incorrect. There are no proposals to make ISPs
liable for the content that travels across their networks. Nor are there
proposals for ISPs to monitor customer activity for illegal downloading, or
to enforce a '3 strikes' policy."

Letter from Sarkozy to Barroso (only in French)
http://www.ecrans.fr/IMG/pdf/Lettre_Barroso.pdf

President Sarkozy requires the withdrawal of Amendment 138 (only in
French, 4.10.2008)
http://www.numerama.com/magazine/10783-President-de-l-UE-Sarkozy-exige-le-retrai\
t-de-l-amendement-138.html

Gradual response: Barroso said no to Nicolas Sarkozy (only in French,
6.10.2008)
http://www.numerama.com/magazine/10791-URGENT-Riposte-Graduee-Barroso-dit-non-a-\
Nicolas-Sarkozy.html

UK Prime Minister Denies Three Strikes Proposal... After Europe Tossed It
(5.10.2008)
http://www.zeropaid.com/news/9791/UK+Prime+Minister+Denies+Three+Strikes+Proposa\
l...+After+Europe+Tossed+It/

Graduated response: Europe must resist Sarkozy's authoritarianism
(6.10.2008)
http://www.laquadrature.net/en/graduated-reponse-europe-must-resist-sarkozys-aut\
horitarianism

Graduated Response : The Lesson (7.10.2008)
http://www.laquadrature.net/en/graduated-response-lesson

EDRIgram: French law on 'graduate response' opposed by ISOC Europe
(10.09.2008)
http://www.edri.org/edrigram/number6.17/3strikes-opposed-isoc-europe

============================================================
3. The European Union wants to introduce virtual body screening in airports
============================================================

A draft European Commission regulation has in view the introduction of
millimetre wave imaging scanners in airports to be used "individually or in
combination, as a primary or secondary means and under defined conditions".
The scanner will provide a "virtual strip search" of travellers within the
EU.

The regulation is meant to be introduced in all the EU countries by the end
of April 2010. The new technology creates an image of an unclothed body. The
system has already been tested on a voluntary basis at Heathrow's Terminal
Four.

The procedure involves beaming electromagnetic waves at passengers, the
result being a virtual three-dimensional "naked" image formed from
reflected energy. The black and white images obtained are alarmingly graphic,
raising privacy concerns.

The European Union follows the example of the United States where scanners
have been used in New York and Los Angeles airports because the technology
shows body contours thus revealing any possible hidden objects such as guns
or knives.

The draft regulation has raised a lot of concern from the privacy advocates.
"I don't think people are aware of what these scanners can do and how
demeaning it is to have your body on display. Heathrow was right to
discontinue their use and they should not be used in Britain except as an
alternative to strip searches" said Gareth Crossman, Director of Policy at
Liberty. In his turn, Tony Bunyan, the editor of Statewatch, believes the
technology would subject "people including women, old people and children to
such a shameful and undignified experience" adding: "It would appear that
this is yet another case of 'if it is technologically possible it should be
used' without any consideration of proportionality, privacy and civil
liberties."

Concerns over the safety of the new technology to be introduced have also
been expressed. Paolo Costa, Chairman of the European Parliament's Transport
Committee wrote a letter to the Commission in which he addressed several
questions related to the procedure such as whether the technology is safe
from the health point of view or the way in which the images will be stored
and destroyed.

UK Shadow Home Secretary Dominic Grieve wanted to emphasise the fact that,
even if the scanners may prove to be effective security instruments, the UK
government has to take into consideration first the UK security requirements
"rather than the dictates of Brussels" and that the implementation must be
done "in a proportionate manner". "Ministers need to explain publicly and
transparently what these proposals are and why they are suitable to the UK"
he added.

Another concern was expressed by Timothy Kirkhope, a Conservative Euro-MP
from the transport committee who is worried that the new security
regulations may be introduced without discussions or without consulting the
public. "It must not be the case that unelected Commission officials, or
security bureaucrats, can introduce these measures without elected MEPs or
MPs being able to do anything about it," he said.

Commission Regulation of supplementing the common basic standards on civil
aviation security laid down in the Annex to Regulation (EC) No 300/2008
http://www.statewatch.org/news/2008/sep/eu-com-aviation-security.pdf

ACLU Backgrounder on Body Scanners and "Virtual Strip Searches" (6.06.2008)
http://www.aclu.org/privacy/35540res20080606.html

Paolo Costa's letter to the European Commission (26.09.2008)
http://www.statewatch.org/news/2008/sep/eu-com-aviation-security-costa-letter.pd\
f

EU to introduce 'virtual strip searches' at airports by 2010 (1.10.2008)
http://www.telegraph.co.uk/news/worldnews/europe/3110533/EU-to-introduce-virtual\
-strip-searches-at-airports-by-2010.html

============================================================
4. First meeting of the Fundamental Rights Platform
============================================================

On 7-8 October 2008 the European Union Agency for Fundamental Rights (FRA)
held the first meeting of its Fundamental Rights Platform (FRP) in Vienna.

Representatives from about 100 NGOs and other Fundamental Rights
Organisations - EDRi amongst them - were invited to discuss and make
suggestions on potential strategic objectives of the Agency and for
priorities for the FRA Work Program 2009 and 2010.

The Fundamental Rights Platform is part of FRA's newly defined structure
and focus. With a Council Regulation of February 2007 the former
European Monitoring Centre on Racism and Xenophobia (EUMC) got an
increased thematic area of operation and was renamed to European Union
Agency for Fundamental Rights.

By a Council Decision of February 2008 a Multi-annual Framework for
the work of FRA in the years 2007-2012 was established, which served as
a basis for the discussions of the platform on the strategic direction
and thematic priorities of the Agency.

The discussions of the FRP were organised in four working groups. The
rapporteurs of these groups will create a common report, which will be
presented to the FRA management board on 23 October 2008.

Amongst the main strategic objectives that were discussed in the working
groups was that FRA should work on increasing the visibility of Fundamental
Rights issues, increase their recognition in the EU policy making process
and that it should maintain its monitoring function and its role as a
Fundamental Rights watchdog.

The thematic priorities of FRA's work in the coming years are predefined
by the Multi-annual framework adopted by the European Council. While
most participants agreed that creating a kind of shopping list of the most
important Fundamental Rights issues should be avoided, topics like
data protection and privacy, children's rights, rights of migrants and
access to justice were identified by participants as important to be
addressed by the Agency as well as by the members of the Fundamental
Rights Platform.

Next steps to be taken by the FRP will be to define its organisational
structures and mechanisms of representation. In November 2008 the FRA will
begin to draft its 2010 work program. A consultation process on this will
start at the beginning of 2009 and there will be a meeting of the FRP in
2009 as well, where the necessary decisions on the organisational and
representative structures can be taken.

European Union Agency for Fundamental Rights
http://fra.europa.eu/

Council Regulation establishing FRA
http://fra.europa.eu/fra/material/pub/FRA/reg_168-2007_en.pdf

FRA Multi-annual framework
http://fra.europa.eu/fra/index.php?fuseaction=content.dsp_cat_content&catid=471f0d2f0ed70

(contribution by Andreas Krisch - EDRi)

============================================================
5. Social Networks - on the European Commission's Agenda
============================================================

Viviane Reding, Commissioner for Information Society and Media, gave her
first public speech on social networks at the Safer Internet Forum on 26
September 2008, which confirms the interest of the EU bodies on this topic.

The commissioner emphasized the growth of the social networks in Europe:
"56% of the European online population visited social networking sites last
year and the number of regular users is forecast to rise from today's 41.7
million to 107.4 million in the next four years. In 2007 9.6 million British
belonged to the country's social networking community, with 8.9 million in
France and 8.6 million in Germany. In Europe users spend 3 hours per month
on average on social networking sites according to comscore.com."

While praising their success in promoting cultural diversity and enhanced
interactivity and, at the same time, in bringing new economic opportunities
for the European industry, Reding mentioned also the new issues raised by
the social networks on data privacy and protection of minors.

On the occasion of this event, the submissions to the public consultation
on Age Verification, Cross Media Rating and Social Networking initiated
earlier this year by the EC were made public.

Other EU bodies, such as ENISA have called for new legislation that would
regulate social networking sites. According to its recent report, ENISA
pointed out that social networking sites such as Facebook and MySpace need
more regulation to protect their users against security risks.

But the Commissioner took the stance of self-regulation in relation to
social networking and announced that the Commission wants to act as a
facilitator: "For this purpose the Commission has convened a Social
Networking Task Force, which held two meetings in 2008 with 17 operators of
social networking sites used by under-18s (e.g. MySpace, Facebook, YouTube,
Bebo, Hyves, StudiVZ, and Skyrock), a number of researchers and child
welfare organisations. The objective is to agree on voluntary guidelines for
use of social networking sites by children, to be adopted voluntarily by the
European industry."

The European Commissioner's speech and announced actions seem to forget
about the security and privacy issues raised by the use of social
networks, focusing on and involving only child welfare organisations.

The importance of the privacy aspects of online social networks is
emphasized by the European Data Protection Authorities gathered in the
plenary of the Article 29 Working Party, which has announced that it is
preparing an opinion on online social networks. The working party has sent
out a questionnaire on data protection and privacy related issues to Social
Network Services and a consolidated version of the opinion is being
prepared.

Social Networking Sites: Commissioner Reding stresses their economic and
societal importance for Europe (26.09.2008)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/08/587&format=HTML&aged=0&language=EN&guiLanguage=en

Consultation Age Verification, Cross Media Rating and Social Networking -
submissions
http://ec.europa.eu/information_society/activities/sip/public_consultation/index_en.htm

The Article 29 Working Party - 67th plenary session (2.10.2008)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_02_10_08_en.pdf

EDRi-gram: Social networking sites might be regulated in EU (4.06.2008)
http://www.edri.org/edrigram/number6.11/social-networking-eu

============================================================
6. Third Phorm trials started, but privacy concerns remained
============================================================

Following a complaint placed in July 2008 by campaigners against the British
companies BT and Phorm for their allegedly illegal secret ISP-level adware
trials, the London Police decided not to investigate the case arguing there
had been implied consent of their customers. BT started its third trial of
Phorm technology on 30 September, this time asking the consumers to opt-in.

Phorm is used to monitor a user's web browsing history, taking a copy of the
places the user goes to and search terms he (she) looks for. Then, adverts
related to that history are placed on websites that have signed up to use
Phorm, such as BT, Talk Talk and Virgin.

Phorm has been criticised for being considered to break laws on unwarranted
interception of data. Privacy advocates are also concerned by the
information that the technology gathers about a user's web browsing habits.

"The matter will not be investigated by the City of London Police as it has
been decided that no Criminal Offence has been committed. One of the main
reasons for this decision is the lack of Criminal Intent on behalf of BT and
Phorm Inc in relation to the tests. It is also believed that there would
have been a level of implied consent from BT's customers in relation to the
tests, as the aim was to enhance their products" wrote detective sergeant
Barry Murray in an email to Alex Hanff, the anti-Phorm campaigner who
compiled the dossier against the two companies.

In the police's opinion, the matter is considered a civil dispute and "there
is no suggestion that Criminal Intent exists." Nicholas Bohm, lead counsel
of the Foundation for Information Policy Research, considers the police's
explanation "pathetic" and argues that Phorm breaks several criminal laws,
especially if there is no consent. "City of London Police's response
expresses massive disinterest in what occurred. Saying that BT customers
gave implied consent is absurd. There was never any behaviour by BT
customers that could be interpreted as implied consent because they were
deliberately kept in the dark. As for the issue of whether there was
criminal intent, well, they intended to intercept communications. That was
the purpose of what they were doing. To say that there was no criminal
intent is to misunderstand the legal requirements for criminal intent" he
said.

In February, after the first two trials of the technology used to intercept
and profile subscribers' Internet usage, BT and Phorm were advised by the
Home Office that the technology was covered by the Regulation of
Investigatory Powers Act (RIPA), governing wiretapping. The system could be
legal if consent was obtained but it appears that no consent had been asked
during those trials.

The Information Commissioner's Office (ICO) asked in April 2008 that Phorm's
ad-targeting system should be "opt in" and stated it would monitor Phorm
trials and commercial rollout to ensure the observation of the data
protection laws. ICO said that after its discussions with Phorm, there
appeared to be no infringement of the laws regarding personal data.

Information Society Commissioner Viviane Reding had asked the UK Government
to give, by the end of August, an explanation of how Phorm's technology
conformed with EU data protection and privacy laws. The Department for
Business, Enterprise and Regulatory Reform (BERR) responded in
September, basically considering that Phorm's products are capable of being
operated with the users' knowledge and consent if the users are
"presented with an unavoidable statement about the product and asked to
exercise a choice about whether to be involved."

But, as Nicholas Bohm has shown, unless the ISPs have the explicit consent
of both the customers whose profile is used as well as the advertising
websites using it, they are likely to commit an offence under the Regulation
of Investigatory Powers Act (RIPA). "The inevitable conclusion is that an
ISP who operates the Phorm system will commit offences under RIPA s1 on a
large scale. Phorm is inciting the commission of those offences, which is
itself an offence at common law (and will be an offence under section 44 of
the Serious Crime Act 2007 when it is brought into force to replace the
common law offence)" said Bohm.

The question is whether UK authorities are aware that communications between
Internet users and website owners during web browsing are legally private
just like the communications between any two private people. They think
future Phorm deployments can be legal. On the other hand, they refused to
make public their answer to the European Commission about the first two
secret trials.

Without having a clear answer on these issues, BT started on 30 September a
new trial of the Phorm technology, this time by asking its users for consent
to participate in the trial. The company has even envisaged
incentives such as offering to donate to charities if its users opt to let
their Internet use be profiled for advertisers, an upgrade to a faster
broadband package at no extra cost, a reduction in the bill, free music or
anti-virus software download vouchers or others.

Digital rights campaigners have fought against Phorm for some time now and
have shown that there is no protection for UK citizens from corporations
wanting to illegally intercept private communications.

The European Commission lawyers are analysing the UK government's
explanation of why no action has been taken.

Phorm warned about web data rules (9.04.2008)
http://news.bbc.co.uk/2/hi/technology/7339263.stm

Police drop BT-Phorm probe (22.09.2008)
http://www.theregister.co.uk/2008/09/22/bt_phorm_police_drop/

Phorm mulls incentives for ad targeting wiretaps (26.09.2008)
http://www.theregister.co.uk/2008/09/26/phorm_webwise_incentives_survey/

4 good reasons not to take part in the BT Webwise trial (30.09.2008)
http://www.openrightsgroup.org/2008/09/30/4-good-reasons-not-to-take-part-in-the-bt-webwise-trial/

What BERR want from Phorm - and what we think they're missing (19.09.2008)
http://www.openrightsgroup.org/2008/09/19/what-berr-want-from-phorm-and-what-we-think-theyre-missing/

The Phorm "Webwise" System (18.05.2008)
http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf

EDRi-gram: UK: Phorm targeted advertising practices - under pressure
(28.03.2008)
http://www.edri.org/edrigram/number6.6/phorm-uk-ifpr

============================================================
7. RapidShare needs to check every file for copyright infringement
============================================================

A Hamburg court in Germany has ruled that the free file-hosting service
RapidShare.de is not doing enough to combat piracy, so it should check
content for copyright infringement before it is made available on the
Internet.

The decision was given in the legal conflict between RapidShare and GEMA, a
German copyright collective organisation, that has been going on for some
years. RapidShare already has a system in place to check against the
uploading of already deleted material. The system is based on an MD5 hash
filter, but it was not considered enough by the court because any file can
be changed by just a few bytes in order to bypass the filter.

Not even the fact that the company has six employees working full time to
remove infringing content was enough for the court that claimed that
RapidShare has to "proactively check content before publishing it" if there
had been similar infringements in the past. They also have the obligation
to log the IP addresses of alleged infringers.

The judge also ruled that Rapidshare cannot argue that it is impossible to
stay in business if it would have to check every single file: "A business
model that doesn't use common methods of prevention cannot claim the
protection of the law."

The decision will be impossible to implement in the case of password
protected archives that can't be checked for copyright infringement. Also,
the case could have limited effects on Internet free file-hosting, since
RapidShare has its main office in Switzerland and there are other
free-hosting services available in almost every corner of the world.

Hamburg decision on RapidShare.de (only in German, 2.07.2008)
http://webhosting-und-recht.de/urteile/Oberlandesgericht-Hamburg-20080702.html

Court: Rapidshare has to check all uploads for copyright infringement
(30.09.2008)
http://www.p2p-blog.com/item-859.html

Rapidshare Loses in Court - Must Proactively Remove Copyrighted Content
(1.10.2008)
http://www.zeropaid.com/news/9781/Rapidshare%20Loses%20in%20Court%20-%20Must%20Proactively%20Remove%20Copyrighted%20Content

EDRi-gram: RapidShare sues German rights holder association (9.05.2007)
http://www.edri.org/edrigram/number5.9/rapidshare-gema

============================================================
8. Serbia: Conference on Regulation of online Freedom of Expression
============================================================

On 8 and 9 September 2008, the Faculty of Political Sciences of the
University of Belgrade hosted the international conference on regulation of
freedom of expression on the Internet, organized by the Programme in
Comparative Media Law and Policy (PCMLP) of the University of Oxford.
EDRi-member Metamorphosis Foundation participated with a presentation of the
Macedonian experiences in this area.

The dean of the Faculty of Political Sciences Milan Podunavac reported that
as part of the efforts to overcome the negative legacy from the Serbian
past - as a postwar, post-dictatorial and post-communist society - the
faculty intends to introduce a subject for media law and new media law. The
Ambassador of the Council of Europe (CoE), Constantin Jerokostopulos,
indicated that the freedom of expression and communication must be
respected, with an exception of the contents defined as illegal by the law.

Jelena Surculija, Assistant Minister of Telecommunications and Information
Society and PCMLP representative for Serbia pointed out that regulatory
challenges include authenticity of the information and availability of
content published abroad in countries where such content is illegal. She
differentiated between blogging as form of expression dealing mainly with
personal information and perceptions, including publishing on
Facebook.com-like systems, and citizen journalism as a new form of
journalism which for the time being remains unacknowledged due to issues of
ethics and media registration.

Prof. David Goldberg from the University of Oxford started with the basic
assumption that "blogging is simply a form of expression, of writing, and as
such it is entitled to maximum protection." He pointed out that it is a
"misleading metaphor to speak about 'balance.' The default position is
promotion of freedom of expression with some very limited exceptions."
Speaking about the challenges, prof. Goldberg suggested the possible need to
define a new term for political blogs - plogs, and also noted that current
estimates on the number of blogs probably underestimate their quantity,
considering also the fact that "22 of the 100 most popular websites are
blogs."

Referring to a recent UK case when a convicted criminal posted a threat to
his arresting officer ("PC Lloyd, God help your newborn baby") and was
charged under Telecommunications Act, prof. Goldberg stated that there's "no
need for new laws, there's plenty of legislation lying around" which can be
used to tackle the blogging-related problems. On the other hand, the need
for anti-SLAPP legislation - preventing centers of power such as
corporations from using strategic lawsuits against the public - grows, to
ensure freedom of expression for the individual authors or content providers.

Council of Europe Expert Ad Van Loon also pointed out that human rights
protection, and especially freedom of expression, lies at the core of the
CoE regulatory framework for content on the internet. These rights remain
under threat in countries which do not meet their international obligations,
but can also be influenced by other factors, such as copyright.

Legal experts Slobodan Kremenjak, Attorney-at-Law, and Snezana
Smolovic-Green from the Association of the Independent Electronic Media
presented the legal framework for protection of personal data and privacy
protection in online and offline media. Serbian institutions responsible for
these areas include the Ombudsman and the Representative for information of
public importance. In this context, prof. Dirk Voorhoof from the University
of Gent, Belgium, pointed out that the related right to anonymity can be
jeopardized by various threats, both legal and technical.

Media law expert Inger Hoedt-Rasmussen provided insight into the Danish
experiences in the area of protection of rights of children on the
internet, based on the premise that bad things are just a small part of the
possibilities offered by the new technologies. The threats can be minimized
through awareness raising and increasing of knowledge much better than
through state mechanisms of control and censorship. She noted that kids as
digital natives have far more knowledge and skills about the new
technologies than their parents who attempt to help them. The dangers, such
as paedophile predators, did not appear because of the internet, they were
part of life in the past too. Caregivers had modes of preventing such
threats in the past, such as instructing choir boys when going on tour to
immediately report if some "uncle" follows them around claiming he's very
interested in music.

During the panel devoted to regulation and/or self-regulation on the
internet, Andrei Richter, the director of the Moscow Media Law and Policy
Institute pointed out the serious issues present in Russia and the
Commonwealth of Independent States. The most drastic example is the arrest
and murder of the owner of the website Ingushetia.ru. He referred to the
little known fact that Belarus is among the most productive post-Soviet
republics in terms of internet content production, second only to EU-member
Baltic States, while the states of Central Asia, which have very liberal
legislative framework, lag behind. Prof. Richter pointed out that repressive
legal frameworks often take the back seat to education levels and cultural
factors in preventing content creation, which in turn incites freedom of
expression. Due to its size, Russia has the largest content production in
absolute terms, and "it is clear that (the Government) cannot control the
internet any more." An influencing factor is whether the states treat the
internet as mass media or not, which implies varied status in legislative
terms. For instance in Georgia, where mass media have nominal protection, this
leads to increased freedom of expression on the internet. In Russia, sadly
"the whole system of self-regulation consists of a telephone call from the
security services." Participants in the discussion concurred that the
situation in Serbia used to be similar.

Metamorphosis Foundation representative Filip Stojanovski spoke about the
situation in Macedonia as an example of a Western Balkans country. In
general, there is no formal regulation of the internet. ISPs claim that they
do not filter the content published on their servers, and remove content
only by court order. In some cases the generally accepted value of freedom
of expression leads to tolerance to forms of hate speech. Lack of official
standards for the governmental websites combined with the silence of the
administration makes it harder for the citizens to get the information from
the state structures. Spam is a form of regulated content - forbidden by the
Law on Electronic Communications (2005) but to the best of the public
knowledge, the regulatory body in charge of enforcing this law (aek.mk)
has not implemented these provisions so far. Positive examples of
self-regulation include the house rules of blogging service Blogeraj, the
efforts to increase privacy protection by the Directorate for Personal Data
Protection and the NGO sector, chiefly the project Children's Rights on the
Internet - Safe and Protected.

Slobodan Markovic, president of the Center for Internet Development from
Belgrade addressed freedom of expression issues related to the internet
domain names. On a global level ICANN implements the Domain Name Dispute
Resolution Policies. Through an inclusive consensus building process, the
relevant stakeholders in Serbia established a new domain registrar. The
mechanism for resolution of disputes relies on court arbitration, which is
part of the original contract for purchase of domains. In a similar painless
fashion the process of migration from the old .yu to the new .rs top domain
is taking place. The owners of the old domains have an advantage in the
process of (re)registration, and the old addresses will remain valid for
about a year more.

Participants in the conference included representatives of the state
institutions, regulatory bodies, the nongovernmental and the business sector
of Serbia. Both the panels and the subsequent discussions served to pass on
the knowledge helpful to inciting reform processes toward the harmonization
of the legal and institutional frameworks with the European standards.

Conference Agenda (08.09.2008)
http://pcmlp.socleg.ox.ac.uk/html/Sept08agenda.pdf

Serbia: Conference on Regulation of Freedom of Expression on the Internet
(22.09.2008)
http://www.metamorphosis.org.mk/content/view/1241/lang,en/

(contribution by Filip Stojanovski - EDRi-member Metamorphosis Foundation -
Macedonia)

============================================================
9. An update on the Italian PirateBay case
============================================================

The Bergamo Criminal Court overrules the seizure, but establishes a case law
that is a violation of civil rights.

On 16 August 2008 ALCEI reported to the Italian Data Protection Authority
the violations of law contained in the pre-emptive seizure order issued by
the Justice for preliminary investigation of the Bergamo Tribunal. In that
report, ALCEI pointed out that:

- the wrong and manipulative extension of the provision that disciplines
a pre-emptive seizure to include the hijacking of online traffic;

- the enforcement of a court order outside Italian jurisdiction and,
what's even worse, not based on any actual criminal offense, but on
"statistical" hypotheses based on data that have no scientific reliability;

- the misconduct by the Bergamo Guardia di Finanza that, without any court
order, ordered internet access providers to redirect all requests of
connection from Italy to the thepiratebay.org website to another site,
placed in the UK and managed by an organization backed by music industry.

While we are waiting for the decision of the Data Protection Authority (that
we hope will come soon) the Bergamo Court has overruled the pre-emptive
seizure order with a decision that, instead of solving the problems arising
from the first decision, creates worse issues. The Bergamo Court, in fact,
has overruled the seizure, but only on the legal basis. As it has been
pointed out by ALCEI, that "seizure" cannot be interpreted as "traffic
hijacking".

But the court did not, as it should have done, evaluate first of all the
lack of Italian jurisdiction. By not doing so, the Bergamo tribunal has
created a dangerous case law that, by reciprocity, allows any foreign
magistrate to investigate and take to court an Italian citizen, with the
additional absurdity that even in the absence of any evidence that a crime
has been committed, a legal prosecution can be based on hypothetical
"statistic calculation".

Furthermore, by asserting the validity of the public prosecutor
investigation, the Court has de facto established the automatic liability
not only of internet providers, but also of search engines, and the
possibility of using, as an investigative tool, data and information with no
solid ground.

And also, by saying that even if pre-emptive seizure has been wrongly
enforced, it is "in theory compatible with" sect.14D.L.VO 70/03 (EU
E-commerce directive implementation, dealing with ISP liability), the Court
of Bergamo on the one hand allows "owners of ideas" to push for an
additional and barbaric copyright law amendment while, on the other hand, it
reaffirms an obvious error of interpretation of law by affirming the role of
ISPs as "sheriffs of the net".

ALCEI expresses serious concern about this court decision that fails to
offer clear references for citizens and enterprises, increases confusion and
the perception that, when copyright is involved, law is not "equal for all".

ALCEI - An update on the Piratebay case (8.10.2008)
http://www.alcei.org/?p=38

ALCEI Press release - The Piratebay case.  The Bergamo Criminal Court
overrules the seizure, but establishes a case law that is a violation of
civil rights. (only in Italian, 7.10.2008)
http://www.alcei.it/index.php/archives/132

ALCEI : Dangerous Ordinance on PirateBay (only in Italian, 8.10.2008)
http://punto-informatico.it/2430933/PI/News/alcei-pericolosa-ordinanza-sulla-baia.aspx

EDRi-gram: Italian justice wants to "seize" a foreign website (27.08.2008)
http://www.edri.org/edrigram/number6.16/italy-blocks-piratebay

(contribution by EDRi-member ALCEI - Italy)

============================================================
10. Recommended Action
============================================================

Consultation on the early challenges regarding the "Internet of Things"
http://ec.europa.eu/information_society/tl/activities/consultations/index_en.htm

Commission consults on how to put Europe into the lead of the transition to
Web 3.0 (29.09.2008)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/1422&format=HTML&aged=0&language=EN&guiLanguage=en

============================================================
11. Recommended Reading
============================================================

FOI in the EU: When is a "document" not a "document"? by Tony Bunyan

The European Commission has put forward a number of changes to the
Regulation on access to EU documents adopted in 2001. Controversially it
proposes to change the definition of a "document" which in turn affects
which would or would not be listed on its public register of documents. Does
this have anything to do with the fact that the European Ombudsman has just
ruled that the Commission must abide by the existing definition of a
"document" in the Regulation and that it must list all the documents it
holds on its public register?
http://www.statewatch.org/news/2008/sep/foi-in-the-eu-what-is-a-document.pdf

============================================================
12. Agenda
============================================================

10-11 October 2008, Paris, France
The Exchange and Storage of Data - Issues of Sovereignty, European and
International Technical Cooperation, and Fundamental Human Rights
http://www.libertysecurity.org/article2224.html

11 October 2008, Worldwide
Action day "Freedom not fear"
Protests, demonstrations and activities against the surveillance mania
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2008

13-15 October 2008, Strasbourg, France
First PrivacyOS "Open Space" Conference
EDRi is a partner of the PrivacyOS project - a thematic network for privacy
protection infrastructure within the current European Commission's ICT
Policy Support Programme.
http://www.privacyos.de/index.php?option=com_content&view=section&layout=blog&id=3&Itemid=37

15-17 October 2008, Strasbourg, France
30th International Data Protection and Privacy Conference
http://www.privacyconference2008.org/

18 October 2008, Berne, Switzerland
Big Brother Awards Switzerland 2008
http://www.BigBrotherAwards.ch/

20-21 October 2008, Strasbourg, France
European Dialogue on Internet Governance (EuroDIG)
http://www.eurodig.org/

20-21 October 2008, Amsterdam, Netherlands
Marking the public domain: relinquishment & certification
Third Communia Workshop
http://communia-project.eu/node/109

21 October 2008, Brussels, Belgium
Workshop "International Transfers of Personal Data"
Organized by the European Commission with the Article 29 Data Protection
Working Party and the United States Department of Commerce's International
Trade Administration.
http://ec.europa.eu/justice_home/news/events/news_events_en.htm#personal_data_workshop

22 October 2008, Brussels, Belgium
New Legal Requirements for the Electronic Communications Sector:
Security Breach Notification, Content Filtering and Data Retention
http://www.fitce.be/node/151

24 October 2008, Bielefeld, Germany
Big Brother Awards Germany 2008
http://www.BigBrotherAwards.de/

25 October 2008, Vienna, Austria
Big Brother Awards Austria 2008
http://www.BigBrotherAwards.at/

13-14 November 2008, Chisinau, Moldova
IFLA/EBLIDA/eIFL Conference on copyright and libraries
Copyright: Enabling Access or Creating Roadblocks for Libraries?
Registration by 1 November 2008
http://www.eblida.org/index.php?page=draft-programme-2

25-26 November 2008, Brussels, Belgium
World e-Parliament Conference 2008
http://www.ictparliament.org/worldeparliamentconference2008/

3-6 December 2008, Hyderabad, India
Third Internet Governance Forum
http://www.intgovforum.org

9-10 December 2008, Madrid, Spain
Future Internet Assembly
http://www.future-internet.eu/home/future-internet-assembly/madrid-dec-2008.html
http://www.fi-madrid.eu/

10-11 December 2008, Tilburg, Netherlands
Tilting perspectives on regulating technologies, Tilburg Institute for Law
and Technology, and Society, Tilburg University
http://www.tilburguniversity.nl/tilt/conference

27-30 December 2008, Berlin, Germany
25C3: Nothing to hide
The 25th Chaos Communication Congress
http://events.ccc.de/congress/2008/

18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/

============================================================
13. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 28 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/

Newsletter editor: Bogdan Manolea <edrigram@...>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@...
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request@...
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram@...> if you have any problems with subscribing or
unsubscribing

#188 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Oct 6, 2008 4:28 am
Subject: Fw: 'Unbreakable' quantum cryptography hacked without detection using lasers
http://arxiv.org/abs/0809.3408

Can Eve control PerkinElmer actively-quenched single-photon detector?

Authors: Vadim Makarov, Andrey Anisimov, Sebastien Sauge

(Submitted on 19 Sep 2008)

Abstract: We show how PerkinElmer SPCM-AQR detector module can
be controlled by an eavesdropper using bright optical pulses, by
exploiting an obscure flaw in the detector electrical circuit. First
experimental results are reported. This loophole may make possible an
attack against quantum cryptosystems that use these detectors.

Comments: 2 pages, 3 figures. Accepted for poster presentation
at the SECOQC international conference in Vienna, October 8-10, 2008

_________

Quantum Hacking


http://www.iet.ntnu.no/groups/optics/qcr/

#187 From: Sarad AV <jtrjtrjtr2001@...>
Date: Thu Sep 25, 2008 5:27 am
Subject: Fw: EDRI-gram newsletter - Number 6.18, 24 September 2008
============================================================

            EDRI-gram

biweekly newsletter about digital civil rights in Europe

     Number 6.18, 24 September 2008


============================================================
Contents
============================================================

1. Google reduces search data retention time to 9 months, but not enough
2. International workshop in Budapest challenges data retention
3. Spain: Indexing torrent files is not copyright infringement
4. The EU commissioners ask for a friendly environment in online retailing
5. French file EDVIGE revised after huge civil society mobilization
6. House of the German Pirate Party spokesman raided by Police
7. European Competition Commissioner: We investigate Google-Yahoo deal
8. ENDitorial: A stupid law and a perverse "criminal" sentence
9. Recommended Reading
10. Agenda
11. About


============================================================
1. Google reduces search data retention time to 9 months, but not enough
============================================================

Following the demands of EU privacy protection authorities, Google announced
on 9 September it would reduce the search data retention time from 18 to 9
months.

This is the second reduction Google applies in the past 2 years, having
already reduced the retention period from indefinite to 18 months in 2007.
However, the company still does not meet the Article 29 Working Party's
recommendations.

On 4 April 2008, the Article 29 Working Party published an opinion on search
engines, recommending a maximum retention period of 6 months and reaffirming
the applicability of the European data protection law. "Search engine
providers must delete or irreversibly anonymise personal data once they no
longer serve the specified and legitimate purpose they were collected for."

As a result, on 8 September 2008, Google answered by announcing that the IP
addresses associated with requests on the search engine will be anonymised
after 9 months and that a link to Google's privacy policy now appears on
its homepage.

The company did not provide any details regarding the way this anonymisation
will work which, taking into consideration previous statements, will just
consist of deleting the last 8 bits of a user's IP address. But if this does
not go together with the anonymisation of the cookie values, then the entire
process is useless, as Christopher Soghoian, a student fellow at Harvard
University's Berkman Center for Internet and Society explains: "Even though
the 9-month-old search logs have been 'anonymized', because the cookie
values remain, it is trivial to match the newer search results to the older
searches, and thus completely reverse the anonymization process."

Although the Article 29 Working Party has appreciated Google's willingness
to collaborate with data protection authorities, they consider there are
still strong disagreements. Alex Turk, chairman of the Article 29 Working
Party, said in a public press release on 16 September 2008 that despite the
progress made, Google still has a lot of work to do to guarantee the rights
of Internet users and the respect of their privacy.

Some of the issues that raise concern are that Google considers that the
European law on data protection is not applicable to itself and that IP
addresses are confidential data, but not personal data. The company has not
offered a clear justification for retaining personal data beyond the
recommended 6 months period and has not made any improvement to its
anonymisation mechanisms, which are still insufficient. Furthermore, it did
not show any intention to improve and clarify the methods used to gather the
consent of its users. The Article 29 Working Party established in 2007 that
the IP address is related to an "identifiable person", and should thus be
considered personal data. Therefore, Google should ask its users' prior
permission before storing the information.

Google argued there was a question of quality of service. "While we're glad
that this will bring some additional improvement in privacy, we're also
concerned about the potential loss of security, quality, and innovation that
may result from having less data. (...) As the period prior to anonymisation
gets shorter, privacy benefits are less significant and the utility lost
from the data grows" wrote Peter Fleisher, the company's global privacy
lawyer on the Google blog.

Another step to protect user privacy (9.08.2008)
http://googleblog.blogspot.com/2008/09/another-step-to-protect-user-privacy.html

Google cuts data retention after EU privacy warning (10.09.2008)
http://euobserver.com/22/26718

Google tries to please privacy watchdogs (10.09.2008)
http://www.euractiv.com/en/infosociety/google-tries-please-privacy-watchdogs/article-175214

Article 29 Working Party - Google: The Beginning of a Dialogue (16.09.2008)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_16_09_08_en.pdf

Debunking Google's log anonymization propaganda (11.09.2008)
http://news.cnet.com/8301-13739_3-10038963-46.html?tag=mncol;title

EDRi-gram: Google limits the search data retention period (28.03.2007)
http://www.edri.org/edrigram/number5.6/google-data-retention

============================================================
2. International workshop in Budapest challenges data retention
============================================================

70 international experts and e-activists met in Budapest on Friday 19
September to discuss EU-wide policies on data retention and to develop
strategies for defending and enhancing privacy. Hosted by the Center for
Media and Communication Studies (CMCS) at the Central European
University in Budapest, the workshop "Data retention on the Internet:
Challenges for small, alternative and citizen-based internet service
providers (ISPs)" brought together scholars, lawyers, policy experts,
digital rights advocates and a large number of grassroots/activist ISPs.
EDRI was represented through its board member Meryem Marzouki and Digital
Rights Ireland, Electronic Frontier Finland, Iuridicum Remedium, Netzwerk
Neue Medien and Greennet.

According to European Union (EU) Directive 2006/24/EC, all
telecommunication operators and ISPs in the EU have to retain the email
and telephone connection data of their customers and users for up to two
years. Data about every citizen's communication is stored without a
specific reason. According to workshop participant TJ McIntyre from
Digital Rights Ireland, this allows the creation of a "comprehensive
digital dossier about every individual."

Workshop participants exchanged information about the implementation of
the Directive in different EU member states and explored options of
challenging data retention on three different levels: legal complaints
and court cases, technological by-passes, and public campaigns. On the
legal side, the workshop brought together organizations that are
challenging data retention laws in five different countries and allowed
them to exchange experiences and increase future collaborations. In the
technical realm, different options of minimizing the risks of data
retention, or circumventing it altogether, were introduced. The workshop
also contributed to the preparation for an international day of action
against data retention - entitled "Freedom not Fear" - on 11
October. Many of the groups and organizations that were represented at
the workshop agreed to organize a protest action or a public event on
that day.

The workshop was the first to bring together members of non-commercial
ISPs from different countries with members of international campaigns
and NGOs to discuss together the new policy environment and this
sector's particular concerns. The EU directive forces these ISPs to
compromise on their most fundamental objective - protecting their users'
privacy from state and corporate data gathering. Grassroots ISPs
continued to meet on the weekend following the workshop and developed
strategies on how to maximise privacy protection despite data retention
obligations.

The workshop was organized by Arne Hintz (CMCS), Oliver Leistert
(University of Paderborn), and Maxigas (Zold Pok/Green Spider), in
collaboration with the Association for Progressive Communications (APC)
and EDRI. It was supported financially by the Dutch Internet provider
XS4ALL, the Open Society Institute (OSI), and APC.

Center for Media and Communication Studies
http://cmcs.ceu.hu

Association for Progressive Communications
http://www.apc.org

Zold Pok (Green Spider)
http://www.zpok.hu

EU directive paints alternative ISPs black (3.08.2008)
http://www.apc.org/en/news/security/europe/eu-directive-paints-alternative-isps-black

EDRi-gram - Telecom data retention
http://www.edri.org/issues/privacy/dataretention

(Contribution by Arne Hintz - Center for Media and Communication Studies)

============================================================
3. Spain: Indexing torrent files is not copyright infringement
============================================================

The case of Sharemula.com, the eDonkey website publishing links allowing
users to download movies, music and software has been recently dismissed by
the Provincial Court of Madrid which ruled that the website was operating
legally.

The case had been brought to court by the Federación Antipiratería
(Anti-piracy Federation) in 2006 when 15 people were arrested in Spain in
relation to the operation of the site. The Spanish Brigade of
Technological Investigations had claimed that the site was illegal and asked
for its closure.

A year ago, a Madrid court dismissed the case deciding that the site and its
administrators had not infringed any law as the site included no illegal
content. It had only links to P2P downloads which had no commercial purposes
either.

The entertainment industry, including Columbia, Disney Company Iberia,
Twentieth Century Fox, Warner, Universal, Paramount, Sony, MGM and others
were very displeased with the court's ruling and appealed the decision.

But the Provincial Court of Madrid rejected all allegations, concluding
that indexing torrent files cannot be viewed as copyright infringement. The
court found Sharemula not responsible for where the links went and
considered that whether the site made a profit or not was irrelevant. This
court's decision is final and cannot be appealed.

"The hearing confirms the position of the defense that linking to P2P
networks does not constitute a criminal offense," said David Bravo, a lawyer
in the case who emphasized the fact that the website only linked to files
that were hosted elsewhere, on computers of P2P users, and did not store any
copyrighted material itself.

This decision represents good news for P2P-site administrators and may be a
good basis for the upcoming cases against The Pirate Bay and Mininova in
Europe.

Auto final AP Madrid caso Sharemula (only in Spanish, 19.09.2008)
http://derecho-internet.org/proyectos/procedimientos-libres/browser/defensa-webs-enlaces/resoluciones/formato-pdf/2008-09-11_auto_ap-madrid-s-2.pdf

Linking to P2P Downloads Confirmed Legal in Spain (19.09.2008)
http://torrentfreak.com/linking-to-p2p-downloads-confirmed-legal-in-spain-080919/

Spanish Court Dismisses Piracy Case against Sharemula.com (24.10.2007)
http://www.whichwebsite.com/2007/Oct/spanish_court_dismisses_piracy_case_against_sharemula.html

EDRi-gram: Website with P2P download links found legal by Spanish court
(24.10.2007)
http://www.edri.org/edrigram/number5.20/p2p-website-legal-spain

============================================================
4. The EU commissioners ask for a friendly environment in online retailing
============================================================

A roundtable on online retailing with the interested private companies,
including online music providers, and consumers organisations took place at
the European Commission in Brussels on 17 September 2008 with competition
commissioner Neelie Kroes and internal market commissioner Charlie McCreevy.

Ms Kroes expressed her concern regarding the barriers in buying music
online: "Why is it possible to buy a CD from an online retailer and have it
shipped to anywhere in Europe, but it is not possible to buy the same music,
by the same artist, as an electronic download with similar ease? (...) Why
do pan-European services find it so difficult to get a pan-European license?
Why do new, innovative services find licensing to be such a hurdle?"

The commissioner believes there are many reasons for this situation,
including tax systems, consumer protection laws, guarantees and after-sales
service. One of the issues she wanted to discuss was related to the
competition rules for companies that enter into distribution agreements. She
expressed her intention to check out whether the provisions for Internet
sales were observed adding: "if I hear that these rules are not being
respected, then I will look into these allegations immediately. And if I
find any company to have breached the rules, I will ask the Commission to
act and punish the companies concerned."

She added that consideration had to be given on whether companies should
exclude Internet-only retailers from their distribution system. "I have
heard today from companies who think that that is the best way to protect a
brand image. I have also heard from companies that use internet only
retailers but impose strict conditions on them. And I have also heard from
consumers who believe that consumers should have the right to choose."

During the debate, the issue was considered as more complex as the rights
and the licensing agreements were more complicated. "The world is always
more complicated than we would like it to be. But that is no excuse for
inaction. Collecting societies and music labels have come a long way since
1851, the time of Bourget and his sugared water, but the world has changed
around them. Artists have changed, distribution has changed, and consumers
have changed. There is a perception, though, that the collecting societies
and the music labels have not" was Mrs. Kroes' comment. She considers the
collecting societies have a vital responsibility in looking after the
interests of artists. "That is only right because music is a vital part of
our society and our culture. It always has been and it always will be. But
where regional monopolies are not necessary - in the online world - then I
want to hear more about whether the current system really helps the artists
and whether it serves the consumer." She warned that the commission would
intervene if musicians, record labels and retailers were not able to
overcome their differences and produce a more consumer-friendly environment
for digital music distribution.

In his turn, McCreevy stated he had never thought "the internet was going
to be such a stumbling block. This magical creation - invented by people who
hadn't been born 50 years ago and developed by people, some of whom hadn't
been born 25 years ago - has no natural physical frontiers or boundaries
like traditional markets. But somehow it has been trapped and parcelled up
by a whole series of barriers."

In his opinion, it was worth considering "the idea that every single owner
of a copyright - from authors and composers to music publishers and record
labels - should license downloads individually through a collecting society
that has an exclusive mandate for each of the 27 national territories."

Along with Apple and EMI, the meeting was attended also by Alcatel-Lucent,
Ebay, Louis Vuitton, Fiat and UK consumer watchdog Which? as the problems
of online retailing are not limited to music.

A commission report on the subject will be drafted later this year with Mr
Jagger's and the others' participation and the EU executive will require
responses to that report from stakeholders by 15 October 2009. Later on,
the European Commission will present its legislative proposals on Internet
retailing.

Mick Jagger in Brussels for online retailing chat (18.09.2008)
http://euobserver.com/19/26771

Competition commissioner Neelie Kroes's closing remarks at Online Commerce
Roundtable (17.09.2008)
http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/08/437&format=HTML&aged=0&language=EN&guiLanguage=en

European Commissioner for Internal Market and Services Charlie McCREEVY's
closing remarks at Online Commerce Roundtable (17.09.2008)
http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/08/439&format=HTML&aged=0&language=EN&guiLanguage=en

============================================================
5. French file EDVIGE revised after huge civil society mobilization
============================================================

Following a very strong opposing movement, the decree allowing the creation
of EDVIGE file has been abandoned by the French Government, but it will be
replaced by a modified project called now EDVIRSP.

On 1 July 2008, the French Government had announced a project creating a
huge database, EDVIGE (Exploitation documentaire et valorisation de
l'information générale - Documentary exploitation and valorisation of
general information) which would have systematically gathered information on
any person having applied for or exercised a political, union or economical
mandate or playing a significant institutional, economical, social or
religious part as well as information on any person considered by the police
as a "suspect" potentially capable of disrupting the public order.

The decree was very rapidly and strongly opposed by a large number of
associations, organizations, political parties, unions and individuals.
Almost 200 000 signatures and 1200 associations have supported a petition
against the decree and 12 organizations, among which four main labour
unions, main Lesbian and Gay associations, the French Human Rights League,
and French EDRi-member IRIS, have filed a complaint before the French
highest administrative court to have this decree cancelled. As a result, the
French Government has given up the decree and the prime minister's office
announced on 18 September a new decree having in view a modified file called
EDVIRSP (Exploitation documentaire et valorisation de l'information relative
à la sécurité publique - Documentary exploitation and valorisation of
information related to public security).

Unlike EDVIGE, the new file will explicitly exclude information
related to people's health or sexual orientation, but will keep other
sensitive personal data such as ethnic origin, as well as political,
philosophical, religious opinions or union affiliation. In addition, it
will no longer allow police to collect data in the same file on people
belonging to political parties, unions or religious groups only because of
their activities. The criteria for data gathering will be related to
perceived security threats.

Although a first victory for the opponents of EDVIGE, the new decree is
still far from satisfactory. The new text still allows the police to
store data on minors starting at the age of 13 if they are considered a threat
to public safety. A "right to oblivion" was also introduced, meaning the data
gathered on minors is to be deleted when they come of age at 18, except in the
case when a new element occurs between 16 and 18, where the data is deleted
at 21.

The 12 organizations having filed the complaint against EDVIGE, together
with the large coalition of petition signatories, consider it is
unacceptable for the database to include minors, especially when they
haven't committed any offence, and ask for stronger guarantees that
citizens' rights and freedoms would be respected, starting from their right
to the presumption of innocence. They continue to call for the withdrawal of
the entire decree.

The new project has been sent to the French Data Protection Authority
(Commission nationale de l'informatique et des libertés) which should give
its opinion in a month.

Opponents to the database have called for a day of demonstrations on 16
October, on the occasion of Sainte Edwige's day of the Roman Catholic
calendar.

Files: from Edvige to EDVIRSP, a capital change (only in French, 21.09.2008)
http://www.rue89.com/philippe-madelin/2008/09/21/fichiers-dedvige-a-edvirsp-un-changement-capital

Edvige: "insufficient rebound" (SM) (only in French, 20.09.2008)
http://www.lefigaro.fr/flash-actu/2008/09/20/01011-20080920FILWWW00552-edvigereculs-insuffisants-sm.php

EDVIGE file becomes EDVIRSP (only in French, 20.09.2008)
http://tempsreel.nouvelobs.com/actualites/societe/20080920.OBS1990/le_fichier_edvige_devient_edvirsp.html

Edvige file: the opponents stay vigilant (only in French, 19.09.2008)
http://www.lemonde.fr/societe/article/2008/09/19/fichier-edvige-les-opposants-demeurent-vigilants_1097398_3224.html

RAS - Petition in order to obtain the abandoning of EDVIGE file (only in
French)
http://nonaedvige.ras.eu.org/

France drops plan for political database after row (18.09.2008)
http://www.reuters.com/article/technologyNews/idUSLI3864020080918

EDRi-gram: ENDitorial: Massive mobilization against EDVIGE, the new French
database (16.07.2008)
http://www.edri.org/edrigram/number6.14/edvige-french-database

============================================================
6. House of the German Pirate Party spokesman raided by Police
============================================================

The Bavarian Police searched the house of the German Pirate Party spokesman
on the 11 September 2008, searching for information on some leaked plans
regarding a Skype wire tap project, that were published by the Party.

The Pirate Party published some documents received from an anonymous
whistleblower that show the Bavarian government plans to develop a Trojan
horse able to eavesdrop on Skype conversations. Police wanted to find out
the source of that information and they searched the house of the spokesman
and took away a server, but this was fully encrypted, so there is little
chance of discovering the source.

The search seems to be related to the two documents leaked on January 2008
that were present on the Internet and then posted on Wikileaks website. The
first document is a communication by the Bavarian Ministry of Justice to the
prosecutors' office, relating to cost distribution for the interception
licenses between the police and the prosecution. The second document
allegedly presents the offer made by Digitask, the German company developing
the technology, holding information on pricing and the license model,
high-level technology descriptions and other details.

The recent action by the police has little chance of finding the
whistleblower, but confirms the authenticity of the documents. "A brave
person leaks documents to the Pirate Party, to inform the public about a
procedure of the Bavarian Government, which is highly likely to violate the
constitution. Now this person is hunted like a criminal. Private rooms are
raided, servers get seized." stated Andreas Popp, the Chairman of the
Bavarian Pirate Party.

German cyberplods raid Pirate Party on Skype Trojan mole hunt (18.09.2008)
http://www.theregister.co.uk/2008/09/18/german_police_raid_pirate_party/

Pirate Party Official Raided after Uncovering State Trojan (17.09.2008)
http://torrentfreak.com/pirate-party-official-raided-after-uncovering-state-trojan-080917/

Chairman of the Koln Pirate Party condemned house search (only in German,
18.09.2008)
http://pressemitteilung.ws/node/136096

Skype and SSL interception letters (24.01.2008)
http://wikileaks.org/wiki/Skype_and_SSL_Interception_letters_-_Bavaria_-_Digitask

============================================================
7. European Competition Commissioner: We investigate Google-Yahoo deal
============================================================

Google announced in June that it had struck a deal with Yahoo, so it would
sell ads on Yahoo's website in return for a share of the profits. The EU
anti-competition authorities confirm that they are investigating the deal
between the two majors in online advertising.

The major competitors claimed that this new deal gives a dominant position
for Google. This is why the agreement has also been investigated for some
months by the US Department of Justice that hired a well-known Washington
litigator to oversee the anti-trust proceedings.

Although the companies said that the deal would have effect only in Canada
and the United States, the World Association of Newspapers called for an
investigation by the EU authorities, claiming: "it would hurt Yahoo's
ability to compete against Google in the future."

Jonathan Todd, a spokesman for European Competition Commissioner Neelie
Kroes, confirmed the investigation: "In mid-July, we decided to open a
preliminary investigation on our own initiative into potential effects of
the Google-Yahoo agreement on competition in the European Economic Area
(EEA) market."

Google claimed that the deal would have no effect on the EEA market, since
"the agreement is limited in scope to Yahoo's U.S. and Canadian websites",
while Yahoo showed its cooperation with the EU authorities, stating that the
company "has been and will continue to work with the relevant regulatory
agencies to provide officials with the necessary information about this
business agreement, which we believe will strengthen competition in search
and make advertisements more relevant for our users."

As it was the case with the Google - Doubleclick deal, it seems that both
the US and EU authorities will not investigate the privacy issues of the new
Google-Yahoo agreement, even though serious concerns have already been
expressed.

EDRi-member Joris van Hoboken points out the Google blog entry related to
the Google-Yahoo deal that claims: "neither company has access to
personally identifiable user information from the other company", giving no
explanation on what the two companies understand by "personally identifiable
information". Since server logs are not considered by Google as personally
identifiable information, it could be possible that the present deal gives
Google access to Yahoo search data.

EU competition officials probing Google-Yahoo deal (15.09.2008)
http://www.reuters.com/article/internetNews/idUSBRU00674420080915?pageNumber=1&virtualBrandChannel=10003

European regulators investigate Google-Yahoo advertising deal (16.09.2008)
http://www.guardian.co.uk/business/2008/sep/16/google.yahoo

The Google-Yahoo Deal and the Privacy of End-Users (20.09.2008)
http://www.jorisvanhoboken.nl/?p=189

============================================================
8. ENDitorial: A stupid law and a perverse "criminal" sentence
============================================================

There is no censorship in Italy, but...

"Censorship" was abolished and outlawed in Italy sixty-two years
ago. Freedom of the press and of personal opinion is not only established by
the Constitution, but also deeply rooted in custom and in all perceptions of
civil society. There are, however, some worrying facts. The concentration in
a few hands of a large part of the information system. A general,
"centralized" myopia of the "dominant culture", that is partly deliberate
manipulation and partly unintentional ignorance. A sly, apparently
"benevolent", culture of superficiality and vagueness that tends to lull,
confuse and subdue.

A disturbing maverick, in this context, is the internet. Originally
feared, later ambiguously applauded, anyhow misunderstood, the net remains
annoying for those who are in the habit of having control and are irritated,
if not scared, by a tool that they can't dominate or "tame".

It would be long to repeat here what I have written several times,
since I published Cassandra in 1996 and continued with eighty articles in
Italian (thirteen also in English) in the "freedom and censorship" section
of my website. But a recent episode deserves some comment.

In this ambiguous context there are laws and "norms" that are poorly
conceived and applied even worse. One, in particular, is the law on
"clandestine press" (1948) to which was added, fifty-three years later (2001),
a clumsy definition of "authorization" for "journalistic publications"
online.

Before we get into this specific subject, let's look at two articles
of the Italian Constitution.

In Article 3 it is stated that "All citizens have equal social
status and are equal before the law." But this isn't quite so. There are
laws (in addition to "social status") that make some citizens "more equal
than others". And there are several formally organized categories that have
improper and unreasonable privileges. In addition to all sorts of
limitations (or bureaucratic hindrance) of free enterprise, in business,
society and culture, that everyone agrees should be removed, but de facto
remain - and sometimes get worse.

In Article 21 it is stated that "Everyone has the right to freely
express thoughts in speech, writing, and by all other communication." Also
that "The press may not be controlled by authorization or submitted to
censorship." But this isn't quite so. There are "authorization" rules (as
well as other hindrances and privileges) that get in the way of freedom of
information and communication (generally defined as "freedom of the press"
ever since the concept was established in 1848 by the "Statuto Albertino" -
that in 1861 became the Constitution of what was, at the time, the Kingdom
of Italy.)

Within this framework, let's get to the specific case that has,
quite rightly, caused a wave of protest and indignation - and to the two
awkward laws that have made it possible. The facts are reported (not always
accurately) in several online documents. (see the end of the article)

A "criminal sentence" issued by a Court in Modica (Sicily) on 8 May 2008
condemned historian Carlo Ruta, defining his website "clandestine press"
because it wasn't formally "authorized" as a newspaper or a magazine. (The
site was no longer active. It had been "seized" by the
police, by order of the Modica Court, in 2004).

One of the absurdities in this Court decision is that the website
was defined as "testata giornalistica" because it had a "heading". By that
criterion, any publicly available correspondence written on "letterhead"
could be criminally condemned as "clandestine press".

I leave it to historians of law and politics to try to understand
why, when fascism had been defeated and censorship had been abolished, in
1948 a law was passed that restricts press freedom and is in contrast to
Article 21 of the Constitution.

But let me "try to guess" why in April 2001 the Italian government
proposed, and parliament "distractedly" approved, a poorly conceived (and
never properly amended) law that extends press regulation to online
communication.

All governments and all political parties and parliamentary groups
have always declared that they don't intend to limit or control in any way
the freedom of the press and, generally, of opinion. On the sincerity and
coherence of such statements we can have some doubts, but let's assume that
the purpose of the messy 2001 law was not censorship. The idea was to extend
to online newspapers and magazines the ambiguous "benefits" (subsidies) that
exist for print - as well as the "responsibility" controls (a system that
has already caused several distortions and manipulations in its
"traditional" definition).

This means that an online "newspaper" or "magazine" must be
"registered" as such - and the editor must be a member of an officially
regulated association called Ordine dei Giornalisti, a privileged "caste"
that many agree should be abolished, but in spite of its absurdity continues
to exist. The consequence is that, if the unclear text of the law is
interpreted extensively, approximately five million Italian websites could
be declared "illegal".

That law has been in existence for five years and there has been no
"extermination" of Italian online activity. But the fact remains that, by
this or other means, "errors" are possible. Several other flaws in law or
regulation have been used to "blacklist" or "seize" online activities that
were disliked by authorities or powerful private lobbies.

What makes the "Modica affair" unique is that, so far, it's the only
case of the 1948 "clandestine press" law and its 2001 extension being
applied to a website. Obviously protest and indignation must not relate only
to this individual case, but above all to its general implications.

The editor-owner of that website is not in jail. The "penalty" is a
250 euro fine, plus legal expenses. But obviously the problem is that, for
totally unacceptable reasons, he has a "criminal" record and his site has
disappeared.

It's rather nearsighted to be complaining about this episode after
having paid little attention to the fact that there is a nonsensical, and
never properly amended, law. And there are other situations of Italian, or
even foreign, websites being "removed" or made inaccessible, for a variety
of unreasonable motives, with a too easy "voluntary" cooperation of internet
providers who are more concerned with the protection of their business than
with the rights and privacy of their customers.

Why was there such a violent aggression on that particular website?
It's improper to "guess" making unproven assumptions. But the fact is that
the "cancelled" content was about collusion of politics with mafia -
probably irksome for some powerful interests. But let's assume, for the sake
of this argument, that it was only a "mistake" in the interpretation of an
unclear law. The fact remains that such "errors" are possible - and
unacceptable in a civilized country.

There are many "tricks" that make it possible to limit, though not
totally destroy, freedom of opinion and information.

There is, by the way, a not irrelevant "technical detail". It is
possible, by several different means, to make available online whatever has
been "prohibited". "Seizing" or "cancelling" has little, if any, effect on
criminals or other "wrongdoers". This sort of persecution is very painful
for honest people who want to freely express "uncomfortable" opinions,
irrelevant for the mischievous, ranging from the extreme of terrorism and
organized crime to all sorts of frauds and spamming.

In the (unproven) hypothesis of an absurd legal procedure being
influenced by someone who wants to remove uncomfortable information or
opinion, the irony is that it backfires, because the resulting "noise"
spreads more widely than the original source. But that, of course, doesn't
justify the perversity of the Court's decision or the clumsiness of the law.

It's hard to tell how much all this is caused by the ignorance of
"powerful" people who don't understand what the net is and how it works - or
by an insidious desire to repress freedom of opinion and control sources of
information. But the fact is that, no matter how disguised, repressive
intentions exist even in the most free and open societies - and watchdogs
need to be consistent over time, with constant observation of how things
evolve, not just short-lived "indignation" over an occasional episode, soon
to be forgotten while abuses continue. And we should never forget that
censorship isn't only evil, it is also stupid.

Cassandra (1996)
http://gandalf.it/free/casseng.htm

Bad legislation - again (05.2001)
http://gandalf.it/offline/off37-en.htm

Italy - blog condemned for clandestine press (only in Italian,16.06.2008)
http://punto-informatico.it/2321322/PI/News/italia-blog-condannato-stampa-clandestina.aspx

"Clandestine press": an unacceptable decision (only in Italian, 9.09.2008)
http://www.mcreporter.info/stampa/c_ruta2.htm

Only a journalist can run a website in Italy? (21.05.2008)
http://blog.andreamonti.eu/?p=64

(Contribution by Giancarlo Livraghi - EDRi-member ALCEI Italy)

============================================================
9. Recommended Reading
============================================================

The Shape of Things to Come by Tony Bunyan

Seven years from 11 September 2001 and from the launch of the "war on
terrorism" this major new report The Shape of Things to Come (60 pages)
examines the proposals of the Future Group and their effect on civil
liberties. It shows how European governments and EU policy-makers are
pursuing unfettered powers to access and gather masses of personal data on
the everyday life of everyone - on the grounds that we can all be safe and
secure from perceived "threats".

The Statewatch report calls for a "meaningful and wide-ranging debate"
before it is "too late" for privacy and civil liberties.

Press release
http://www.statewatch.org/news/2008/sep/the-shape-of-things-to-come-prel.pdf
Eight page Conclusions
http://www.statewatch.org/news/2008/sep/the-shape-of-things-to-come-conclusions.pdf
Copy of full report (pdf)
http://www.statewatch.org/analyses/the-shape-of-things-to-come.pdf

============================================================
10. Agenda
============================================================

24-28 September 2008, Athens, Greece
World Summit on the Knowledge Society
http://www.open-knowledge-society.org/summit.htm

30 September 2008, Vienna, Austria
Book launch and award presentation, quintessenz writing contest:
"At the end of the line" - a science fiction anthology pertaining
to civil rights, surveillance and data protection
http://sf.quintessenz.at/

11 October 2008, Worldwide
Action day "Freedom not fear"
Protests, demonstrations and activities against the surveillance mania
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2008

13-15 October 2008, Strasbourg, France
First PrivacyOS "Open Space" Conference
EDRi is a partner of the PrivacyOS project - a thematic network for privacy
protection infrastructure within the current European Commission's ICT
Policy Support Programme.
http://www.privacyos.de/index.php?option=com_content&view=section&layout=blog&id=3&Itemid=37

15-17 October 2008, Strasbourg, France
30th International Data Protection and Privacy Conference
http://www.privacyconference2008.org/

18 October 2008, Berne, Switzerland
Big Brother Awards Switzerland 2008
http://www.BigBrotherAwards.ch/

20-21 October 2008, Strasbourg, France
European Dialogue on Internet Governance (EuroDIG)
http://www.eurodig.org/

20-21 October 2008, Amsterdam, Netherlands
Marking the public domain: relinquishment & certification
Third Communia Workshop
http://communia-project.eu/node/109

21 October 2008, Brussels, Belgium
Workshop "International Transfers of Personal Data"
Organized by the European Commission with the Article 29 Data Protection
Working Party and the United States Department of Commerce's International
Trade Administration.
http://ec.europa.eu/justice_home/news/events/news_events_en.htm#personal_data_workshop

24 October 2008, Bielefeld, Germany
Big Brother Awards Germany 2008
http://www.BigBrotherAwards.de/

25 October 2008, Vienna, Austria
Big Brother Awards Austria 2008
http://www.BigBrotherAwards.at/

3-6 December 2008, Hyderabad, India
Third Internet Governance Forum
http://www.intgovforum.org

9-10 December 2008, Madrid, Spain
Future Internet Assembly
http://www.future-internet.eu/home/future-internet-assembly/madrid-dec-2008.html
http://www.fi-madrid.eu/

10-11 December 2008: Tilburg, Netherlands
Tilting perspectives on regulating technologies, Tilburg Institute for Law
and Technology, and Society, Tilburg University
http://www.tilburguniversity.nl/tilt/conference

27-30 December 2008 Berlin, Germany
25C3: Nothing to hide
The 25th Chaos Communication Congress
http://events.ccc.de/congress/2008/

18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/

============================================================
11. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 28 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/

Newsletter editor: Bogdan Manolea <edrigram@...>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@...
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request@...
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram@...> if you have any problems with subscribing or
unsubscribing.


----- End forwarded message -----

#186 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Sep 22, 2008 12:07 pm
Subject: Fw: 45th and 46th Known Mersenne Primes Discovered!!
jtrjtrjtr2001

--- On Mon, 9/22/08, A.Vijayakumar <vijay@...> wrote:

45th and 46th Known Mersenne Primes Discovered
Computers at the UCLA Department of Mathematics recently discovered the
45th known Mersenne prime, 2^43,112,609 - 1, a prime with almost 13 million
digits, while the 46th known Mersenne prime, 2^37,156,667 - 1, which has
over 11 million digits, was discovered later by a computer in Cologne,
Germany (a Mersenne prime is one of the form 2^p - 1, where p is prime).
Both discoveries are part of the Great Internet Mersenne Prime Search
(GIMPS), a distributed computing project. The larger prime was the first
known prime of 10 million digits or more, which earned the UCLA Department
of Mathematics a prize of US$50,000 from the Electronic Frontier
Foundation. Edson Smith, of the UCLA Mathematics Computing Group who
installed and maintained the searching software at UCLA, has posted a FAQ
about the discovery. GIMPS founder George Woltman says that the project
will soon offer a prize of $150,000 for the discovery of the first
100-million digit prime. [Item posted 9/17/08]





"DREAM IS NOT WHAT YOU SEE IN SLEEP,IS THE THING WHICH DOES NOT LET YOU
SLEEP"
DR.A.P.J ABDUL KALAM

Dr.Ambat Vijayakumar
Reader
Department of Mathematics
Cochin University of Science & Technology
Cochin-682 022
INDIA
Tel:0484-2577518(Work),0484-2862464 (work)-0484-2575288(Home): cell:
09447608851
Email:ambatvijay@... ;vambat@...
HOME PAGE :
http://maths.cusat.ac.in/vijay/
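For readers who want to see how a candidate 2^p - 1 is actually tested, here is the Lucas-Lehmer test that Mersenne searches of the GIMPS kind are built on. This is an added illustration written for this archive, not code from the forwarded announcement or from the GIMPS project; the function names are mine, the exponent limit 1300 is chosen only to keep the run short, and the digit counts for the two announced primes are derived from p*log10(2), not copied from the announcement (which gives only "almost 13 million" and "over 11 million").

```python
import math


def is_prime_trial(n: int) -> bool:
    """Trial division; adequate for the exponent p, which is tiny next to M_p."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def mod_mersenne(x: int, p: int) -> int:
    """Reduce a non-negative x modulo M_p = 2^p - 1 without a division.

    Since 2^p == 1 (mod M_p), writing x = hi * 2^p + lo gives x == hi + lo,
    so folding the bits above position p down onto the low bits is a valid
    reduction step; each fold strictly shrinks x until it fits in p bits.
    """
    m = (1 << p) - 1
    while x >> p:                        # bits at position p or above remain
        x = (x & m) + (x >> p)
    return 0 if x == m else x            # after folding 0 <= x <= m, and m == 0


def lucas_lehmer(p: int) -> bool:
    """Return True iff M_p = 2^p - 1 is prime.

    For an odd prime p, M_p is prime iff s_{p-2} == 0, where s_0 = 4 and
    s_{k+1} = s_k^2 - 2 (mod M_p).  p = 2 is the one exponent the recurrence
    does not cover (M_2 = 3, prime), and a composite p always gives a
    composite M_p, so it is rejected without running the recurrence.
    """
    if p == 2:
        return True
    if not is_prime_trial(p):
        return False
    m = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        # adding (m - 2) instead of subtracting 2 keeps the argument
        # non-negative; it is the same residue modulo M_p
        s = mod_mersenne(s * s + (m - 2), p)
    return s == 0


def mersenne_prime_exponents(limit: int) -> list[int]:
    """Every p <= limit for which M_p is prime, in increasing order."""
    return [p for p in range(2, limit + 1) if lucas_lehmer(p)]


def mersenne_digits(p: int) -> int:
    """Decimal digits of M_p.  2^p is never a power of ten, so 2^p - 1 has
    exactly as many digits as 2^p, namely floor(p * log10(2)) + 1."""
    return int(p * math.log10(2)) + 1


if __name__ == "__main__":
    print("Mersenne prime exponents up to 1300:", mersenne_prime_exponents(1300))
    # exponents of the two primes named in the announcement above
    for p in (43112609, 37156667):
        print(f"M_{p} has {mersenne_digits(p):,} decimal digits")
```

The fold in mod_mersenne is the reason Mersenne numbers are the ones people search: reduction modulo 2^p - 1 needs no division, only a shift, a mask and an add, which is what makes the p - 2 squarings of the Lucas-Lehmer loop tractable even at 43-million-bit operand sizes (where real searches also replace schoolbook squaring with FFT multiplication).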

#185 From: Sarad AV <jtrjtrjtr2001@...>
Date: Sat Sep 20, 2008 7:13 am
Subject: Fw: Prof Abdi memorial Lecture-2008 Invitation
jtrjtrjtr2001

Moderator Note: The lecture is open to the public. (For public circulation)


The Students, Old Students and Staff
of
Department of Mathematics
Cochin University of Science & Technology
cordially invite you to

Professor Wazir Hasan Abdi Memorial Lecture - The Ninth in the Series
by
Prof. R. Balasubramanian

(Director, The Institute of Mathematical Sciences, Chennai)
at
9.30 a.m.

on
27th  September 2008


Title:  Some Problems in Cryptography

Schedule:  Lecture 1 – 10.15 a.m. to 11.30 a.m.
           Lecture 2 – 11.45 a.m. to 1 p.m.
Venue:  Mathematics Auditorium



NB: There will be a memorial meeting at 9.30a.m.






"DREAM IS NOT WHAT YOU SEE IN SLEEP,IS THE THING WHICH DOES NOT LET YOU
SLEEP"
DR.A.P.J ABDUL KALAM

Dr.Ambat Vijayakumar
Reader
Department of Mathematics
Cochin University of Science & Technology
Cochin-682 022
INDIA
Tel:0484-2577518(Work),0484-2862464 (work)-0484-2575288(Home): cell:
09447608851
Email:ambatvijay@... ;vambat@...
HOME PAGE :
http://maths.cusat.ac.in/vijay/

#184 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Sep 15, 2008 12:15 pm
Subject: Fw: CRYPTO-GRAM, September 15, 2008
jtrjtrjtr2001

CRYPTO-GRAM

                September 15, 2008

                by Bruce Schneier
        Chief Security Technology Officer, BT
               schneier@...
              http://www.schneier.com


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0809.html>.  These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>.  An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
       New Book: Schneier on Security
       Identity Farming
       BT, Phorm, and Me
       Security ROI
       Diebold Finally Admits its Voting Machines Drop Votes
       News
       Full Disclosure and the Boston Fare Card Hack
       Contest: Cory Doctorow's Cipher Wheel Rings
       Schneier/BT News
       Photo ID Checks at Airport
       Mental Illness and Murder
       Movie-Plot Threats
       Comments from Readers


** *** ***** ******* *********** *************

       New Book: Schneier on Security



I have a new book coming out: "Schneier on Security."  It's a collection
of my essays, all written from June 2002 to June 2008.  They're all on
my website, so regular readers won't have missed anything if they don't
buy this book.  But for those of you who want my essays in one
easy-to-read place, or are planning to be shipwrecked on a desert island
without Web access and would like to spend your time there pondering the
sorts of questions I discuss in my essays, or want to give copies of my
essays to friends and relatives as gifts, this book is for you.  There
are only 90 shopping days before Christmas.

The hardcover book retails for $30, but Amazon is already selling it for
$20.  If you want a signed copy, e-mail me.  I'll send you a signed copy
for $30, including U.S. shipping, or $40, including shipping overseas.
Yes, Amazon is cheaper -- and you can always find me at a conference and
ask me to sign the book.

Book:
http://www.schneier.com/book-sos.html

Essays:
http://www.schneier.com/essays.html

Order on Amazon.com:
http://www.amazon.com/exec/obidos/ASIN/0470395354/counterpane/


** *** ***** ******* *********** *************

       Identity Farming



Let me start off by saying that I'm making this whole thing up.

Imagine you're in charge of infiltrating sleeper agents into the United
States. The year is 1983, and the proliferation of identity databases is
making it increasingly difficult to create fake credentials. Ten years
ago, someone could have just shown up in the country and gotten a
driver's license, Social Security card and bank account -- possibly
using the identity of someone roughly the same age who died as a young
child -- but it's getting harder. And you know that trend will only
continue. So you decide to grow your own identities.

Call it "identity farming." You invent a handful of infants. You apply
for Social Security numbers for them. Eventually, you open bank accounts
for them, file tax returns for them, register them to vote, and apply
for credit cards in their name. And now, 25 years later, you have a
handful of identities ready and waiting for some real people to step
into them.

There are some complications, of course. Maybe you need people to sign
their name as parents -- or, at least, mothers. Maybe you need
doctors to fill out birth certificates. Maybe you need to fill out
paperwork certifying that you're home-schooling these children. You'll
certainly want to exercise their financial identity: depositing money
into their bank accounts and withdrawing it from ATMs, using their
credit cards and paying the bills, and so on. And you'll need to
establish some sort of addresses for them, even if it is just a mail drop.

You won't be able to get driver's licenses or photo IDs in their name.
That isn't critical, though; in the U.S., more than 20 million adult
citizens don't have photo IDs. But other than that, I can't think of any
reason why identity farming wouldn't work.

Here's the real question: Do you actually have to show up for any part
of your life?

Again, I made this all up. I have no evidence that anyone is actually
doing this. It's not something a criminal organization is likely to do;
twenty-five years is too distant a payoff horizon. The same logic holds
true for terrorist organizations; it's not worth it. It might have been
worth it to the KGB -- although perhaps harder to justify after the
Soviet Union broke up in 1991 -- and might be an attractive option for
existing intelligence adversaries like China.

Immortals could also use this trick to self-perpetuate themselves,
inventing their own children and gradually assuming their identity, then
killing their parents off. They could even show up for their own
driver's license photos, wearing a beard as the father and blue spiked
hair as the son. I'm told this is a common idea in Highlander fan fiction.

The point isn't to create another movie plot threat, but to point out
the central role that data has taken on in our lives. Previously, I've
said that we all have a data shadow that follows us around, and that
more and more institutions interact with our data shadows instead of
with us. We only intersect with our data shadows once in a while -- when
we apply for a driver's license or passport, for example -- and those
interactions are authenticated by older, less-secure interactions. The
rest of the world assumes that our photo IDs glue us to our data
shadows, ignoring the rather flimsy connection between us and our
plastic cards. (And, no, REAL-ID won't help.)

It seems to me that our data shadows are becoming increasingly distinct
from us, almost with a life of their own. What's important now is our
shadows; we're secondary. And as our society relies more and more on
these shadows, we might even become unnecessary.

Our data shadows can live a perfectly normal life without us.

Data shadow essay:
http://www.schneier.com/essay-219.html

Interesting commentary.
http://www.examiner.com/x-536-Civil-Liberties-Examiner~y2008m9d4-Im-not-myself-today-or-manufacturing-a-new-you
or http://tinyurl.com/5g883m

This essay previously appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/09/securitymatters_0904
or http://tinyurl.com/5kmh2s


** *** ***** ******* *********** *************

       BT, Phorm, and Me



Over the past year I have gotten many requests, both public and private,
to comment on the BT and Phorm incident.

I was not involved with BT and Phorm, then or now.  Everything I know
about Phorm and BT's relationship with Phorm came from the same news
articles you read.  I have not gotten involved as an employee of BT. But
anything I say is -- by definition -- said by a BT executive.  That's
not good.

So I'm sorry that I can't write about Phorm.  But -- honestly -- lots of
others have been giving their views on the issue.

http://www.schneier.com/blog/archives/2008/09/bt_phorm_and_me.html


** *** ***** ******* *********** *************

       Security ROI



Return on investment, or ROI, is a big deal in business. Any business
venture needs to demonstrate a positive return on investment, and a good
one at that, in order to be viable.

It's become a big deal in IT security, too. Many corporate customers are
demanding ROI models to demonstrate that a particular security
investment pays off. And in response, vendors are providing ROI models
that demonstrate how their particular security solution provides the
best return on investment.

It's a good idea in theory, but it's mostly bunk in practice.

Before I get into the details, there's one point I have to make. "ROI"
as used in a security context is inaccurate. Security is not an
investment that provides a return, like a new factory or a financial
instrument. It's an expense that, hopefully, pays for itself in cost
savings. Security is about loss prevention, not about earnings. The term
just doesn't make sense in this context.

But as anyone who has lived through a company's vicious end-of-year
budget-slashing exercises knows, when you're trying to make your
numbers, cutting costs is the same as increasing revenues. So while
security can't produce ROI, loss prevention most certainly affects a
company's bottom line.

And a company should implement only security countermeasures that affect
its bottom line positively. It shouldn't spend more on a security
problem than the problem is worth. Conversely, it shouldn't ignore
problems that are costing it money when there are cheaper mitigation
alternatives. A smart company needs to approach security as it would any
other business decision: costs versus benefits.

The classic methodology is called annualized loss expectancy (ALE), and
it's straightforward. Calculate the cost of a security incident in both
tangibles like time and money, and intangibles like reputation and
competitive advantage. Multiply that by the chance the incident will
occur in a year. That tells you how much you should spend to mitigate
the risk. So, for example, if your store has a 10 percent chance of
getting robbed and the cost of being robbed is $10,000, then you should
spend $1,000 a year on security. Spend more than that, and you're
wasting money. Spend less than that, and you're also wasting money.

Of course, that $1,000 has to reduce the chance of being robbed to zero
in order to be cost-effective. If a security measure cuts the chance of
robbery by 40 percent -- to 6 percent a year -- then you should spend no
more than $400 on it. If another security measure reduces it by 80
percent, it's worth $800. And if two security measures both reduce the
chance of being robbed by 50 percent and one costs $300 and the other
$700, the first one is worth it and the second isn't.

The key to making this work is good data; the term of art is "actuarial
tail." If you're doing an ALE analysis of a security camera at a
convenience store, you need to know the crime rate in the store's
neighborhood and maybe have some idea of how much cameras improve the
odds of convincing criminals to rob another store instead. You need to
know how much a robbery costs: in merchandise, in time and annoyance, in
lost sales due to spooked patrons, in employee morale. You need to know
how much not having the cameras costs in terms of employee morale; maybe
you're having trouble hiring salespeople to work the night shift. With
all that data, you can figure out if the cost of the camera is cheaper
than the loss of revenue if you close the store at night -- assuming
that the closed store won't get robbed as well. And then you can decide
whether to install one.

Cybersecurity is considerably harder, because there just isn't enough
good data. There aren't good crime rates for cyberspace, and we have a
lot less data about how individual security countermeasures -- or
specific configurations of countermeasures -- mitigate those risks. We
don't even have data on incident costs.

One problem is that the threat moves too quickly. The characteristics of
the things we're trying to prevent change so quickly that we can't
accumulate data fast enough. By the time we get some data, there's a new
threat model for which we don't have enough data. So we can't create ALE
models.

But there's another problem, and it's that the math quickly falls apart
when it comes to rare and expensive events. Imagine you calculate the
cost -- reputational costs, loss of customers, etc. -- of having your
company's name in the newspaper after an embarrassing cybersecurity
event to be $20 million. Also assume that the odds are 1 in 10,000 of
that happening in any one year. ALE says you should spend no more than
$2,000 mitigating that risk.

So far, so good. But maybe your CFO thinks an incident would cost only
$10 million. You can't argue, since we're just estimating. But he just
cut your security budget in half. A vendor trying to sell you a product
finds a Web analysis claiming that the odds of this happening are
actually 1 in 1,000. Accept this new number, and suddenly a product
costing 10 times as much is still a good investment.

It gets worse when you deal with even more rare and expensive events.
Imagine you're in charge of terrorism mitigation at a chlorine plant.
What's the cost to your company, in money and reputation, of a large and
very deadly explosion? $100 million? $1 billion? $10 billion? And the
odds: 1 in a hundred thousand, 1 in a million, 1 in 10 million?
Depending on how you answer those two questions -- and any answer is
really just a guess -- you can justify spending anywhere from $10 to
$100,000 annually to mitigate that risk.

Or take another example: airport security. Assume that all the new
airport security measures increase the waiting time at airports by --
and I'm making this up -- 30 minutes per passenger. There were 760
million passenger boardings in the United States in 2007. This means
that the extra waiting time at airports has cost us a collective 43,000
years of extra waiting time. Assume a 70-year life expectancy, and the
increased waiting time has "killed" 620 people per year -- 930 if you
calculate the numbers based on 16 hours of awake time per day. So the
question is: If we did away with increased airport security, would the
result be more people dead from terrorism or fewer?

This kind of thing is why most ROI models you get from security vendors
are nonsense. Of course their model demonstrates that their product or
service makes financial sense: They've jiggered the numbers so that they do.

This doesn't mean that ALE is useless, but it does mean you should 1)
mistrust any analyses that come from people with an agenda and 2) use
any results as a general guideline only. So when you get an ROI model
from your vendor, take its framework and plug in your own numbers. Don't
even show the vendor your improvements; it won't consider any changes
that make its product or service less cost-effective to be an
"improvement." And use those results as a general guide, along with risk
management and compliance analyses, when you're deciding what security
products and services to buy.

Articles:
http://communities.intel.com/openport/blogs/it/2008/08/25/are-security-roi-figures-meaningless
or http://tinyurl.com/4k8aqt
http://communities.intel.com/openport/blogs/it/2007/08/14/the-problem-of-measuring-information-security
or http://tinyurl.com/47e8yv
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677-BSI.html
or http://tinyurl.com/4gyo4g
http://taosecurity.blogspot.com/2007/07/are-questions-sound.html
http://www.bloginfosec.com/2007/07/13/bejtlich-and-business-will-it-blend/
or http://tinyurl.com/3hol5r
http://blog.vorant.com/2007/07/my-input-to-roi-spat.html
http://taosecurity.blogspot.com/2007/07/no-roi-no-problem.html
http://chuvakin.blogspot.com/2007/07/security-roi-pile-up.html
http://taosecurity.blogspot.com/2007/07/security-roi-revisited.html
http://www.pcis.com/web/vvblog.nsf/dx/how-to-calculate-return-on-investment-roi-for-web-security
or http://tinyurl.com/3elh37

An example to laugh at:
http://www.postini.com/services/roi_calculator.html

This essay previously appeared in CSO Magazine.
http://www.csoonline.com/article/446866/Security_ROI_Fact_or_Fiction_


** *** ***** ******* *********** *************

       Diebold Finally Admits its Voting Machines Drop Votes



Premier Election Solutions, formerly called Diebold Election Systems,
has finally admitted that a ten-year-old error has caused votes to be
dropped.

It's unclear if this error is random or systematic.  If it's random -- a
small percentage of all votes are dropped -- then it is highly unlikely
that this affected the outcome of any election.  If it's systematic -- a
small percentage of votes for a particular candidate are dropped -- then
it is much more problematic.

Ohio is trying to sue.

In other news, election officials sometimes take voting machines home
for the night.

http://www.networkworld.com/news/2008/082208-e-voting-vendor-programming-errors-caused.html
or http://tinyurl.com/69wzb2
http://www.theregister.co.uk/2008/08/26/decade_old_evoting_error/
http://www.engadget.com/2008/08/23/diebold-comes-clean-admits-that-its-e-voting-machines-are-fault/
or http://tinyurl.com/5fxkdp
http://voices.washingtonpost.com/the-trail/2008/08/21/ohio_voting_machines_contained.html
or http://tinyurl.com/57ckcu
http://www.mcclatchydc.com/election2008/story/48508.html

http://thelede.blogs.nytimes.com/2008/08/19/mom-can-my-voting-machine-spend-the-night/index.html
or http://tinyurl.com/6jtxze

My 2004 essay on election technology:
http://www.schneier.com/crypto-gram-0411.html#1


** *** ***** ******* *********** *************

       News



The provisional, 8,000-man Cyber Command has been ordered to stop all
activities, just weeks before it was supposed to be declared operational.
http://blog.wired.com/defense/2008/08/air-force-suspe.html

The continuing cheapening of the word "terrorism."  Illegally diverting
water is terrorism:
http://www.abc.net.au/news/stories/2008/08/15/2336850.htm
Anonymously threatening people with messages on playing cards, like the
Joker in The Dark Knight, is terrorism:
http://www.wsls.com/sls/news/local/new_river_valley/article/giles_county_teens_face_terrorism_related_charges/15587/
or http://tinyurl.com/6lsxgf
Walking on a bicycle path is terrorism:
http://www.timesonline.co.uk/tol/news/uk/article579334.ece
I've written about this sort of thing before:
http://www.schneier.com/blog/archives/2008/04/terroristic_thr.html
http://www.schneier.com/blog/archives/2008/07/random_stupidit.html

Cyberattack against Georgia preceded real attack:
http://www.nytimes.com/2008/08/13/technology/13cyber.html

Adi Shamir gave an invited talk at the Crypto 2008 conference about a
new type of cryptanalytic attack called "cube attacks."  He claims very
broad applicability to block ciphers, stream ciphers, hash functions,
etc.  In general, anything that can be described with a low-degree
polynomial equation is vulnerable: that's pretty much every LFSR scheme.
The attack doesn't apply to any block cipher -- DES, AES, Blowfish,
Twofish, anything else -- in common use; their degree is much too high.
(The paper was rejected from Asiacrypt, demonstrating yet again that
the conference review process is broken.)
http://www.schneier.com/blog/archives/2008/08/adi_shamirs_cub.html
http://www.theregister.co.uk/2008/08/26/shamir_cube_attack/
http://arstechnica.com/news.ars/post/20080825-stream-ciphers-cower-before-adi-shamirs-cube-attack.html
or http://tinyurl.com/65fmty
http://groups.google.com/group/sci.crypt/msg/7065f9a4289581f1
http://www.mail-archive.com/cryptography@metzdowd.com/msg09686.html
http://www.mail-archive.com/cryptography@metzdowd.com/msg09685.html
Paper is online:
http://eprint.iacr.org/2008/385

A security assessment of the Internet Protocol:
http://www.cpni.gov.uk/Docs/InternetProtocol.pdf

Nice article on personal surveillance from the London Review of Books.
http://www.lrb.co.uk/v30/n16/soar01_.html

Ah, the TSA.  They break planes:
http://www.aero-news.net/index.cfm?ContentBlockID=340a79d6-839a-470d-b662-944325cea23d
or http://tinyurl.com/6c93ss
Then they try to blame someone else:
http://abcnews.go.com/Blotter/story?id=5624381&page=1
They harass innocents, and it's easy to sneak by them:
http://edition.cnn.com/2008/US/08/19/tsa.watch.list/index.html
How to sneak lock picks past the TSA:
http://www.i-hacked.com/content/view/267/48

Here's some good TSA news:  "A federal appeals court ruled this week
that individuals who are blocked from commercial flights by the federal
no-fly list can challenge their detention in federal court."
http://arstechnica.com/news.ars/post/20080820-ruling-says-federal-courts-can-hear-no-fly-lawsuits.html
or http://tinyurl.com/5drxbu

MI5 on terrorist profiling: there is no profile.
http://www.guardian.co.uk/uk/2008/aug/20/uksecurity.terrorism1

Interesting paper -- "Challenges and Directions for Monitoring P2P File
Sharing Networks or Why My Printer Received a DMCA Takedown Notice":
http://dmca.cs.washington.edu/dmca_hotsec08.pdf
http://dmca.cs.washington.edu/

Red light cameras don't work: the solution to one problem causes another:
http://www.schneier.com/blog/archives/2008/08/red_light_camer.html

How to doctor photographs without Photoshop: it's all about the captions.
http://morris.blogs.nytimes.com/2008/08/11/photography-as-a-weapon/

Laptops aboard the International Space Station have been infected with
the W32.Gammima.AG worm.  And it's not the first time this sort of thing
has happened.
http://www.spaceref.com/news/viewnews.html?id=1305
http://blog.wired.com/27bstroke6/2008/08/virus-infects-s.html
http://news.bbc.co.uk/2/hi/technology/7583805.stm

An airplane was forced to land when one of the passengers had an extreme
allergic reaction to a jar of mushroom soup that was leaking in the cabin.
See, the TSA told you that liquids were dangerous.
http://www.examiner.ie/breaking/ireland/mhqlojkfidql/

Border Gateway Protocol (BGP) attacks are serious stuff.  It's a
man-in-the-middle attack.  "The Internet's Biggest Security Hole" (the
title of that first link) has been that interior relays have always been
trusted even though they are not trustworthy.
http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
http://blog.wired.com/27bstroke6/2008/08/how-to-intercep.html
http://www.doxpara.com/?p=1231

A British bank bans a man's password:
http://news.bbc.co.uk/2/hi/uk_news/england/hereford/worcs/7585098.stm

Voting machine comic.  You know your industry has problems when
mainstream comic strips make fun of you.
http://www.mycomicspage.com/features/68/feature_items/379490?msg_id=88619,379490
or http://tinyurl.com/4alujd

Software to facilitate retail tax fraud:
http://www.nytimes.com/2008/08/30/technology/30zapper.html

Here's how to suck data off cell phones.  Moral: don't give someone your
phone unless you trust him.
http://news.cnet.com/8301-1009_3-10028589-83.html
http://www.physorg.com/news139460365.html

Throughout history, many diaries have been written in code.
http://news.bbc.co.uk/today/hi/today/newsid_7586000/7586683.stm

Here's a new paper on the perception and reality of privacy policies:
"What Californians Understand About Privacy Online," by Chris Jay
Hoofnagle and Jennifer King.
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1262130

Using shredded checks as packaging material seems like a really dumb idea.
http://consumerist.com/5040975/whh-ranch-company-uses-shredded-checks-as-package-cushioning
or http://tinyurl.com/6fvauz

Bumblebees making security trade-offs:
http://news.bbc.co.uk/1/hi/sci/tech/7596808.stm

Identifying people using gait analysis, from overhead camera and even
from satellite:
http://www.schneier.com/blog/archives/2008/09/gait_analysis_f.html
http://technology.newscientist.com/channel/tech/mg19926725.800

The Rock Phish Gang is improving its fraud software:
http://www.theregister.co.uk/2008/09/05/rock_phish_and_asprox_team_up/
http://www.rsa.com/blog/blog_entry.aspx?id=1338

On 60 Minutes, in an interview with Scott Pelley, reporter Bob Woodward
claimed that the U.S. military has a new secret technique that's so
revolutionary, it's on par with the tank and the airplane.
http://www.schneier.com/blog/archives/2008/09/secret_military.html

A Mythbusters episode on RFID security was killed by lawyers under
pressure from the credit card industry.  Or maybe not; the person who
started this rumor has retracted his comments.  Or maybe those same
lawyers made him retract his comments.  Don't they know that security by
gag order never works, except temporarily?
http://www.tomshardware.com/news/Mythbuster-RFID-HOPE,6313.html
http://news.cnet.com/8301-13772_3-10030509-52.html
http://consumerist.com/5043831/mythbusters-gagged-credit-card-companies-kill-episode-exposing-rfid-security-flaws
or http://tinyurl.com/56awfq
http://www.youtube.com/watch?v=-St_ltH90Oc

Good essay on DNA matching and the birthday paradox:
http://freakonomics.blogs.nytimes.com/2008/08/19/are-the-fbis-probabilities-about-dna-matches-crazy/
or http://tinyurl.com/6fcgpc

Turning off fire hydrants in the name of terrorism:
http://www.schneier.com/blog/archives/2008/09/turning_off_fir.html

"The terrifying cost of feeling safer," from the Sydney Morning Herald:
http://business.smh.com.au/business/the-terrifying-cost-of-feeling-safer-20080826-435l.html
or http://tinyurl.com/4463gx

The Doghouse: Tornado Plus Encrypted USB Drive
http://blogs.techrepublic.com.com/security/?p=573&tag=nl.e019

NSA snooping on cell phone calls without a warrant.
http://news.cnet.com/8301-13739_3-10030134-46.html

The UK Ministry of Defense loses a memory stick with military secrets on
it.  It's not the first time this has happened.
http://news.bbc.co.uk/2/hi/uk_news/england/cornwall/7605923.stm
I've written about this general problem before: we're storing ever more
data in ever smaller devices.
http://www.schneier.com/essay-105.html
The solution? Encrypt them.
http://www.schneier.com/essay-199.html


** *** ***** ******* *********** *************

       Full Disclosure and the Boston Fare Card Hack



In eerily similar cases in the Netherlands and the United States, courts
have recently grappled with the computer-security norm of "full
disclosure," asking whether researchers should be permitted to disclose
details of a fare-card vulnerability that allows people to ride the
subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch
case, and a similar fare card used on the Boston "T" was the center of
the U.S. case. The Dutch court got it right, and the American court, in
Boston, got it wrong from the start -- despite facing an open-and-shut
case of First Amendment prior restraint.

The U.S. court has since seen the error of its ways -- but the damage is
done. The MIT security researchers who were prepared to discuss their
Boston findings at the DefCon security conference were prevented from
giving their talk.

The ethics of full disclosure are intimately familiar to those of us in
the computer-security field.  Before full disclosure became the norm,
researchers would quietly disclose vulnerabilities to the vendors -- who
would routinely ignore them. Sometimes vendors would even threaten
researchers with legal action if they disclosed the vulnerabilities.

Later on, researchers started disclosing the existence of a
vulnerability but not the details.  Vendors responded by denying the
security holes' existence, or calling them just theoretical.  It wasn't
until full disclosure became the norm that vendors began consistently
fixing vulnerabilities quickly.  Now that vendors routinely patch
vulnerabilities, researchers generally give them advance notice to allow
them to patch their systems before the vulnerability is published.  But
even with this "responsible disclosure" protocol, it's the threat of
disclosure that motivates them to patch their systems.  Full disclosure
is the mechanism by which computer security improves.

Outside of computer security, secrecy is much more the norm.  Some
security communities, like locksmiths, behave much like medieval guilds,
divulging the secrets of their profession only to those within it.
These communities hate open research, and have responded with
surprising vitriol to researchers who have found serious vulnerabilities
in bicycle locks, combination safes, master-key systems, and many other
security devices.

Researchers have received a similar reaction from other communities more
used to secrecy than openness.  Researchers -- sometimes young students
-- who discovered and published flaws in copyright-protection schemes,
voting-machine security and now wireless access cards have all suffered
recriminations and sometimes lawsuits for not keeping the
vulnerabilities secret.  When Christopher Soghoian created a website
allowing people to print fake airline boarding passes, he got several
unpleasant visits from the FBI.

This preference for secrecy comes from confusing a vulnerability with
information *about* that vulnerability.  Using secrecy as a security
measure is fundamentally fragile.  It assumes that the bad guys don't do
their own security research.  It assumes that no one else will find the
same vulnerability.  It assumes that information won't leak out even if
the research results are suppressed.  These assumptions are all incorrect.

The problem isn't the researchers; it's the products themselves.
Companies will only design security as good as what their customers know
to ask for.  Full disclosure helps customers evaluate the security of
the products they buy, and educates them in how to ask for better
security.  The Dutch court got it exactly right when it wrote: "Damage
to NXP is not the result of the publication of the article but of the
production and sale of a chip that appears to have shortcomings."

In a world of forced secrecy, vendors make inflated claims about their
products, vulnerabilities don't get fixed, and customers are no wiser.
Security research is stifled, and security technology doesn't improve.
The only beneficiaries are the bad guys.

If you'll forgive the analogy, the ethics of full disclosure parallel
the ethics of not paying kidnapping ransoms.  We all know why we don't
pay kidnappers: It encourages more kidnappings.  Yet in every kidnapping
case, there's someone -- a spouse, a parent, an employer -- with a good
reason why, in this one case, we should make an exception.

The reason we want researchers to publish vulnerabilities is because
that's how security improves. But in every case there's someone -- the
Massachusetts Bay Transit Authority, the locksmiths, an election machine
manufacturer -- who argues that, in this one case, we should make an
exception.

We shouldn't.  The benefits of responsibly publishing attacks greatly
outweigh the potential harm. Disclosure encourages companies to build
security properly rather than relying on shoddy design and secrecy, and
discourages them from promising security based on their ability to
threaten researchers.  It's how we learn about security, and how we
improve future security.

http://blog.wired.com/27bstroke6/2008/08/eff-to-appeal-r.html

London's Oyster Card:
http://www.schneier.com/essay-229.html
http://zoeken.rechtspraak.nl/resultpage.aspx?snelzoeken=true&searchtype=ljn&ljn=BD7578&u_ljn=BD7578
or http://tinyurl.com/43vqp8

Boston's fare card:
http://blog.wired.com/27bstroke6/2008/08/computer-scient.html
http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html
http://blog.wired.com/27bstroke6/2008/08/federal-judge-t.html
http://www.groklaw.net/article.php?story=20080819142913408

Full disclosure:
http://www.schneier.com/essay-146.html
http://www.schneier.com/crypto-gram-0111.html#1
http://www.eff.org/files/filenode/MBTA_v_Anderson/letter081208.pdf

Locks and full disclosure:
http://news.cnet.com/8301-1009_3-10002138-83.html?tag=mncol
http://www.slate.com/id/2195862/
http://www.theglobeandmail.com/servlet/story/RTGAM.20080711.wlpicking11/EmailBNStory/lifeMain/
or http://tinyurl.com/6mm7qv
http://www.schneier.com/crypto-gram-0302.html#1
http://www.crypto.com/papers/kiss.html
http://www.crypto.com/papers/flattery.html
http://www.wired.com/culture/lifestyle/news/2004/09/64987
http://www.crypto.com/papers/safelocks.pdf
http://www.crypto.com/masterkey.html
http://blog.wired.com/27bstroke6/2008/08/medeco-locks-cr.html
http://en.wikipedia.org/wiki/Lock_bumping

Other reactions to full disclosure:
http://compsci.ca/blog/lanschool-threatens-compscica-with-legal-actions/
or http://tinyurl.com/3pbrvw
http://www.freedom-to-tinker.com/?p=1265
http://www.schneier.com/blog/archives/2006/11/forge_your_own.html

Secrecy and security:
http://www.schneier.com/crypto-gram-0205.html#1

Matt Blaze has a good comment on the topic.
http://www.crypto.com/blog/security_through_restraining_orders/

This essay previously appeared on Wired.com.
http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0821
or http://tinyurl.com/5beqak


** *** ***** ******* *********** *************

       Contest: Cory Doctorow's Cipher Wheel Rings



Cory Doctorow wanted a secret decoder wedding ring, and he asked me to
help design it.  I wanted something more than the standard secret
decoder ring, so this is what I asked for: "I want each wheel to be the
alphabet, with each letter having either a dot above, a dot below, or no
dot at all.  The first wheel should have alternating above, none, below.
The second wheel should be the repeating sequence of above, above,
none, none, below, below.  The third wheel should be the repeating
sequence of above, above, above, none, none, none, below, below, below."
(I know it sounds confusing, but look at the chart.)

So that's what he asked for, and that's what he got.  And now it's time to
create some cryptographic applications for the rings.  Cory and I are
holding an open contest for the cleverest application.

I don't think we can invent any encryption algorithms that will survive
computer analysis -- there's just not enough entropy in the system --
but we can come up with some clever pencil-and-paper ciphers that will
serve them well if they're ever stuck back in time.  And there are
certainly other cryptographic uses for the rings.

Here's a way to use the rings as a password mnemonic:  First, choose a
two-letter key.  Align the three wheels according to the key.  For
example, if the key is "EB" for eBay, align the three wheels AEB.  Take
the common password "PASSWORD" and encrypt it.  For each letter, find it
on the top wheel.  Count one letter to the left if there is a dot over
the letter, and one letter to the right if there is a dot under it.
Take that new letter and look at the letter below it (in the middle
wheel).  Count two letters to the left if there is a dot over it, and
two letters to the right if there is a dot under it.  Take that new
letter (in the middle wheel), and look at the letter below it (in the
lower wheel).  Count three letters to the left if there is a dot over
it, and three letters to the right if there is a dot under it.  That's
your encrypted letter.  Do that with every letter to get your password.

"PASSWORD" and the key "EB" becomes "NXPPVVOF."

It's not very good; can anyone see why?  (Ignore for now whether or not
publishing this on a blog makes it no longer secure.)
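
The procedure above, modelled in Python as an added example (mine, not
Bruce's or Cory's code).  Since the chart with the actual dot layout is
not on this page, the code assumes each wheel's repeating sequence starts
at A and simply wraps at Z, and that "align the three wheels AEB" means
A, E and B sit in one column; under those assumptions the letters it
produces for the post's example need not all match "NXPPVVOF".  What it
does show regardless of layout is the weakness the post hints at: for a
fixed two-letter key the whole procedure collapses to one fixed
letter-to-letter table, so it is a monoalphabetic substitution with only
26 x 26 keys.

```python
"""Model of the three-wheel decoder-ring password mnemonic described in the post."""
import string

ALPHABET = string.ascii_uppercase
ABOVE, NONE, BELOW = -1, 0, +1   # dot above: count left (-); dot below: count right (+)

# Assumed dot layout (the chart itself is not on this page): each wheel's repeating
# sequence starts at A and simply wraps at Z.  Second element is the wheel's step size.
WHEELS = [
    ([ABOVE, NONE, BELOW], 1),                        # top wheel: move 1 letter
    ([ABOVE, ABOVE, NONE, NONE, BELOW, BELOW], 2),    # middle wheel: move 2 letters
    ([ABOVE] * 3 + [NONE] * 3 + [BELOW] * 3, 3),      # lower wheel: move 3 letters
]


def dot(wheel, letter_index):
    """Dot position (above/none/below) printed at a given letter of a wheel."""
    pattern, _step = WHEELS[wheel]
    return pattern[letter_index % len(pattern)]


def encrypt_letter(ch, key):
    """Send one letter down the stack with the wheels aligned A / key[0] / key[1]
    (the post's 'AEB' for key 'EB'); returns the letter read off the lower wheel."""
    offsets = [0, ALPHABET.index(key[0]), ALPHABET.index(key[1])]
    col = ALPHABET.index(ch)     # column of the ring we are looking at, measured on the top wheel
    letter = col
    for w in range(3):
        letter = (col + offsets[w]) % 26                        # letter of wheel w in this column
        letter = (letter + dot(w, letter) * WHEELS[w][1]) % 26  # count left/right by the wheel's step
        col = (letter - offsets[w]) % 26                        # column under the moved letter
    return ALPHABET[letter]


def substitution_table(key):
    """The whole procedure collapses to one fixed letter-to-letter table per key."""
    return {c: encrypt_letter(c, key.upper()) for c in ALPHABET}


def encrypt(text, key):
    """Apply the table letter by letter; non-letters are dropped, as on the ring."""
    table = substitution_table(key)
    return "".join(table[c] for c in text.upper() if c in table)


def weakness_report(key):
    """Numbers behind 'it's not very good': one table per key, 26*26 keys in all,
    and (under the assumed layout) the table need not even be a bijection."""
    table = substitution_table(key)
    return {
        "key_space": 26 * 26,
        "distinct_outputs": len(set(table.values())),
        "unchanged_letters": sum(1 for c, e in table.items() if c == e),
    }


if __name__ == "__main__":
    print(encrypt("PASSWORD", "EB"))
    print(weakness_report("EB"))
```

Because the mapping does not depend on position, repeated plaintext
letters repeat in the output (the two S's of PASSWORD come out as the
same letter), and anyone who learns one password encrypted under a key
learns the table entries for every letter in it.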

How can I do that better?  What else can we do with the rings?  Can we
incorporate other elements -- a deck of playing cards as in Solitaire,
different-sized coins to make the system more secure?

Post your contest entries as comments to Cory's blog post or send them
to cryptocontest@....  Deadline is October 1st.

Good luck, and have fun with this.

Decoder rings:
http://en.wikipedia.org/wiki/Secret_decoder_ring

Chart and photo:
http://www.flickr.com/photos/doctorow/2816467273/
http://www.flickr.com/photos/doctorow/2817314740/

Solitaire:
http://www.schneier.com/solitaire.html

Entries:
http://www.boingboing.net/2008/09/05/help_design_a_cipher.html
mailto:cryptocontest@...


** *** ***** ******* *********** *************

       Schneier/BT News



Schneier will be speaking at the World Economic Forum Annual Meeting of
the New Champions, in Tianjin, China on 27 September.
http://www.weforum.org/en/events/AnnualMeetingoftheNewChampions2008/index.htm
or http://tinyurl.com/5ccexn


** *** ***** ******* *********** *************

       Photo ID Checks at Airport



The TSA is tightening its photo ID rules at airport security.
Previously, people with expired IDs or who claimed to have lost their
IDs were subjected to secondary screening. Then the Transportation
Security Administration realized that meant someone on the government's
no-fly list -- the list that is supposed to keep our planes safe from
terrorists -- could just fly with no ID.

Now, people without ID must also answer personal questions from their
credit history to ascertain their identity. The TSA will keep records of
who those ID-less people are, too, in case they're trying to probe the
system.

This may seem like an improvement, except that the photo ID requirement
is a joke. Anyone on the no-fly list can easily fly whenever he wants.
Even worse, the whole concept of matching passenger names against a list
of bad guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some
innocent person's name. At home, before your flight, check in online and
print out your boarding pass. Then, save that web page as a PDF and use
Adobe Acrobat to change the name on the boarding pass to your own. Print
it again. At the airport, use the fake boarding pass and your valid ID
to get through security. At the gate, use the real boarding pass in the
fake name to board your flight.

The problem is that it is unverified passenger names that get checked
against the no-fly list. At security checkpoints, the TSA just matches
IDs to whatever is printed on the boarding passes. The airline checks
boarding passes against tickets when people board the plane. But because
no one checks ticketed names against IDs, the security breaks down.

This vulnerability isn't new. It isn't even subtle. I wrote about it in
2003, and again in 2006. I asked Kip Hawley, who runs the TSA, about it
in 2007. Today, any terrorist smart enough to Google "print your own
boarding pass" can bypass the no-fly list.

This gaping security hole would bother me more if the very idea of a
no-fly list weren't so ineffective. The system is based on the faulty
notion that the feds have this master list of terrorists, and all we
have to do is keep the people on the list off the planes.

That's just not true. The no-fly list -- a list of people so dangerous
they are not allowed to fly yet so innocent we can't arrest them -- and
the less dangerous "watch list" contain a combined 1 million names
representing the identities and aliases of an estimated 400,000 people.
There aren't that many terrorists out there; if there were, we would be
feeling their effects.

Almost all of the people stopped by the no-fly list are false positives.
It catches innocents such as Ted Kennedy, whose name is similar to
someone's on the list, and Yusuf Islam (formerly Cat Stevens), who was
on the list but no one knew why.

The no-fly list is a Kafkaesque nightmare for the thousands of innocent
Americans who are harassed and detained every time they fly. Put on the
list by unidentified government officials, they can't get off. They
can't challenge the TSA about their status or prove their innocence.
(The U.S. 9th Circuit Court of Appeals decided this month that no-fly
passengers can sue the FBI, but that strategy hasn't been tried yet.)

But even if these lists were complete and accurate, they wouldn't work.
Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway
bombers and most of the 9/11 terrorists weren't on any list before they
committed their terrorist acts. And if a terrorist wants to know if he's
on a list, the TSA has approved a convenient, $100 service that allows
him to figure it out: the Clear program, which issues IDs to "trusted
travelers" to speed them through security lines. Just apply for a Clear
card; if you get one, you're not on the list.

In the end, the photo ID requirement is based on the myth that we can
somehow correlate identity with intent. We can't. And instead of wasting
money trying, we would be far safer as a nation if we invested in
intelligence, investigation and emergency response -- security measures
that aren't based on a guess about a terrorist target or tactic.

That's the TSA: Not doing the right things. Not even doing right the
things it does.

My previous articles on the subject:
http://www.schneier.com/crypto-gram-0308.html#6
http://www.schneier.com/blog/archives/2006/11/forge_your_own.html
http://www.schneier.com/interview-hawley.html

This article originally appeared in the L.A. Times:
http://www.latimes.com/news/opinion/la-oe-schneier28-2008aug28,0,3099808.story
or http://tinyurl.com/6dmcl4


** *** ***** ******* *********** *************

       Mental Illness and Murder



Contrary to popular belief, homicide due to mental illness is declining,
at least in England and Wales:  "The rate of total homicide and the rate
of homicide due to mental disorder rose steadily until the mid-1970s.
From then there was a reversal in the rate of homicides attributed to
mental disorder, which declined to historically low levels, while other
homicides continued to rise."

Remember this the next time you read a newspaper article about how
scared everyone is because some patients escaped from a mental
institution:  "We are convinced by the media that people with serious
mental illnesses make a significant contribution to murders, and we
formulate our approach as a society to tens of thousands of people on
the basis of the actions of about 20. Once again, the decisions we make,
the attitudes we have, and the prejudices we express are all entirely
rational, when analysed in terms of the flawed information we are fed,
only half chewed, from the mouths of morons."

Articles:
http://bjp.rcpsych.org/cgi/content/abstract/193/2/130
http://www.badscience.net/2008/08/the-news-you-didnt-read/

Paper and press release:
http://www.scribd.com/doc/4805076/Homicide-due-to-mental-disorder-in-England-and-Wales-over-50-years
or http://tinyurl.com/3w553h
http://www.rcpsych.ac.uk/pressparliament/pressreleases2008/bank2008/prhomicide.aspx
or http://tinyurl.com/3l3e3l


** *** ***** ******* *********** *************

       Movie-Plot Threats



We spend far more effort defending our countries against specific
movie-plot threats, rather than the real, broad threats. In the US
during the months after the 9/11 attacks, we feared terrorists with
scuba gear, terrorists with crop dusters and terrorists contaminating
our milk supply. Both the UK and the US fear terrorists with small
bottles of liquid. Our imaginations run wild with vivid specific
threats. Before long, we're envisioning an entire movie plot, without
Bruce Willis saving the day. And we're scared.

It's not just terrorism; it's any rare risk in the news. The big fear in
Canada right now, following a particularly gruesome incident, is random
decapitations on intercity buses. In the US, fears of school shootings
are much greater than the actual risks. In the UK, it's child predators.
And people all over the world mistakenly fear flying more than driving.
But the very definition of news is something that hardly ever happens.
If an incident is in the news, we shouldn't worry about it. It's when
something is so common that it's no longer news -- car crashes, domestic
violence -- that we should worry. But that's not the way people think.

Psychologically, this makes sense. We are a species of storytellers. We
have good imaginations and we respond more emotionally to stories than
to data. We also judge the probability of something by how easy it is to
imagine, so stories that are in the news feel more probable -- and
ominous -- than stories that are not. As a result, we overreact to the
rare risks we hear stories about, and fear specific plots more than
general threats.

The problem with building security around specific targets and tactics
is that it's only effective if we happen to guess the plot correctly. If
we spend billions defending the Underground and terrorists bomb a school
instead, we've wasted our money. If we focus on the World Cup and
terrorists attack Wimbledon, we've wasted our money.

It's this fetish-like focus on tactics that results in the security
follies at airports. We ban guns and knives, and terrorists use
box-cutters. We take away box-cutters and corkscrews, so they put
explosives in their shoes. We screen shoes, so they use liquids. We take
away liquids, and they're going to do something else. Or they'll ignore
airplanes entirely and attack a school, church, theatre, stadium,
shopping mall, airport terminal outside the security area, or any of the
other places where people pack together tightly.

These are stupid games, so let's stop playing. Some high-profile targets
deserve special attention and some tactics are worse than others.
Airplanes are particularly important targets because they are national
symbols and because a small bomb can kill everyone aboard. Seats of
government are also symbolic, and therefore attractive, targets. But
targets and tactics are interchangeable.

The following three things are true about terrorism. One, the number of
potential terrorist targets is infinite. Two, the odds of the terrorists
going after any one target is zero. And three, the cost to the terrorist
of switching targets is zero.

We need to defend against the broad threat of terrorism, not against
specific movie plots. Security is most effective when it doesn't require
us to guess. We need to focus resources on intelligence and
investigation: identifying terrorists, cutting off their funding and
stopping them regardless of what their plans are. We need to focus
resources on emergency response: lessening the impact of a terrorist
attack, regardless of what it is. And we need to face the geopolitical
consequences of our foreign policy.

In 2006, UK police arrested the liquid bombers not through diligent
airport security, but through intelligence and investigation. It didn't
matter what the bombers' target was. It didn't matter what their tactic
was. They would have been arrested regardless. That's smart security.
Now we confiscate liquids at airports, just in case another group
happens to attack the exact same target in exactly the same way. That's
just illogical.

This essay originally appeared in The Guardian.  Nothing I haven't
already said elsewhere.
http://www.guardian.co.uk/technology/2008/sep/04/terrorism.terrorismandtravel
or http://tinyurl.com/6hmuqs


** *** ***** ******* *********** *************

       Comments from Readers



There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join in.

http://www.schneier.com/blog


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise.  You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>.  Back issues
are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable.  Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is the Chief Security Technology Officer of BT (BT acquired
Counterpane in 2006), and is on the Board of Directors of the Electronic
Privacy Information Center (EPIC).  He is a frequent writer and lecturer
on security topics.  See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not
necessarily those of BT.

Copyright (c) 2008 by Bruce Schneier.

#183 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Sep 15, 2008 7:47 am
Subject: Fw: Cube Attacks on Tweakable Black Box Polynomials
 
http://eprint.iacr.org/2008/385

Itai Dinur and Adi Shamir

Abstract: Almost any cryptographic scheme can be described by tweakable
polynomials over GF(2), which contain both secret variables (e.g., key bits)
and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is
allowed to tweak the polynomials by choosing arbitrary values for the public
variables, and his goal is to solve the resultant system of polynomial equations
in terms of their common secret variables. In this paper we develop a new
technique (called a cube attack) for solving such tweakable polynomials,
which is a major improvement over several previously published attacks of the
same type.
[Truncated]
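
A worked illustration of the cube attack the abstract describes, added here as
example code; it is not code from the paper. The polynomial p, the cubes and
the 3-bit key are constructed for the example. Summing p over all 2^|I|
assignments to a cube I of public variables (the other public variables held
at 0) cancels every monomial that is not divisible by the product of the cube
variables and leaves the superpoly of I. When that superpoly is affine in the
key bits, a single online cube sum under the unknown key yields one linear
equation. One of the cubes below has the superpoly k1*k2, fails the affinity
test, and is discarded, which is the failure mode a real attack has to detect:

```python
"""Cube attack on a constructed toy tweakable polynomial over GF(2)."""
from itertools import product

N_PUB, N_KEY = 3, 3  # public variables x1..x3, secret variables k1..k3

# Constructed toy polynomial (not from the paper): each monomial is a tuple of
# variable names and the polynomial is the XOR (sum over GF(2)) of all of them:
#   p = x1*x2*k1 + x1*x2*k2 + x1*x2*x3 + x1*k3 + x2*k1*k2 + x3*k1 + x3 + 1
TOY_POLY = [("x1", "x2", "k1"), ("x1", "x2", "k2"), ("x1", "x2", "x3"),
            ("x1", "k3"), ("x2", "k1", "k2"), ("x3", "k1"), ("x3",), ()]


def oracle(pub, key):
    """Black-box evaluation p(x, k) -> one bit; all the attacker ever sees."""
    env = {f"x{i + 1}": pub[i] for i in range(N_PUB)}
    env.update({f"k{i + 1}": key[i] for i in range(N_KEY)})
    out = 0
    for mono in TOY_POLY:
        term = 1
        for v in mono:
            term &= env[v]
        out ^= term
    return out


def cube_sum(cube, key):
    """XOR of oracle outputs over all 2^|cube| assignments to the cube's public
    variables (indices into x), every other public variable fixed to 0. By the
    cube theorem this equals the superpoly of the cube evaluated at `key`."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        pub = [0] * N_PUB
        for idx, b in zip(cube, bits):
            pub[idx] = b
        acc ^= oracle(tuple(pub), key)
    return acc


def superpoly_if_affine(cube):
    """Offline phase, attacker picks the keys: return (c0, [c1..cn]) with the
    superpoly c0 + c1*k1 + ... + cn*kn, or None if it is not affine in the key.
    The toy key space has 8 keys, so the affinity check is exhaustive; against
    a real cipher this is the probabilistic BLR test on random key pairs."""
    keys = list(product((0, 1), repeat=N_KEY))
    s = {k: cube_sum(cube, k) for k in keys}
    zero = (0,) * N_KEY
    for a in keys:
        for b in keys:
            a_xor_b = tuple(x ^ y for x, y in zip(a, b))
            if s[a] ^ s[b] ^ s[a_xor_b] ^ s[zero]:
                return None
    c0 = s[zero]
    unit = lambda i: tuple(1 if j == i else 0 for j in range(N_KEY))
    return c0, [s[unit(i)] ^ c0 for i in range(N_KEY)]


def solve_gf2(equations, n):
    """Gauss-Jordan elimination over GF(2); equations are (coeffs, rhs).
    Returns the unique solution tuple, or None if the system is
    under-determined or inconsistent."""
    rows = [list(c) + [r] for c, r in equations]
    pivots = []
    for col in range(n):
        p = next((r for r in range(len(pivots), len(rows)) if rows[r][col]), None)
        if p is None:
            continue
        rows[len(pivots)], rows[p] = rows[p], rows[len(pivots)]
        for r in range(len(rows)):
            if r != len(pivots) and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[len(pivots)])]
        pivots.append(col)
    if len(pivots) < n or any(r[-1] for r in rows[len(pivots):]):
        return None
    sol = [0] * n
    for i, col in enumerate(pivots):
        sol[col] = rows[i][-1]
    return tuple(sol)


def cube_attack(secret_key, cubes):
    """Offline: extract an affine superpoly per cube. Online: each cube sum
    under the unknown key yields one linear equation in the key bits; solve."""
    equations = []
    for cube in cubes:
        sp = superpoly_if_affine(cube)
        if sp is None:          # non-affine superpoly: this cube is discarded
            continue
        c0, coeffs = sp
        value = cube_sum(cube, secret_key)   # online: only oracle queries
        equations.append((coeffs, value ^ c0))
    return solve_gf2(equations, N_KEY)


CUBES = [(0, 1), (0,), (2,), (1,)]   # {x1,x2}, {x1}, {x3}, {x2}

if __name__ == "__main__":
    for c in CUBES:
        print(c, superpoly_if_affine(c))
    print(cube_attack((1, 0, 1), CUBES))   # recovers (1, 0, 1)
```

Running the block prints the three affine superpolies (k1+k2, k3, 1+k1),
None for the cube {x2}, and the recovered key. On a real cipher the oracle is
an output bit after a reduced number of initialisation rounds, the cubes are
much larger, and the affinity test is probabilistic rather than an exhaustive
sweep of the key space.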

#182 From: Sarad AV <jtrjtrjtr2001@...>
Date: Sat Sep 13, 2008 6:20 am
Subject: Fw: IPhone Takes Screenshots of Everything You Do
 
#181 From: Sarad AV <jtrjtrjtr2001@...>
Date: Wed Sep 10, 2008 9:01 am
Subject: Fw: A Brave New World of Wiretapping
 
As telephone conversations have moved to the Internet, so have those who want to
listen in. But the technology needed to do so would entail a dangerous expansion
of the government's surveillance powers

By Whitfield Diffie and Susan Landau

http://www.sciam.com/article.cfm?id=internet-eavesdropping

#180 From: Sarad AV <jtrjtrjtr2001@...>
Date: Mon Sep 8, 2008 2:36 pm
Subject: Re: boolean functions
 
Handbook of Applied Cryptography is available for download at the URL below:
http://www.cacr.math.uwaterloo.ca/hac/

--- On Mon, 9/8/08, bhupendra singh <bhusingh21@...> wrote:
From: bhupendra singh <bhusingh21@...>
Subject: Re: [indocrypt] boolean functions
To: indocrypt@yahoogroups.com
Date: Monday, September 8, 2008, 4:25 PM

Hi,
Improving the non-linearity of a Boolean function means maximizing the absolute value in the Walsh spectrum, although it is not that easy. In the case of an even number of variables, bent functions are the best non-linear functions.

For the relation between degree, correlation immunity and the number of variables, see chapter 6 of Handbook of Applied Cryptography, page 207.
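
An added example, not from either message, that computes the quantities the
reply mentions directly from a truth table: the Walsh spectrum, the
nonlinearity nl(f) = 2^(n-1) - max_a |W_f(a)| / 2, the algebraic degree, the
order of correlation immunity, and Siegenthaler's bound relating degree d,
correlation immunity order m and the number of variables n. The three
4-variable functions are constructed for the example and show the trade-off:
a bent function (flat spectrum, maximum nonlinearity, not balanced), a
balanced function that is correlation immune of order 1, and an affine
function with nonlinearity 0:

```python
"""Walsh spectrum, nonlinearity, algebraic degree and correlation immunity of
Boolean functions, computed from the truth table (added example)."""


def truth_table(f, n):
    """Truth table of f as a list of 2^n bits. Input index i encodes x with
    x_{j+1} = bit j of i (convention chosen for this example)."""
    return [f(*[(i >> j) & 1 for j in range(n)]) for i in range(1 << n)]


def walsh_spectrum(tt):
    """Fast Walsh-Hadamard transform: W[a] = sum_x (-1)^(f(x) + a.x)."""
    w = [1 - 2 * b for b in tt]          # bit 0 -> +1, bit 1 -> -1
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(tt):
    """Hamming distance to the nearest affine function:
    nl(f) = 2^(n-1) - max_a |W_f(a)| / 2. A large Walsh peak means a close
    affine approximation, so high nonlinearity needs a small maximum |W_f(a)|."""
    return len(tt) // 2 - max(abs(x) for x in walsh_spectrum(tt)) // 2


def algebraic_degree(tt):
    """Degree of the algebraic normal form, via the Moebius transform of the
    truth table (the ANF coefficient of monomial mask m lands at index m)."""
    c = list(tt)
    h = 1
    while h < len(c):
        for i in range(0, len(c), 2 * h):
            for j in range(i, i + h):
                c[j + h] ^= c[j]
        h *= 2
    return max((bin(m).count("1") for m in range(len(c)) if c[m]), default=0)


def correlation_immunity(tt):
    """Order m of correlation immunity: W_f(a) = 0 for all 1 <= wt(a) <= m."""
    w = walsh_spectrum(tt)
    n = len(tt).bit_length() - 1
    m = 0
    while m < n:
        if any(w[a] for a in range(1, len(w)) if bin(a).count("1") == m + 1):
            break
        m += 1
    return m


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def is_bent(tt):
    """Bent: every |W_f(a)| equals 2^(n/2); only possible for even n."""
    n = len(tt).bit_length() - 1
    return n % 2 == 0 and all(abs(x) == 2 ** (n // 2) for x in walsh_spectrum(tt))


def siegenthaler_ok(tt):
    """Siegenthaler's trade-off between degree d, correlation immunity m and
    the number of variables n: m + d <= n, tightened to m + d <= n - 1 when
    f is balanced and m <= n - 2."""
    n = len(tt).bit_length() - 1
    m, d = correlation_immunity(tt), algebraic_degree(tt)
    bound = n - 1 if is_balanced(tt) and m <= n - 2 else n
    return m + d <= bound


def profile(f, n):
    tt = truth_table(f, n)
    return {"nl": nonlinearity(tt), "deg": algebraic_degree(tt),
            "ci": correlation_immunity(tt), "balanced": is_balanced(tt),
            "bent": is_bent(tt), "siegenthaler": siegenthaler_ok(tt)}


# Constructed 4-variable examples.
BENT = lambda x1, x2, x3, x4: (x1 & x2) ^ (x3 & x4)     # max nonlinearity, not balanced
RESILIENT = lambda x1, x2, x3, x4: x1 ^ x2 ^ (x3 & x4)  # balanced, 1st-order CI
AFFINE = lambda x1, x2, x3, x4: x1 ^ x2 ^ x3 ^ x4       # nonlinearity 0

if __name__ == "__main__":
    for name, f in (("bent", BENT), ("resilient", RESILIENT), ("affine", AFFINE)):
        print(name, profile(f, 4))
```

For n = 4 the bent function reaches nl = 6 = 2^3 - 2^1 but has correlation
immunity 0 and is unbalanced; the resilient function gives up nonlinearity
(nl = 4) to be balanced with m = 1, and sits exactly on the m + d <= n - 1
bound; the affine function is correlation immune of order 3 but useless as a
nonlinear component.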




