Amelia Andersdotter - Internet

IGF 2013 närmar sig

Mattias Bjärnemalm — Thu, 17 Oct 2013 11:23:31 +0000

Språk Svenska

Jag har alltid varit en smula avundsjuk på min chef för alla de internetkonferenser som hon blir inbjuden till runtom i världen. Så när hon föreslog att jag skulle följa med till årets upplaga av Internet Governance Forum var jag inte sen att instämma i att det var en mycket bra idé. Att årets konferens skulle hållas på Bali gjorde inte mitt intresse mindre.

Årets konferens är den åttonde konferensen sedan FN instiftade evenemanget år 2006. IGF är ett internationellt dialogforum för internet policy som sammanför olika aktörer i den multi-stakeholder-modell som reglerar nätet. Även om konferensen inte har något beslutsmandat är det utan tvekan en av de viktigaste mötesplatserna för att stämma av hur utvecklingen av nätet kommer gå de kommande åren. Detta är andra gången Amelia deltar på IGF. Förra året var hon en av öppningstalarna och fick en hel del uppskattning och uppmärksamhet runtom på nätet för sitt framförande. Framförallt hennes parafrasering på George Michael verkade fastna hos många:

Video of dIDA1LaTlX0

Du kan se hela hennes öppningstal här och om du verkligen är intresserad hittar du öppningsceremonin i sin helhet här (och om du ser ända fram till slutet kommer du höra Vint Cerf kommentera Amelias tal med: "I dont think I'm going to successfully top that last speech").

Men det var då och nu är nu. I år kommer Amelia inte hålla något öppningsanförande, men däremot kommer hon medverka i en panel om Cyberspace Governance som anordnas av KAIST och modereras av internetpionjären Kilnam Chon.

För den som inte har möjligheten att åka till Bali kan det även vara bra att veta att man kan delta på merparten av konferensens workshops på distans. Mer information om det hittar du här.

European Innovation Summit 5: Standardisation for innovation empowerment

Amelia Andersdotter — Tue, 08 Oct 2013 09:24:26 +0000

Språk Svenska

During the 5th European Innovation Summit, I was invited to present my views on standardisation processes and innovation. Standardisation is a very important activity and allows for open platforms that can be used by different parties. However, standardisation can also be a political point - laws are effectively the way we standardise behavioural norms for society. My address therefore focused on this issues, but was free form and therefore it is recollected from memory:

Address:

Standardisation is a clearly convenient tool, but it's important to remember that not all standardisation is always done on a purely technical level. Opting for a particular standardised norm can also be a political choice, and so we have in the European Union the situation that many of the north-eastern member states, like Finland and the Baltics, have railroads that are built according to an old Soviet or Russian standard width rather than the European standard width. It is clear that for the purposes of logistics, it was politically appropriate in each of those regions to pick one width for the railroads and stick with it. Now there is a frenetic discussion in the Baltics about whether to adapt their railroads to European standard widths. From a cost perspective that is unlikely to be beneficial. It costs a lot of money to build infrastructure. On the other hand, they may wish to have a larger exchange of goods with their European Union peers than with Russia, and from that political perspective of integration the discussion of railroad width makes sense. This is to show that standardisation can affect norms, economies and the perceived identities of entire nation states.

In the information technology field, which is where I do most of my political work, we have some notable instances where technical standards impose or codify behavioural norms that we may want to take a serious look at politically. I have been dedicating some time to the EME standardisation process at World Wide Web Consortium - to my understanding, this standardisation process pretends to enforce a behavioural norm over which we have no political consensus. It is either an overhaul of what is technically possible within the framework of broadcasting, or it is a process that risks removing many of our citizens' legal rights to engage with cultural material for parody, political discourse, quoting and further creativity. In Europe, this is a particular problem because our legal framework is already fragmented. But we also have some member states where the freedom to use culture for political and society discourse is especially important - Poland being the notable example of where this freedom is even enshrined in the Constitution.

We may want to have a serious political discussion about which type of norms we want to be codified in technology. It is clear that communications technologies for a large extent define the boundaries of what is possible in terms of human interactions, and as democratically elected representatives it may not at all be desirable that we outsource the responsibility of setting these norms to some technical consortia.

Similarly, we have had problems with tracking and tracing, which is actually illegal in the European Union if the consent of the private person is not obtained. Here we have seen very little standardisation going on, and projects by industry to follow the law have fell short of success. When the legislators make norms for society and decide on a particular route to follow, one has to ask if it is not appropriate for those same legislators to follow up on the norms. Ultimately it matters much for what society we are getting which behavioural norms we advance and which liberties and freedoms in the communications that citizens get.

The discussion prior to my intervention and afterwards was highly focused on the project Open-Stand.org, a community for innovation which is founded on the W3C, IEEE, and other standard organisations that are independent from governmentally ran standardisation institutions (in Sweden IIS, I think, and in the EU ETSI, for telecommunications).

The commentary was centered on how Open-Stand was agreed upon, and also the wide adoption of the Ethernet standard in various places in society. The Commission presented the advancements of their multi-stakeholder group for ICT standardisation. One thing which struck me was the unification idea: the idea of total unification is indeed very appealing, and it is nice to know that you are part of a standardisation group which reaches every place in society (like Ethernet). On both a technical and a political level, one can argue that complete unification of technologies is not necessarily desirable: we may want different systems in cars from what we have in washing machines. For instance. On unification theories in general much can be said, and many observations can be made both economically and socially. A problem which is intellectually satisfying ("how do we unify the theories of everything?") can have a practically undesirable result (string theory comes to mind). In principle, I was left with the feeling that maybe we focus too much on what is intellectually satisfying and too little on what is practically desirable. We also, but this is a more general problem that I also raised in my intervention, don't define what is the actual direction we want to move. The political leadership, or moral leadership as it were, is lacking somehow and that is one of the problems that the Pirate Party could reresent a solution to.

BRUCON Keynote on e-ID

Amelia Andersdotter — Sat, 05 Oct 2013 21:37:35 +0000

Språk Engelska

I had the big privilege of getting to attend the BruCon Conference in Gent on September 26 2013. It's an annual security conference which is attended by professionals, students and academics in the field. I had chosen to speak about the first eight articles of the electronic identification and trust services regulation at the conference. They cover electronic identification, and I am particularly critical of some of the Commission's policy choices in the file. As it turns out, there is also much that can be said about the articles regulating trust services (or "certification authorities" as they are more commonly known in other circles). In addition there were some questions raised by the audience that I will try to cover below. If I forget a particular question it's not out of malice. The address is as I have written it, not necessarily as I spoke it.

Address:

I'm very happy to be here and to be able to speak to you all today. I have opted for talking today about the electronic identification regulation which was proposed by the European Commission last year in July[1]. I've been working with this in the parliament for the past year and it's in many ways a good illustration of many big questions that are facing society about the internet, identity, surveillance, privacy, security and how these things relate to individuals and their socities.

So, first of all, what does the regulation aim to do? The regulation aims to give people in different member states a way of accessing eGovernment services in other European countries. When a specific eGovernment service in member state A requires authentication, the regulation means to make it possible for a citizen of member state B to access this service with the their member state B issued electronic identification. The problem is that member states have chosen many different ways of issuing electronic identification. Another problem is that there is a general perception that electronic identification has not been very successfully implemented or adopted by citizens or consumers. Rather than using government issued identification on the internet, citizens feel more comfortable relying on their Facebook-login or, in many cases, creating different logins for every site.

There's been some pushes towards stuff like OpenID on the internet, but OpenID often doesn't fulfill the requirements that a government would have on its own services. Tax declarations online, for instance, you want to be able to ensure that they are actually made by the person who should be making them. Same with some health care things.

But electronic identification is also something that we expect to apply on companies. The European Union is moving towards eProcurement[2], which is when companies have to participate in procurement on the internet, and so we need verifiable ways of ensuring that the public authority which is procuring is in contact with the right entrepreneur.

The solutions often rely somehow on certificates, and therefore the Commission has also aimed to regulate what they call ”trusted service providers”. These trusted service providers would be more known in common technical language as ”certificate authorities”. Many member states rely on what they call ”qualified certificate authorities”. In practise, the qualification in this case just means that the member state recognises the qualified certificate as secure and reliable in a given transaction with the government. The rules for how to qualify certificates are derived from a European law from 1999, and was never really used in all member states – for instance in my country, Sweden.

Qualified TSPs have also suffered a number of problems which are undesirable from the point of view of good governance. The DigiNotar failure[3] in the Netherlands was clearly unconvenient from the perspective of the government.

And so we had this proposal that tried to create interoperability between different member states solutions for electronic identification, and fix the problem of vulnerable CAs.

The regulation was proposed in two different parts: the first part of the regulation covered electronic identification, and the second part covered more or less CAs, or trusted service providers[4]. Then there were about 20 articles – which for referens is many – covering various forms of qualified things that the Commission envisaged would be necessary in the future, digitally boosted Europe[5].

Electronic identification is a touchy subject in many member states. In some member states, like Ireland and Great Britain, government issued ID-cards are completely rejected by citizens and people in those countries every time they're proposed[6]. In other member states, like Germany and many central European countries they have constitutions which require different parts of the government not to cross-run databases of citizens: effectively, every citizen or resident will have a health care persona, a social service persona, an educational system persona, and so forth, because the idea is that if the government can collect too much information about every citizen in the same place this could lead to very negative consequences for the citizen if the government starts acting arbitrarily or against the interests of the citizens[7]. In other member states, like Sweden, Estonia or Finland, we have personal registration numbers that are unique and for every individual and that helps the government cross-run databases when necessary. In at least Sweden this used to not be too easy to do, but with information technologies being deployed very quickly in all parts of society it should be a relatively trivial exercise to completely map any citizen in Sweden with respect to their interactions with any public service or authority.

The European Commission's proposal evaded most of these difficulties and was largely a roadmap to how one makes different types of electronic stamps, signatures and identification procedures that public authorities later have to consider ”truthful”. Basically a set of technical criteria for what is to be considered authentic and genuine in different member states.

This led to much confusion in the European Parliament. We are not a technical institution, but a political institution and we cannot consider ourselves being the best agents to make technical decisions for what is true and genuine and what is not true or genuine. It is even a fact that the different member states use different systems for establishing what is true or genuine, so with the many different backgrounds of members of the european parliament we had problems seeing what the purpose was of this file or why it was politically interesting.

But it turned out that the European Union has sponsored a lot of research into why there is a potentially large political impact of this file.

So the first thing is that identity in general is a highly philosophical concept – who am I? What are we? What is Europe? Many people spend entire life-times pondering these issues, and most of us never reach any satisfactory answers.

So after we understand that we don't have any good answers to the question on who we are, comes the second question – what is my identity in relation to the government. This is where the different member states have adopted very different approaches, and so different cultural backgrounds give many different answers.

It's a question that the Commission had hoped to avoid by introducing an interoperability framework for all the various Member State solutions, so that everyone could keep their own solution while at the same time allowing their citizens to interact with the public services of other member states. However, the European Commission has also sponsored a rather large body of reserach in this field in the past years, and so when I met representatives from the Future Identities in the Information Society (FIDIS)[8] and Attribution-Based Credentials For Trust (ABC4Trust)[9] projects I was given to understand that the Commission had actually rather cautiously decided to discard most of the big investments they had themselves made in figuring out how to make authentication of citizens work online in a secure and primarily privacy-friendly way.

The problem with governments is that we are forced to interact with them in a number of circumstances. We can't help providing lots of information about ourselves, our families, our wage situation, housing, et c to the tax office. The tax office could be said to legitimately need this information, but so it's a lot of information about us as persons which if it is arbitrarily spread could lead to negative consequences for us in our working life, with our friends, family or other things. We generally expect confidentiality of some sort from our tax authorities. Similarly health or dental care services – we more or less have to interact with these public services, at least until we're legally adult. Schools, social services, the job centre.

The government will normally run all these public services, and the general privacy friendly idea is that because it is now so easy to cross-run and cross-reference databases, the interactions need to be unlinkable. It should not be possible to find out that you, the citizen, in the same day ordered a chlamydia test on a public health service website and then filled in your tax returns or requested a building permit for a veranda extension on your summer house.

The idea of unlinkability is particularly strong in the German constitution. In Germany it is mandated by constitution that public authorities don't cross-run or profile their own citizens based on the totality of their interactions with public authorities. And so – if you had an encounter with a law enforcement officer, but you also had to go to the hospital, neither the hospital nor police will or should normally be allowed to find out that you visited the other. Unlinkability in this case means that you stop one party which is very powerful from getting too much information and therefore much more power about another party which is very weak.

In Sweden we have many specialised laws for government registers where we restrict the ability of a public authority to cross-run their databases with those of another public authority or service. However, the unique identifiers of all citizens makes it both convenient and easy to do such a mash-up should one want to. So the idea of unlinkability exists, in the law, but the databases over citizens' interactions with the government are not technically constructed in a way which is suitable for living up to the spirit of the law, as it were. Also because public authorities apparently frequently sell data about citizens to private companies[10], it is always possible to aggregate or mash-up the data through a third-party private actor.

But EU research projects had made another insight: in order to reduce the size of databases, and therefore reduce the harm of security breaches or data leaks, and protect the privacy of the users and the confidentiality of the interactions, one could use something called ”anonymous authentication” or ”attribution-based credentials”. This is when you would provide only the information necessary for a specific purpose to identify yourself. If it was needed for me to demonstrate that I am legally allowed to buy tobacco products, I would demonstrate that I am in fact not born in 1995 or after, rather than demonstrating that I am born on August 30th 1987. The resulting data trail from me would be information about ”someone born before 1995 used this service” rather than ”Amelia Andersdotter, 1987-08-30 used this service”. While in the first case, it's relatively difficult even after a data leak to link the use of the service back to me as a person. In the second case, it is of course inevitable that such a link arises.

To me, at that time, and this was October or November 2012, it seemed counterintuitive that the Commission had disregarded its own research programs, and that we further were not considering the institutional effects of the law proposal we had before us. Also, I am very privacy minded, and I believe that preservation of privacy is an essential aspect of maintaining a good power balance between individuals, groups, governments and companies. Individuals and groups of individuals need privacy in themselves, and for themselves.

So I wanted, politically, to advance the idea of unlinkability and attribution-based credentials. The problem is I had this messy and seemingly very technical file that made little sense.

For those of you who are unfamiliar with the parliaments' work, we are allowed to make any and however large changes in a text proposed by the European Commission that we wanted. But it requires us to know the nature of the changes we want to do. Often work in the European Parliament rather becomes a changing of some semantic things in the proposal, rather than an overhaul of political and technical direction.

At the same time that I was working on this in the European Parliament, I was looking a lot for information about different systems in member states. An Austrian colleague helped me find more info about the Austrian eID – it's not seen as a succees because only 10% of all Austrians use it, there's no real service market around it, it's based on smartcards, I guess. In Sweden they had worked really hard for several years to put up a SAML2 federation [with SAML being just a generic standard for authenticating users in a system], which could replace other forms of e-authentication online. A friend of mine was upset with that because SAML2 systems keep track of who the user interacts, and so rather than the unlinkability I described above you have perfect linkability.

I also am upset – I think the decision to use this particular standard in Sweden is derived from complete idiocy and lack of attention. It is obvious that most citizens will not like for there to be an IT-guy running a database over all of their interactions with the government. Swedish municipalities and regions were also not so happy with the government for pushing that kind of tracking of public interactions – municipalities and regions deal with citizens in their day to day affairs, so they have to have a system they trust and that citizens trust and that makes citizens trust them.

Sweden had investigated this topic for 3 or 4 years before they made the decision[11]. Nowhere in 4 years and thousands of pages of text do they envisage that HOW the authentication works may affect how it is perceived. Apparently the reason for this decision is two-fold: first some tech guy runs a system at a Swedish university which is SAML2. It works for him to manage I guess students, teachers, et c, and so he assumes it will also run a nation state well. But a state and all of its public services at every level of governance is a very different place from a university. While I can relate to why, as a technical guy, you wouldn't think about things like that, it is completely mind-boggling to me why no one in the government thought about this either! That is really extremely worrying.

The universal identifier in Sweden, which I mentioned and that makes linkability very easy between databases in Sweden, has been controversial for many years. A lot of people want it gone. So these tech guys have requested to have the universal identifier out of the government e-authentication system and succeeded. And then when I asked them ”how could you mistake a government for a university?” they said actually they make it more difficult with tracking because the unique identifier isn't there. I woke up a few months later, early in the morning, and thought, well they've actually just replaced the universal identifier with themselves. Either you have a number which allows you to connect databases easily with each other, or you have an IT guy who keeps track of all your databases.

In general the Swedish system has given me some big pains: another time that I woke up early in the morning because of this system was when I realized someone had told me we were setting up this nifty SAML-thing because the military liked it. It dawned on me suddenly, three months after, that there are good reason to question why the military, out of all institutions you normally find in a state, would want to have an easy way of tracing and making a database of all citizen interactions with all public institutions all the time.

Some people I knew wanted to become part of this new tracking federation because they were upset with the tracking and wanted to find a way to hack the system and make it useless so that it would go away. In that particular case I had a minor existential crisis: the nature of decision making has been studied for a long time, and this group of people had made a classical trade-off between compromise and ethics as described by Max Weber, a German political scientist from sometime way back[12]. Compromise versus ethics means the process of reaching a decision: you have to reach a decision, but you have to do it with others, so you may have to compromise to get a decision. How much do you water down your ethics to reach the decision you have to make?

This group didn't want a bad tracker. So they wanted to become a good tracker. But what is a good tracker? Someone who can be trusted not to use all the highly personal information about how citizens do or have to interact with governments for unpleasant things, that don't sell this information, and so forth. Also generally if you have a big database normally the government will have access to it whenever they want. So choosing to be a ”good tracker” will always mean that you are participating in the tracking – it's a compromise you make with your anti-tracking ethics to ensure that there is an option which is less bad than other options that may exist. But then again, if it's a bad system to run a government on, maybe one shouldn't compromise in that way. The ethical thing to do is to not participate in a tracking and tracing system, because ultimately it's the tracking and tracing in themselves that are problematic, not which particular entity is doing it.

The other thing is that some parliamentarians in national parliament in Sweden had been very clear with wanting ”the same” system online and offline[13]. And so I thought, what does ”the same” mean in this case? I have a national ID card from Sweden and most people I show it to will remember that my picture is very bad – it really is spectacularly bad – but not exactly how (many people have asked me to show it twice, for instance), or they extract the information they require and then they forget. This is because my ID card is normally read by humans. For all commercial transactions, when I buy tobacco for instance, actually no information about me as such is stored. If you ask the shop attendants 2 hours later, chances are they will have already forgotten even that someone authenticated themselves for a tobacco purchase in their very shop. So there's not really that much tracing of the use of an ID card by a central authority. Electronically it's much more difficult to ensure that there's no central agent tracing all the times authentication happens. Humans also learn to recognise each other after some time – I can go to my dentist and they recognise me by face. A computer might learn this if it is located in the same room as me, but if it's a server on which the government service for health care and which is not in the same city as me, chances are more slim.

So the systems online and offline would by definition not be ”the same” but then which sameness does one want: the same in that the privacy of the individual is somehow protected and the general institutional power balance that has been carefully deviced over many hundreds of years is protected, or the same in that access should be possible under whatever conditions? I don't think the Swedish national parliamentarians had really thought very deeply about what they requested, but it's strange because it's a very political issue how you balance power and information in a society. This is exactly the type of thing that normally we would expect politicians to think about very carefully. What should society be like? Who should have what power over whom and when? How can that power be exercised? How do we ensure that abuses of power can be resolved – so that is, how do we solve the conflicts that arise when someone with power abuses it with respect to someone without power?

The Swedish example is a beautiful story of how technology for public infrastructures was seen as some magically thingie-maging that could not be anything other than positive. It's a story of technical naivite with respect to politics, and political naivite with respect to technology. Nowhere in the entire process did anyone consider that a citizen's relationship with their public services and authorities is quite fundamental to the machinations of the society we find ourselves in but they really should have. Especially political people need to think about these things.

But going back the the European level, I had decided to at least try and remedy these technical and political mistakes from Sweden at least partially. We can technically make whatever changes we want in a political file, but it's rare that the Parliament makes big changes. I was considering ways in which I accomplish ethically and politically that which I wanted to do without changing too much but actually the Commission's text was so far from doing anything at all, that I ended up tabling 141 amendments, on a file with only 42 articles and 51 recitals. That's quite a lot, but because most of us in the parliament recognise a bad proposal when we see it, even if we may not immediately or even ever know how to fix a bad proposal, I have been tolerated.

The thing is it's quite obvious why we don't want a random tech maintenance person somewhere to be able to casually look up when or why we've been in contact with health care, for instance. Or why we don't want all of the information about what and how we do at school to be sold to advertisers so that they can more easily target people at our universities. But the devil is in the details. Because we didn't actually vote on this yet (but we're voting soon) I'm somehow in this constant state of concern that by now we have well understood the problems, politically, ethically and systemically, but we will not be able to write the legal text in a technically correct way. If you make a given set of moral and political choices, liability, risk, duties and obligations need to be allocated to different parts of the system in specific ways and this is.. Difficult. It's not obvious at all how one would do this.

But it's something that we, the legislators, will definitely have to do if we're going to put public services and all these systems online. That is why I say we have to regulate the internet. It's an old discussion of course. Already in the late 1990s there was an argument that the architecture needs to be regulated, because the architecture decides ultimately what we can or cannot do, or what we must and mustn't do[14]. Some people back then, and even now, argued that technology changes too quickly to be regulated so it makes no sense to regulate. I think this latter argument is a bit daft – copyright law can be said to have regulated the internet since the internet emerged. It took some time to get the caselaw and court cases, but the regulation was always there. The same thing with banking – a bank does not become unregulated only because it has operations online. It has strict regulations on liabilities and risks in its activities regardless of how it providers its services. We didn't see a lot of technical architecture regulation yet – the regulation we have in place now describes the duties that fall on human agents behind the architecture or that operate the architecture, but as we've seen over this last summer these human agents don't always act very predictably or in a trustworthy way.

And so finally, Europe is going through a big ordeal at this time. The legislation that I have just described is important for the reason that it could implement a privacy-by-design obligation on some technical systems, also describing what such a privacy-by-design obligation could be: unlinkable transactions based on anonymous authentication, or attribution-based credentials.

But we have also the large discussions on the general data protection regulation[15]. That regulation is very fundamental for how we, as a continent, will make our future. It sets the frameworks for market operators, companies, governments, everyone, on how we deal with data protection and privacy. What we've seen in those discussions is very heavy lobbying, especially American lobbying, and especially against a strong privacy protection. But we also see governments that are very unwilling to set a direction towards strong privacy-protecting legal frameworks[16]. It's worthwhile to look up more information on the general data protection regulation, because optimally we want it to influence many things in a direction of more secure and more privacy-friendly technologies[17, 18].

How to deal with privacy and data protection technically I understand is not always a trivial problem, but mostly very interesting ones. I hope that many of you here today go out to become innovators and entrepreneurs that have the legal framework that you need to make the most of such innovation and markets. I want to thank you for your attention, and I hope that this was at least somehow helpful in understanding also a political view of challenges around regulating and legislating on the boundary between politics and technology.

[1] http://ec.europa.eu/dgs/connect/en/content/electronic-identification-fol...

[2] http://ec.europa.eu/internal_market/publicprocurement/e-procurement/inde...

[3] See for instance http://www.esecurityplanet.com/browser-security/diginotar-when-trust-goe... or do an internet search. It was really given much attention when it happened.

[4] Shameless self-promotion but it's anyway good for overview: https://ameliaandersdotter.eu/dossiers/eid

[5] I liked "Burdens of Proof" by Jean-Francois Blanchette. A perfectly sarcastic yet very informative overview of how technical policy and technical technologies fail.

[6] http://www.no2id.net/ for instance. Proposals to create national IDs have been stopped many times in both jurisdictions. Many essays have been written on this topic.

[7] A decent amount of German language information: https://www.datenschutzzentrum.de

[8] http://fidis.net/

[9] https://abc4trust.eu/

[10] See for instance this article: http://www.kristdemokraterna.se/Media/Nyhetsarkiv/Kristdemokrater-vill-g... But there are longer texts that to my knowledge aren't published online that connect it back to Avgiftsförordning 1992 with earlier legislation and the Swedish principle of transparency.

[11] http://www.government.se/sb/d/12840/a/158256

[12] Wikipedia summary sufficient to understand context, I thought: https://en.wikipedia.org/wiki/Politics_as_a_Vocation

[13] http://www.riksdagen.se/sv/Dokument-Lagar/Forslag/Motioner/E-legitimatio...

[14] Lawrence Lessig, Code v2: http://www.codev2.cc/

[15] http://ec.europa.eu/justice/data-protection/document/review2012/com_2012...

[16] See, in Swedish: https://dataskydd.net/sammanfattningar-regeringen/

[17] https://dataskydd.net

[18] http://www.respect-my-privacy.eu

Questions

- What about privacy and security problems with smart meters? Are they addressed?

Not really. Smart meters are a solution looking for a problem in the vast majority of member states and they seem to create more problems than they solve wherever they go. There are however no easy remedies to this problem. The infiltration of standardisation bodies for electric grids seems to have begun more than 20 years ago and it is by now a consolidated view that smart meters, despite their flaws, solve some problem: for instance that of teenagers wanting to find out, in retrospect, which electrical appliances have been used in a household. In for instance Sweden, the security agency now has access to communications to and from smart meters to ensure that there is sufficient information to investigate any attacks against the grid over the internet after they've happened. That is wasn't a good idea to put electricity networks on the internet in a first place is striking nobody. The original problem, which was that of creating variable demand in a world where the grid is filled with renewable energies, is not solved - smart meters haven't accomplished any changes to that effect and what we're left with is a very messy technology than can fail in so many ways from both privacy and security perspectives that it's doubtful if this was a really talented path to travel down in the first place. It is especially clear with this fundamentally important infrastructure that smart technologies require smart policies. Electricity is vital to our economy and our socities and it's stupid to gamble with it in this way.

- Is it really necessary to regulate the architecture though? What about innovation?

There are plenty of big and unresolved issues inside every possible type of architectural regulation. One mistake commonly made in Europe is to assume that all architectural choices are unregulated in the United States: on the contrary they appear to be having a very deliberate industrial agenda that they also follow up over time. The electronic identification regulation is an extremely sad example of how Europe isn't doing that at all. Similar for the data protection regulation: we have steered our research, education and industry down a data protection friendly path for many years, and then suddenly we've decided in loads of legislation that actually we don't want that type of industrial development after all. This is really harmful to human rights and to industry.

Tågbiljetter i Sverige: diskriminerad av SJ på grund av min webbläsare?

Amelia Andersdotter — Sat, 05 Oct 2013 16:12:03 +0000

Språk Svenska

När jag åkte hem från Bokmässan i Göteborg den 28 september 2013 blev jag och min syster sittandes utanför Södertälje i ungefär 45 minuter på grund av fel i signalsystemet. Innan dess hade vi haft problem att köpa tågbiljetter åt min syster eftersom SJ:s mobiltelefonapp inte fungerade. Mer specifikt fungerade inte betalningen via app - det gick alltså utmärkt att göra reservationen och söka resorna fram tills dess att betalningen skulle genomföras. SJ:s prissystem är väldigt lurigt, och när vi i slutändan köpte vi biljetten på min dator fick vi den obehagliga överraskningen att priset blev 120 kronor högre av att köpa via min dator än via min syster. Det har föranlett nedanstående fråga till SJ:s kundtjänst, och jag kommer naturligtvis posta svar när det kommer:

Vi som konsumenter och medborgare vet oftast inte om när vi utsätts för diskriminering baserat på maskinbehandling. Det yttrar sig i orättvis prissättning i tågtrafiken (kanske), flygtrafik och på andra platser på nätet där priserna varierar, som hotelltjänster. Det yttrar sig i hur vi mottar reklam och information om samtidshändelser baserat på hur våra anhöriga agerar.

Det drabbar våra anhöriga: i detta fall är det min syster som ska åka, inte jag, och eventuellt är den hon som fått betala för att någon spårningstjänst någonstans tagit reda på att jag har bättre betalningsförmåga än hon.

Egentligen finns det redan lagstiftning mot den här sortens okända, oöverskådliga spårning. Vi har också en rätt, som användare, att få veta när och hur vi diskrimineras baseras på sån här spårning och om det riskerar att drabba oss eller andra negativt. Den lagstiftningen upprätthålls inte av de myndigheter som är ansvariga. De som utvecklar IT- och webbtjänster för bland annat reseföretag bryr sig inte nämnvärt om en lag utan straff.

Men en annan olycklig omständighet med just SJ är att de inte lyckas särskilt bra med den tekniska implementation som ligger till grund för deras kärnverksamhet: transport. Anledningen till att vi betalar höga priser må vara höljd i dimmor, men att de inte lyckas fixa spår och signalsystem är faktiskt bara en felinvestering. Det vore bra om någon av de duktiga matematiker och programmerar som hanterar SJ:s biljettprissättning istället kunde förmås snickra ihop ett bättre signalsystem.

Vi behöver ett bättre politiskt ledarskap för informationssamhället. Vi behöver lagstiftning som upprätthålls och lagstiftare som är motiverade att ta tillvara på privatpersoners intressen när de interagerar med internetjänster, varesig de är privata eller offentliga.

Vårt nuvarande politiska ledarskap, eller snarare bristen på detsamma, misslyckas på alla punkter med detta. Det är Piratpartiet som gör skillnad.

Krig på nätet? Teknologi blir aldrig smartare än sin politiska tillämpning

Amelia Andersdotter — Thu, 03 Oct 2013 10:43:17 +0000

Språk Svenska

Smarta teknologier kommer aldrig bli smartare än det politiska ledarskap som framför dem. Politiskt är det smart att vi kan ha förtroende för våra samhällen och våra stater, och att vi kan lita på att våra liv är våra och under vår egen, självständiga kontroll. Nya teknologier kan förstärka förtroendet för demokrati och samhällsbygget, eller undergräva det. Piratpartiet står för ett smart politiskt ledarskap, så att vi kan bygga förtroende för demokrati och det samhälle vi alla på något sätt måste relatera till.

Anledningen till att stater lägger över mycket ansvar för nätverks- och informationssäkerhet på militären eller säkerhetstjänsten är för att det finns en ökad fascination för "cyberkriget". Erik Lakomaa har i FriVärld magasin skrivit en bra artikel om varför denna fascination är förhållandevis onyttig.

Lakomaa skriver

Statsvetaren Dwight Waldo menar att det som håller samman samhället är följande: legitimitet för staten (förmåga att leverera), statens auktoritet (möjligheten att implementera beslut), kunskap (möjlighet att organisera), kontroll (möjlighet att upprätthålla lagar) och inte minst, förtroende. Militära angrepp syftar ofta till att med fysiska medel övertyga det angripna landets befolkning att deras stat inte längre kan leverera. /.../ Staten bör också se till att upprätthålla förtroendet för statsmakten. /.../ Det innebär [att] ”cyberförsvarsåtgärder” som skadar förtroendet för staten är kontraproduktiva. Övervakning, hemliga program och begränsningar av yttrandefrihet och öppenhet (t.ex. när det kommer till att avslöja sårbarheter) kan räknas som sådana. Det är exempelvis uppenbart att den amerikanska (och svenska) övervakningspolitiken skadar förtroendet för statsmakten.

När EU föreslog ett nätverks- och informationsdirektiv för den inre marknaden missade svenska riksdagen att detta handlade om en marknadsfråga, ett sätt för europeiska medborgare, entreprenörer och företag att umgås med varandra under fredliga, avtalsstyrna former - kanske med inslag av konsumenträtt. Man skickade istället direktivet till försvarsutskottet som avslog direktivet på subsidiaritetsgrund. Sen när är försvarsutskottet ansvarig för marknadsfrågor? Sen aldrig. Problemet är att Sverige militariserat nätfrågor och att det är internet som är försvarsfrågan.

Att direktivet är dåligt formulerat och målar upp en otydlig riktning för unionens nätverkssäkra framtid har inte hjälpt någon. Tanken är god: av uppenbara skäl är informationsteknologier vi använder i vården, skolan, för privat kommunikation, med våra vänner, familjer, nya kontakter och för kulturskapande eller kulturanvändning inte starkast kopplade i våra sinnen till just Försvarsdepartementet. Snarare kopplar vi många av dessa aktiviteter till Socialdepartementet, Näringsdepartementet eller kanske till och med vår egna, individuella frihet. Ett EU-direktiv som ämnar stärka den inre marknaden förstärker denna intuitiva relation till de aktiviteter vi genomför på nätet.

Ett starkare och tydligare politiskt ledarskap för fred och mot militarisering hade varit önskvärt, både i Sverige och i EU.

Många medlemsländer, däribland Sverige, har flyttar istället nätet djupare in i försvarsträsket. Nätverks- och informationssäkerhet ligger under Försvarsdepartementet på Myndigheten för säkerhet och beredskap. Detta är säkert en av huvudanledningarna till att MSB inte lyckas göra ett bra och nyttigt jobb. På medlemsstatsnivå i Unionen är det svårt att se att utvecklingen går att stoppa: i Sverige motverkar både polisen, militären, säkerhetstjänsten (och i och med dessa regeringskansliet) och flera departement en civil, fredlig utveckling av nätet som plattform för förtroende och stabila samhällsstrukturer. Det politiska ledarskap för en civil, neutral och fredlig plattform för demokrati som i dagsläget saknas, tillför Piratpartiet.

The Netflix Law

Moa Normark — Wed, 02 Oct 2013 16:47:29 +0000

Språk Svenska

Netflix är ett amerikanskt företag på stark framfart som erbjuder online streaming, och har lanserats i flera av EU:s medlemsländer. Även i Sverige har Netflix varit framgångsrika med sin etablering, trots konkurrens från inhemska alternativa utbud, och har idag lyckats ta en framskjutande position som uppmärksammats medialt i samband med firandet av företagets ettårsdag.

Netflix och online streaming ställer lagstiftarna inför nya och intressanta utmaningar eftersom deras verksamhet inte är baserad på upphovsrätten, utan på sändningsrättigheterna, vilket innebär rätten att göra något tillgängligt för allmänheten genom utsändning. Sändningsrättigheterna ger alltså inte företaget rätten till själva filerna, men däremot spridningen av filerna över internet. Dessa kan till exempel vara musik och filmer. Det är ungefär som att ge ett logistikföretag eller en lastbilschaufför en specifik rättighet som skyddar dem medans de fraktar en tavla från ett ställe till ett annat.

Sändningsrättigheter regleras på olika sätt i EU:s respektive i den svenska lagstiftningen. Sändningsrättigheterna från satelliter och kablar täcks av ett direktiv från 1993. Direktivet "Television utan gränser" och direktivet om "Tillhandahållande av audiovisuella medietjänster" (AVMSD) reglerar på samma sätt TV:s innehåll och spridning av audiovisuellt innehåll (därigenom undantas till exempel radio som ju inte är audiovisuellt.)

Så frågan som både Netflix och lagstiftaren kommer att behöva ställa sig är om den tekniska och lagliga infrastrukturen i form av samhällsstöd räcker till för den typ av etablering som Netflix håller på med. Svaret på frågan är nej, nej det gör den inte. Det är därför World Wide Web Consortium (W3C), Netflix och Google har jobbat hårt för att införa ett DRM (Digital rights management) i system i standarden HTML5.

Argumentet som stödjer detta är att det är väldigt ofördelaktigt att ha ett stort antal olika DRM plug-ins för webbläsarna på en teknisk nivå.

Det kommer att bli tekniskt svårt för de som skapar webbläsare med många olika plug-ins då det kommer att innebära förvirring för användare och programledare. Motargumentet mot detta är att vi faktiskt inte har fattat ett politiskt beslut om hur vi ska hantera detta juridiskt än.

Det visade sig finnas belägg för att den svenska tillämpningen av AVMSD inte hindrar icke-kommersiell motiverad dekryptering av mottagandet av en sändning. Du har rätt som konsument att dekryptera saker som har du har mottagit genom en sändning.

Den svenska regeringen överväger en förändring av lagen för att göra det möjligt för Netflix att använda sig av den arbetsmodell de tagit fram. Förslaget befinner sig fortfarande i ett väldigt tidigt stadium, men kan ses som ett tydligt resultat av den envisa men försiktiga strategin Netflix har bedrivit i Sverige under det senaste året: de har nått ut till fler mediala nyhetsrapporteringar än någon annan aktör med en "innovativ" arbetsmodell för streaming.

W3C DRM- systemet för webbläsare är mer komplicerat: det är i grunden en tekniskt motiverad process som utnyttjar ett juridiskt system, på grund av det inte finns något avtal som reglerar detta i Unionen.

Vidare, man kommer att stöta på kommersiella svårigheter i användningsområdena: i syfte att stödja gränsöverskridande tillgång till tjänster, är EU:s sändningsrättigheter utformade på så sätt att rätten att ta emot en sändning som köpts i ett land kan användas för att titta på samma sändning i ett annat medlemsland oavsett vad licensvillkoren för det verk som har sänts säger.

Frågan som då uppstår är hur Netflix tekniska och lagliga ambitioner står i konflikt med den nuvarande europeiska lagstiftningen och hur snabbt de, tillsammans med Google, kommer att kunna lobba för att lagstiftarna i medlemsländerna ska ändra lagstiftningen för att få den att överrensstämma med deras ambitioner och tänkta affärsmodell.

På plus-sidan är både Netflix och Google amerikanska företag och bör därför komma att ställas inför vissa utmaningar i de medlemsländer som är obenägna att rätta sig efter andra länders industriella intressen. Detta kommer att gynna slutanvändare i Europa vars rättigheter kommer att påverkas i ett långsammare tempo än annars varit fallet.

På minus-sidan befinner sig Netflix och Google i en sådan position att de har ett väldigt stort inflytande på de tekniska standardiseringsorganisationerna som kontrollerar samspelet mellan internet och majoriteten av världens internetanvändare. Det skulle kunna leda till att de förstärker ett beteende och en juridisk norm i den tekniska arkitekturen utan lagstiftarens samtycke.

Vi har här i Bryssel arbetat med detta ämne sedan i våras, både i parlamentet och i kommissionen, och kommer naturligtvis att fortsätta med det. Det lönar sig att ta upp dessa frågor med våra politiker (det vill säga, utöver mig) och med de tekniska organisationerna, vilket i detta fall inte är Netflix eller Google. Det skulle vara intressant att veta om några förslag, liknande det svenska förslaget, har lagts fram i andra medlemsländer, och framför allt hur dessa i så fall förhåller sig till mediabevakningen av Netflix under de senaste två åren.

I länkarna nedan har finns en rad artiklar som publicerats om Netflix i de svenska tidningarna Dagens Nyheter och Svenska Dagbladet.

Dagens Nyheter:

kritiserar piraters, på populära TV-serier, använder textning, lanserar sina tjänster, poteniella Emmy-vinnare, vinner en Emmy, tar bort filmer från sin hemsida.

Svenska Dagbladet:

segrande, lanserar web-TV, når en toppnoteringan, ute efter pirater, undflyr Microsoft (for Googles HTML-idéer), konkurerar med traditionella TV-sändningar.

English

Notification to ICT Standardisation Group at the European Commission: Post-pone DRM in HTML5

Amelia Andersdotter — Thu, 13 Jun 2013 11:06:01 +0000

Språk Engelska

Today the European Commission is gathering its European Multi-Stakeholders Platform on ICT Standardisation to discuss issue on ICT and Standardisation issues in Europe. I have taken the opportunity to bring to the agenda the issue of DRM in HTML5, a currently much controversial issue which risks passing the standardisation procedures at W3C without further political scrutiny. I have had the help of my assistant Ulf Pettersson, who attends the event in my name as I have obligations in Strasbourg, and Martin Kliehm, a Piratenpartei member and well-acknowledged expert on public sector ICT use from Frankfurt.

Dear ICT experts and platform participants,

Unfortunately Ms Amelia Andersdotter, Member of the European Parliament, cannot be with us here today as she needs to remain in Strasbourg for important plenary votes. My name, however, is Ulf Pettersson and I work for Ms Andersdotter with matters of technology and intellectual property.

Amelia Andersdotter, who works with ICT issues in the Industry, Energy and Research Committee in the European Parliament, is very happy to be part of this platform. Amelia believes careful, well informed and technically sound ICT standards are very important for a functioning society in which the citizens can trust. This is a perspective which necessarily touches upon the standards and architectures that we use, as citizens, to interface with different technologies around us, and one which is often overlooked both politically and technically. The choices we make for technology standards influences our daily lives by enabling, shaping or restricting the communications and interactions between citizens. The artist Carol Hanisch coined the famous phrase the “personal is political” – we believe the “technological is political”. Therefore, we need to make sure that human rights and human communication perspectives are taken into consideration at the level of standardization.

In this vein, Amelia Andersdotter would like this meeting to address the issue of DRM, Digital Rights Management, in HTML5. This is currently being decided on in the W3C under the name “Encrypted Media Extensions”. As decisions on this are being made now, more or less, it is important that well informed stakeholders, such as yourselves, act with expedience.

Amelia believes it would be wrong to standardize on Encrypted Media Extensions in HTML at this time. At the very least, more time is needed to properly reflect upon the consequences of such a standard choice for a very important technical infrastructure in contemporary society. There are many reasons why DRM in HTML is a bad idea, but we will limit this to two relevant legal obstacles. For the European Union, there are legislative reasons as to why DRM in HTML does not work out at this time.

Firstly, in practice, DRM sets up restrictions to the rights granted by copyright and freedom of expression laws. Thus, the standardization of DRM in HTML will pre-empt upcoming revisions to European Union copyright law. The Commission has announced its intention to reform the copyright legislation over the coming years. And as present efforts like the Licenses for Europe platform cannot achieve their targets – parts of it have already fallen apart – it becomes clear that legislative reforms will be necessary. Similarly, there are also rumors of an upcoming copyright reform in the United States.

It would be inappropriate for a standards consortium run by private actors to make decisions that could prevent or side-track political decisions in this area in the near future, before those decisions are made. We believe that democratic representatives need to make political decisions, and that these decisions should not be pre-empted by technical standards.

Secondly, in the EU, our legislative framework provides an additional challenge for the Encrypted Media Extensions as proposed by Netflix and Google. Netflix is a streaming company, and is as such interested in controlling re-transmissions of streams. However, European jurisprudence grants specific rights for users and consumers of broadcasts in cross-border trade between member states. These rights are codified in for example, the Premier League vs. Murphy cases on the retransmission of content. Any technical standard which implements obstacles to retransmission at the infrastructural level should at least take these rights into account.

When legally consolidated rights of users and consumers are compromised by technical standards decisions, it is a political issue. We believe that the distinction between the technical and the political is important to safe-guard, and we are hoping that you will agree with this. If the W3C makes a political decision that is not in line with EU law or upcoming reforms in the European Commission and Parliament there is the risk that HTML5 cannot be supported in the European Union.

In addition, Martin Kliehm adds this serious critique:

DRM in HTML is cementing closed ecosystems instead of promoting competition and innovation. Google, Microsoft, and Apple control the hardware, the operating system, the player (i.e. browser), and the app stores. They have absolute control over their ecosystems. As content distributors they can exert leverage on content suppliers for exclusive contracts. Open source developers will be locked out.

Like the EFF point out, video and audio content is just the beginning. Content includes books, games, 3D content, even web pages. Accepting EME could lead to other rightsholders demanding the same privileges as Hollywood, leading to a Web where images and pages cannot be saved or searched, ads cannot be blocked, innovative new browsers cannot compete without permission from big content companies.

DRM is against the principle of the Open Web. It will create a fragmented landscape of content that is restricted to certain areas, contradicting the principles of a European Digital Single Market.
Property rights of end-users will be violated by installing software on their computers that seize control of their personal computers. This encrypted black box of executable software cannot be accessed or scanned by anti-virus programs, leaving strong security and privacy concerns.
DRM constricts fair use of purchased content. It could ignore exceptions from copyright for people with vision impairments, schools, and libraries. Other features of HTML5 like local storage for reading offline could be broken.
Once DRM is implemented, it will be really hard to remove it.
The key issue is not content protection, but how a content owner or producer can sell its content online. DRM cannot solve this issue. Political decisions should be made by democratic, political bodies, not by standardization organizations.

It's important to remember that the European Union has not had any discussions at all on Digital Rights Management Technologies almost at all since 2004, when the IPRED directive was first addressed by the European Commission and later adopted in a quick procedure of less than 6 months political work. This should be sufficient cause for the European Commission and the other political institutions to reflect.

References:

Harry Halpin, W3, independently expressing his views on the ongoing procedures in the Guardian: http://www.guardian.co.uk/technology/2013/jun/06/html5-drm-w3c-open-web
The recent mass-withdrawal from the Commission's Licenses for Europe platform: http://www.libereurope.eu/L4Ewithdrawal
The Premier League v Murphy case at the CJEU: http://curia.europa.eu/jcms/upload/docs/application/pdf/2011-10/cp110102en.pdf (see otherwise also: http://www.guardian.co.uk/media/2012/feb/24/pub-landlady-karen-murphy-premier-league )
European Commission report from 2004 on DRM: http://ec.europa.eu/information_society/eeurope/2005/all_about/digital_rights_man/doc/040709_hlg_drm_2nd_meeting_final_report.pdf

Online voting? German Pirates want it, but...

Petr Kopač — Wed, 15 May 2013 20:19:53 +0000

Språk Engelska

After a fast and hard fall from the heights the German Pirates are up and running again and their preferences grow up. They focus their forces now on hard-working preparations for the elections instead of internal disputes and feel motivated #ichbinmotiviert. And it pays off - the last Bundesparteitag was a success, commented as outstandingly productive as most local media stated.

There were though some reasons of the previous fall and one of them was actually the inflexibility of the modern party. Because the German Pirates, as all Pirates around the globe put much emphasis on direct democracy and at the same time their general assemblies take place only twice a year, it was virtually impossible for their leaders to take any position in reaction on current events, if nothing connected was approved by all the members.

You can imagine that it hurts your PR, when you keep saying into cameras "Sorry, we don't have an official position on this." Any opinion is better then just plain "I don't know."

So this very weekend the pirates gathered not only to agree upon more than 800 pages of proposals, but also to vote, which kind of online voting they would like to have. To put you into the image - the party has currently around 34 000 members! Seriously, guys, you'd need a stadium for such a GA! The event was actually attended just by "mere" 2000 people. Even so, it stays the largest general assembly organized by any party in Germany. And that's because direct democracy. But how can be it so much direct, when only a small portion of members can take part?

And that's it - we got now to the two main reasons to establish online votings: flexibility and allowing participation to all the party members - comfortably and cheap. Keeping up with 21st century, some might add. But on the other hand there stand many concerns - obviously - electronic voting can be tempered with and how can you find out then, what were the real votes? On the topic, I recommend you to watch this document shot for HBO, which features activists in the US fighting against insecure election system - which was closed-source and even the autorithies were not allowed to look into the source code, because of the "trade secret"!

But let's get back to Germany... there were actually many propositions at this huge gathering of Pirates, some of which offered voting, which was transparent, but on the other hand the voter lost their right of secret vote. Some proposed continuous voting system, where the party could react pretty fast, but if you think about it for a moment - that would keep all the party members in a constant stress. Because then you never know, whether something important comes up and so that you must pretty often check the voting system or keep some kind of voting calendar.

To be continued... tomorrow I will unfold, how online voting actually works in some Pirate parties around Europe and tell you how this ended up for now for the German Pirates. Stay tuned!

Keynote på Open Source Days, Köpenhamn (9 mars)

Amelia Andersdotter — Wed, 13 Mar 2013 07:02:45 +0000

Språk Svenska

Jag hade den stora äran att få närvara vid Open Source Days, en stor dansk konferens om öppen källkod och öppen mjukvara som anordnas varje år i Köpenhamn sedan 1998. Nedan följer det anförande jag gjorde under konferensen, och efteråt var det många som ställde frågor och förde diskussioner som jag också besvarade så gott jag kunde. Det var många intressanta presentationer utöver min egen som DNS-censur, privatlivsskyddande teknologier för din mobiltelefon (specifikt Android och orbot), samt en mycket intressant historia om hur man kan porta mjukvara från slutna plattformar till Linux, och vilka avväganden man som företag då behöver gå igenom. Jag träffade PROSA, KLID, Superusers och ett makerbot-team som tillverkade små bystar (alltså statyer). Också närvarande var Ung Pirat Malmö:s nya ordförande Janni! Stort tack för sällskapet och jag hoppas vi ses snart igen :-)

I'm very happy to see so many people here. Welcome.

Most of you have come here because you are developers, or implementers, of open source solutions. Am here in a slightly different role. Even if I have been known to use open source software, I'm here because I am a member of the European Parliament, a publically elected representative, and, as such, legislating and creating norms for interactions in society are some of the tasks for which I m responsible and accountable. I am, optimally, responsible and accountable both for choices that I make, and choices that I don't make.

We all make choices, on a daily basis. In the vast majority of cases they don't have a big impact on the people around us, nor do they impact our surrounding world a lot. Many of the choices I make, when I work in Brussels, by contrast impact the framework in which the 500 million citizens of the European Union find themselves.

So I would like to talk about responsibility and accountability.

Last year I was awarded the honour of being named the fifth most influential internet activist in the world by online internet social community magazine Daily Dot, because of my work in the European Parliament against the Anti-Counterfeiting Trade Agreement.

Now, ACTA is an interesting piece of work since, ultimately, the European Parliament rejected the agreement. The international federation of phonogram industries issues a press release on the day after the vote, July 6th 2012, urging the parliament to be more responsible ”next time”.

But the agreement was already from the outset an example of devastatingly bad allocation of responsibility and accountability.

One of my major concerns in the agreement was the proposition that businesses make their own agreements on how copyright law or trademark law should be enforced.

The reason I don't like this is because I recognise that business, ultimately, doesn't have the olbigation to make difficult and sometimes costly judgement of which particular society benefit should be given preference over another at some given time.

It is us, the legislators, who make that balance through the laws that we enact, and up to the courts to implement these balances.

We have to be able to trust our legislators and our courts to uphold our rights and freedoms. We, the people, everyone of us that interacts every day, need to feel safe that our legislators take responsibility for our common interaction spaces. In the case of ACTA they did, so that is good.

But returning to the issue of responsibility: earlier this week the European Economic and Social Committee had invited me to hold a keynote at one of their meetings. They are not a legislative institution, by the way, so they do not necessarily cause a lot of harm. I was invited to hold a keynote on the responsible use of the Internet. Their thematic conference concerned children, nasty comments on the internet and how we can ensure that the Internet become a friendlier and funner place.

I said at that meeting, and I will maintain, that we have a fundamental political problem in how we define interaction spaces in society when all responsiblity for friendlieness is hurled towards the individual rather than us assessing whether the interaction frameworks are in fact wrongly defined.

We know, for instance, that at the World Summit for Information Society in 2005, ”communciation” was left out from the list of expected benefits from public access to information benefits. An arbitrary exclusion, given how important communication is for society and group cohesion.

In the European Union similarly we are not reforming the opyright laws. They create only uncertainties and risks for those who try to express themselves through use of culture, or those who turn to culture to build commonalities with others. Being a user of cultural works is associated with nothing but risk – all rights and certainties are kept for rightsholders. But because we either do not value communication or because we, the legislators, are unwilling to acknowledge the huge impact our work or, as it were, non-work, has on the abilities for people to interact, the reforms aren't coming.

I will give you an example: in December of last year, the current European Commissioner in charge of copyright issues Michel Barnier said in front of a parliamentary meeting that he did not want to look closer at users' rights in the European legislation because he didn't want to make copyright weaker.

I would argue that a legal framework made in such a way that it creates fear, uncertainty and doubt for those who try to build social networks and communities with each, is a weak legal framework. Our legal system can never be stronger than its legitimacy, and the legitimacy of the current copyright framework with its few limitations is very low.

When teachers, librarians, e-book consumers, radio stations, organizations helping out the visually impaired or Djs find themselves in a situation where they cannot, at any other than severe cost in time, money or to themselves, comply with or respect the law, that is the definition of a weak legal framework.

Laws have no purpose if they don't minimize conflicts between different members of society, or make the conflict resolution between these members as painless as possible if a conflict nevertheless arises. Copyright does exactly the reverse: it generated a multitude of conflicts, and makes the resolution of those conflicts painful and traumatic.

To no reassess users in copyright is irresponsible. It is an avoidance of responisibility that users and citizens themselves can't remedy. It falls upon politicians and elected representatives to take this responsiblity, but the political fear of action in this field is harming our society and our communication places.

Many here will be private persons, entrepreneurs or business people who are deeply concerned with policy areas like competition, standards development or patent law, trademarks or worse: trade-secrets, one of my biggest problems in legal development today.

Also here, unarguably, we are suffering from a gret number of problems over which politicians largely do not exercise much responsibility. Because of the very unclear value-base which guides all policy around communication, be it innovation, group work, personal or economic endeavours or what, the very concept of ”responsible use of the internet” is naturally confusing.

Is it responsible to have built a market model entirely dependent on the removal of freedom, choice and privacy of your customers?

I would argue that it isn't, but politically we have huge difficulties acknowledging concepts like indutrial leadership or the consequences of showing, or refusing to show, such leadership. What we seem particularly unable to determine, politically, is how to discuss the frameworks for interaction that we are making.

Because politicians, publically elected officials, decide the frameworks within which all other actors in society operate, it is incredibly important that they have a vision and some values to impose on that framework.

So for instance, I believe that we need a much stronger policy against vertical integration. Competition policy, which today deals msotly with cartels, mergers and dominant actors need to have a shift of focus towards market entrance barriers. For each level of a different product chain we should not only ponder, but also enforce, functional separation. This will make market entrance on each level of the vertical chain much easier and more actors will be able to join in innovation and product development.

What we are seeing instead is a less conflictful application of competition law now than in the past. When Apple locked its platform sot hat developers only by locking in themselves could participate in the AppStore, the European Commission was happy to accept only a weak commitment from Apple to open partially the developer kit in 2010.

Clearly a more useful discussion or investigation to have been had could and should have been the exact control exercised by Apple over every step of their value chain, and whether anti-trust laws should actually be given a larger role in contravening such practises.

Similarly, when Apple and four publishers were doing price-fixing and locin-in for the e-book sectors, the Commission cautiously criticized the license market they were engaging in as potentially in violation of competition laws, but in the end the Commission decided to not go in and actually just ban the market that they though was not in any way competitive, but instead accept the voluntary commitment to discontinue these market practises for a period of two years.

Clearly more political evaluation over what type of market models we are actually willing to accept would have been useful here.

Even in the Commission's merger investigations, they will very rarely scrutinize the conglomerating effects of merging patent portfolios on a licensing market. But the market for licenses of certain types of patents can be very heavily influenced by large mergers.

The type of competition overhaul that I would like to see would of course demnd involvement not only of competition authorities, but politicians and sector-specific national regulatory authorities as well. It is possible, but it reuires consistent and responsible politicians that are willing to be accountable, and responsible, for the decisions and values they implement.

We as citizens should not be letting our publically elected officials get away with losely referring to industry self-regulation or how they do not want to stop some business development from happening.

Even if it is clear that vertical integration and centralization can have some benefits, freedom, choice and the liberty to make new things is to me more important, and comes only from a structural framework of functional separation.

This brings me over to a last point that i would like to propose on the topic of responsibility. I say that often we hear politicians avoiding responsibility by stressing their unwillingness to interfere with business development or the development of new business models. It is already quite clear that all businesses emerge inside a society context, and that politicians, parliamentarians, governments and commissioners have the responsibility for how that framework is set up.

We all exist inside this framework, which defines how and when we interact in which way with whom. It defines our social interactions, our interactions with businesses, public authorities or the way that businesses interact with each other or public institutions.

These frameworks are made to reduce th total amount of conflicts and bad blood. They are here to help us make bad blood that nevertheless appers go away in some process least traumatic to the parties involved.

So clearly, in order to preserve these conflict minimizing properties of our framework for interaction, we should not be scared of, or avoid, showing an appropriate amount of industrial leadership.

Privacy, data protection or security are good examples of where a larger degree of political responsibility is needed.

In one place I read, and I think this captures beautifully this point: one national data protection authority based in a member state of the European Union stated that it feels its mission is to mitigate the negotative consequences brought on to private persons and citizens in their interactions with business and public authorities by the large scale deployment of information and communication technologies.

Mitigating the negative consequences implies that all is lost, and you would wonder why we at all make public investments in data protection authorities if all is lost.

As we see, and as many of you know, we could simply politically decide not to accept some economic models which create the need for ex post crisis management and damage mitigation with respect to privacy concerns.

We need stronger leadership, responsibility and enforcement of the privacy and data protection measures that we want.

I'm not saying politicians must necessarily favour some technology over another, but I do believe strongly that we both can and should consider the properties which technologies that get deployed at large-scale have to possess.

As business models deal a lot with interaction and communication, we can and should also exercise responsibility in open, democratic debates about which business models we find ok, and which ones we don't.

Now finally, then, if one is a private person and one would like to interact with policy making institutions because one is concerned about the lack of responsibility or one wants to increase accountability? I would suggest writing e-mails, letters or give phonecalls to deputies, that are personal. One person writing a heartfelt, personal email to their deputy easily counts more than any lobbyist or any other interest. Keep in touch with your deputies, ask what they are doing, get in touch when you know that they are addressing issues relevant to you.

#exile6e "Cyber war with Anonymous" S02E08

Tess Lindholm — Fri, 07 Dec 2012 17:34:23 +0000

Språk Svenska

http://www.youtube.com/watch?v=vtgU65Xnb0U