Amelia Andersdotter - Anonymitet

Vad tycker svenska ledamöter om dataskyddsförordningen? Moderaterna.

Amelia Andersdotter — Thu, 02 May 2013 15:39:59 +0000

Språk Svenska

Håkan Ogelid på IDG frågade sig i tisdags vad svenska ledamöter tycker om dataskyddsförordningen. Enkelt uttryckt tycker Moderaterna att stora amerikanska bolag har många bra poänger, om man får tro Anna-Maria Corazza Bildts ändringsyrkanden. Det här är den första bloggposten av tre där jag går igenom vad svenska ledamöter tycker om Dataskyddsförordningen.

Den stora skillnaden mellan USA och Europa rättsmässigt är att privatliv och integritet är en mänsklig rättighet i Europa enligt EKMR art 8. I USA är privatliv och integritet istället en konsumenträttighet som privatpersoner kan förvärva avtalsrättsligt i relationer med privat aktörer på marknaden. Sverige är bundet av Europeiska konventionen för mänskliga rättigheter sedan 1950-talet, och jag förutsätter att svenska politiker därför utgår ifrån att privatliv är en mänsklig rättighet som vi alla har för att vi är människor, snarare än någonting som uppstår när vi interagerar med en viss tjänstetillhandahållare (varesig denna är statsmakten själv eller en privat tjänstetillhandahållare).

Anna Maria Corazza Bildts:s ändringsyrkande 396, underskrivet med 6 av hennes EPP-kollegor, kommer direkt från amerikansk lobby. Europeisk IT-industri har inte stött att pseudonymiserad data ska undantas från förordningens/personuppgiftslagens förpliktelser. Enligt amerikanska konsumentgrupper och säkerhetsforskare (t ex Bruce Schneier, se emellertid också Paul Ohm som också gör upp med FOI:s rapport 3633) lär pseudonymiserad data heller inte hjälpa oss att skydda vårt privatliv eller integritet på något särskilt sätt, så därför är det uppenbart inte en tanke grundad i MR-tänk, utan snarare ett sätt att konsumenträttsligt minska konsumenters rättigheter mot företag (vilket är rimligt att göra, om man upplever privatliv som konsumenträttslig fråga). Samma feltänk återfinns i Corazza Bildt:s ändringsyrkande 730, 734 och 922, där särskilt #922 utgör ett väldigt stort avsteg från MR-tanken och egentligen gör det omöjligt att på något bra sätt utöva konsumenträttigheter heller. Pseudonymiseringsdiskussionen har uppstått via Yahoo!, eBay, Amazon, Google och Facebook (amerikanska företag), och de har haft väldigt stort inflytande vilket man kan se på bland annat lobbyplag.eu. Man kan också kontrollera de lobbydokument som kommit in till mig och Christian Engström här.

Den europeiska organisationen CEPIS som organiserar IT-tekniker har försökt lobba mot förslaget att urvattna definitionen på personuppgift på det ovan förslagna sättet. På dataprotectioneu.eu har en sammanslagning av mer än 100 europeiska akademiker också försökt protestera mot amerikansk industris urvattningsförsök.

I det vidare har Corazza Bildt också skrivit under ändringsyrkande 1357 tillsammans med 8 kollegor. Detta ändringsyrkande till artikel 15 i dataskyddsförordningen lägger privatliv och integritet från EKMR:s artikel 8 på en lägre prioritetsordning än företagshemligheter och immaterialrätter, i en lagstiftning som bara rör privatliv, personuppgiftsskydd och integritet(!). Här rör det sig inte om huruvida fildelning hotar integritet eller anonymitet eftersom ju det är en avvägning domstolar gör i varje specifikt fall, utan om man ska i lagstiftning sätta prioriteringsordningen på detta sätt, vilket då skulle tvinga domstolar att alltid göra avvägningen på ett särskilt sätt. Det härrör från European Banking Federation och en del andra finansiella industrier (se dataskydd.net och lobbyplag.eu).

Ändringsyrkandena 414 och 1537 är underskrivna av Corazza Bildt och 7 kollegor från EPP-gruppen. De är lite lurigare eftersom de undergräver en rättighet vi medborgare redan har enligt direktivet 2002/58/EC och i Sverige 18§ LEK, nämligen rätten att få säga ja om vi vill bli spårade (alltså opt-in resp. opt-out). Trots att formuleringen i #1537 alltså inte "ser farlig ut" är det alltså så att den är onödig om man tycker att detta är en rättighet, eftersom rättigheten redan är etablerad. Enda syftet med att kodifiera den igen om med andra ord är att göra rättigheten svagare. Detta förslag har drivits av IAB (reklamföretag), Google, och andra amerikanska företag och sätter, återigen, privatliv och integritet som konsumenträttighet snarare än mänsklig rättighet.

Det filosofiska problem jag har lite svårt med vad gäller Corazza Bildt och Moderaterna här är huruvida de anser att privatliv och integritet är en mänsklig rättighet eller en konsumenträttighet. Jag tycker personligen att det är en mänsklig rättighet och att EKMR har gjort en bra avvägning som inkluderar det i den europeiska rättighetskatalogen. Man behöver inte hålla med om det alls, och det kanske Moderaterna (t ex) inte gör, men i sådana fall tycker inte jag att man ska börja med att skriva om "sekundär lagstiftning" utan kanske istället ta en nationell debatt om huruvida vi fortfarande vill vara med i EKMR eller om vi ska begära en omförhandling av EKMR:s text. Så länge alla uppfattar det som bra att vi har den rättighetskatalog vi har i EKMR finns ingen anledning att i annan lagstiftning agera annorlunda (tycker jag).
Är det då inte lugnt så länge vi frivilligt delar med oss av data och personuppgifter? Vad Anna-Maria Corazza Bildt åstadkommer med sina ändringsyrkanden är att vi inte ges möjligheten att uttrycka någon frivillighet. Vi får helt enkelt inte veta, och vi får ingen möjlighet att säga ja eller nej. Det är det som är problemet med Anna-Maria Corazza Bildts ändringsyrkanden - de tar bort rättigheter, valfriheter och självbestämmande från europeiska medborgare.

Kollegor som Anna-Maria Corazza Bildt har affilierat sig med: Sean Kelly, irländsk konservativ ledamot tillika föredragande för yttrandet om dataskyddsförordningen i industriutskottet. Fick mycket hård kritik av olika civilsamhällesaktörer och undergräver totalt allt personuppgiftsskydd i EU (se http://www.theregister.co.uk/2013/02/22/european_parliament_industry_committee_data_protection_amendements/ ); samt Lara Comi, en italiensk konservativ ledamot tillika föredragande i utskottet för konsumenträttsfrågor vars yttrande om förordningen fick ännu hårdare kritik (se t ex http://www.techweekeurope.co.uk/news/eu-committee-votes-to-water-down-data-protection-regulation-105326 ). Se också mer information om vart och ett av utskotten och deras arbete på http://protectmydata.eu.

Keynote på Open Source Days, Köpenhamn (9 mars)

Amelia Andersdotter — Wed, 13 Mar 2013 07:02:45 +0000

Språk Svenska

Jag hade den stora äran att få närvara vid Open Source Days, en stor dansk konferens om öppen källkod och öppen mjukvara som anordnas varje år i Köpenhamn sedan 1998. Nedan följer det anförande jag gjorde under konferensen, och efteråt var det många som ställde frågor och förde diskussioner som jag också besvarade så gott jag kunde. Det var många intressanta presentationer utöver min egen som DNS-censur, privatlivsskyddande teknologier för din mobiltelefon (specifikt Android och orbot), samt en mycket intressant historia om hur man kan porta mjukvara från slutna plattformar till Linux, och vilka avväganden man som företag då behöver gå igenom. Jag träffade PROSA, KLID, Superusers och ett makerbot-team som tillverkade små bystar (alltså statyer). Också närvarande var Ung Pirat Malmö:s nya ordförande Janni! Stort tack för sällskapet och jag hoppas vi ses snart igen :-)

I'm very happy to see so many people here. Welcome.

Most of you have come here because you are developers, or implementers, of open source solutions. Am here in a slightly different role. Even if I have been known to use open source software, I'm here because I am a member of the European Parliament, a publically elected representative, and, as such, legislating and creating norms for interactions in society are some of the tasks for which I m responsible and accountable. I am, optimally, responsible and accountable both for choices that I make, and choices that I don't make.

We all make choices, on a daily basis. In the vast majority of cases they don't have a big impact on the people around us, nor do they impact our surrounding world a lot. Many of the choices I make, when I work in Brussels, by contrast impact the framework in which the 500 million citizens of the European Union find themselves.

So I would like to talk about responsibility and accountability.

Last year I was awarded the honour of being named the fifth most influential internet activist in the world by online internet social community magazine Daily Dot, because of my work in the European Parliament against the Anti-Counterfeiting Trade Agreement.

Now, ACTA is an interesting piece of work since, ultimately, the European Parliament rejected the agreement. The international federation of phonogram industries issues a press release on the day after the vote, July 6th 2012, urging the parliament to be more responsible ”next time”.

But the agreement was already from the outset an example of devastatingly bad allocation of responsibility and accountability.

One of my major concerns in the agreement was the proposition that businesses make their own agreements on how copyright law or trademark law should be enforced.

The reason I don't like this is because I recognise that business, ultimately, doesn't have the olbigation to make difficult and sometimes costly judgement of which particular society benefit should be given preference over another at some given time.

It is us, the legislators, who make that balance through the laws that we enact, and up to the courts to implement these balances.

We have to be able to trust our legislators and our courts to uphold our rights and freedoms. We, the people, everyone of us that interacts every day, need to feel safe that our legislators take responsibility for our common interaction spaces. In the case of ACTA they did, so that is good.

But returning to the issue of responsibility: earlier this week the European Economic and Social Committee had invited me to hold a keynote at one of their meetings. They are not a legislative institution, by the way, so they do not necessarily cause a lot of harm. I was invited to hold a keynote on the responsible use of the Internet. Their thematic conference concerned children, nasty comments on the internet and how we can ensure that the Internet become a friendlier and funner place.

I said at that meeting, and I will maintain, that we have a fundamental political problem in how we define interaction spaces in society when all responsiblity for friendlieness is hurled towards the individual rather than us assessing whether the interaction frameworks are in fact wrongly defined.

We know, for instance, that at the World Summit for Information Society in 2005, ”communciation” was left out from the list of expected benefits from public access to information benefits. An arbitrary exclusion, given how important communication is for society and group cohesion.

In the European Union similarly we are not reforming the opyright laws. They create only uncertainties and risks for those who try to express themselves through use of culture, or those who turn to culture to build commonalities with others. Being a user of cultural works is associated with nothing but risk – all rights and certainties are kept for rightsholders. But because we either do not value communication or because we, the legislators, are unwilling to acknowledge the huge impact our work or, as it were, non-work, has on the abilities for people to interact, the reforms aren't coming.

I will give you an example: in December of last year, the current European Commissioner in charge of copyright issues Michel Barnier said in front of a parliamentary meeting that he did not want to look closer at users' rights in the European legislation because he didn't want to make copyright weaker.

I would argue that a legal framework made in such a way that it creates fear, uncertainty and doubt for those who try to build social networks and communities with each, is a weak legal framework. Our legal system can never be stronger than its legitimacy, and the legitimacy of the current copyright framework with its few limitations is very low.

When teachers, librarians, e-book consumers, radio stations, organizations helping out the visually impaired or Djs find themselves in a situation where they cannot, at any other than severe cost in time, money or to themselves, comply with or respect the law, that is the definition of a weak legal framework.

Laws have no purpose if they don't minimize conflicts between different members of society, or make the conflict resolution between these members as painless as possible if a conflict nevertheless arises. Copyright does exactly the reverse: it generated a multitude of conflicts, and makes the resolution of those conflicts painful and traumatic.

To no reassess users in copyright is irresponsible. It is an avoidance of responisibility that users and citizens themselves can't remedy. It falls upon politicians and elected representatives to take this responsiblity, but the political fear of action in this field is harming our society and our communication places.

Many here will be private persons, entrepreneurs or business people who are deeply concerned with policy areas like competition, standards development or patent law, trademarks or worse: trade-secrets, one of my biggest problems in legal development today.

Also here, unarguably, we are suffering from a gret number of problems over which politicians largely do not exercise much responsibility. Because of the very unclear value-base which guides all policy around communication, be it innovation, group work, personal or economic endeavours or what, the very concept of ”responsible use of the internet” is naturally confusing.

Is it responsible to have built a market model entirely dependent on the removal of freedom, choice and privacy of your customers?

I would argue that it isn't, but politically we have huge difficulties acknowledging concepts like indutrial leadership or the consequences of showing, or refusing to show, such leadership. What we seem particularly unable to determine, politically, is how to discuss the frameworks for interaction that we are making.

Because politicians, publically elected officials, decide the frameworks within which all other actors in society operate, it is incredibly important that they have a vision and some values to impose on that framework.

So for instance, I believe that we need a much stronger policy against vertical integration. Competition policy, which today deals msotly with cartels, mergers and dominant actors need to have a shift of focus towards market entrance barriers. For each level of a different product chain we should not only ponder, but also enforce, functional separation. This will make market entrance on each level of the vertical chain much easier and more actors will be able to join in innovation and product development.

What we are seeing instead is a less conflictful application of competition law now than in the past. When Apple locked its platform sot hat developers only by locking in themselves could participate in the AppStore, the European Commission was happy to accept only a weak commitment from Apple to open partially the developer kit in 2010.

Clearly a more useful discussion or investigation to have been had could and should have been the exact control exercised by Apple over every step of their value chain, and whether anti-trust laws should actually be given a larger role in contravening such practises.

Similarly, when Apple and four publishers were doing price-fixing and locin-in for the e-book sectors, the Commission cautiously criticized the license market they were engaging in as potentially in violation of competition laws, but in the end the Commission decided to not go in and actually just ban the market that they though was not in any way competitive, but instead accept the voluntary commitment to discontinue these market practises for a period of two years.

Clearly more political evaluation over what type of market models we are actually willing to accept would have been useful here.

Even in the Commission's merger investigations, they will very rarely scrutinize the conglomerating effects of merging patent portfolios on a licensing market. But the market for licenses of certain types of patents can be very heavily influenced by large mergers.

The type of competition overhaul that I would like to see would of course demnd involvement not only of competition authorities, but politicians and sector-specific national regulatory authorities as well. It is possible, but it reuires consistent and responsible politicians that are willing to be accountable, and responsible, for the decisions and values they implement.

We as citizens should not be letting our publically elected officials get away with losely referring to industry self-regulation or how they do not want to stop some business development from happening.

Even if it is clear that vertical integration and centralization can have some benefits, freedom, choice and the liberty to make new things is to me more important, and comes only from a structural framework of functional separation.

This brings me over to a last point that i would like to propose on the topic of responsibility. I say that often we hear politicians avoiding responsibility by stressing their unwillingness to interfere with business development or the development of new business models. It is already quite clear that all businesses emerge inside a society context, and that politicians, parliamentarians, governments and commissioners have the responsibility for how that framework is set up.

We all exist inside this framework, which defines how and when we interact in which way with whom. It defines our social interactions, our interactions with businesses, public authorities or the way that businesses interact with each other or public institutions.

These frameworks are made to reduce th total amount of conflicts and bad blood. They are here to help us make bad blood that nevertheless appers go away in some process least traumatic to the parties involved.

So clearly, in order to preserve these conflict minimizing properties of our framework for interaction, we should not be scared of, or avoid, showing an appropriate amount of industrial leadership.

Privacy, data protection or security are good examples of where a larger degree of political responsibility is needed.

In one place I read, and I think this captures beautifully this point: one national data protection authority based in a member state of the European Union stated that it feels its mission is to mitigate the negotative consequences brought on to private persons and citizens in their interactions with business and public authorities by the large scale deployment of information and communication technologies.

Mitigating the negative consequences implies that all is lost, and you would wonder why we at all make public investments in data protection authorities if all is lost.

As we see, and as many of you know, we could simply politically decide not to accept some economic models which create the need for ex post crisis management and damage mitigation with respect to privacy concerns.

We need stronger leadership, responsibility and enforcement of the privacy and data protection measures that we want.

I'm not saying politicians must necessarily favour some technology over another, but I do believe strongly that we both can and should consider the properties which technologies that get deployed at large-scale have to possess.

As business models deal a lot with interaction and communication, we can and should also exercise responsibility in open, democratic debates about which business models we find ok, and which ones we don't.

Now finally, then, if one is a private person and one would like to interact with policy making institutions because one is concerned about the lack of responsibility or one wants to increase accountability? I would suggest writing e-mails, letters or give phonecalls to deputies, that are personal. One person writing a heartfelt, personal email to their deputy easily counts more than any lobbyist or any other interest. Keep in touch with your deputies, ask what they are doing, get in touch when you know that they are addressing issues relevant to you.

Facts you should know about your data

Felipe Gonzalez Santos — Fri, 01 Feb 2013 08:27:09 +0000

Språk Engelska

Privacy is a Fundamental Right in the European Union, so protecting your data should be one of the priorities of EU institutions.

Very few things in life are free (I am sure you knew this already) and online services are not an exception. You don´t need money for using Google (as well as Gmail, Google Drive, etc), Facebook, Hotmail, Twitter and many other services because you pay with allowing these companies to have access to your data and make money out of it.

Many smart-phone applications, like Angry Birds and many other, collect part of your data in your phone and use it for their own interests. Some of them even track contact lists and pictures from your phone!

Every time you have purchased something on the internet it gets registered and stored. This means that there are databases with all the stuff you have bought and your consumption patterns.

Facebook tracks you every time you visit a website with its 'Like' button. It doesn't matter whether you are logged out from your account or you are not even a Facebook user.

Out of the 100 biggest websites in the world, only Wikipedia does not track you. All the rest collect some information from you every time you visit them.

To be able to read all privacy policies you encounter while surfing on the internet you would need to spend one month every year, according to this study (Say goodbye to your holidays!)

If you want to know more about your data, privacy and how to protect it, you can take a look to these websites:

https://dataskydd.net/ (in Swedish)

http://protectiadatelor.noisieu.ro (in Romanian)

The Spanish version is coming soon!

#exile6e "Bloggers for Democracy" S02E09

Tess Lindholm — Sun, 16 Dec 2012 09:05:36 +0000

Språk Svenska

http://www.youtube.com/watch?v=j_bhGgQzefE

Workshop on Data Protection Regulation

Julia Reda — Wed, 30 May 2012 16:11:55 +0000

Språk Svenska

On Tuesday, May 29, LIBE rapporteur Jan Philipp Albrecht, MEP of the Greens/EFA group, hosted a debate on the proposed Data Protection Regulation (downloadable here). Stakeholders from business to civil society and representatives of the EU institutions gathered in the vast Brussels plenary chamber of the EP to exchange their views and concerns on the future of data protection in the EU. The three panels treated in turn the scope and principles of the proposal, the data subject rights and the roles of Data Protection Authorities (DPAs) and Data Controllers. This report highlights some of the many issues brought forward by panelists and attending stakeholders alike.

Data Protection as a Fundamental Right

The first panel, consisting of Peter Hustinx, European Data Protection Supervisor, Peter Drunkenmöller, representative of the loyalty card system Payback and Joe McNamee of European Digital Rights organization EDRi, showed remarkable agreement that a regulation is indeed the best tool for addressing data protection on a European level. While Drunkenmöller emphasized the positive impact of a harmonized EU data protection regime for the expansion of businesses, McNamee welcomed the improvement of data protection implementation through the regulation. As he pointed out, data protection's inclusion in the Charter of Fundamental Rights constitutes a binding promise of the EU to its citizens to not just pay lip service to this right, but to effectively implement it in all member states.

Repeated attempts from business representatives in the audience to frame data protection as a consumer right rather than a fundamental right (as a Privacy International attendee correctly pointed out, consumer rights are fundamental rights) and to argue that fundamental rights were only supposed to protect the individual from the state and not require the state to regulate business were rightly shot down by the panel. Hastings pointed towards horizontal relations in fundamental rights, i.e. the obligation of the state to actively guarantee those rights.

Strengthening the Implementation of Data Protection

In order to further improve the implementation of the right to data protection, EDRi identified potential loopholes in the draft: The exemption of law enforcement from the scope of the regulation, which could be interpreted as including private security contractors, would give foreign governments the opportunity to access EU citizens' data through private companies. As McNamee pointed out, no foreign government should be able to circumvent EU law.

Another point of criticism was the vague nature of the legitimate interest clause that allows companies to process data without explicit consent. One national high court had ruled that even an ISP's snooping for copyright infringements by its customers was a legitimate interest. McNamee suggested to strengthen the clause to make sure that the need for consent to data processing could not be overridden by an ISP's contract with a customer.

Effects of the Data Protection Regulation on Media

Several media associations weighed in on the debate with differing concerns regarding the draft. A representative of the European Newspaper Association criticised that the exemption for journalists from parts of the data protection regime was left to the member states to implement. She suggested that the aim of balancing data protection with freedom of expression would be better served by making the exemption directly legally binding within the regulation.

A member of the Newspaper Publishers Association pointed towards the importance of the legitimate interest clause for newspapers' business models, defending the practice of sending addressed letters to households without consent, in order to acquire new customers. Hastings assured that the inclusion of a legitimate interest clause in the regulation was necessary due to a ruling of the European Court of Justice, but strong safeguards like the right to objection were necessary to protect citizens' rights.

Right to be Forgotten

The second panel on data subject rights featured some criticism of the newly introduced right to be forgotten. Marisa Jimenez of Google argued that in the digital environment, an individual user is not always just the data subject, but also often the data processor. Google proposed not to enforce the right to be forgotten against individuals, introducing a household exception to the text. In a similar vein, Nuria Rodriguez of the European Consumers' Organization (BEUC) argued that while the concept was to be welcomed in principle, the enforcement against individuals could collide with their freedom of expression, or could be grounds for companies to filter content. Leila Schilthuis, formerly associated with the International Centre for Missing and Exploited Children (ICMEC), warned that the enforcement of the right to be forgotten against individuals (e.g. teenagers sharing group photos) would be very difficult. In her opinion, the regulation should focus on effectively enforceable provisions in order not to mislead individuals, and to support awareness programs for children and their parents when dealing with personal data on the internet. To further protect minors from being targeted by online marketing, the regulation should include safeguards against the use of meta-data produced by minors.

Transparency

Rodrigez of BEUC drew attention to the importance of transparency to individuals in matters of data protection. She welcomed that the regulation asks for easily understandable information on the processing of data, but wanted to extend the principle of transparency and readability by making standard forms for privacy policies a requirement. The information a data controller has to provide to a data subject should also be extended to include the type of personal data collected.

Strengthening Data Protection Authorities

The last panel mainly focused on the role of Data Protection Authorities. Laetita Kroener of the Article 29 working party asked that the role of the European Data Protection Authority be strengthened vis-à-vis the Commission. Philip Schütz, a researcher at the Fraunhofer Institute for Systems and Innovation who is working on the comparative analysis of DPAs, identified two major factors in the efficiency of DPAs: independence and funding. As data protection must be followed by private companies as well as government institutions, DPAs, that are closer to government than to industry, must be organisationally and financially independent of the institutions they may be scrutinising.

As DPAs have to fulfill a wide variety of obligations, from complaint handling to education and advice, they require adequate resources, as outlined in the regulation. Schütz criticised that the term "adequate resources" may be open to interpretation by member states. Along with Kroener, he cautioned for stronger independence of the DPAs from the Commission.

A large number of diverse interests were voiced during the well-attended workshop, covering all of which would certainly exceed the reader's attention. Further information can be gathered from the opinions on the data protection reform issued by various parties.

Den nya dataskyddsförordningen

Amelia Andersdotter — Sat, 05 May 2012 19:34:02 +0000

Språk Svenska

Den nya dataskyddsförordningen kommer att handla dels om människors rätt till privatliv och skydd för sina privata data, men också på ett avgörande sätt om hur vi i Europa är villiga att reglera våra industrier. Följande inlägg är ett försök att i alla fall delvis förklara hur jag därför ställer mig till vissa av förslagets olika delar.

Mindre uppmärksammat i Sverige än datalagringsdirektivet (DLD) är dataskyddsdirektivet (DSD) från 1995 (infört som Personuppgiftslagen i Sverige 1998). Kommissionen släppte ett förslag på hur regelverket ska uppdateras i januari i år, vilket har fått mild kritik från de som vill skydda privata data och hårdare kritik de som inte vill det. Vi publicerade en längre text om detta för två veckor sedan.

Invändningar jag tagit emot från olika branschorganisationer (t ex Eurofinas - the voice of consumer credit providers in Europe) inkluderar en oro att det t ex inte kommer att gå att utföra ordentliga kreditundersökningar om man inte får hantera så mycket data som behövs för att man ska klara sina lagstadgade förpliktelser. En underlig invändning eftersom kommissionen medgivit att man får hantera precis den mängd data och under så lång tid (minimiregeln) som behövs för att utföra sådana uppgifter. Man tycker också att det är svårt, tekniskt, att kontrollera vart privata data hamnar efter att de publicerats på en hemsida (rätten att bli bortglömd). Jag kan visserligen tänka mig rätten att bli glömd som en tänkbar utmärkt affärsmöjlighet, vars potential industrin för tillfället inte anser sig tillräckligt innovativ för att kunna uppfylla. Reglering kan ju också användas för att styra den tekniska utvecklingen i privatlivsvänlig riktning och det är inte nödvändigtvis dåligt, menar jag.

Situationen att man går över från direktiv till förordning då? Skillnaden är att förordningen blir direkt tillämpbar i alla medlemsländer samtidigt, och att kommissionen i egenskap av exekutiv institution blir skyldig att upprätthålla förordningens ord. Hade det varit ett direktiv hade man istället behövt införa direktivets regelverk i alla medlemsstater och haft ett fortsatt mycket stort ansvar dels på nationella lagstiftande församlingar och dels medlemsländernas dataskyddsmyndigheter för att säkerställa efterlevnad. Erfarenheterna från DSD-1995 visar att tillämpningen av dataskyddsdirektivet i de olika medlemsstaterna var mycket ojämn och i många fall bristfällig. Tydliga regler i hela unionen som är likadana överallt kommer också att hjälpa företag eller enskilda som vill agera över gränserna, som ju så ofta händer på internet, utan att oroa sig för olika juridiska krav på olika ställen.

Bör det vara kommissionen som utarbetar tydliga riktlinjer för arbetet med dataskydd? Jag har svårt att se att de nationella regleringsmyndigheterna helt kommer att spela ut sin roll. Snarare tror jag att det kommer uppstå en liknande situation som på konkurrensområdet, där kommissionen har väldigt tydliga riktlinjer för alla former av konkurrensbegränsande beteende som uppstår i handel mellan medlemsländerna, medan de nationella myndigheterna ägnar sig åt mer lokala företeelser. Den relevanta frågan för mig blir istället om jag litar mer på kommissionen i deras ambition att utarbeta bra riktlinjer för mig, än vad jag litar på t ex brittiska, tyska eller nederländska myndigheter (de medlemsländer jag bedömer som troligast att ha webhosting och cloud services för företag, på grund av infrastrukturell kapacitet och nuvarande marknadsfördelning) att vara särskilt benägna om att skydda mig som svensk privatperson mot de faktiskt multinationella, gränsöverskridande företag som oftast hanterar min persondata slarvigt.

Artikel 29-gruppen har arbetat nära kommissionen under hela transponeringsprocessen för DSD-1995, och det finns ingen anledning att tro att kommissionen kommer att förkasta de nationella dataregleringsmyndigheternas (i Sverige Datainspektionen) erfarenheter i framtiden.

Är det ett problem att insynen från parlamentet och ministerrådet är för lågt? Svårt att säga. European Data Protection Supervisor och Artikel 29-gruppen har ett svårt jobb framför sig varän ansvaret för att arbeta ut riktlinjer hamnar. Olyckligtvis är det väldigt starka kommersiella krafter som skulle ha intresse av att tänja på regelverket, och oviljan att investera i nya, bättre affärsmöjligheter som skyddar privata data är förhållandevis hög.

Det finns en stor misstanke mot att överreglera industrin, som oftast tar sig uttryck i att man viker sig för industrins naturliga rädsla för förändring. I slutändan kommer det att handla om huruvida väljare väljer att rösta på politiker som tror att en väl reglerad industri klarar av att driva samhället framåt på de premisser samhället håller med om.

Kaniner, bilar och durbaner

Amelia Andersdotter — Thu, 22 Dec 2011 01:09:54 +0000

Språk Svenska

För en vecka sidan idag satt jag i SVT:s morgonsoffa och pratade om Durbankonferensen och klimatkrisen. Det kändes lite underligt eftersom jag var med och organiserade Piratpartiets delegation till klimatkonferensen i Köpenhamn 2009. Det var vid den tiden Gustav Nipe precis investerat i en Reprap-maskin för Ung Pirat Malmös räkning som presenterades på alternativkonferensen, och första gången som EU på allvar blev totalöverkörda av den nya globala alliansen Kina+USA i klimatfrågor.

För ungefär ett år sedan skrev jag en bloggpost om elektronik i bilar och hur ökad användning av, framför allt sluten, mjukvara i bilar riskerar att begränsa bilförarnas kontroll över sina fordon och därmed också utgöra en säkerhetsrisk för individen utanför individens egna kontroll.

Hur hänger dessa frågor ihop? Jo. Bilar som automatiseras och digitaliseras kan med datorernas hjälp finkalibreras att minimera till exempel bränsleförbrukning. För transportindustrin är det här väldigt intressant ur kostnadsperspektiv och enligt Svenska dagbladet tidigare i år ska de första pilotprojekten hamna på Sveriges vägar redan nästa år. Även vad gäller transport av privatpersoner kan man få ned bränsleförbrukning en hel del om man frånhänder privatpersonerna själva kontrollen över fordonet.

Den resulterande krocken mellan privatpersoners intresse att ha full kontroll över sin huvudsakligen mekaniska ägodel bilen, samhällets intresse av att få bukt med den stora bränsleförbrukningen samt begränsa dödstalen i trafiken samt vårt gemensamma intresse av att på ett så bra sätt som möjligt inarbeta teknikens ~~teknologins~~ alla nya möjligheter i vår vardag är en intressant paradox. Jag är inte övertygad om att fri mjukvara i bilarna är en lösning på kontrollproblemet - att påtvinga biltillverkarna öppna standarder och öppen källkod kan måhända skapa ett bättre företagarklimat kring tillhandahållandet av reservdelar och underhållstjänster i bilindustrin, men kontrollen över bilarna ligger fortfarande hos dem som kan koden. Särskilt om ~~teknologierna~~ tekniken ska vara trådlös.

Att det skulle vara mer miljövänligt att "digitalisera bilarna", som Europakommissionen uttrycker det, kan det knappast råda något tvivel om. Ej heller att trafiken, så länge ~~teknologin~~ tekniken fungerar, blir betydligt säkrare än om man i varje ögonblick gör sig beroende av en mänsklig faktor. Man kan hårdkoda i bilens fartmätarsystem att det inte ska vara möjligt att köra fortare än vissa hastigheter på särskilda sträckor, och sedan justera bilens interna hastighetsbegränsning efter vad GPS-apparaten rapporterar om bilens position.

Och föreställ er situationen att din öppenkällkodsbil utsätts för samma risker som din dagens Androidtelefon. En del av bildigitaliseringsproblemet är att valfriheten inte sträcker sig längre än att vi ha möjlighet att välja appar, men inte hur de fungerar, vad de gör, eller välja bort möjligheten att välja appar.

Klimatdiskussionerna i Durban handlade naturligtvis inte om skärningspunkterna mellan informationsfrihet, användarnas (i detta fall förarnas) makt över hårdvaran eller piratpolitiska spörsmål om informationssamhällets inneboende konflikter utan om hur man i så hög utsträckning som möjligt ska kunna undvika att vidta aktioner åt varesig klimatvänligt håll, eller det energiförbrukande hållet.

Ovanstående inlägg ska kanske ses som en uppmaning till piratpartister att tänka över ~~teknologins~~ teknikens stundtals dubbeltydiga roll i andra samhällsprocesser. Om någon får för sig att ämnet var väldigt intressant bidrar jag gärna med andra länkar och artiklar på området som jag samlat på mig under året!

Save yourself from Zombie Laws

Amelia Andersdotter — Wed, 16 Mar 2011 15:59:40 +0000

Språk Svenska

bleeerarrguh

As I reported two days ago, and is now noted also by Walter van Holst, a recent South Korean DDoS attack may in fact be a malicious attempt at sneaking through an oppressive law allowing the government to snoop commercial and private traffic alike. The European security agency ENISA published two reports on botnets not long ago, but appears to be supporting the idea of internet service providers notifying their customers of a potential infection instead.

Regardless of which security analyst you talk to, they will say that users are the true compromisors of security. The South Korean authorities appear to have taken this very literally, and while I didn't check if the strategy pursued by the Austrialian authorities and promoted by ENISA is actually helping users and ISPs it is clear that public authorities feel that users are not inclined and will not be inclined to take responsibility for their own security. Because botnets suck up bandwidth, the ISP is already tried on private initiative in some places although it appears to be a while ago. To my understanding this experience was discontinued since it's easy to forge being an ISP suggesting that you're infected..

At least one friend reacted to me in private saying that this proposal is an attack on democracy. It is, but it's just one among many, and many of the others are already enacted. As I've said in many discussions about trade agreements I think that our democratic powers are already quite limited by the fact that decisions are taken way over our heads. South Korea has signed two trade agreements that make mandatory severe repercussions against filesharing only within the last year, so clearly the South Korean government has already outsourced privacy to private actors. The other argument is the loss of free speech online that many other people have brought up in relation to Apple, Facebook, Google and other commercial actors who's activities with respect to users can't really be monitored or controlled. Presumably there at least one technical argument against, but nobody I know seems to be able to think of any.

Just like speed cameras though, you would expect there to be lots of fines in South Korea about this, but the danger to users and to the government is not very likely to decrease at all. Internet users, like drivers, are not likely to keep track of everything and update all their software or car tires as often as they should.

The public procurement process is likely to lead to very few, or even just the one, security company getting the entire responsibility for helping the government determine what is dangerous and what is not. Public procurement sadly isn't as transparent as it should be, and it's very easy for public authorities to default on a specific vendor because it's convenient. 98% of all computers in South Korea run Microsoft Windows. Government documents are only available for users running Windows. I'd feel uncomfortable with the same amount of power ending up with a single security company as are, presumably, all former customers of HBGary. So added security from this aspect is unlikely

Even if you, like ENISA suggests, would "outsource" the responsibility of warning users to an ISP, I simply can't believe that this is a good solution. I've written many angry posts about ISPs and I don't trust them for squat. Telefónicas business strategies, or for that matter Comcast's, Verizon's or even Eircom's strategies do not fill me with confidence that these people will either warn me or warn me in a way that doesn't primarily serve their business interests - at the expense of both me and my security. Added security from this aspect is also unlikely.

A counter-proposal would be to introduce computer security as a mandatory subject in basic education. That's probably the most useful way of spending public money. Everyone should know how to secure a home network, protect themselves against viruses and know the risk of viruses, or encrypt a harddrive. But when I talk to people who stopped studying even five years ago, very few of them remember any of the mathematics they studied so the system is obviously not flawless. Still, it's the only measure I can think of that's worth spending any public money on.

If we're going to digitize our society I think we're going to have to live with there being a risk crime in all parts of society. Some people break into your car, other people violate your network security. A much larger problem for society is the fact that our backbone infrastructure, our last mile infrastructure, our internet service provision and our online portals are likely to end up getting owned by the very same companies. Vertical monopolies. I noticed that this is already happening in hardware manufacturing which gives the one or two remaining hardware manufacturers a disproportionate amount of influence on what goes into our hardware - the specifications aren't open, how are we supposed to know? Just because internet service providers are larger than life and people are not, doesn't mean you should take the easy route and attempt to secure the networks from the parties that aren't the biggest threat to secure, and primarily reliable, network infrastructure.

Religiösa upplevelser

Amelia Andersdotter — Sun, 13 Mar 2011 17:10:17 +0000

Språk Svenska

Ibland är mitt liv lite bättre än jag tror.

Jag har just läst ikapp på min El Reg-feed som jag i en månad noggrannt hållit mig borta ifrån. Med min nyfunna energi upptäckte jag omedelbart att det ökända hackerkollektivet Anonymous har hacketihackat Westboro Baptists. Tydligen misstänker nu några av medlemmarna att aktionen egentligen var en fälla uppsatt av församlingen i syfte att spåra IP-adresser som har använts av bedrägliga individer som brukat det likaledes ökända LOIC-verktyget. Ironiskt nog har den portugisiska regeringen nyligen brukat liknande tarvliga fällor för att spåra användare av den jävulusiska fildelningsteknologin. Åtminstone, får man anta, IP-adresser till användare som inte anonymiserar sitt ondsinta uppsåt.

Medan den luriga busen Jester tar åt sig äran för denna illvilliga antibaptistiska handling kan jag inte hjälpa att undra om det här är ett nogsamt planerat ironiskt skämt. I ljuset av mina skriverier om Jesu nekande av demonen Legions frestelser med åtföljande förening med heliga ande under ett dop utfört av Johannes Döparen, väljer jag att leva i tro. Givet att Kristdemokraterna är Sveriges mesta upphovsrättsförespråkare förstärks mitt hopp än mer.

Jag tycker dock fortfarande att Piratpartiet och dess nya evangelistiska linje kräver en baptistisk motvikt. Har man någon som pratar behöver man någon som agerar. Och ja, jag tycker att IT-industrins användning av ordet "evangelist" för att beskriva en industrisponsrad reklamare är olämplig. Och ja, jag tycker att det är olämpligt att ordet inkluderas i politiken som benämning för politiska förespråkare.

Awesomest hack or politicality

Amelia Andersdotter — Sat, 26 Feb 2011 09:00:02 +0000

Språk Svenska

A little less than a month ago a temporary alliance under the banner of Anonymous successfully broke into the servers of security firm HBGary and acquired information about a security firm menage-a-trois busying themselves with pleasing the American Chamber of Commerce in their struggles against undesirable leftist groupings and labour unions.

On the Kaspersky Lab newsblog Threatpost Paul Roberts has compiled the following complementary list of malpractises: take over information from Facebook to intimidate customers, zero-day merchandising(!), custom malware production(!!) and an additional menage-a-deux with investment bank HSBC to bring down the Wikileaks servers by means of denial of service. Quoth Kaspersky's Paul Roberts: "It's up to the FBI to solve crimes, not to banks, or their attorneys."

At Ars Technica I further find, or perhaps equivalently, that the FBI undoubtedly are planning to hunt down the HBGary hackers, especially considering the previous (disproportional) responses against Operation: Payback and the ddos protests for Wikileaks. Quoth Ars additionally: FBI reminded Anonymous that "facilitating or conducting a DDoS [Distributed denial of service] attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability".

Ironically, my first association is to a Swedish cultural essay on the Russian author Solzjenitsyn and his literary works on Gulag. Another quote (my translation): The story concerns one day out of the life of a prisoner, one out of 3653 days of a ten year long prison sentence, a common punishment for most real or imaginary crimes in Soviet both prior and shortly after the Second World War.

I've written some posts about Anonymous in the past. After the Gawker hack I think it's relatively obvious that Anonymous, despite their quite prominent political results and representativity, even if it's not always their goal (which I actually doubt that it ain't), isn't solely a group of internet-minded citizens with a passion for openness and transparency engaging in unqualified and harmless ddos-protests. Anonymous in this case becomes the difference between forcefully liberated, emancipated, publicized or leaked information. I would love to heard the opinions on this by Simon Rosenqvist, a party comrade who decided to take a leave from party work earlier this year, and especially in relation to his ideas about a public database of trade secrets (coolest idea ever!).

On Anonymous: Hunnism (2011-02-08) , Globalt (2011-01-18) , Perspectives (2010-12-13)

My boyfriend once told me that he can access my facebook and my mail super-easily. And boy if he can. Remember boys and girls that from a security perspective it is very unhealthy practise to permit password saving in a browser or forget to log out if you're not on your own computer. Especially if you're not on your own computer. The computer owner being a trusted steed is not an excuse for your enormous dispassionate laziness and comfort with the situation. I have two emails from my boyfriend sent to me from my own email account with several sentences of rebuke and reproachment.