Amelia Andersdotter - conferences

European Innovation Summit 5: Standardisation for innovation empowerment

Amelia Andersdotter — Tue, 08 Oct 2013 09:24:26 +0000

Language Swedish

During the 5th European Innovation Summit, I was invited to present my views on standardisation processes and innovation. Standardisation is a very important activity and allows for open platforms that can be used by different parties. However, standardisation can also be a political point - laws are effectively the way we standardise behavioural norms for society. My address therefore focused on this issues, but was free form and therefore it is recollected from memory:

Address:

Standardisation is a clearly convenient tool, but it's important to remember that not all standardisation is always done on a purely technical level. Opting for a particular standardised norm can also be a political choice, and so we have in the European Union the situation that many of the north-eastern member states, like Finland and the Baltics, have railroads that are built according to an old Soviet or Russian standard width rather than the European standard width. It is clear that for the purposes of logistics, it was politically appropriate in each of those regions to pick one width for the railroads and stick with it. Now there is a frenetic discussion in the Baltics about whether to adapt their railroads to European standard widths. From a cost perspective that is unlikely to be beneficial. It costs a lot of money to build infrastructure. On the other hand, they may wish to have a larger exchange of goods with their European Union peers than with Russia, and from that political perspective of integration the discussion of railroad width makes sense. This is to show that standardisation can affect norms, economies and the perceived identities of entire nation states.

In the information technology field, which is where I do most of my political work, we have some notable instances where technical standards impose or codify behavioural norms that we may want to take a serious look at politically. I have been dedicating some time to the EME standardisation process at World Wide Web Consortium - to my understanding, this standardisation process pretends to enforce a behavioural norm over which we have no political consensus. It is either an overhaul of what is technically possible within the framework of broadcasting, or it is a process that risks removing many of our citizens' legal rights to engage with cultural material for parody, political discourse, quoting and further creativity. In Europe, this is a particular problem because our legal framework is already fragmented. But we also have some member states where the freedom to use culture for political and society discourse is especially important - Poland being the notable example of where this freedom is even enshrined in the Constitution.

We may want to have a serious political discussion about which type of norms we want to be codified in technology. It is clear that communications technologies for a large extent define the boundaries of what is possible in terms of human interactions, and as democratically elected representatives it may not at all be desirable that we outsource the responsibility of setting these norms to some technical consortia.

Similarly, we have had problems with tracking and tracing, which is actually illegal in the European Union if the consent of the private person is not obtained. Here we have seen very little standardisation going on, and projects by industry to follow the law have fell short of success. When the legislators make norms for society and decide on a particular route to follow, one has to ask if it is not appropriate for those same legislators to follow up on the norms. Ultimately it matters much for what society we are getting which behavioural norms we advance and which liberties and freedoms in the communications that citizens get.

The discussion prior to my intervention and afterwards was highly focused on the project Open-Stand.org, a community for innovation which is founded on the W3C, IEEE, and other standard organisations that are independent from governmentally ran standardisation institutions (in Sweden IIS, I think, and in the EU ETSI, for telecommunications).

The commentary was centered on how Open-Stand was agreed upon, and also the wide adoption of the Ethernet standard in various places in society. The Commission presented the advancements of their multi-stakeholder group for ICT standardisation. One thing which struck me was the unification idea: the idea of total unification is indeed very appealing, and it is nice to know that you are part of a standardisation group which reaches every place in society (like Ethernet). On both a technical and a political level, one can argue that complete unification of technologies is not necessarily desirable: we may want different systems in cars from what we have in washing machines. For instance. On unification theories in general much can be said, and many observations can be made both economically and socially. A problem which is intellectually satisfying ("how do we unify the theories of everything?") can have a practically undesirable result (string theory comes to mind). In principle, I was left with the feeling that maybe we focus too much on what is intellectually satisfying and too little on what is practically desirable. We also, but this is a more general problem that I also raised in my intervention, don't define what is the actual direction we want to move. The political leadership, or moral leadership as it were, is lacking somehow and that is one of the problems that the Pirate Party could reresent a solution to.

Participation in Europeah Health Forum Gastein 2013

Amelia Andersdotter — Tue, 08 Oct 2013 06:28:26 +0000

Language English

Curiosity killed the cat, as they say in English, and the medical confidentiality cat is one cat we may not want to kill too lightly.

I had the fortune of being invited to a panel discussion at European Health Forum in Gastein, Austria, on big data and medicine. This is a rapidly developing field – how can we exploit and make use of personal data to provide better medical services and get better research. In one way, the pharmaceutical industry and many medical companies are jumping on the already existing bandwagon from the advertisement industry. But it's also important to realize that the pharmaceutical sector is suffering from blockbuster patents expiring – having been able to extort the legislator for only two additional years of market exlusivity and seeing their ability to ever-green patents reduced by competition law, they need to quickly replace their existing block-buster based sales model with something else. And they have went for big data.

Because the discussion was freeform I will recount from memory the discussions.

I would like to open by talking about trust. We need for people to trust healthcare systems because it is not good for society if people, from distrust or suspicion, start preferring being sick or dying over approaching health care. In my region in Sweden, for instance, they decided to put all patient dossier on the internet – including my health care dossiers. I assure you that I would have never consented to this measure because this is very personal to me – I suffered a period of illness in my youth which I see as my business and mine alone, with the possible exception of close family members. Because patient data laws in Sweden don't permit this type of publication, my region has decided to make it a research project. We have worse data protection for individuals such as myself in my country when it comes to research than when it comes to health care, and so in order to exploit me and my personal history and that of my family they cleverly relabelled my history scientifically necessary. I can assure you that I am in no way amused by being the guinea pig of database engineers.

Historically we award health records a very high level of protection because often the information contained therein is sensitive. Courts cannot access it however they want, neither can the police. Doctors undertake an oath to not violate their patients confidentiality because it is seen that an integral part of the system of trust for doctors, and what they do with our lives or the lives of close ones. It is also a question of social, political and economical freedom – the wrong information in the wrong hands can have very negative consequences for individuals which they may have to live in fear of for their entire lives if these systems aren't well-constructed.

It's therefore strange that while traditionally we have understood the nature of this information very closely, we are now putting it on the internet – a very large place where very many people can access this information illegitimaly. And in databases which, when they leak, will leak the information of thousands of citizens rather than just one, as it would with paper journals. We unify patient dossiers in the same system so maximize the damage of any mistake – rather than keeping dossiers and systems separated, we put all eggs in the same basket.

There is effectively no way for citizens to feel ultimately comfortable with this system, and that will end up being a problem for both citizens, doctors and researchers in the field of medical sciences.

In some ways, it is as though we've discovered the internet is a solution to some problems, and now we're assuming it solves every other problem also. But just like hammers, the internet is a good solution sometimes, and other times it really isn't a good solution at all. It is my belief that we need to be more careful with how we use the internet for things it ultimately wasn't meant for – the internet is great when we want to spread and disseminate information widely, but is not that great when it comes to information we don't want to spread. It is my belief that the internet can be very useful for everyone in society, and should be used to spread information, culture and research that we want to be accessible, but that we need to reconsider its use in other circumstances.

To some extent these thoughts are lacking in the medical sciences and in medical research. This is only natural: it is very difficult for every individual to understand or relate to other people's privacy. Normally we have a natural relationship only to our own privacy, and when we deal with the personal information of our patients, or our guinea pigs, we may not be as inclined to appropriately assess how much that information means to them. But it is an integral challenge for researchers and doctors to see how privacy must be parts of these systems, and that the protection of individuals makes a difference.

There were some topics raised in the following discussion.

Dialogue I:

Science|Europe: The European data protection regulation threatens researchers and should be made weaker.

Me: As I mentioned, my region in Sweden violated my medical privacy by classifying their publication of all their patients' health records online as a research project. I am disinclined to make this protection weaker and rather believe we need a stricter regulation of research projects when these things are possible.

Researcher from Netherlands: We need to remove consent from this. We should rather just put all the patients' dossiers somewhere and do data mining on them, and then inform people when we're doing it. It's important to empower people by letting them know. Also we have nice database systems for this.

Me: You are aware that the database manufacturers are paid to sell this stuff to you right?

Researcher from the Netherlands: We simply don't agree with each other.

Me: ….

Dialogue II:

Researcher from Switzerland: We could make a sort of cloud which is ran as a cooperative of 10 million individuals, with democratic governance and so. All the patients dossiers would be there and could be accessesd against payment which goes to the cooperative. The people will be empowered by this arrangement, and everyone's influence is guaranteed and we also let people get paid for the exploitation of their data.

Me: A cooperative of 10 million people sounds like it could be many of the member states – why not simply then make it a government project? Or is the democracy in the member states not good enough?

Researcher from the Netherlands: A cooperative is simply more democratic than a government. But it isn't actually. Democracy works in the member states also.

Me: ….

Dialogue III:

IBM guy: Of course it's a trade-off. We can never guarantee 100% security so it's a cost-benefit analysis. We had a great research project in Scotland which I was asked to mention: basically we behaviourally profile teenagers to see when someone is close to being diabetic, and if they are we can nudge them into behaving differently. Also if they are diabetic they can be helped by knowing how other people act in similar situations.

(me, but later in a different conversation: What I don't understand is, I've been in Scotland and it's the only place I've been where I went into a grocery store and two thirds of the shelves are covered in biscuits. The rest is softdrinks, a sad carrot and cheese bathing in brine. Clearly whatever is the cause of diabetes in Scotland is not that IBM does not know enough about people's behaviour or that researchers don't know – their eating habits are horrible, and it's like these big data projects are rather distracting from the real problem which is that they don't have access to real food. Additionally, Scotland is a place where young people frequently have as their passtime to hang around outside grocery store to shout insults at people entering and exiting the store. This phenomenon is so big that they have actual news paper articles about it. It seems, again, that this profiling of teenagers' behaviour which is very invasive och violating of their independent identity formation, is distracting from the fact that they are teens with no cause, nothing to do, have access to only bad foodstuffs, and ultimately this isn't going to be solved by a mobile phone app)

Dialogue IIII:

Elsevier guy: On open access to data and research articles, we want to point out that we want to make money from this.

Me: (didn't have the time to comment on this because of all the medical people looking to invade my privacy).

Later in the day I had a coffee with a person who definitely wasn't lobbying me. That conversation was however so surreal that I feel it needs to be recounted for humour purposes:

Dialogue V:

Person: I liked your analogy with the hammer.

Me: Oh?

Person: Well, but I wasn't sure I compeltely understood. So you mean that in the past we had rocks, and they didn't work so well, and then we had hammers and they were a lot better...

Me: … (oh god where is this going?)

Person: ...and then we got the internet which is an even better tool than a hammer?

Me: No, that really wasn't my point at all.

Person: Then I think you were misunderstood by everyone in the room.

Me: That's unfortunate. My point was rather that hammers are good for solving some problems, like when you have a nail, but for many other problems hammers are entirely inadequate. Just like the internet might be inadequate for many problems, even if it's very good for others.

Person: I don't think anyone understood that. I thought it was more like we have regulated hammers and now the internet will be good if we regulate it also. That's how most people in the room understood it.

Me: Well, it's unfortunate if my point was carried across that badly.

This conversation later lapsed into a discussion about how computers are more reliable than people (which is only true in so far as you are certain that you have control over the computer in question – a person, having independent will, can of course defy you even if you technically have control over them. A computer doesn't do that, but for the computer not to defy you you would first have to assume that you have control over the computer. In the vast majority of cases wont be the case and so mostly anything that follows from that assumption will be untrue).

I pointed out that most computers that we pass our information through are accessible by every other computer on the internet which makes them unreliable by default. That it's important with individual choice. The person agreed vigorously with this, but argued that it was not up to the individual to choose how to store medical information. The person then went on to say that any person could leak medical information just like a computer, and I replied that one person, or even several people, acting on one medical dossier is very different from many computers operating on thousands of medical dossiers in several steps of an internet transfer chain. The person agreed with this noisily and repeatedly and then went on to say that actually he didn't.

Then the person suggested that we should have another coffee in Brussels to which I replied ”uhm.”

I asked the person if they were employed to lobby people in my position to be more positive about personalised medicine apps for mobile phones or some such. The person felt that ”lobbying” sounded like a negative word and that he preferred to think of it as us having a cup of coffee.

It struck me that that person might actually be influential. That is flabberghasting, funny and fills me with fear at the same time. Also with alliterative ambitions.

Upon my return in Brussels I learned that Yahoo! has a patent on estimating and making use of other people's level of influence.

To contextualize: European Health Forum Gastein is Europe's largest health conference and has been held in Gastein for the past 16 years. It enjoys presence of many high level Commission officials, and many lower level officials as well. It is visited by really big companies – Pfizer, Elsevier, IBM obviously were represented only in the short 1,5 hour discussion I was in – and lots of researchers.

Dialogue VI:

I shared a taxi to the airport with a nice researcher from the Netherlands who was doing comparative health care studies between European countries. He was partially concerned that a lot of the discussions on health care development is the victim of heavy lobbying by large companies. I said something sarcastic in reply, which I hope was nevertheless consoling. We had a discussion on making partially accessible medical dossiers: my argument would be that you can choose to put online that which you want to put online (I have a strict definition of ”online” as meaning anything that is reachable in any way through any part of the internet, regardless of how illegal or difficult such access might be). So for instance, you can share information about your wheat allergies if you wish, without having to also share information about your incontinence. The Dutch researcher suggested that this would make it more difficult to study differences in incontinence care. This can partially be solved through anonymization of medical dossiers, but anonymization is notoriously difficult and my personal preference would be also for that kind of access to be optional. One way of reducing sensitivity to publication though would be to make incontinence a more socially accepted problem.

Curiosity killed the cat, as they say in English, and the medical confidentiality cat is one cat we may not want to kill too lightly.

Anförande på Bokmässan i Göteborg 2013

Amelia Andersdotter — Sun, 06 Oct 2013 22:56:05 +0000

Language Swedish

Detta året hade jag nöjet att återigen vara med på Bok och bibliotek tillsammans med Piratpartiet. Jag hade också, för andra året i rad, möjligheten att göra ett trettio minuters anförande om mina goda politiska gärningar i EU-institutionernas monter. Informationspolitik framstår ofta som oundviklig och ogenomträngbar, men det är inte sant. Det är inte heller sant att det inte går att förändra saker och att riktningen på hela övervakningsapparaten är oundviklig. Det finns däremot många politiska frågor om teknologi som inte tas i beaktande och där det krävs att man är lite smart - smarta teknologier löser inga problem på egen hand, utan det krävs också tydliga visioner för samhället. Piratpartiet menar framför allt att samhälle, teknologi och innovation går hand i hand. Vi motsätter sig uppfattningen att politiskt ledarskap på något sätt står emot till exempel marknadsutveckling och menar istället att en tydlig riktning för både samhälle och marknad leder till bättre innovationer och förutsättningar för alla.

Anförandet på Bokmässan är nära baserat på det anförande jag hade hållit dagen innan på BruCon i Gent, men antog ett bredare perspektiv på dataskydd och nätverks- och informationssäkerhet. Anförandet är från minnet, och en mer exakt beskrivning av e-legitimationen finns i BruCon-posten. För dataskyddsfrågorna hänvisar jag till https://dataskydd.net och om nätverks- och informationssäkerhetsdirektivet har jag inte skrivit särskilt mycket. Texten är fortfarande under utredning men industriutskottet har gjort två studier som man nog med fördel kan beta sig igenom om man är väldigt intresserad.

Den här presentationen kommer att handla mycket om mitt arbete i Bryssel. Jag är piratpartist och jobbar mest med teknologifrågor. Det senaste året har jag haft nöjet att grotta ned mig i saker som EU:s nya personuppgiftslag, men kanske framför allt e-legitimationsförordningen som ju också är en fråga som mina utskott faktiskt har behandlat i Bryssel.

Så vad är e-legitimation? Det är någonting man använder om man till exempel behöver besöka en offentlig myndighet. I Sverige skulle det kunna vara Skatteverket på nätet, eller Mina vårdkontakter eller kanske en skola eller något annat sådant. Då behöver staten veta att du har rätt att besöka tjänsten. Här på bilden är belgiska skatteverkets webbinterface. Där kan man logga in med sitt "eID" eller sin "e-legitimation". I Sverige pratar vi sällan om identifikation, eftersom legitimationen legitimerar medborgare som "rätt" i förhållande till tjänster. Staten har inget utbyte av att veta hur du identifierar dig idag, utan vill legitimera att du är rätt mottagare av en viss tjänst. Det är en språklig skillnad som inte finns på alla europeiska språk, och framför allt engelskan utmärker sig som mindre nyanserad.

Bland annat därför, kanske var det förslag som vi fick till vårt utskott ganska dåligt formulerat. Det hade ingen skillnad mellan legitimation och identifikation. Vi har haft väldigt svåra politiska debatter i Bryssel just för att EU-kommissionen inte hade formulerat ett särskilt bra förslag, och undvikit de flesta stora och svåra frågorna med legitimation på nätet.

Identitet är över huvud taget ett ganska svårt ämne. Det är många stora filosofer som gått bet på frågan vem de är. Kommissionen har också gått bet på frågan om vem medborgaren är eller bör vara i förhållande till till exempel staten. Det tekniska systemet man använder för legitimation på nätet spelar stor roll för hur relationerna mellan medborgare och stat utvecklas. Vi kan heller inte i regel välja att inte ha kontakt med staten, och hur vi har kontakt med offentliga tjänster som skola, vård, omsorg, osv påverkar mycket vad eller hur vi uppfattas av oss själva och vår omvärld. Vården är ett väldigt tydligt exempel på det. Mot denna snåriga bakgrund hade man hoppats på ett bättre diskussionsunderlag för parlamentet när vi hanterar denna svåra fråga. Sådan finns också att tillgå i EU, för vi har extremt mycket bra forskning på området som kommissionen sponsrat under tiotals år.

Projektet Future Identities in the Information Society (FIDIS) var ett flaggskeppsprogram i EU som ämnade undersöka hur våra relationer till samhället och varandra påverkas av nya teknologier, och hur man kan bygga bättre institutionella ramverk i ett teknologiserat samhälle. Deltagare från hela Europa var med, och företag, och forskare, och studenter och ett antal politiska institutioner - däribland kommissionen. FIDIS-projektet blev så småningom uppföljt av ab4trust - eller attribution-based credentials, som handlar om hur man kan hantera sina spår och legitimeringsmöjligheter just på internet. Det hade varit lämpligare för kommissionen att rikta sitt förslag mot resultatet av dessa forskningsprogram. Vi har studerat hur man kan bevara ungefär samma institutionella ramverk i informationssamhället som tidigare - hur upprätthåller man rätt maktbalans mellan individ/medborgare och stat? Hur ser man till att individer får så mycket inflytande över sin egen identitetsbildning som möjligt? Kanske man till och med kan stärka individens friheter och identitetsbildning gentemot staten med nya teknologier? Kommissionens förslag lämnade inte öppet för dessa diskussioner och det har varit en väldigt svår kamp att få upp frågorna på agendan i Bryssel, och ha en gedigen politisk diskussion. Området är politiskt omoget, och det är lätt att diskussionerna blir för tekniska, vilket ger ytterligare politiska utmaningar.

Från svenska statens håll har tyvärr intresset för sådana här forskningsprojekt varit så gott som obefintligt. Där har man istället gjort någonting helt annat och eget, som tydligen är i framkant.

Historien om den svenska e-legitimationsfederationen roar mig stundtals genuint, men förmodligen av fel anledningar. Svenska staten har använt sig av BankID, en banklösning för att legitimera bankkunder gentemot Internetbanken. Eftersom man gjorde bedömningen att det kanske inte var så bra att förlita sig på banker, och dessutom göra det svårare för människor att byta bank eftersom man blir så beroende också av banken för att ha en personlighet gentemot statliga tjänster ville man ha ett nytt system. Lyckligtvis fanns det då en tekniker på ett universitetsnätverk som underhöll ett system på sitt universitet som fungerade väldigt bra för honom - lärare och studenter kunde samlas på rätt platser, får rätt mejl-inkorg, och så vidare. Besöka kurshemsidor och så vidare. På något sätt fick denna tekniker kontakt med Näringsdepartementet som inledde en rad långa utredningar om framtidens fantastiska legitimationssystem, givetvis helt bortkopplat från samtidigt pågående europeiska diskussioner (som hade svenska universitetssamarbetspartners men på ett annat universitet). Teknikern insåg att hans system var bra, och att han kunde det väldigt bra och att det kanske också vore lämpligt för hela den offentliga sektorn. Att universitetet är en väldigt annorlunda institution än den offentliga sektorn slog inte honom - vilket är helt naturligt, för han är inte samhällsvetare. Men det slog ingen på Näringsdepartementet heller!

Sättet detta funkar är nämligen så att den som tillhandahåller legitimationen, på bilden här ovan "identity providern", får en databas över alla tillfällen man legitimerat sig någonstans. Så om man varit på Mina vårdkontakter först, och sen på Skatteverket, och sen på Mina vårdkontakter igen, och sedan kanske på skolan, då kommer identity providern veta det. Medan detta kan vara ett bra och praktiskt system, eventuellt, i en universitetsmiljö är det ingenting man vill ha i den offentliga sektorn. Det har också kommit klagomål mot systemet från till exempel Sveriges kommuner och landsting, som inte upplever att det här systemet - där all kunskap och kontroll över hur medborgarna interagerar med offentlig sektor hamnar hos en tredje-part - hjälper dem att bygga pålitliga tjänster. De känner inte att de kan säga till medborgaren: här är en tjänst som vi underhåller och som vi har förtroende för.

Att man som teknisk underhållare definierar sig som pålitlig är förstås helt naturligt. Om man kan underhålla sitt system bra så är man naturligtvis övertygad om att man är pålitlig vad gäller det tekniska underhållet. Att information om medborgarens påtvingade myndighetsliv också är en typ av maktutövande över individen, som kan kräva ett separat förtroende utöver ens tekniska kunskap, behöver inte enkelt förstås. Det borde naturligtvis ha förståtts av Näringsdepartementet, men så kan det gå.

Jag hade en del av min bekantskapskrets som illustrerar ett ytterligare intressant problem med e-legitimationsfederationen. De ville bli en del av federationen för att de var oroliga för att det skulle komma in privata företag och andra mindre moraliskt lagda aktörer och samla på sig mycket information om medborgares interaktioner med myndigheter som sedan kunde säljas till reklamföretag eller användas på andra mindre nyttiga sätt som medborgare inte gillar. Tänk till exempel att du beställer ett klamydiatest, eller att din tonårsdotter gör det, och så plötsligt får en lärare på skolan information om läromedel för att ta upp könssjukdomar med alla elever i klassen: kanske inte är jätteroligt om sådana saker sammanfaller, och framför allt inte om man behöver misstänka ett i stort sett påtvingat system för att vara orsaken till denna konstiga påverkansstrategi. Dessutom vet vi redan att offentliga myndigheter i Sverige gärna säljer personuppgifter för många miljoner till reklamföretag så det finns anledning att känna oro.

De ville bli en godare spårare och kartläggare av medborgarnas interaktioner med staten, för de kände att de kan lita på sig själva i den rollen. Egentligen var de inte så förtjusta i spårningen och kartläggningen som sådan. Men de var oroliga för att en ondare aktör skulle komma in och utföra spårningen om inte de själva gjorde det på ett gott sätt. Problemet är förstås att det kan finnas en anledning att göra motstånd mot att man spårar medborgare på det här sättet på det hela taget. Det är ett klassiskt dilemma i beslutsfattande: etik eller kompromiss, där etiken representeras av att man gör det som är rätt och motsätter sig ett system som kan undergräva medborgares förtroende för det offentliga, och kompromissen är att man gör det dåliga på ett så bra sätt som möjligt.

Jag har tillägnat många långa kvällar grubblande över etik mot kompromiss. Jag tror att man i regel kan säga att jag lutar mer åt etik än kompromiss.

Förtroende och spårning är förstås någonting som också satts på sin spets under sommaren. Jag minns en morgon i maj då jag vaknade och förstod att någon sagt att den svenska e-legitimationsfederationen satts upp för att militären tyckte att den specifika tekniska standard som valts var en bra idé. Jag satte mig upp i sängen och tänkte "varför tycker militären det är bra med en teknisk lösning som spårar allas interaktioner med myndigheter Av alla myndigheter i Sverige, varför dom?"

Vi har sett många kommentarer i Sverige, framför allt i tekniska medier, om hur det är allt för frestande för all världens underrättelsetjänster, som svenska FRA, att avlyssna allt möjligt och samla på sig data om allt mellan himmel och jord. En särskilt insiktsfull kommentar jag hörde i Bryssel för inte så länge sedan gjorde gällande att det är för att spioner spionerar - det är deras jobb. De är också svåra att nå med konventionell lagstiftning, för deras verksamhet är till sin natur oreglerad. Underrättelsetjänster och deras gelikar existerar i en form av undantagstillstånd som inte nås av den vanliga rättsstaten.

Undantagstillstånd är det som händer när andra lagar inte gäller, till exempel i krig. I normala fall förväntar du dig att polisen hjälper dig om du får inbrott - eller kanske inte i Sverige idag, men i allmänhet - men om det är krig kanske du har överseende med att polisen gör en annan prioritering.

Det är ett oerhört stort problem för samhället att det råder i stort sett undantagstillstånd på nätet - vi har nästan inga begränsningar för vad polis och säkerhetstjänster och andra kan göra alls. Samtidigt har vi lagt över hela vår offentliga sektor på det här mediet: vård, utbildning, politisk diskurs, samhällsutveckling, ekonomi, företag, upphandling, allt. Det vi sett under sommaren är att till exempel säkerhetstjänsten aktivt arbetar för att göra den här miljön osäker och opålitlig, och svenska underrättelsetjänsten hjälper till med det.

När vi besöker Mina vårdkontakter förväntar vi oss inte ett militärsjukhus utan ett vanligt civil sjukhus för folk med nageltrång och andra normala problem. Därför är det viktigt att vi på något sätt kan ta bort osäkerhetsmomentet på internet och föra den här infrastrukturen ut ur undantagstillståndet. Där finns det lyckligtvis ett antal europeiska initiativ som kan vara väldigt behjälpliga.

Dataskyddsförordningen är den nya personuppgiftslagen som diskuteras på europeisk nivå. Den sätter upp skyldigheter för de som behandlar personuppgifter och samlar in personuppgifter. Den har ett starkt fäste i europeiska konventionen för mänskliga rättigheter och utmålar ett väldigt tydligt ledarskap för samhällsutvecklingen både industriellt och i den offentliga sektorn. Det är viktigt, för samhällsutvecklingen styrs lika mycket av marknaden och vilka typer av tjänster vi skapar förutsättningar för på marknaden, som den styrs av hur offentlig verksamhet strukturerar sin verksamhet. Tjänsteutvecklingen påverkar också vilka produkter som kan lanseras och användas i offentlig sektor, så det är enormt viktigt med ett starkt ledarskap här.

Olyckligtvis är det enormt svårt att få en bra dataskyddsförordningen. Lobbytrycket har varit enormt starkt i Bryssel och det är framför allt amerikanska aktörer som är mycket argsinta över dataskyddsförordningen. Det är också viktigt att förstå att amerikanska regeringen har en delvis annan industripolitik, som de också genomför bättre än Europa genomför sin. E-legitimationsförordningen är ett typexempel på hur de europeiska institutionerna och medlemsländerna är oförmögna att ta sina egna forskningsresultat i beaktande när de driver vidare politik - istället för att konsekvent dra åt ett tydligt håll, drar man först åt ena hållet för att istället fara iväg åt andra hållet.

När vi gick igenom svenska regeringens kommentarer på dataskyddsförordningen från i somras verkar det också som att svenska regeringen, som är väldigt aktiv i den här frågan i förhandlingarna i Bryssel, inte godkänner förordningens grundprincip. Man misslyckas på i stort sett varenda punkt att ta tillvara på den mänskliga rättigheten att ha makt och kontroll över sina egna uppgifter och sin egen identitetsbildning som ligger till grund för hela förordningens utformning. Det som roade mig mest av svenska regeringens kommentarer var deras inställning till extra starkt skydd för barn. Man upplever inte att barn ska ha rätten att godkänna behandling av personuppgifter, men samtidigt godkänner man inte att i stort sett någon annan ska ha möjlighet att godkänna behandling av personuppgifter. Det säger sig självt att barn inte kan få bättre rätt att ha kontroll än alla andra, så där finns ett tydligt filosofiskt problem.

Man kan följa vårt arbete med dataskyddsförordningen på någon av de två ovanstående hemsidorna. Vi försöker att regelbundet uppdatera med saker från Bryssel, parlamentet och när det finns tillgängligt också kommentarer från ministerrådet. Men från rådets och svenska regeringens diskussioner är vi beroende av läckor så det är inte säkert att det uppdateras särskilt regelbundet i det avseendet.

Ett annat initiativ på EU-nivå som hade kunnat vara mycket bättre än det blev är nätverks- och informationssäkerhetsdirektiv. Det är grundat på artikel 114 i ramfördragen som beskriver alla europeiska medborgares rätt att bedriva handel med varandra i stort sett. Vi får föreslå lagar om det hjälper europeer att bedriva mer handel. Fördelen med just den filosofin bakom nätverks- och informationssäkerhet är att den mesta aktiviteten i det området är kommersiell: svenska företag ger tjänster till grekiska företag, och spanska konsumenter köper tyska produkter. I medlemsstaterna har nätverks- och informationssäkerhet gradvis militariserats, men det är i stort sett ingen som ser sig själv som en militär entitet för att de t ex skaffar ny elmätare eller får en e-legitimation eller skickar ett mejl till en kompis eller köper ett nytt operativsystem. Så det hade varit bra med ett genomtänkt direktiv som verkligen kodifierar att den verksamhet som normalt sett inte borde vara militär - vilket är i stort sett allt från infrastruktur till offentliga tjänster till hela marknaden - inte heller ska vara det, utan att internet ska vara en civil plats för civil handel mellan alla medborgare och företag i EU.

Det finns lite fnurror på den här tråden dock. Kommissionen har skrivit ett väldigt dåligt förslag som stött på i stort sett unisont motstånd från medlemsstater och industrin. Parlamentet har inte resurser att göra rätt när kommissionen gör fel - vi får kanske ett år på oss att behandla stora och viktiga frågor samtidigt som vi gör en massa annat, medan kommissionen är tänkt att fungera utredande och förberedande under flera år innan de lägger ett förslag. Det är verkligen en besvikelse att kommissionen inte lyckas sätta upp en tydligare riktning, för det är uppenbart att den underliggande tanken är god.

Riksdagen skickade något förvånande direktivet till försvarsutskottet, som ju inte alls är rätt plats att hantera marknadsfrågor. Det är väldigt underligt att riksdagen gör den prioriteringen för ett i stort sett civilt område, och som har så tydliga marknadsimplikationer, men jag drog slutsatsen av detta att militariseringen av internet gått för långt i Sverige. Det finns inga bra sätt att föra ut internet från undantagstillståndet på Sverigenivå längre, utan det är EU - som saknar militära organ och underrättelseorgan - som verkligen behöver göra rätt i frågan.

Vi har över huvud taget svårt att måla upp riktningar i EU och i Sverige när det gäller informationspolitik. Dataskyddsförordningen från kommissionen var rätt fegt tilltagen, ändå är medlemsstaterna i uppror. Dataskydd handlar i slutändan om individers makt över sig själva och staten har ingen lust att ge upp sin makt över individer.

Journalistkåren har inte heller haft någon bra bevakning av de här frågorna. När det gäller sommarens övervakningsskandaler har de istället för mig framstått som förhållandevis uppgivna. Man ser riktningen som ofrånkomlig och som oföränderlig.

Det politiska ledarskapet saknas på nästan alla nivåer. Det finns ingen omfattande verksamhet att ställa ansvariga beslutsfattare till svars för vad de gör och inte gör, och det är väldigt synd för...

Egentligen är det inte så svårt! Det finns ingen anledning att inte ha hopp, och de politiska riktningar som hittills varit fel kan bli rätt i framtiden. Vi behöver börja med en bra dataskyddsförordning och att fundera ut hur vi kan låta EU göra ett nätverks- och informationssäkerhetsdirektiv som plockar bort makt från medlemsstaternas militärer och underrättelsetjänster över vår allmänna och offentliga infrastruktur, samt vårt primära handelsmedel.

Frågor som kom upp:

- Har det hänt någonting med medborgarinitiativet?

Nej, det kan man inte säga.

European Innovation Summit 5: What can we do to help SMEs in Europe?

Amelia Andersdotter — Sat, 05 Oct 2013 22:29:14 +0000

Language English

I was invited to hold an address at the 5th edition of the European Innovation Summit in the European Parliament on the topic of helping to advance small and medium-sized enterprises (SMEs) in the European Union. We had three case-studies of SMEs in the panel, as well as Chief Science Officer of Commission President Barroso, Ms Anne Glover, in the panel. You can see the outcome of the innovation summit in this press release, which explicitly does not cover many of my observations. That is, however, normal and it is obvious from the line-up that the press release has premiated big and important political groups in the parliament.

Address:

The good news is that small and medium-sized enterprises are neither new nor controversial in the political discussions of Europe. We have widely cited statistics on the importance of small- and medium-sized enteprises for employment, productivity and innovation. Sometimes I have heard the distinction made between start-ups, the drivers of innovation, and SMEs, that many times perform already widely known services. We have a special liking for SMEs in new industries.

I work a lot with information policy. Clearly an outstanding and exceptionally recent political field. We are accustomed to information policy as driving the world forward for only slightly longer than I have been alive, which can be contrasted with the real estate sector which then obviously has existed for much longer than that.

To me it seems the problem for Europe is one of a lack of consistent, coherent political leadership. While at the European level we invest in privacy-friendly techologies for all sectors in society, and open source solutions suitable for the public sector, in the member states we rarely implement these tools. We don't even make legislation at the European level which is capable of creating the market conditions that are required for our important ambition to make use of our investments.

The discussions on e-authentication models for the public sector[1], the data protection regulation[2], network openness[3] or open acess for research and market data[4] have all reflected the inability of European policy makers to take advantage of their own investments. While we steer our researchers and companies down one line, ultimately we end up opting for implementations that are better served by large multi-nationals and especially foreign multinationals. Why we do this is a mystery to me - surely if I can detect this so easily and after so short a time, someone else must have also noticed.

The most recent policy to come out of DG CONNECT, with responsibility for telecommunications issues with which I work a lot, is the Digital Single Market Regulation[5]. It has been widely criticized by all parties except really large telecommunications companies that are also former state monopolies. We have four of them in Europe. There was no impact assessment made on this legislation which passed internal scrutiny processes of the Commission, but it seems clear to me that making policy for the four largest telcos in Europe is not necessarily beneficial to SMEs. Things like that could be easily fixed, but aren't. Why? I ask myself.

While SMEs is one of the most frequently raised topics in our political discussions, is is unavoidable that most interest groups in Brussels represent much larger interests than SMEs. It is nevertheless surprising to see the difference between the walk and the talk. For instance, while a good SME measue is to make competition clauses in employment contracts weaker, the European Commission has been looking to harmonise trade secret rules. Trade secret rules are known to create problems for employees that seek to migrate from their current workplace to a different workplace. In some member states this is already a problem, and now the Commission seeks to harmonize this problem of work force flexibility rather than enabling European legislation for better competition frameworks[6]. In many instances, it seems our policy work is directly counter-productive to supporting SMEs.

Similar problems arise in the field of intellectual property rights licensing. With increasing amounts of rights being granted, at the EU level and through EPO, and in the member states, the amounts of licenses by necessity also increases. But open innovation in the context of licensing agreements exists primarily between very large companies. Small companies instead suffer a high degree of legal uncertainty from law suits and injunctions where sometimes product seizures are made unlawfully (we have close to 3000 known wrong seizures per year at EU customs[7]) and where there are no good ways of seeing if a law suit actually comes from a legitimate rightsholder.

Ironically, we are just now working with a trademark regulation in the European parliament which, rather than making legally uncertain situations more clear, increases the complexity of the trademark law[8]. While this may be good for small and medium-sized law firms specialising in trademark licensing contracts, it's really difficult to see how the new rules will benefit anyone else. Unfortunately the Commission has not taken that into account at all, and so we have another policy unfriendly to SMEs.

But I also stand here mindful that most representatives in this room aren't going to be SMEs. It is difficult to know how to deal with our ambition to support SMEs and make good policy for SMEs. Competition and market entrance barriers are poorly understood, and at least in information policy our work aims primarily to make market entrance barriers high and competition slightly lower.

With a higher degree of focus on competition, openness and clear political leadership, SMEs and the European Union have much to gain. Policy needs to be coordinated in and between European member states, and also between research and innovation. It is my belief that a competitive advantage of Europe will emerge from our ability to cooperate and make good use of the European idea: together we are strong, at peace and working for a better tomorrow. The four freedoms make sense not only to avoid world wars, but also for a market place and a social Europe which respects human rights and the freedom of entrepreneurs to prosper.

[1] https://ameliaandersdotter.eu/dossiers/eid

[2] https://dataskydd.net/industriutskottets-tidigare-erfarenheter-av-datask...

[3] http://www.vieuws.eu/ict/net-neutrality-european-commission-proposal-may...

[4] https://ameliaandersdotter.eu/2012/11/28/horizon-2020-votes-in-itre-open...

[5] http://www.totaltele.com/view.aspx?ID=483326&G=1&C=3&Page=0

[6] https://ameliaandersdotter.eu/lankar/ipred-konsultation/affarshemlighets...

[7] http://parltrack.euwiki.org/mep/Amelia%20ANDERSDOTTER#am-68-PE-496.561 It doesn't appear to list the justification where the EU border control report should otherwise be listed.

[8] See https://ameliaandersdotter.eu/2013/09/03/forslag-pa-ny-varumarkeslag-lat... or http://ipkitten.blogspot.be/2011/04/over-intellectualisation-of-european... for an older example (2011).

BRUCON Keynote on e-ID

Amelia Andersdotter — Sat, 05 Oct 2013 21:37:35 +0000

Language English

I had the big privilege of getting to attend the BruCon Conference in Gent on September 26 2013. It's an annual security conference which is attended by professionals, students and academics in the field. I had chosen to speak about the first eight articles of the electronic identification and trust services regulation at the conference. They cover electronic identification, and I am particularly critical of some of the Commission's policy choices in the file. As it turns out, there is also much that can be said about the articles regulating trust services (or "certification authorities" as they are more commonly known in other circles). In addition there were some questions raised by the audience that I will try to cover below. If I forget a particular question it's not out of malice. The address is as I have written it, not necessarily as I spoke it.

Address:

I'm very happy to be here and to be able to speak to you all today. I have opted for talking today about the electronic identification regulation which was proposed by the European Commission last year in July[1]. I've been working with this in the parliament for the past year and it's in many ways a good illustration of many big questions that are facing society about the internet, identity, surveillance, privacy, security and how these things relate to individuals and their socities.

So, first of all, what does the regulation aim to do? The regulation aims to give people in different member states a way of accessing eGovernment services in other European countries. When a specific eGovernment service in member state A requires authentication, the regulation means to make it possible for a citizen of member state B to access this service with the their member state B issued electronic identification. The problem is that member states have chosen many different ways of issuing electronic identification. Another problem is that there is a general perception that electronic identification has not been very successfully implemented or adopted by citizens or consumers. Rather than using government issued identification on the internet, citizens feel more comfortable relying on their Facebook-login or, in many cases, creating different logins for every site.

There's been some pushes towards stuff like OpenID on the internet, but OpenID often doesn't fulfill the requirements that a government would have on its own services. Tax declarations online, for instance, you want to be able to ensure that they are actually made by the person who should be making them. Same with some health care things.

But electronic identification is also something that we expect to apply on companies. The European Union is moving towards eProcurement[2], which is when companies have to participate in procurement on the internet, and so we need verifiable ways of ensuring that the public authority which is procuring is in contact with the right entrepreneur.

The solutions often rely somehow on certificates, and therefore the Commission has also aimed to regulate what they call ”trusted service providers”. These trusted service providers would be more known in common technical language as ”certificate authorities”. Many member states rely on what they call ”qualified certificate authorities”. In practise, the qualification in this case just means that the member state recognises the qualified certificate as secure and reliable in a given transaction with the government. The rules for how to qualify certificates are derived from a European law from 1999, and was never really used in all member states – for instance in my country, Sweden.

Qualified TSPs have also suffered a number of problems which are undesirable from the point of view of good governance. The DigiNotar failure[3] in the Netherlands was clearly unconvenient from the perspective of the government.

And so we had this proposal that tried to create interoperability between different member states solutions for electronic identification, and fix the problem of vulnerable CAs.

The regulation was proposed in two different parts: the first part of the regulation covered electronic identification, and the second part covered more or less CAs, or trusted service providers[4]. Then there were about 20 articles – which for referens is many – covering various forms of qualified things that the Commission envisaged would be necessary in the future, digitally boosted Europe[5].

Electronic identification is a touchy subject in many member states. In some member states, like Ireland and Great Britain, government issued ID-cards are completely rejected by citizens and people in those countries every time they're proposed[6]. In other member states, like Germany and many central European countries they have constitutions which require different parts of the government not to cross-run databases of citizens: effectively, every citizen or resident will have a health care persona, a social service persona, an educational system persona, and so forth, because the idea is that if the government can collect too much information about every citizen in the same place this could lead to very negative consequences for the citizen if the government starts acting arbitrarily or against the interests of the citizens[7]. In other member states, like Sweden, Estonia or Finland, we have personal registration numbers that are unique and for every individual and that helps the government cross-run databases when necessary. In at least Sweden this used to not be too easy to do, but with information technologies being deployed very quickly in all parts of society it should be a relatively trivial exercise to completely map any citizen in Sweden with respect to their interactions with any public service or authority.

The European Commission's proposal evaded most of these difficulties and was largely a roadmap to how one makes different types of electronic stamps, signatures and identification procedures that public authorities later have to consider ”truthful”. Basically a set of technical criteria for what is to be considered authentic and genuine in different member states.

This led to much confusion in the European Parliament. We are not a technical institution, but a political institution and we cannot consider ourselves being the best agents to make technical decisions for what is true and genuine and what is not true or genuine. It is even a fact that the different member states use different systems for establishing what is true or genuine, so with the many different backgrounds of members of the european parliament we had problems seeing what the purpose was of this file or why it was politically interesting.

But it turned out that the European Union has sponsored a lot of research into why there is a potentially large political impact of this file.

So the first thing is that identity in general is a highly philosophical concept – who am I? What are we? What is Europe? Many people spend entire life-times pondering these issues, and most of us never reach any satisfactory answers.

So after we understand that we don't have any good answers to the question on who we are, comes the second question – what is my identity in relation to the government. This is where the different member states have adopted very different approaches, and so different cultural backgrounds give many different answers.

It's a question that the Commission had hoped to avoid by introducing an interoperability framework for all the various Member State solutions, so that everyone could keep their own solution while at the same time allowing their citizens to interact with the public services of other member states. However, the European Commission has also sponsored a rather large body of reserach in this field in the past years, and so when I met representatives from the Future Identities in the Information Society (FIDIS)[8] and Attribution-Based Credentials For Trust (ABC4Trust)[9] projects I was given to understand that the Commission had actually rather cautiously decided to discard most of the big investments they had themselves made in figuring out how to make authentication of citizens work online in a secure and primarily privacy-friendly way.

The problem with governments is that we are forced to interact with them in a number of circumstances. We can't help providing lots of information about ourselves, our families, our wage situation, housing, et c to the tax office. The tax office could be said to legitimately need this information, but so it's a lot of information about us as persons which if it is arbitrarily spread could lead to negative consequences for us in our working life, with our friends, family or other things. We generally expect confidentiality of some sort from our tax authorities. Similarly health or dental care services – we more or less have to interact with these public services, at least until we're legally adult. Schools, social services, the job centre.

The government will normally run all these public services, and the general privacy friendly idea is that because it is now so easy to cross-run and cross-reference databases, the interactions need to be unlinkable. It should not be possible to find out that you, the citizen, in the same day ordered a chlamydia test on a public health service website and then filled in your tax returns or requested a building permit for a veranda extension on your summer house.

The idea of unlinkability is particularly strong in the German constitution. In Germany it is mandated by constitution that public authorities don't cross-run or profile their own citizens based on the totality of their interactions with public authorities. And so – if you had an encounter with a law enforcement officer, but you also had to go to the hospital, neither the hospital nor police will or should normally be allowed to find out that you visited the other. Unlinkability in this case means that you stop one party which is very powerful from getting too much information and therefore much more power about another party which is very weak.

In Sweden we have many specialised laws for government registers where we restrict the ability of a public authority to cross-run their databases with those of another public authority or service. However, the unique identifiers of all citizens makes it both convenient and easy to do such a mash-up should one want to. So the idea of unlinkability exists, in the law, but the databases over citizens' interactions with the government are not technically constructed in a way which is suitable for living up to the spirit of the law, as it were. Also because public authorities apparently frequently sell data about citizens to private companies[10], it is always possible to aggregate or mash-up the data through a third-party private actor.

But EU research projects had made another insight: in order to reduce the size of databases, and therefore reduce the harm of security breaches or data leaks, and protect the privacy of the users and the confidentiality of the interactions, one could use something called ”anonymous authentication” or ”attribution-based credentials”. This is when you would provide only the information necessary for a specific purpose to identify yourself. If it was needed for me to demonstrate that I am legally allowed to buy tobacco products, I would demonstrate that I am in fact not born in 1995 or after, rather than demonstrating that I am born on August 30th 1987. The resulting data trail from me would be information about ”someone born before 1995 used this service” rather than ”Amelia Andersdotter, 1987-08-30 used this service”. While in the first case, it's relatively difficult even after a data leak to link the use of the service back to me as a person. In the second case, it is of course inevitable that such a link arises.

To me, at that time, and this was October or November 2012, it seemed counterintuitive that the Commission had disregarded its own research programs, and that we further were not considering the institutional effects of the law proposal we had before us. Also, I am very privacy minded, and I believe that preservation of privacy is an essential aspect of maintaining a good power balance between individuals, groups, governments and companies. Individuals and groups of individuals need privacy in themselves, and for themselves.

So I wanted, politically, to advance the idea of unlinkability and attribution-based credentials. The problem is I had this messy and seemingly very technical file that made little sense.

For those of you who are unfamiliar with the parliaments' work, we are allowed to make any and however large changes in a text proposed by the European Commission that we wanted. But it requires us to know the nature of the changes we want to do. Often work in the European Parliament rather becomes a changing of some semantic things in the proposal, rather than an overhaul of political and technical direction.

At the same time that I was working on this in the European Parliament, I was looking a lot for information about different systems in member states. An Austrian colleague helped me find more info about the Austrian eID – it's not seen as a succees because only 10% of all Austrians use it, there's no real service market around it, it's based on smartcards, I guess. In Sweden they had worked really hard for several years to put up a SAML2 federation [with SAML being just a generic standard for authenticating users in a system], which could replace other forms of e-authentication online. A friend of mine was upset with that because SAML2 systems keep track of who the user interacts, and so rather than the unlinkability I described above you have perfect linkability.

I also am upset – I think the decision to use this particular standard in Sweden is derived from complete idiocy and lack of attention. It is obvious that most citizens will not like for there to be an IT-guy running a database over all of their interactions with the government. Swedish municipalities and regions were also not so happy with the government for pushing that kind of tracking of public interactions – municipalities and regions deal with citizens in their day to day affairs, so they have to have a system they trust and that citizens trust and that makes citizens trust them.

Sweden had investigated this topic for 3 or 4 years before they made the decision[11]. Nowhere in 4 years and thousands of pages of text do they envisage that HOW the authentication works may affect how it is perceived. Apparently the reason for this decision is two-fold: first some tech guy runs a system at a Swedish university which is SAML2. It works for him to manage I guess students, teachers, et c, and so he assumes it will also run a nation state well. But a state and all of its public services at every level of governance is a very different place from a university. While I can relate to why, as a technical guy, you wouldn't think about things like that, it is completely mind-boggling to me why no one in the government thought about this either! That is really extremely worrying.

The universal identifier in Sweden, which I mentioned and that makes linkability very easy between databases in Sweden, has been controversial for many years. A lot of people want it gone. So these tech guys have requested to have the universal identifier out of the government e-authentication system and succeeded. And then when I asked them ”how could you mistake a government for a university?” they said actually they make it more difficult with tracking because the unique identifier isn't there. I woke up a few months later, early in the morning, and thought, well they've actually just replaced the universal identifier with themselves. Either you have a number which allows you to connect databases easily with each other, or you have an IT guy who keeps track of all your databases.

In general the Swedish system has given me some big pains: another time that I woke up early in the morning because of this system was when I realized someone had told me we were setting up this nifty SAML-thing because the military liked it. It dawned on me suddenly, three months after, that there are good reason to question why the military, out of all institutions you normally find in a state, would want to have an easy way of tracing and making a database of all citizen interactions with all public institutions all the time.

Some people I knew wanted to become part of this new tracking federation because they were upset with the tracking and wanted to find a way to hack the system and make it useless so that it would go away. In that particular case I had a minor existential crisis: the nature of decision making has been studied for a long time, and this group of people had made a classical trade-off between compromise and ethics as described by Max Weber, a German political scientist from sometime way back[12]. Compromise versus ethics means the process of reaching a decision: you have to reach a decision, but you have to do it with others, so you may have to compromise to get a decision. How much do you water down your ethics to reach the decision you have to make?

This group didn't want a bad tracker. So they wanted to become a good tracker. But what is a good tracker? Someone who can be trusted not to use all the highly personal information about how citizens do or have to interact with governments for unpleasant things, that don't sell this information, and so forth. Also generally if you have a big database normally the government will have access to it whenever they want. So choosing to be a ”good tracker” will always mean that you are participating in the tracking – it's a compromise you make with your anti-tracking ethics to ensure that there is an option which is less bad than other options that may exist. But then again, if it's a bad system to run a government on, maybe one shouldn't compromise in that way. The ethical thing to do is to not participate in a tracking and tracing system, because ultimately it's the tracking and tracing in themselves that are problematic, not which particular entity is doing it.

The other thing is that some parliamentarians in national parliament in Sweden had been very clear with wanting ”the same” system online and offline[13]. And so I thought, what does ”the same” mean in this case? I have a national ID card from Sweden and most people I show it to will remember that my picture is very bad – it really is spectacularly bad – but not exactly how (many people have asked me to show it twice, for instance), or they extract the information they require and then they forget. This is because my ID card is normally read by humans. For all commercial transactions, when I buy tobacco for instance, actually no information about me as such is stored. If you ask the shop attendants 2 hours later, chances are they will have already forgotten even that someone authenticated themselves for a tobacco purchase in their very shop. So there's not really that much tracing of the use of an ID card by a central authority. Electronically it's much more difficult to ensure that there's no central agent tracing all the times authentication happens. Humans also learn to recognise each other after some time – I can go to my dentist and they recognise me by face. A computer might learn this if it is located in the same room as me, but if it's a server on which the government service for health care and which is not in the same city as me, chances are more slim.

So the systems online and offline would by definition not be ”the same” but then which sameness does one want: the same in that the privacy of the individual is somehow protected and the general institutional power balance that has been carefully deviced over many hundreds of years is protected, or the same in that access should be possible under whatever conditions? I don't think the Swedish national parliamentarians had really thought very deeply about what they requested, but it's strange because it's a very political issue how you balance power and information in a society. This is exactly the type of thing that normally we would expect politicians to think about very carefully. What should society be like? Who should have what power over whom and when? How can that power be exercised? How do we ensure that abuses of power can be resolved – so that is, how do we solve the conflicts that arise when someone with power abuses it with respect to someone without power?

The Swedish example is a beautiful story of how technology for public infrastructures was seen as some magically thingie-maging that could not be anything other than positive. It's a story of technical naivite with respect to politics, and political naivite with respect to technology. Nowhere in the entire process did anyone consider that a citizen's relationship with their public services and authorities is quite fundamental to the machinations of the society we find ourselves in but they really should have. Especially political people need to think about these things.

But going back the the European level, I had decided to at least try and remedy these technical and political mistakes from Sweden at least partially. We can technically make whatever changes we want in a political file, but it's rare that the Parliament makes big changes. I was considering ways in which I accomplish ethically and politically that which I wanted to do without changing too much but actually the Commission's text was so far from doing anything at all, that I ended up tabling 141 amendments, on a file with only 42 articles and 51 recitals. That's quite a lot, but because most of us in the parliament recognise a bad proposal when we see it, even if we may not immediately or even ever know how to fix a bad proposal, I have been tolerated.

The thing is it's quite obvious why we don't want a random tech maintenance person somewhere to be able to casually look up when or why we've been in contact with health care, for instance. Or why we don't want all of the information about what and how we do at school to be sold to advertisers so that they can more easily target people at our universities. But the devil is in the details. Because we didn't actually vote on this yet (but we're voting soon) I'm somehow in this constant state of concern that by now we have well understood the problems, politically, ethically and systemically, but we will not be able to write the legal text in a technically correct way. If you make a given set of moral and political choices, liability, risk, duties and obligations need to be allocated to different parts of the system in specific ways and this is.. Difficult. It's not obvious at all how one would do this.

But it's something that we, the legislators, will definitely have to do if we're going to put public services and all these systems online. That is why I say we have to regulate the internet. It's an old discussion of course. Already in the late 1990s there was an argument that the architecture needs to be regulated, because the architecture decides ultimately what we can or cannot do, or what we must and mustn't do[14]. Some people back then, and even now, argued that technology changes too quickly to be regulated so it makes no sense to regulate. I think this latter argument is a bit daft – copyright law can be said to have regulated the internet since the internet emerged. It took some time to get the caselaw and court cases, but the regulation was always there. The same thing with banking – a bank does not become unregulated only because it has operations online. It has strict regulations on liabilities and risks in its activities regardless of how it providers its services. We didn't see a lot of technical architecture regulation yet – the regulation we have in place now describes the duties that fall on human agents behind the architecture or that operate the architecture, but as we've seen over this last summer these human agents don't always act very predictably or in a trustworthy way.

And so finally, Europe is going through a big ordeal at this time. The legislation that I have just described is important for the reason that it could implement a privacy-by-design obligation on some technical systems, also describing what such a privacy-by-design obligation could be: unlinkable transactions based on anonymous authentication, or attribution-based credentials.

But we have also the large discussions on the general data protection regulation[15]. That regulation is very fundamental for how we, as a continent, will make our future. It sets the frameworks for market operators, companies, governments, everyone, on how we deal with data protection and privacy. What we've seen in those discussions is very heavy lobbying, especially American lobbying, and especially against a strong privacy protection. But we also see governments that are very unwilling to set a direction towards strong privacy-protecting legal frameworks[16]. It's worthwhile to look up more information on the general data protection regulation, because optimally we want it to influence many things in a direction of more secure and more privacy-friendly technologies[17, 18].

How to deal with privacy and data protection technically I understand is not always a trivial problem, but mostly very interesting ones. I hope that many of you here today go out to become innovators and entrepreneurs that have the legal framework that you need to make the most of such innovation and markets. I want to thank you for your attention, and I hope that this was at least somehow helpful in understanding also a political view of challenges around regulating and legislating on the boundary between politics and technology.

[1] http://ec.europa.eu/dgs/connect/en/content/electronic-identification-fol...

[2] http://ec.europa.eu/internal_market/publicprocurement/e-procurement/inde...

[3] See for instance http://www.esecurityplanet.com/browser-security/diginotar-when-trust-goe... or do an internet search. It was really given much attention when it happened.

[4] Shameless self-promotion but it's anyway good for overview: https://ameliaandersdotter.eu/dossiers/eid

[5] I liked "Burdens of Proof" by Jean-Francois Blanchette. A perfectly sarcastic yet very informative overview of how technical policy and technical technologies fail.

[6] http://www.no2id.net/ for instance. Proposals to create national IDs have been stopped many times in both jurisdictions. Many essays have been written on this topic.

[7] A decent amount of German language information: https://www.datenschutzzentrum.de

[8] http://fidis.net/

[9] https://abc4trust.eu/

[10] See for instance this article: http://www.kristdemokraterna.se/Media/Nyhetsarkiv/Kristdemokrater-vill-g... But there are longer texts that to my knowledge aren't published online that connect it back to Avgiftsförordning 1992 with earlier legislation and the Swedish principle of transparency.

[11] http://www.government.se/sb/d/12840/a/158256

[12] Wikipedia summary sufficient to understand context, I thought: https://en.wikipedia.org/wiki/Politics_as_a_Vocation

[13] http://www.riksdagen.se/sv/Dokument-Lagar/Forslag/Motioner/E-legitimatio...

[14] Lawrence Lessig, Code v2: http://www.codev2.cc/

[15] http://ec.europa.eu/justice/data-protection/document/review2012/com_2012...

[16] See, in Swedish: https://dataskydd.net/sammanfattningar-regeringen/

[17] https://dataskydd.net

[18] http://www.respect-my-privacy.eu

Questions

- What about privacy and security problems with smart meters? Are they addressed?

Not really. Smart meters are a solution looking for a problem in the vast majority of member states and they seem to create more problems than they solve wherever they go. There are however no easy remedies to this problem. The infiltration of standardisation bodies for electric grids seems to have begun more than 20 years ago and it is by now a consolidated view that smart meters, despite their flaws, solve some problem: for instance that of teenagers wanting to find out, in retrospect, which electrical appliances have been used in a household. In for instance Sweden, the security agency now has access to communications to and from smart meters to ensure that there is sufficient information to investigate any attacks against the grid over the internet after they've happened. That is wasn't a good idea to put electricity networks on the internet in a first place is striking nobody. The original problem, which was that of creating variable demand in a world where the grid is filled with renewable energies, is not solved - smart meters haven't accomplished any changes to that effect and what we're left with is a very messy technology than can fail in so many ways from both privacy and security perspectives that it's doubtful if this was a really talented path to travel down in the first place. It is especially clear with this fundamentally important infrastructure that smart technologies require smart policies. Electricity is vital to our economy and our socities and it's stupid to gamble with it in this way.

- Is it really necessary to regulate the architecture though? What about innovation?

There are plenty of big and unresolved issues inside every possible type of architectural regulation. One mistake commonly made in Europe is to assume that all architectural choices are unregulated in the United States: on the contrary they appear to be having a very deliberate industrial agenda that they also follow up over time. The electronic identification regulation is an extremely sad example of how Europe isn't doing that at all. Similar for the data protection regulation: we have steered our research, education and industry down a data protection friendly path for many years, and then suddenly we've decided in loads of legislation that actually we don't want that type of industrial development after all. This is really harmful to human rights and to industry.

Universities and copyright: address to Jindal Global Law School

Amelia Andersdotter — Sat, 05 Oct 2013 20:22:46 +0000

Language Swedish

I had the great privilege of being invited to hold a video presentation for a group of Jindal Global Law School, Delhi, intellectual property law students last week Tuesday. This is the text record of that presentation and the questions asked by the students. Especially the questions are incredibly worthwhile looking at because many of them illustrate well the philosophical problems of copyright today.

Address:

I'm very happy to be here giving this adress. I'm very honoured to be also at an Indian university presenting on this topic, and I've followed an Indian IP Law blog för some years now. Spicy IP India[1], in case any of you have heard of it. They cover a lot of interesting topics, including copyrights, and I've tried to superficially keep track of that which is going on with universities, students and publishers in India right now[2].

In Sweden, university copying was mostly devastated several years ago. While we had a healthy culture of knowledge dissemination at universities which was of great help to teachers, students, librarians and small copyshops, a reform of the Swedish copyright law in 2005 made this impossible[3]. This reform was in turn caused by a European directive from 2001[4], in which the European Union attempted to harmonize the application of the TRIPS agreement in Europe.

I think at the time time European directive from 2001 was written, not many people anticipated its effects on the many educational institutions in society. To paraphrase a European academic, Professor Bernt Hugenholtz at Amsterdam University[5], it's somewhat ironic that at a time when copyright needed much more flexibility to allow for more creativity, inspiration and more innovation, the legislator did the opposite and made copyright very stringent.

Copyright law is very bloated, and a lot of the laws that we have to deal with today are actually the effect of very clever lobbying in the 1990s. In a significant number of cases, it also seems that courts are taking increasing liberties to sharpen the legal framework even further[6]. And so, a law which already leaves very little wriggling space for users of culture, and derivative industries such as copyshops outside universities, is interpreted in a such a way that no wriggling space is left. The result is that most people habitually violate copyright on a daily basis, simply because the rules cannot be followed or because they are too unintuitive, and this in turn means that the general respect for the system of law is undermined.

The legislator is clearly facing a delicate task: we have to make laws that people can respect. It is not possible to have a legal framework which works only because most people feel comfortable habitually violating it. It is increasingly my view that legal systems exist to help people solve conflicts, and that laws should be written in a way that helps people ensure that conflicts in society are as few as possible. Copyright law, on the other hand, seems to do the opposite thing: it creates a lot of conflicts, and makes the resulting conflicts very difficult to solve.

Luckily I am not alone in the belief that we need a better legal framework for Europe in the field of copyright. While I have already paraphrased Professor Hugenholtz, he is not by far the only legal scholar criticizing copyright developments[7]. In fact, in Europe as much as in India, universities are at the forefront of critique of copyright along every discipline. Research libraries, libraries, public service broadcasters and university teachers as well as their students are increasingly critical of a system which makes their activities much more burdensome. The licensing fees are out of control, the amount of permissions that have to be requested administratively impossible.

Even with open access becoming a more normal mode of publishing academic content in Europe, clever publishers are deriving support from a 1997 directive which gives them rights to databases – even when they cannot control the content as such, they can control the way in which it is distributed. And so one form of harmful monopoly is taken over by another[8], and the legislator is still unable to act.

In the European Union, the European Commission – the executive bransch of the Union – has the right of initiative. This creates problems for the co-legislators, which are the European Parliament (where I work) and the Council of Ministers (a platform for member state cooperation). It means that copyright law will only be reformed if they allow it to be. In the p]ast years they have worked very hard not to have to adress the issue, and in fact they have even neglected duties of investigation imposed on them regarding the implementation of the old directive from 2001. For myself, I have to hope that it will not be possible for them to close their eyes much longer.

In 2013, the Commission attempted to set up a discussion platform for getting more licenses in Europe. It was always difficult to see which particular benefits the Commission thought they would derive from this platform, since the platform was set up specifically to avoid the reform of the copyright law that everyone except the publishers want. And indeed, universities, research funders, libraries and a large group of other stakeholders eventually abandoned the platform in protest of its inability to discuss the real problems of copyright law[9].

This is not to say there is no light. Indeed with more and more persistent pressure from universities, students, teachers, libraries and every negatively affected group in society, a copyright reform can happen. And of course when it does, the European Union's ability to show political and moral leadership in the world will be put to the test – are we able to make a law which is better suited for modern morality and the information society? Will we be able to see the value in a more free information landscape? The freedom and rights to acquire and use culture and information are hard to acquire, but have been let go easily. Now is the time to re-assume our autonomy to decide for ourselves how we see and use information.

[1] http://spicyipindia.blogspot.be/

[2] See here: http://spicyipindia.blogspot.be/2012/09/analysing-delhi-university-v-pub... , http://spicyipindia.blogspot.be/2012/09/delhi-university-must-defend.html and http://spicyipindia.blogspot.be/2013/04/academics-speak-out-in-coursepac... for instance.

[3] http://www.notisum.se/rnp/sls/sfs/20050359.pdf

[4] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001L0029:E...

[5] See also http://www.ivir.nl/index-english.html Instituut voor informatierecht at University of Amsterdam.

[6] See extensive criticism on BSA v Czech Republic verdict in CJEU by Cambridge Prof Lionel Bently presented here.

[7] Three-Step Test Declaration with signatories: http://ip.mpg.de/shared/data/pdf/declaration_three_steps.pdf For background see http://www.ivir.nl/publications/hugenholtz/limitations_exceptions_copyri...

[8] In this text, the European Commission concludes that database rights appear to not have been useful for the European market: http://ec.europa.eu/internal_market/copyright/docs/databases/evaluation_... They subsequently decided to keep database rights, in case they would turn out to be more useful in the next ten years than in the previous eight.

[9] This statement of leaving Libraries for Europe by a large amount of stakeholders explains: http://www.libereurope.eu/L4Ewithdrawal

Questions

Out of my memory here are some questions that were raised:

- Should face paint and other decorative art, such as icing on a cake, be copyright protected?

It is my belief that it's not useful to include such artistic expressions under copyright. Copyright is the right to bring someone in front of a court if they refuse to strike a licensing agreement with you. I can't see how face painting or cake icing is benefitted from the people engaging in those activities having that right. But I see a big deal of legal uncertainties popping up for those who do face paints or cake icing should other people suddenly be allowed to sue them at random. Cost-benefit analysis seems to end on the negative.

- What is the criteria for something being original enough?

I may have remembered this question wrong, but the answer is the same as the one asked by the student: politically we don't decide on the originality criterion interpretation. We decide that works should be original to get protection, and leave the details of originality up to courts. My strong suggestion presently is that courts are interpreting the originality requirement rather broadly and so many things are included in copyright protection spheres that shouldn't be (Maglite cases in Netherlands and Sweden, Infopaq, BSA decisions from the CJEU, among others). But the question is how to deal with that from a legislator's perspective.

- Does originality actually exist?

Philosophically everything is created out of building blocks that already existed. Knowledge, culture and innovation are iterative processes and most of them aren't new or original at all. That presents a problem for the originality requirement, and in patent rights we've seen a very quick degradation of the innovative step requirement because patents are important for transaction opportunities, while most industries are suffering from a lack of really groundbreaking innovation (high-end electronics, pharmaceuticals, but even thermodynamical innovations or agricultural innovations being notable). It would be easier if copyright were seen only as an industry support regime - if we saw it as an economic right only, rather than a spiritual or natural right, we could also deal better with the fact that most things aren't very original or creative at all, even if they could use some form of market intervention in their favour. But we know from for instance Sweden that most people will consider copyright a cultural policy rather than an economic policy. That is problematic, but also a problem of inadequate information to the public about the legal regime they find themselves in.

Notification to ICT Standardisation Group at the European Commission: Post-pone DRM in HTML5

Amelia Andersdotter — Thu, 13 Jun 2013 11:06:01 +0000

Language English

Today the European Commission is gathering its European Multi-Stakeholders Platform on ICT Standardisation to discuss issue on ICT and Standardisation issues in Europe. I have taken the opportunity to bring to the agenda the issue of DRM in HTML5, a currently much controversial issue which risks passing the standardisation procedures at W3C without further political scrutiny. I have had the help of my assistant Ulf Pettersson, who attends the event in my name as I have obligations in Strasbourg, and Martin Kliehm, a Piratenpartei member and well-acknowledged expert on public sector ICT use from Frankfurt.

Dear ICT experts and platform participants,

Unfortunately Ms Amelia Andersdotter, Member of the European Parliament, cannot be with us here today as she needs to remain in Strasbourg for important plenary votes. My name, however, is Ulf Pettersson and I work for Ms Andersdotter with matters of technology and intellectual property.

Amelia Andersdotter, who works with ICT issues in the Industry, Energy and Research Committee in the European Parliament, is very happy to be part of this platform. Amelia believes careful, well informed and technically sound ICT standards are very important for a functioning society in which the citizens can trust. This is a perspective which necessarily touches upon the standards and architectures that we use, as citizens, to interface with different technologies around us, and one which is often overlooked both politically and technically. The choices we make for technology standards influences our daily lives by enabling, shaping or restricting the communications and interactions between citizens. The artist Carol Hanisch coined the famous phrase the “personal is political” – we believe the “technological is political”. Therefore, we need to make sure that human rights and human communication perspectives are taken into consideration at the level of standardization.

In this vein, Amelia Andersdotter would like this meeting to address the issue of DRM, Digital Rights Management, in HTML5. This is currently being decided on in the W3C under the name “Encrypted Media Extensions”. As decisions on this are being made now, more or less, it is important that well informed stakeholders, such as yourselves, act with expedience.

Amelia believes it would be wrong to standardize on Encrypted Media Extensions in HTML at this time. At the very least, more time is needed to properly reflect upon the consequences of such a standard choice for a very important technical infrastructure in contemporary society. There are many reasons why DRM in HTML is a bad idea, but we will limit this to two relevant legal obstacles. For the European Union, there are legislative reasons as to why DRM in HTML does not work out at this time.

Firstly, in practice, DRM sets up restrictions to the rights granted by copyright and freedom of expression laws. Thus, the standardization of DRM in HTML will pre-empt upcoming revisions to European Union copyright law. The Commission has announced its intention to reform the copyright legislation over the coming years. And as present efforts like the Licenses for Europe platform cannot achieve their targets – parts of it have already fallen apart – it becomes clear that legislative reforms will be necessary. Similarly, there are also rumors of an upcoming copyright reform in the United States.

It would be inappropriate for a standards consortium run by private actors to make decisions that could prevent or side-track political decisions in this area in the near future, before those decisions are made. We believe that democratic representatives need to make political decisions, and that these decisions should not be pre-empted by technical standards.

Secondly, in the EU, our legislative framework provides an additional challenge for the Encrypted Media Extensions as proposed by Netflix and Google. Netflix is a streaming company, and is as such interested in controlling re-transmissions of streams. However, European jurisprudence grants specific rights for users and consumers of broadcasts in cross-border trade between member states. These rights are codified in for example, the Premier League vs. Murphy cases on the retransmission of content. Any technical standard which implements obstacles to retransmission at the infrastructural level should at least take these rights into account.

When legally consolidated rights of users and consumers are compromised by technical standards decisions, it is a political issue. We believe that the distinction between the technical and the political is important to safe-guard, and we are hoping that you will agree with this. If the W3C makes a political decision that is not in line with EU law or upcoming reforms in the European Commission and Parliament there is the risk that HTML5 cannot be supported in the European Union.

In addition, Martin Kliehm adds this serious critique:

DRM in HTML is cementing closed ecosystems instead of promoting competition and innovation. Google, Microsoft, and Apple control the hardware, the operating system, the player (i.e. browser), and the app stores. They have absolute control over their ecosystems. As content distributors they can exert leverage on content suppliers for exclusive contracts. Open source developers will be locked out.

Like the EFF point out, video and audio content is just the beginning. Content includes books, games, 3D content, even web pages. Accepting EME could lead to other rightsholders demanding the same privileges as Hollywood, leading to a Web where images and pages cannot be saved or searched, ads cannot be blocked, innovative new browsers cannot compete without permission from big content companies.

DRM is against the principle of the Open Web. It will create a fragmented landscape of content that is restricted to certain areas, contradicting the principles of a European Digital Single Market.
Property rights of end-users will be violated by installing software on their computers that seize control of their personal computers. This encrypted black box of executable software cannot be accessed or scanned by anti-virus programs, leaving strong security and privacy concerns.
DRM constricts fair use of purchased content. It could ignore exceptions from copyright for people with vision impairments, schools, and libraries. Other features of HTML5 like local storage for reading offline could be broken.
Once DRM is implemented, it will be really hard to remove it.
The key issue is not content protection, but how a content owner or producer can sell its content online. DRM cannot solve this issue. Political decisions should be made by democratic, political bodies, not by standardization organizations.

It's important to remember that the European Union has not had any discussions at all on Digital Rights Management Technologies almost at all since 2004, when the IPRED directive was first addressed by the European Commission and later adopted in a quick procedure of less than 6 months political work. This should be sufficient cause for the European Commission and the other political institutions to reflect.

References:

Harry Halpin, W3, independently expressing his views on the ongoing procedures in the Guardian: http://www.guardian.co.uk/technology/2013/jun/06/html5-drm-w3c-open-web
The recent mass-withdrawal from the Commission's Licenses for Europe platform: http://www.libereurope.eu/L4Ewithdrawal
The Premier League v Murphy case at the CJEU: http://curia.europa.eu/jcms/upload/docs/application/pdf/2011-10/cp110102en.pdf (see otherwise also: http://www.guardian.co.uk/media/2012/feb/24/pub-landlady-karen-murphy-premier-league )
European Commission report from 2004 on DRM: http://ec.europa.eu/information_society/eeurope/2005/all_about/digital_rights_man/doc/040709_hlg_drm_2nd_meeting_final_report.pdf

Tyska Piratenparteis partikongress - framtiden är räddad!

Amelia Andersdotter — Mon, 13 May 2013 17:58:13 +0000

Language English

Piratenpartei!!!

Last weekend I visited Piratenpartei's members' congress in Neumarkt in der Oberpfalz, Bavaria. It was a grand event - around 1500 people gathered to make important decisions about the election platform. It was a time of reconciliation - the new spokesperson Katharina Nocun and party chairman Bernd Schlömer were impressive in their way of looking ahead and their belief in the capacity of the party to work constructively towards success in the Bundesdagselections of November this year.

I am as always amazed by the organizational capacity of Germans. The halls were well-attended, the feeding opportunities supreme. Networks, press room, proper air in the big meeting hall and simultaneous sign language interpretation raised the overall impression of the event. There were many meetings with old and new friends that give me the hope, strength and motivation to continue my endeavours in Brussels. Over all, it was superinspiring and many German Pirates seemed to have a similar feeling :-)

On the Sunday morning after the final debates on opportunities for online meetings in the party I held an address:

Honourable pirates, representatives,

I'm honoured to be standing before you today in this room, where so many of you have gathered to decide on the future of Piratenpartei leading up to the elections this autumn. My base of operations is Brussels and the European Parliament. I've been attending this congress since Friday and some of you may have seen me lurking around the isles or in the press center with the international visitors. I assure you we've all been impressed with the organisation and the spirit of cooperation here.

It is challenging to do politics. One has to be friendly not only with one's own but also with opponents. In many cases political battles can seem so long and hopeless that they are hardly worth the effort. We, the pirates, have also chosen an extremely difficult field within which to be political: the intersection between politics and technology.

Many times this distinction is not made, neither by politicians nor by technical developers. It leads to bad decision making with poor or no connection to a moral or philosophical framework for our society. In the case of privacy protection, a poor understanding of the adaptability of technology to the moral frameworks we actually want in our society leads to misplaced watering down of the European data protection regulation. Instead of seeing a strong moral framework for industry and society alike as an opportunity for our economy and domestic technology development, we have largely handed over political problem formulation to foreign technology companies.

In the case of net neutrality, a poor understanding of what constitutes technology and what constitutes an interaction between parties has led to no political action being taken whatsoever. To me it has always been clear that politics is about the interaction between different entities in society, and which terms of interaction we as politicians find morally acceptable. We want everyone on the internet to be able to create, contribute and take part, therefore net neutrality should always apply. The technical details can be solved - we need merely to make the political decision for it to be.

But strange actions do not only come from politicians. Also the technical side has difficulties resolving the political from the technical, and many of you will probably be worried about the potential inclusion of technological protection measures for copyrighted content in the most basic and fundamental of web standards. It is obvious to any casual observer that the moral framework, the political framework, within which we regulate copyright and cultural works is highly contested and it is therefore premature to codify in a technical standard a technical solutions which favours a particular political outcome.

All of these three cases, data protection, net neutrality and web standards, are examples of times in society when politics and technology are not appropriately separated, and the result is bad politics, bad technology and a society which increasingly loses trust and faith in the systems used to govern it. This is what it lies on us, the Pirates, to fix.

It is a problem of technology not being regulated enough, and it's a problem of technology being far too regulated. For some reason, the idea that the internet should be free and therefore also unregulated has now become a popular political idea also with political parties that are not the Pirate Party. The idea is obviously wrong - legislation and the government is how we as societies self-organise to minimize conflicts and to help ourselves with resolution of conflicts when conflicts arise. We try to make our legislation in such a way that the risk of conflict is minimized, and that the scope of conflict if it does arise is as small as possible.

Many pieces of our legislation does not do that at all. Copyright law, for instance, creates conflicts between people who needn't be in conflict, and it makes the resolution of those conflicts very difficult. We are looking at a situation in Europe now where the need to reform copyright has been plainly obvious for over a decade, but where entrenched political positions make it impossible for any useful action. After 2014 we are looking towards a new Commission in the European Union, and our publically elected institutions at all levels need to push this reform forward. We can do it in the local government, in the regional government and from the European Parliament.

We need the copyright reform not only so that our children can visit the library, have teachers that don't habitually violate the law and access to culture for the visually impaired. We need it also to connect with our history - would you believe that despite the wealth of German television the only thing I personally am acquainted with is actually Schnappi das kleine Krokodil? We need the copyright reform also to not incentivise the development of technologies that control and lock in users and the public when we digitalise our public sector materials.

A society needs a moral compass and our industries need a moral compass. There is a political vacuum that we need to fill in terms of establishing this moral compass, and we can do it.

From my time in Brussels it's been obvious that Pirates are more needed than ever. We have ICT discussions in transport, automobiles, electricity, city planning, water management, health care and all associated industry sectors. We need a stable set of values based on culture as a tool to build communities in Europe, and the world, and privacy as a fundamental right that we need to shape our identities and participate on a non-discriminatory basis in our democracies.

It's important that none of the stages in the legislative process is forgotten. Often the moral frameworks are codified at the European level and refined in national or local settings. But national and local policies can and must be strong growing grounds for the values we want our socities to uphold. I believe strongly in the cooperation between the local levels.

Being here encourages me. I see a Piratenpartei open to collaboration with others, and one where the political debate thrives. You will have an important election coming up this autumn, and next year we will campaign together for the European elections. Things are moving - the data protection reform is now, and we can make it. The copyright reform will come, and we have to push it forward.

With these words I wish you a good rest of the congress. I'm sure that many of you will leave this place with as many positive impressions and new ideas as I have.

Amelias tal på Ung Pirats förbundskongress

Tess Lindholm — Mon, 06 May 2013 01:39:25 +0000

Video of aUsBCEKtwSQ

Misc.

Reforma sistemului european de protecție și securitate a datelor, PP, București

Amelia Andersdotter — Sun, 17 Mar 2013 08:19:24 +0000

Language Romanian

Acum două zile am fost la o conferință organizață la București de Eurosfat și Europuls la Palatul Parlamentului în cadrul anului cetățenia europeană, privind reforma sistemului european de protecție și securitate a datelor. A fost și colegii mei Adina-Ioana Vălean și Renate Weber (amândouă de la grupul liberal în parlament) și Ioan Enciu, de la grupul socialdemocrat. Am venit cu Cristian Bulumac, fostul meu practicant de la Bruxelles, și alt tip de la partidul pirați în România. Bogdan Manolea de la APTI, Christiana Mauro de la Universitatea a Europei Centrală, un tip francez de la Microsoft și alt tip reprezintându pe industria publicății și încâ unul reprezintându pe CERT-RO mai au fost. Doi dintre ei mă au ajutat cu urmatoarele două intervenții pe care am făcut (greșelile nu sunt de către ei):

Doamnelor și domnilor, colegi;

chiar dacă știu că organizătorii au aranjat traducere între română și engleză - vă mulțumesc - aș vrea să încerc să fac intervenția în limba română, o limbă de care m-am îndrăgoștit și pe care am studiat-o, chiar dacă mai puțin decât aș fi dorit.

Suntem aici pentru a discuta legislația europeană privind protecția datelor cu caracter personal. Nu-i ceva nou, e o codificare a unor valori vechi apreciate pe tot teritorul european. Am observat în discuții din parlementul european, dintre colegii români cu care am lucrat și în dezbaterea în care ne-am angajat în statul membru din care vin eu, Suedia, că ceamai mare partea a discuțiile se referă la detalii, fără scopul de a discuta sau a defini care sunt valoriile pe care societatea noastră este bazată.

Și, că rezultat, fără direcție morală sau politică, a fost dificil să aflăm cum trebuie scris textul legislativ.

Sunt suedeză, m-am născut în lumea de după optzeci și nouă, așa că, nu am prea multe cunoștințe despre lumea dinainte.

Am crescut într-o Europa în care, pentru fiecare persoană, exprimarea liberă, formarea liberă a propriei identități și autonomia personală sau confidențialitatea sunt drepturi. Sunt drepturi pentru că societatea devine mai bună pentru toți când știm și avem control asupra ce se întâmplă cu noi și viețile noastre.

Identitatea noastră proprie nu se poate defini ușor. Depinde de situație, cu cine suntem, și ce vrem să facem. Ne formăm identitatea în parte prin interacțiuni cu alți și în parte noi singuri. În orice caz, ne exprimăm identitatea noastră prin alegeri muzicale, ce ascultăm, ce preferăm la televizor, cum comunicăm, pentru că tot ce este comunicat de noi însine este parte din identitatea nostră.

Așa că, fiecare actor care are foarte mult control asupra modului în care comunicăm, asupra informaților și știrilor pe care le citim, de la cine și când, poate avea mult control asupra noastră.

Legislația privind datele personale are impact asupra dreptului nostra de a ști când altcineva, în afără de noi, și de multe ori neidentificat pentru noi, are acest control. Se referă la principiul potrivit cuiva, pentru ca fiecare dintre noi să poată determina ce se întâmplă cu identititatea noastră, trebuie să putem să ne opunem acestui control.

Identitatea noastră nu este o marfă, în sensul că toată societatea, piața și fiecare grup de persoane sunt constituite din indivizi cu identitate propriu, fără de care nu putem să avem democrație, un sistem bazat pe ideea libertățiilor indivizilor, și nici nu putem să avem o piața liberă, ținându în seamă că și piața liberă are nevoire de participanți care pot face alegeri libere.

Atunci, valorile despre care trebuie să discutăm, sunt destul de profunzi pentru a nu zice fundamentale, pentru societatea întreagă, așa cum cunoaștem.

E adevărat, și mă va surprinde imens dacă nu va fi menționat faptul, că dezvoltarea tehnologiilor informatice s-a făcut foarte rapid. E și adevărat că putem primi avantaje foarte mari prin aceste tehnologii. Dar în primul rând, doar posibilitatea de a crea orice fel de bază de date, și a-o corela (faptul care înseamnă că anonimizarea datelor este de fapt imposibil), nu înseamnă că ar trebui să facem. Știm că, în aproape toate cazurile, dacă baza de date există, în final va fi folosita de poliție sau servicii secrete din țările noastre sau, chiar mai departe în afără controlului nostru, și în mâinile unor terte state sau organizați. Acest singur fapt ar trebui să ne facă să ne oprim puțin pentru a evalua efectele piaței pe care am construit-o pânâ acum.

În doilea rând știrile și informațiile pe care le folosim pentru a cunoaște lumea înconjuratoare vin din ce în ce mai mult de la furnizorii privați. Un furnizor mare de servicii de telecomunicație sau de software poate să restrânge intr-un fel foarte dăunâtor pentru societatea felul în care comunica cetățeni între ei.

Pentru asta, Comisia Europeană a defășurat în urmă cu mulți ani activității în cadrul de reflamentare al concurrenției, și acum a înaintat o propunerea pentru a da mai mult control indivizilor privați, cetățenilor și ai europeni.

În Europa, există multi tări cu experiențe foarte grave de pierdere a controlului identități de către cetățeni, și avem multe cercetări asupra tehnologiilor ce pot fi folosite pentru aceasta. Am studiat în Europa și alternative și de fapt exportăm multe produse care ajută cetățeni altor state să își protejeze identitatea și intimitatea în aceeași măsură ca și cetățenii europeni.

Aș vrea să aprobăm o legislație puternică și durabilă care sâ ne protejeze cetățenilor europeni. Avem nevoie de standarde pentru protecția datelor la nivel european. Vor ajuta pe industria și pe cetățeni. Sper că toți aici veți vrea să participeți în discusie asupra temei asta foarte important. Vă mulțumesc.

După mai multe intervenți și după ce ceilalți participanți spectatori au făcut și ei intervenți (unul dintre ei a vrut să discutăm și datele deschise dar mi-a părut că APTI va organiza un seminar despre aceasta chestie în aprilie? găseam acest articol despre un seminar despre datele deschise organizat în februarie dar nu i ajută pe nimeni în de a cunoaște viitorul), toți noi invitați i-am dat posibilitatea de a raspunde participanți. Eu am zis până la urmă:

Drepturi omului sunt din tradiție o temă liberală și cum a spus doamnă Weber grupul liberal are potențială în a fi balanță în voturi.

Am considerat mult dorintă politicienilor să iau responsabilitatea pentru dezvoltarea societatei și a industriei.

Este un fapt că fiecare piață este reglementată. Singur punct de diferință este felul în care o reglementăm.

Regulamentul în față crea un cadru pentru standarde pentru protecția datelor și pentru născocirea. N-ar trebuie să fie o problemă. Standarde sunt folosite tot timp în orice industria.

Numai transparența nu este suficiente pentru a garanta protecția datelor. Avem nevoie de nu numai cuvinte dar și technologiile care implementează cuvintele. Dar, bine, dacă Microsoft dorește să fie transparent, dăți-ne algoritmi!

Și este o problemă și pentru firme dacă politicieni nu pot fi responsabili pentru cadrul legislativ a societatei și a pieței. Uniunea europeană de fapt nu-i Statele Unite, și putem crea legislație proprie. Noi trebuie șa avem politiciene care vor fi responsabili și vor crea o societate în care cetățeni se simt siguri și în control. Este o discuție despre valori și responsabilitate dar cu participarea cetățenilor în dezbăterii asupra temei nu există nici un motiv de ce nu vor fi responsabili politicieni noștri.

Vă mulțumesc.

Mai târziu m-am grăbit la aeroport pentru a mă întorc în Belgia.