The latest EDRi-gram

*Gosh what a messy world. To err is human, but to really screw up requires technology.

======================================================================

EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 11.15, 31 July 2013

=======================================================================
Contents

1. Irish DPA: OK for Facebook and Apple to share personal data to NSA!?!
2. Finally! Safe Harbour Agreement under question by EU commissioner
3. Turkey: Social media and our rights
4. How much longer before web accessibility?
5. Ireland: champion in requesting retained traffic data
6. Over 100 global groups make a principled stand against surveillance
7. UK: Vehicle plate recognition system ruled illegal
8. ENDitorial: Belgian railways – a case study in bad internet security
9. Recommended Action
10. Recommended Reading
11. Agenda
12. About

=======================================================================
1. Irish DPA: OK for Facebook and Apple to share personal data to NSA!?!

The Irish Data Protection Authority (ODPC) has recently ruled that the
Irish subsidiaries of Facebook and Apple may share their users’ data
with the NSA, as this is legal under EU law.

The ruling comes as a result of two complaints filed by the Europe v
Facebook group: one against Facebook’s and Apple’s Irish subsidiaries and
the other against the European operations of Microsoft and Skype in
Luxembourg and Yahoo in Germany, for breaking EU law by sharing data
with US intelligence services. The group argued that EU companies may
not transfer the data of European citizens to the US if that data is
then forwarded to the NSA for surveillance without probable cause. EU
law says an export of data to another country is legal only if there is
“adequate protection” of Europeans’ privacy.

“In order to avoid taxes US companies have spun a network of
subsidiaries. At the same time these ‘tax avoidance strategies’ lead to
a situation where the companies have to abide by US and EU laws. This
can get tricky when they have to adhere to EU privacy laws and US
surveillance laws,” explains the law graduate Max Schrems, the leader of
the group.

Yet, ODPC believes there are no grounds for investigating Facebook and
Apple European subsidiaries, serenely stating that the European
Commission has “envisioned and addressed the access to personal data for
law enforcement purposes” (including the PRISM program) in the “Safe
Harbor” decision from 2000. The ruling is also informal. ODPC has simply
sent an informal letter in response to the legal complaints, instead of
issuing a formal decision that could be appealed in courts.

The “Safe Harbor” decision allows the transfer of data to the US as a
general rule, but includes exceptions for cases in which Europeans’ data
is not adequately protected. This means that the ODPC considers European
citizens’ data to be adequately protected even in the PRISM case.

“We consider that an Irish based data controller has met their data
protection obligations in relation to the transfer of personal data to
the U.S. if the U.S. based entity is 'Safe Harbor' registered.”

The position of the German data protection authorities is the opposite
of the ODPC’s. The German authorities sent a letter to the German
Chancellor, only a day before the ODPC’s ruling, saying that, after the
PRISM scandal, it is clear that the “Safe Harbor” cannot guarantee an
“adequate level” of privacy for data exported to the US.

There is no reaction yet from Luxembourg.

Unbelievable: Facebook and Apple may forward data to PRISM under EU law
Irish Authority rules that Europeans’ data is adequately protected
(25.07.2013)
http://www.europe-v-facebook.org/PA_en_25_7.pdf

Irish DPC: EU has 'envisaged' PRISM in the year 2000. Facebook and Apple
may share data with NSA under EU law (25.07.2013)
http://www.europe-v-facebook.org/EN/en.html

Facebook, Skype challenged in EU over spy affair (18.07.2013)
http://euobserver.com/justice/120894

Complaint filed against Irish subsidiaries of Apple, Facebook (26.06.2013)
http://www.irishtimes.com/business/sectors/media-and-marketing/complaint-filed-against-irish-subsidiaries-of-apple-facebook-1.1443217

=======================================================================
2. Finally! Safe Harbour Agreement under question by EU commissioner

On 19 July 2013, during the informal Justice Council in Vilnius,
Lithuania, EU justice commissioner Viviane Reding told reporters
that her services will be reviewing the so-called Safe Harbor Agreement.

The agreement, concluded 13 years ago between the US Department of
Commerce and the European Commission on the basis of a clause in the
current 1995 EU Data Protection Directive, no longer seems as "safe" as
its title implies.

"The Safe Harbour agreement may not be so safe after all. It could be a
loophole for data transfers because it allows data transfers from EU to
US companies – although US data protection standards are lower than our
European ones. I have informed ministers that the Commission is working
on a solid assessment of the Safe Harbour Agreement which we will
present before the end of the year," said Reding.

Under the agreement, around 3 000 companies have voluntarily signed up
to follow a binding set of data transfer rules based on seven principles
- notice, choice, onward transfer, security, integrity, access, and
enforcement. However, the agreement sets low data protection standards.

In 2010, the US consultancy company Galexia found a number of
irregularities in the agreement and reported that 200 companies had
falsely claimed to have joined the agreement and that only 350 companies
had complied with the minimum standards of the agreement.

Hence, the US Federal Trade Commission (FTC) has issued orders on
Twitter, Google, Facebook and MySpace to be regularly audited and, in
November 2012, asked Google to pay out 22.5 million dollars for having
planted cookies on Apple’s Safari Internet browser.

Reding’s announcement on Safe Harbor comes in the context of the PRISM
programme revelations, which have pushed the European regulators to
finalise negotiations on the data protection regulation and its
adjoining directive, the post-Stockholm programme on future justice
priorities. The German and French ministers have sent a joint letter to
the legislators saying that the negotiations between the European
Parliament and the member states on the data protection reforms should
be finalised before the end of the Lithuanian EU Presidency, that is, by
the end of 2013.

“It is good to see that the French and German ministers have reaffirmed,
in a joint declaration, that we need a high level of data protection for
European citizens, which strikes the right balance between freedom and
security.

It is also good to see that they have both committed to quickly adopting
the reform of Europe's data protection rules that the Commission put on
the table in January 2012.

PRISM has been a wake-up call. The data protection reform is Europe's
answer," said Reding in Vilnius.

EU questions decade-old US data agreement (22.07.2013)
http://euobserver.com/justice/120919

Informal Justice Council in Vilnius (19.07.2013)
http://europa.eu/rapid/press-release_MEMO-13-710_en.htm

=======================================================================
3. Turkey: Social media and our rights

EDRi member Alternative Informatics Association (Turkey), together
with 11 other NGOs from Turkey, issued the following public announcement
with the title "Reclaiming our rights on social media following the Gezi
Park protests":

UN and some international organizations have declared Internet as the
main tool of freedom of expression and freedom of the press. Internet
and social media are indispensable for the individual to progress, for
the individual to take part in society and for a sustainable democracy.
Around the whole world masses demand access to information, transparency
and participative democracy.

Freedom of expression, freedom to protest and privacy are fundamental
human rights. Freedom of expression also consists of dissent. However,
defamation, hate speech and call for violence are not included in
freedom of expression.

Social media have changed communication and organization styles
considerably. Social media are not a “menace” to society; on the
contrary, they are a group of tools that are highly valuable to society.

The use of social media is not an illegal act, but it is part of
communication freedom, which is a constitutional right. Eavesdropping
on others’ social media communication, however, is illegal. According to
article 22 of the constitution of the Turkish Republic, “everyone has
the right to communicate freely. One of the fundamentals of
communication is privacy”.

The Gezi Park protests show us that social media perfectly support
citizens’ attempts to seek their rights. This support serves to
resolve the information asymmetry between the citizens and the
government. Since almost all the Turkish press was ignoring the truth or
openly fabricating news, social media allowed the population to learn
the truth.

Social Media sharing activities that do not contain defamation, hate
speech or call to violence are not a crime. These activities include
sharing protest locations and times or sharing medical information such
as doctor or pharmacy locations for those who have been exposed to
violence.

Citizens may use pseudo names or nicknames while sharing content on
Social Media. This is one of the most common practices of the Internet
and it is not a crime according to Turkish Republic’s criminal law.

The reason for regulating social media, or for making it a crime to
share content on social media, is to threaten people and force them into
self-censorship. Self-censorship is one of the most terrifying
violations of freedom of expression, information and communication. In a
constitutional state where democracy is operational, we cannot accept
the authorities forcing citizens into self-censorship.

Technology

Twitter, Facebook, Gmail and Hotmail carry information in an encrypted
form. It is almost impossible to decrypt or break encrypted information.
Having a small lock icon on the address bar of the browser and
"https://" prefix instead of "http://" ensures encrypted communication.

It is not possible for third parties to peek at this user data on
the Internet in decrypted form. However, all this data is stored in
decrypted form on servers that are mostly operated by American
companies. These companies can see and share all user data.

According to various sources including government sources, Facebook is
sharing user data with Turkish authorities, while Twitter is refusing
data sharing at this moment.

According to the general public opinion, companies that operate Gmail
and Hotmail (Google and Microsoft) are sharing user data with
authorities over the world.

Communication in Turkish: Sosyal Medya ve Haklarımız
http://www.alternatifbilisim.org/wiki/Sosyal_Medya_ve_Haklar%C4%B1m%C4%B1z

Communication in French: Les médias sociaux et nos droits
http://www.alternatifbilisim.org/wiki/Les_m%C3%A9dias_sociaux_et_nos_droits

(Thanks to EDRi member Alternative Informatics Association - Turkey)

=======================================================================
4. How much longer before web accessibility?

Access to the so-called Digital Society through the Information and
Communication Technologies (ICTs) is increasingly gaining importance in
our everyday life. Access to the web, where these technologies usually
converge, is already a fundamental right that everyone should enjoy,
including persons with disabilities, who represent 15 % of the European
population. Today, ICTs and the web are the gateway to public services,
education, employment, leisure etc. Therefore, they are also a great
opportunity to combat isolation and social exclusion by ensuring the
participation of persons with disability in all aspects of digital life.

In the same way that architects must bear in mind accessibility
requirements when designing a building, web-developers have at their
disposal the Web Content Accessibility Guidelines (WCAG 2.0) of the
World Wide Web Consortium (W3C), which are the globally acknowledged
tool for making websites accessible to all. These guidelines became an
international standard last year (ISO/IEC 40500:2012), and will also be
included in the future European Standard which is in process under the
European Commission Mandate 376.

Why build an accessible website?

Besides the fact that it is not complex at all to make a website
accessible (see the 10 golden rules recommended by the Commission), web
accessibility also has other advantages: the overall usability and
users’ web experiences are improved for everyone; the maintenance costs
are reduced since the structure is consistent and therefore easier to
maintain over time; search engines can more accurately index the content
of accessible websites, as all content must be tagged properly in the
HTML structure of the website and, finally, accessible websites are more
easily used on tablets and smartphones, since the accessibility and
mobility requirements are very similar.

For years, the European disability movement has been raising awareness
of the importance of web accessibility. We have pointed out the need for
binding legislation to this regard, but in the past ten years
non-binding instruments have failed to deliver their promises (e.g. the
2006 Ministerial Declaration of Riga assuring the accessibility of all
public websites by 2010). Nowadays, less than one third of public
authorities’ websites are made accessible which also means that many
services provided online are out of reach for persons with disabilities.

What first steps have been made?

Through the adoption of the UN Convention on the Rights of Persons with
Disabilities (CRPD) in 2011, the European Disability Strategy 2010-2020,
and the Digital Agenda for Europe, the European Institutions renewed
their commitment to address web accessibility (before 2015, according to
action 64 of the Digital Agenda). Finally, on 3 December 2012, the
European Commission issued a proposal for a Directive on accessibility
of public sector bodies’ websites (COM(2012)721 final).

The European disability movement welcomed the legislative proposal as a
first positive step towards the removal of all barriers to access the
web. However, despite the Commission's will to develop this specific
measure, the scope of the proposal was clearly restrictive, since it
includes just twelve types of websites and web-based public services.
Such a narrow scope would not provide a systematic change within the web
for persons with disabilities.

Fortunately the European Parliament has listened to the users and has
understood that web accessibility is indispensable for persons with
disabilities. The EP rapporteur of this proposal, MEP Jorgo
Chatzimarkakis (IMCO Committee), and the majority of the shadow
rapporteurs agree on the necessity of widening the scope to include all
public sector bodies’ websites, as well as those services of general
interest which are usually provided by other entities such as public
transport, health related services, banking services or utility services
(gas, water, electricity...).

The period for tabling amendments is over and after the summer break the
IMCO committee will need to reach consensus on other relevant issues
regarding this Directive. We believe that without an effective
enforcement mechanism and an efficient monitoring system, involving
persons with disabilities and their representative organisations, this
proposal for a Directive will not be able to ensure the accessibility of
the websites concerned. This proposal will be a test of the real
commitment of the European Institutions to ensure web accessibility for
persons with disabilities, so that no one is left behind and no digital
rights are undermined. As citizens and Internet users, we must join
forces to push for equal rights and the same opportunities to “access” them.

Web Content Accessibility Guidelines (WCAG 2.0)
http://www.w3.org/TR/WCAG/

ISO/IEC 40500:2012
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=58625

Mandate 376
http://www.mandate376.eu/

European Commission’s 10 Golden Rules
http://ec.europa.eu/ipg/standards/accessibility/10_rules/

Web accessibility advantages
http://www.w3.org/WAI/bcase/

2006 Riga Ministerial Declaration
http://ec.europa.eu/information_society/events/ict_riga_2006/doc/declaration_riga.pdf

UN Convention on the Rights of Persons with Disabilities
http://www.un.org/disabilities/default.asp?id=150

European Disability Strategy 2010-2020
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52010DC0636:en:NOT

Action 64 of the digital agenda
http://ec.europa.eu/digital-agenda/en/pillar-vi-enhancing-digital-literacy-skills-and-inclusion/action-64-ensure-accessibility-public

Proposal for a Directive on accessibility of public sector bodies’
websites (COM(2012)721 final)
http://ec.europa.eu/digital-agenda/en/news/proposal-directive-european-parliament-and-council-accessibility-public-sector-bodies-websites

The European Disability Forum (EDF) is an independent NGO that
represents the interests of 80 million Europeans with disabilities. EDF
is the only European platform run by persons with disabilities. EDF is
the voice of persons with disabilities in Europe. More information at
http://www.edf-feph.org

(Contribution by the European Disability Forum)

=======================================================================
5. Ireland: champion in requesting retained traffic data

During the ECJ hearing on 9 July 2013 considering the legality of the
European Data Retention Directive, it emerged that the Irish
authorities are champions in requesting people’s data stored by phone or
Internet providers, having made several times more such requests than
other countries of comparable size.

The Data Retention Directive limits the use of such data to combating
serious crime and terrorism. However, the Irish representative told ECJ
judges that “6 000 to 10 000” requests were made annually under the
Irish law.

According to a 2012 European Commission report on the data requests
made in 2010 by member states, cited at the hearing as evidence in
support of the directive’s implementation, Irish authorities (including
the Garda, Revenue Commissioners and Defence Forces) made 14 928 data
orders. The Department of Justice has recently confirmed 12 675 data
requests for 2011. A spokesman for the Department of Justice told
The Irish Times: “The communications data retention statistics for
Ireland for 2012 are in the order of 9,000 requests.”

The UK refused to disclose figures at the ECJ hearing.

Meanwhile the counsel representing Austria, which is comparable in size
with Ireland, said authorities had made 326 requests for data in a
recent one-year period. Irrespective of which figure is considered for
Ireland, the discrepancy is more than obvious.

To make things even worse, the spokesman for the Irish Department of
Justice refused to give any details on the nature of the requests,
stating: “It is not the practice nor would it be in the public interest
to go into further detail of the provision of the data to the relevant
authorities.”

At the same time, during the ECJ hearing, the representative of the
Austrian government provided an extensive set of figures about the use
of data stored by internet services and telecommunication providers,
according to the Austrian data retention implementation programme (which
is presently challenged at the Austrian Constitutional Court).

The classification of the cases presented by Austria - 16 thefts, 12
drug cases, 12 cases of stalking, 7 frauds and 9 others – brought about
a critical question from ECJ Judge Thomas von Danwitz, the main court
rapporteur for the case: "Was there a terrorist case?"

If none of the 326 requests made by Austria is about terrorism or
serious crime, could we imagine what the 10 000 requests made by Ireland
are for?

None of the representatives of the Member States present at the hearing
was able to offer more solid statistics or any scientific data that
would support the necessity of the directive.

State agencies target Irish phone and internet records (25.07.2013)
http://www.irishtimes.com/business/sectors/technology/state-agencies-target-irish-phone-and-internet-records-1.1473739

Data retention might not be proportional to risks (9.07.2013)
http://policyreview.info/articles/news/data-retention-might-not-be-proportional-risks/170

EDRi-gram: Data retention: "We ask the Court to rule in favour of
Freedom" (17.07.2013)
http://edri.org/edrigram/number11.14/data-retention-hearing-ecj-2013

=======================================================================
6. Over 100 global groups make a principled stand against surveillance

For some time now there has been a need to update understandings of
existing human rights law to reflect modern surveillance technologies
and techniques. Nothing could demonstrate the urgency of this situation
more than the recent revelations confirming the mass surveillance of
innocent individuals around the world.

To move toward that goal, today we’re pleased to announce the formal
launch of the International Principles on the Application of Human
Rights to Communications Surveillance. The principles articulate what
international human rights law – which binds every country across the
globe – requires of governments in the digital age. They speak to a
growing global consensus that modern surveillance has gone too far and
needs to be restrained. They also give benchmarks that people around the
world can use to evaluate and push for changes in their own legal systems.

The product of over a year of consultation among civil society, privacy
and technology experts, the principles have already been co-signed by
over a hundred organisations from around the world. The process was led
by Privacy International, Access and the Electronic Frontier Foundation.

The release of the principles comes on the heels of a landmark report
from the United Nations Special Rapporteur on the right to Freedom of
Opinion and Expression, which details the widespread use of state
surveillance of communications, stating that such surveillance severely
undermines citizens’ ability to enjoy a private life, freely express
themselves and enjoy their other fundamental human rights. And recently,
the UN High Commissioner for Human Rights, Navi Pillay, emphasised the
importance of applying human rights standards and democratic safeguards
to surveillance and law enforcement activities.

“While concerns about national security and criminal activity may
justify the exceptional and narrowly-tailored use of surveillance
programmes, surveillance without adequate safeguards to protect the
right to privacy actually risk impacting negatively on the enjoyment of
human rights and fundamental freedoms,” Pillay said.

The principles, summarised below, can be found in full at
necessaryandproportionate.org. Over the next year and beyond, groups
around the world will be using them to advocate for changes in how
present laws are interpreted and how new laws are crafted.

We encourage privacy advocates, rights organisations, scholars from
legal and academic communities, and other members of civil society to
support the principles by adding their signature.

To sign, please send an email to rights at eff dot org, or visit
https://www.necessaryandproportionate.org/about

International Principles on the Application of Human Rights to
Communications Surveillance
https://en.necessaryandproportionate.org/text

Towards international principles on communications surveillance (21.11.2012)
https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance

Spies Without Borders Series: Using Domestic Networks to Spy on the
World (8.06.2013)
https://www.eff.org/deeplinks/2013/06/spy-without-borders

UN report: The link between State surveillance and freedom of expression
(4.06.2013)
https://www.privacyinternational.org/blog/un-report-the-link-between-state-surveillance-and-freedom-of-expression

(Contribution by Katitza Rodriguez - EDRi member Electronic Frontier
Foundation, USA)

=======================================================================
7. UK: Vehicle plate recognition system ruled illegal

The Information Commissioner's Office (ICO), the UK's data protection
authority, issued on 24 July 2013 an Enforcement Notice asking the
Hertfordshire police to stop using a vehicle plate tracking system that
it considered unlawful.

The ICO notice is the result of a complaint made in June 2013 by No CCTV,
Privacy International and Big Brother Watch against the so-called “Ring
of Steel” of Automatic Number Plate Recognition (ANPR) cameras around
the small town of Royston, which tracks all cars entering or leaving
the town.

The data collected by ANPR cameras is stored both in local force
databases and in a centralised database. License plate photos are stored
for two years and photographs of cars are stored for 90 days.

The notice issued by the ICO said that the seven cameras around the town
had "effectively made it impossible for anyone to drive their car in and
out of Royston without a record being kept of the journey".

The ICO's inquiries found that the Hertfordshire Constabulary had failed
to carry out "any effective impact assessments" before implementing the
system, and the ICO decided that the system breached the Data Protection
Act.

“It is difficult to see why a small rural town such as Royston requires
cameras monitoring all traffic in and out of the town, 24 hours a day.
The use of ANPR cameras and other forms of surveillance must be
proportionate to the problem it is trying to address. After detailed
enquiries, including consideration of the information Hertfordshire
Constabulary provided, we found that this simply wasn’t the case in
Royston. We hope that this enforcement notice sends a clear message to
all police forces, that the use of ANPR cameras needs to be fully
justified before they are installed,” stated ICO's head of enforcement
Stephen Eckersley.

By this complaint, the three groups raised serious concerns over the
entire nationwide ANPR network which has been constructed by the police
without any public debate.

Charles Farrier of No CCTV welcomed ICO’s decision: "This is a landmark
decision. The ICO has validated our view that blanket vehicle tracking
should have no place in a democratic society. The Automatic Number Plate
Recognition (ANPR) camera network amounts to an automated checkpoint
system that is the stuff of totalitarianism. The ICO has ruled strongly
within the constraints of the Data Protection Act.”

He said that other UK police forces should be taking note of this
decision. "We hope that this enforcement notice sends a clear message to
all police forces, that the use of ANPR cameras needs to be fully
justified before they are installed. This includes carrying out a
comprehensive assessment of the impact on the privacy of the road-using
public."

The Hertfordshire Constabulary stated it would not appeal this decision
and accepted that the system needed additional privacy checks. It also
stated that, although it would continue to use such cameras, it intended
to work with the Commissioner to “ensure that its particular deployment
of such cameras is - and is seen to be - fully justified."

"We have already undertaken considerable analysis of the justification
for the use of these cameras in Royston and we have welcomed the
Commissioner's offer of further advice on strengthening our privacy
impact assessments," the police statement also said.

Press Release – ICO Rules Royston Vehicle Number Plate Tracking Cameras
Unlawful (24.07.2013)
http://www.no-cctv.org.uk/press/press_release_23.pdf

Data protection Act 1998 – Supervisor Powers of the Information
Commissioner Enforcing Notice (15.07.2013)
http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/hertfordshire-constabulary-enforcement-notice.pdf

Police number plate camera scheme broke law in Royston (24.07.2013)
http://www.bbc.co.uk/news/technology-23433138

ICO slams police for invading motorists' privacy with 'unlawful' ANPR
camera use (24.07.2013)
http://www.v3.co.uk/v3-uk/news/2284452/ico-slams-police-for-invading-motorists-privacy-with-unlawful-anpr-camera-use

=======================================================================
8. ENDitorial: Belgian railways – a case study in bad internet security

Earlier this year, we reported on the major data leak that was suffered
by Belgian railways. Following the release of the data – including
names, email addresses and even, in some cases, phone numbers and home
addresses - the company failed to notify their customers of the leak.

The company's practices have unfortunately not improved since this
episode. In recent weeks, it sent out an e-mail asking clients if they
wanted to opt out of receiving marketing communications, without
clarifying whether it was referring to online or offline communications
and without clarifying what would happen (default opt-in or default
opt-out) if people decided to take no action.

The e-mail is impressive in that it manages to contain virtually every
characteristic of a fraudulent (“phishing”) e-mail:

1. The salutation in the e-mail is non-personal.
2. The reply-to e-mail address is different from the sender e-mail address.
3. Neither the reply-to nor sender e-mail address are obviously SNCB
e-mail addresses.
4. The e-mail contains links asking people to fill in an “online form”.
5. None of the links in the e-mail point to a website owned or
controlled by the SNCB.
6. Because the e-mail was sent in HTML, the characters do not decode in
all webmail services, making it appear that the text has been altered
automatically to bypass spam filters.
7. The subject-line (“information to clients”) is vague, increasing the
likelihood that it will be opened, in case it might contain important
information.
8. The e-mail sets a time-limit for responding – if you do not act
within the deadline, you have to go through a more cumbersome procedure.
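As an added example (not part of the article and not code from SNCB), the checklist above can be turned into a simple mail-triage script that scores a raw message against those characteristics. The message, the addresses and the domain names in it are constructed placeholders; "sncb.example" stands in for the organisation's real domain.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: an HTML mailing that mirrors the article's list
# (generic salutation, Reply-To differing from From, third-party sender
# and links, request to fill in an "online form", vague subject, deadline).
# All addresses and hosts are placeholders, not real SNCB infrastructure.
SAMPLE_EMAIL = b"""From: "Customer Service" <noreply@mailing-provider.example>
Reply-To: replies@bulk-sender.example
To: sncb@customer.example
Subject: information to clients
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Please fill in our <a href="http://forms.third-party.example/optout?id=123">online form</a>
before 15 August to update your preferences.</p>
</body></html>
"""

GENERIC_SALUTATIONS = ("dear customer", "dear client", "dear user", "dear member")
VAGUE_SUBJECT_WORDS = ("information", "notice", "important", "update", "your account")
# "before 15 August", "within 10 days", "by 1 September" ...
DEADLINE_PATTERN = re.compile(r"\b(?:before|within|by)\s+\d{1,2}\s+[A-Za-z]+", re.I)
LINK_PATTERN = re.compile(r'href=["\']([^"\']+)["\']', re.I)


def _addr_domain(header_value):
    """Lower-cased domain of an address header, or '' when absent."""
    if not header_value:
        return ""
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(domain, org_domain):
    """True when `domain` is org_domain itself or a subdomain of it."""
    return domain == org_domain or domain.endswith("." + org_domain)


def phishing_indicators(raw_bytes, org_domain):
    """Map each checklist item to True/False for one raw RFC 822 message.

    `org_domain` is the domain the mail claims to be from (placeholder here).
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    plain = re.sub(r"<[^>]+>", " ", html).lower()   # strip tags for text checks
    subject = (msg["Subject"] or "").lower()

    from_domain = _addr_domain(msg["From"])
    reply_domain = _addr_domain(msg["Reply-To"])
    link_hosts = [(urlparse(u).hostname or "").lower() for u in LINK_PATTERN.findall(html)]

    return {
        "generic_salutation": any(s in plain for s in GENERIC_SALUTATIONS),
        "reply_to_differs": bool(reply_domain) and reply_domain != from_domain,
        "sender_not_org": not _same_org(from_domain, org_domain)
            or (bool(reply_domain) and not _same_org(reply_domain, org_domain)),
        "asks_for_form": "online form" in plain,
        "links_off_org": bool(link_hosts)
            and not any(_same_org(h, org_domain) for h in link_hosts),
        "vague_subject": any(w in subject for w in VAGUE_SUBJECT_WORDS)
            and len(subject.split()) <= 4,
        "deadline": bool(DEADLINE_PATTERN.search(plain)),
    }


def indicator_count(raw_bytes, org_domain):
    """Number of checklist items the message triggers (0..7)."""
    return sum(phishing_indicators(raw_bytes, org_domain).values())


if __name__ == "__main__":
    for name, hit in phishing_indicators(SAMPLE_EMAIL, "sncb.example").items():
        print(f"{name:20s} {'YES' if hit else 'no'}")
    print("indicators triggered:", indicator_count(SAMPLE_EMAIL, "sncb.example"))
```

A high count is a reason to verify the mailing through a channel you already trust (the organisation's own site or account page) rather than through the links in the message; it is a triage aid, not proof either way.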

The logic behind the e-mail is baffling. If the SNCB were already
behaving appropriately with regard to their direct marketing, there
would be no obvious need to send this e-mail. People who receive the
e-mail are given a choice between taking the risk of clicking on the
links in the message or, it appears, passively giving their consent to
receiving unspecified numbers of marketing messages, via unspecified
media from unspecified sources, which they could only opt out of through
more cumbersome methods.

Whether the Belgian data protection authority would consider this e-mail
to be an acceptable opt-in, opt-out or something else is almost
irrelevant, because the authority has extremely weak enforcement powers
in any case.

The only thing that is certain is that any SNCB subscriber who did avail
of this opportunity to opt-out of direct marketing messages will have
been shown that e-mails that contain pretty much every possible
characteristic of a phishing e-mail may not, in fact, be a phishing
e-mail. So, next time they receive a phishing e-mail, it will probably
be okay to click on the link.

EDRi was able to verify the validity of the e-mail because one of us has
a “wildcard” e-mail system for a personal domain name. Whenever this
person gives their e-mail address to a company, the address given is
[email protected]. As the e-mail was sent to sncb@, it
was easy to identify it as authentic. Or it would have been, if the
company hadn't leaked it.

List of phishing e-mail characteristics
http://www.infosec.gov.hk/english/anti/phishing.html

The SNCB e-mail
http://edri.org/files/sncb.png

EDRi-gram 11.1: Major data leak at the Belgium railway company (16.01.2013)
http://www.edri.org/edrigram/number11.1/sncb-europe-major-data-leak

(Contribution by Joe McNamee - EDRi)

=======================================================================
9. Recommended Action

Sign the Open letter to stop surveillance initiated by EDRi member Digitale Gesellschaft (Germany)
http://www.stopsurveillance.org/en/

=======================================================================
10. Recommended Reading

OSCE media freedom representative warns UK, Internet filtering
ineffective, open to abuse (23.07.2013)
http://www.osce.org/fom/103848

Report Challenges Assumptions On IP Valuation And Cybercrime (07.2013)
https://csis.org/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf

PRISM revelations result in lost business for US cloud companies
(26.07.2013)
http://arstechnica.com/tech-policy/2013/07/prism-revelations-result-in-lost-business-for-us-cloud-companies/

EDPS on smart borders: Smart borders: key proposal is costly, unproven
and intrusive (19.07.2013)
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-07-18_Smart_borders_EN.pdf

=======================================================================
11. Agenda

31 July – 4 August 2013, Geestmerambacht, Netherlands
Observe. Hack. Make. - OHM2013
https://ohm2013.org/

7 September 2013, Berlin, Germany
Demonstration "Freiheit statt Angst" / rally against surveillance
http://blog.freiheitstattangst.de/

14-15 September 2013, Vienna, Austria
Daten, Netz & Politik 2013 - DNP13
https://dnp13.unwatched.org/

16-18 September 2013, Geneva, Switzerland
2013 Open Knowledge Conference (OKCon)
http://okcon.org/

18-20 September 2013, Berlin, Germany
8th International Conference of Information Commissioners (ICIC
2013)
http://www.info-commissioners.org/index.php/blank-menu/281-8th-international-conference-of-information-commissioners-icic-2013-germany

23-26 September 2013, Warsaw, Poland
Public Voice Conference 2013
35th International Data Protection and Privacy Commissioners conference
http://www.giodo.gov.pl/259/id_art/762/j/en/

24-25 September 2013, Brussels, Belgium
EU hackathon - hack4yourrights
This year’s theme is privacy
http://2013.euhackathon.eu/

27-30 September 2013, Brussels, Belgium
Freedom not Fear 2013
http://www.freedomnotfear.org/
http://www.freedom-not-fear.eu

22-25 October 2013, Bali, Indonesia
Internet Governance Forum 2013
http://igf2013.or.id/

25-27 October 2013, Siegen, Germany
Cyberpeace - FIfF Annual Meeting 2013
http://www.fiff.de/

22-24 January 2014, Brussels, Belgium
CPDP 2014: Reforming data protection: The Global Perspective
http://www.cpdpconferences.org/

24-25 April 2014, Barcelona, Spain
SSN 2014: Surveillance Ambiguities & Asymmetries
http://www.surveillance-studies.net/documents/cfp_SSN2014_Barcelona_final.pdf

=======================================================================
12. About

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 35 members based or with offices in 21 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge
and awareness through the EDRi-gram.

All contributions, suggestions for content, corrections or agenda-tips
are most welcome. Errors are corrected as soon as possible and are
visible on the EDRi website.

This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea

Information about EDRi and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in
the EU. If you wish to help us promote digital rights, please consider
making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

subscribe by e-mail
To: [email protected]
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: [email protected]
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay.
Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are
provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian
Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask if you have any problems with subscribing
or unsubscribing.