EDRi-gram newsletter - Number 11.22, 20 November 2013


Failure of "Licenses for Europe"

Ahead of the last meeting of the “Licences for Europe” initiative, EDRi, together with four other European civil rights organisations – Centrum Cyfrowe, Kennisland, Modern Poland Foundation and La Quadrature du Net – released, on 13 November 2013, the following joint press release reaffirming the urgent need for a European copyright reform.

Today, the Licenses for Europe experiment comes to an end. This initiative, launched almost a year ago, was ostensibly an attempt to 'explore the potential and limits of innovative licensing and technological solutions in making EU copyright law and practice fit for the digital age'.

At the end of this process we are compelled to conclude that 10 months of meetings have largely failed to identify any solutions which can be backed by all, or even the majority of, stakeholders involved. It is evident that there is very little consensus among stakeholders about the appropriate approach to making EU copyright law and practice fit for the digital age. It is unclear as to how licensing solutions can provide a significant improvement to a copyright system that has been widely recognised as being inefficient and out of date.

As a result, and as many stakeholders have been arguing for years, it is long past time that the European Commission initiated a full review of the existing copyright framework to identify areas where legislative changes are needed. We call on the Commission to stop delaying this urgent step, to proceed now, and to waste no additional time in further discussion on whether or not legislative action is necessary.

In real policy making terms this means that the copyright directive must be analysed by reopening the list of possible exceptions, and reviewing each individual exception to determine if and how they need to be adapted to the changed environments. As all of the exceptions are, by definition, compliant with the 3-step-test, they should be made mandatory, in order to avoid an unnecessary restriction on access to culture and freedom of communication.

'User Generated Content'

Our organisations participated in Working Group 2 of the stakeholder dialogue on 'User-generated Content and Licensing for Small-scale Users of Protected Material'. From the start this working group has struggled to identify, let alone agree, a (set of) problem(s) that need to be addressed: Civil society groups and representatives of users have stressed the need to have clearly established rights for European citizens that allow them to create and share works that include protected works from third parties.

The representatives of rights holders have insisted that this is not necessary. Instead they have advocated an approach where rights holders license their works to platform operators, which would in turn allow users of these platforms to share such works via these platforms.

Given the focus of the Licenses for Europe process on 'innovative licensing and technological solutions' and the explicit refusal of the Commission to allow any discussion of other approaches the stakeholder dialogue proved itself to be incapable of even attempting to reconcile these different approaches.

It has however clearly shown that the general approach of facilitating the agreement of licensing arrangements between rights holders and platform operators does not produce outcomes that address the needs of the public and other non-industry stakeholders such as institutions in the public sector. In the current technological environment, copyright affects ordinary citizens and many professionals, such as teachers and cultural heritage professionals, that are not represented by the two industries that the Commission’s approach suggests are the only legitimate stakeholders. There are user rights at stake in this discussion that are extremely important in fields other than popular culture, in particular in education, but also for political expression and democratic participation.

Looking back, it is difficult to view the proceedings of Working Group 2 as anything other than a fundamentally undemocratic attempt to subjugate the ability of citizens to express themselves through digital media to the outcome of licensing negotiations between rights holders and platform operators. Such a process does not create rights, it would simply authorise certain forms of expression on the terms of rights holders.

Looking forward

This means that the discussion needs to shift to the question of how we can best guarantee the right of European citizens to make transformative use of protected materials, in order to express themselves via digital media. Canada has recently introduced an exception for such uses into its copyright law. Member states such as the Netherlands are currently exploring the possibility of broadening an existing exception to achieve the same effect. From our perspective, any attempt to 'make EU copyright fit for the digital age' should follow these examples and reform current copyright legislation. It is worth noting that these examples only address non-commercial uses by private individuals and as such do not unreasonably restrict the ability of rights holders to negotiate licenses for commercial uses that platforms make of the works in question. As stated above, such actions need to be integrated into a full review of the EU copyright directive that also looks at the issues that have been addressed in other working groups (such as Text and Data Mining) and issues that have been left outside of the scope of the Licenses for Europe process (such as use of protected materials for educational activities).

Press release on EDRi website
http://www.edri.org/RIP-L4E

EU speech: Licences for Europe: fostering access and distribution of culture in the digital era (13.11.2013)
http://europa.eu/rapid/press-release_SPEECH-13-918_en.htm

Microsoft and Skype may continue to send Europeans’ data to US

On 18 November 2013, Luxembourg’s Data Protection Authority (National Commission for Data Protection - CNPD) decided that Microsoft and Skype subsidiaries in Luxembourg have not broken EU privacy law by sending Europeans’ data to the US, although we all know where this data goes.

In response to a complaint filed by the Europe v Facebook activist group, CNPD considered that the data transfer was legal under the Safe Harbor agreement, through which US companies can self-certify that they comply with EU-strength privacy standards, even though their country does not. Which means that we have to take their word for that.

“The fact finding operations conducted since July 2013 and the subsequent detailed analysis did not bring to light any element that the two Luxembourg-based companies have granted the U.S. National Security Agency mass access to customer data,” said CNPD’s statement.

“Safe Harbor decision allows for data use for purposes of law enforcement and national security, but the NSA does much more than that. In addition the European Commission has recently said that PRISM would not be covered by the ‘Safe Harbor’, so it seems like the authorities in Brussels and Luxembourg are not in line. If PRISM would be allowed under the ‘Safe Harbor’ decision there is no doubt that the decision would be illegal. So overall we can’t really understand the response,” stated campaigner Max Schrems who added: “There is an urgent need that the European Commission amends the ‘Safe Harbor’ decision accordingly or at least formally clarifies that transfer of data is illegal if there is probable cause that US companies are forwarding Europeans’ data to the NSA.”

Besides the complaints against the European subsidiaries of the US-based internet companies Skype and Microsoft in Luxembourg, Europe v Facebook filed similar complaints in Ireland, against the European subsidiaries of Facebook and Apple, and in Germany, against Yahoo.

The complaint against Yahoo! Germany is still under investigation by the German Federal Data Protection Authority, while the Irish Data Protection Commissioner (DPC) gave the group a resolution similar to the Luxembourg one; that Irish resolution is now under a judicial review procedure with the Irish High Court.

Privacy campaigners lose Luxembourg bid to censure Microsoft over NSA links (18.11.2013)
http://gigaom.com/2013/11/18/privacy-campaigners-lose-luxembourg-bid-t...

NSA: Microsoft and Skype may further transfer data from EU to US. Luxemburg DPC sees ‘adequate protection’ despite PRISM (18.11.2013)
http://www.europe-v-facebook.org/PA_18_11_en.pdf

EDRi-gram: Skype is investigated in Luxembourg for its relations to NSA (23.10.2013)
http://www.edri.org/edrigram/number11.20/skype-nsa-investigation-luxem...

EDRi-gram: Irish DPA: OK for Facebook and Apple to share personal data to NSA!?! (31.07.2013)
http://www.edri.org/edrigram/number11.15/irish-dpa-ok-nsa-facebook-sha...

Search engines pushed to inefficient Internet filtering

The UK government continues its endeavours to censor the Internet and has succeeded in convincing search engines to filter search term results “associated” with child abuse images within its child abuse policy, despite the lack of proof of any efficiency of such measures, the risks of abuse and the dangers to citizens’ democratic rights. It is not clear how the measure will be implemented, whether it will be reported in the Transparency Reports, and whether this kind of search result manipulation will be extended to other topics in the future.

The UK government is thus wasting time and money with other measures such as the opt-in system adopted for ISPs, by which, by the end of 2013, any new broadband account will have filters automatically switched on by default, blocking all online material the British government considers objectionable. The system will be extended to all existing users by the end of 2014.

Jim Gamble, former head of the Child Exploitation and Online Protection Centre (CEOP) explained on ITV’s website that there would be other more logical and efficient ways to fight child pornography: “The way to deter offenders from raping, abusing, photographing, sharing or seeking out images of child abuse is to line child abusers up, in the dock of a court room. One of the main problems is that people can see that is not happening. That is why public frustration often results in online vigilantes like Letzgo hunting enticing paedophiles to meet offline or actions by charities like Terre des Hommes who raised awareness of the problem by luring thousands of suspect sex offenders from their online nests to engage a virtual child. This is where the government must pause, look at themselves in the moral mirror they hold up to others so often, and ask whether they are doing enough? And before ministers hide behind the wall of recession and austerity consider this. Less than £1.5 million a year would pay for 12 regional child protection experts, supported by twelve training coordinators.”

Moreover, the government seems to be deaf to the specialists who have, for some time now, been explaining that filtering is not the solution: it is easy to circumvent, it leads to over-filtering and it infringes people’s rights.

Even one of Cameron’s technology advisers, Wikipedia co-founder Jimmy Wales, considered the filter “an absolutely ridiculous idea” saying the software necessary to implement the policy would not work and ridiculing the opt-in system: “Additionally when we use cases of a paedophile who’s been addicted to child porn videos online, you realise all that Cameron’s rules would require him to do is opt in and say, ‘Yes, I would like porn please’.”

Cameron and his adviser Claire Perry pushed companies like Google, Yahoo and Microsoft to take action by accusing them of aiding paedophiles. So, Google hurried to express its eagerness to play nice: “We actively remove child sexual abuse imagery from our services and immediately report abuse to the authorities. This evidence is regularly used to prosecute and convict criminals,” says Google chief Eric Schmidt who enumerates the measures the company has taken to block child pornography on its search engine.

While it makes some excuses related to the shortcomings of the technology (“There's no quick technical fix when it comes to detecting child sexual abuse imagery. This is because computers can't reliably distinguish between innocent pictures of kids at bathtime and genuine abuse. So we always need to have a person review the images”), Schmidt’s speech ends on a triumphant note: “We welcome the lead taken by the British Government, and hope that the technologies developed (and shared) by our industry will make a real difference in the fight against this terrible crime.”

Oh, and as if this were not enough, Cameron has announced he will involve GCHQ in this matter. "There's been a lot in the news recently about the techniques, ability and brilliance of the people involved in the intelligence community, in GCHQ and the NSA in America. That expertise is going to be brought to bear to go after these revolting people sharing these images (of child abuse) on the dark net, and making them available more widely," the UK prime minister said.

'We've listened - and here's how we'll halt this depravity': Google chief ERIC SCHMIDT explains block on child porn (18.11.2013)
http://www.dailymail.co.uk/news/article-2509044/Google-chief-Eric-Schm...

Child abuse image policies risk looking like cynical manipulation (18.11.2013)
https://www.openrightsgroup.org/blog/2013/child-abuse-image-policies-r...

David Cameron: GCHQ will be brought in to tackle child abuse images (18.11.2013)
http://www.theguardian.com/technology/2013/nov/18/david-cameron-gchq-c...

ENDitorial: European Financial Coalition against CP launched...again (27.02.2013)
http://www.edri.org/edrigram/number11.4/financial-coallition-cp-blocki...

EDPS: Still a lot of work to be done

In a press release published on 15 November 2013, the European Data Protection Supervisor (EDPS) criticised the Commission proposal for a Regulation laying down measures concerning the European single market for electronic communications. The announced goal of this Regulation is to ease the requirements for communications providers, standardise wholesale products and harmonise the rights of end-users. In general, Hustinx approves of the idea of including net neutrality, but points out that the Regulation opens the door to abuses by Internet Service Providers (ISPs), who would be legally allowed to manage and monitor the internet traffic of their users. Hustinx stated serious concerns, especially with regard to Deep Packet Inspection (DPI):

"Any monitoring and restriction of the internet activity of users should be done solely to achieve a targeted, specific and legitimate aim. The large-scale monitoring and restriction of users' internet communications in this proposal is contrary to European legislation as well as the EU Charter of Fundamental Rights. Such interference with the right to personal data protection, confidentiality of communication and privacy will do little to restore consumer confidence in the electronic communication market in Europe.”

The current proposal is open to broad interpretation, allowing service providers to control the online activities of their customers by monitoring their data flows, ranging from visits to websites to the receiving of e-mails, and would even legitimise the slowing down of bit rates or the restriction of access to allegedly illegal services and content.

Not only is this the clear opposite of net neutrality, it would further be a breach of both the Human Rights Declaration and the EU Charter of Fundamental Rights:

“The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).”

In the next months, the upcoming discussions and negotiations in the Parliament will be an opportunity to add necessary corrections to this proposal and to bring it in line with international law standards and fundamental individual rights.

Opinion of the EDPS (14.11.2013)
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Docume...

EDPS Press Release (15.11.2013)
http://europa.eu/rapid/press-release_EDPS-13-10_en.htm

Draft Regulation - the European single market for electronic communications
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2013:0627:FI...

“Building a connected continent”, Neelie Kroes (11.09.2013)
http://ec.europa.eu/commission_2010-2014/kroes/en/content/building-con...

Will the EU Parliament Enable Discrimination Online or Uncompromising Net Neutrality? (19.11.2013)
http://www.laquadrature.net/en/will-the-eu-parliament-enable-discrimin...

(Contribution by Karim Khattab - EDRi intern)

Bogus hearing of the UK intelligence agencies

On 7 November 2013, the heads of the three UK internal and foreign intelligence agencies, GCHQ, MI5 and MI6, were publicly heard by UK’s secretive intelligence and security committee (ISC) concerning Snowden’s leaks regarding the mass surveillance by US and UK intelligence.

Although this was a historic event, being the first instance when heads of intelligence services were questioned in a public 90-minute broadcast meeting, considered a first step towards an era of transparency, it seems that the three agencies had actually been briefed beforehand on the questions that were to be asked by the nine members of the ISC, all MPs and Lords.

Moreover, the questions were far from tough, giving the three intelligence heads the possibility to bring arguments for their position. Also, there were serious questions, like that related to spying on Angela Merkel’s communications, that were not touched upon.

“But the chairman Malcolm Rifkind, who used to be the Foreign Secretary and in charge of GCHQ and MI6 a few years ago, has already exonerated GCHQ in the wake of the Snowden disclosures about endemic surveillance and things like that. So he’s already been on the record, arguing in favor of what the intelligence agencies do. I had no expectation there would be any difficult questions whatsoever,” stated former MI5 agent Annie Machon.

MI5's head Andrew Parker even condemned Snowden’s revelations as damaging, describing the leaks as “the gift terrorists need to evade us and strike at will”. “Unfashionable as it might seem, that is why we must keep secrets secret, and why not doing so causes such harm,” he said, as if terrorist groups had no idea they could be under surveillance before Snowden’s revelations.

“What I can tell you is that the leaks from Snowden have been very damaging. They have put our operations at risk. It is clear that our adversaries are rubbing their hands with glee. Al-Qaeda is lapping it up,” stated Sir John Sawers, head of MI6. He did not mention however the fact that several European politicians have also been under surveillance. Or did they think they were all terrorists?

When asked about why the security services, despite the amount of information they gathered, had not been able to predict such events as 9/11 or the Arab Spring, Sir John Sawers said that was not their job: "We acquire the secrets that other countries don't want us to know... we are not all-knowing specialists in what's going to happen next month or next year."

GCHQ’s head, Iain Lobban, stated he needed a "ring of secrecy" to do his work and that his operations did not exceed the limits of the British law. He also described the internet as an “enormous hay field” where terrorists are plotting attacks. “We are very, very well aware that within that haystack there is going to be plenty of hay which is innocent communication, innocent people, not just British,” he said. He also suggested that the leaks could help paedophiles avoid detection, and said the success of intelligence operations required the country's enemies to be "unaware or uncertain" of methods.

Journalist Glenn Greenwald, who worked with Snowden on stories for the Guardian said the UK Parliament had not succeeded in holding UK intelligence agencies accountable. "There was a huge suspicion-less system of mass spying that the British people and the American people had no idea had been built in their name and with their money," he said.

Meanwhile, a new study published on 6 November 2013 by seven academics says British, Dutch, French, German and Swedish spying operations violate the EU Treaty, the EU Charter of Fundamental Rights and the European Convention on Human Rights.

"It's no longer credible to say the EU has no legal competence and should do nothing on this," one of the authors, Sergio Carrera told the EU parliament, urging MEPs to block an EU-US free trade deal unless the US and EU countries fully disclose their surveillance activities.

He also suggested that MEPs should push EU countries to draft a "professional code for the transnational management of data," and set up a permanent, EU-level intelligence oversight body.

UK spy chiefs defend mass-snooping on Europeans (8.11.2013)
http://euobserver.com/justice/122030

Grilling of spy chiefs ‘a total pantomime’ (17.11.2013)
http://www.thesundaytimes.co.uk/sto/news/uk_news/National/article13416...

UK intelligence work defends freedom, say spy chiefs (7.11.2013)
http://www.bbc.co.uk/news/uk-politics-24847399

As it happened: Spy chiefs quizzed (7.11.2013)
http://www.bbc.co.uk/news/uk-politics-24848186

UK intelligence chiefs getting such a soft touch is ‘shocking’ (8.11.2013)
http://rt.com/op-edge/intelligence-security-snowden-terrorists-435/

Mass Surveillance of Personal Data by EU Member States and its Compatibility with EU Law (6.11.2013)
http://www.ceps.eu/book/mass-surveillance-personal-data-eu-member-stat...

Mapping the public domain – a priority for France

On 7 November 2013, during the closing session of the “Transmission of culture during the digital era” event, Aurélie Filippetti, the French Minister of Culture and Communication, announced a R&D partnership between her ministry and the Open Knowledge Foundation France meant to create a French public domain calculator.

The project will thus develop a tool to help establish the legal status of cultural works, giving the cultural sector the possibility to use it as a pedagogical tool in order to better know the status of a work and to help users realise whether works have passed out of copyright into the public domain.

“We often say that a work has “fallen” into the public domain, as though it falls into a state of disuse, abandonment or oblivion. In fact, precisely the opposite is true. When a work enters the public domain, it experiences a rebirth. And I want to show that my department recognises this. Therefore, to support our thinking in this area, we have formed a partnership with Open Knowledge Foundation France to develop a prototype of a French public domain calculator using a set of cultural metadata (in this case a selection of metadata about works from the Great War) provided by the National Library of France” said Filippetti in her speech.

During the event, there were also talks from the Rijksmuseum and the British Library about what they are doing to publish and encourage the reuse of open data and open digital copies of public domain works.

Speaking at the Mapping of Commons, Jonathan Gray, Director of Public Policies and ideas of Open Knowledge Foundation, also stated: “In any case, our aim is clear: we want to model the most crucial bits of copyright law and related rights that are relevant to making an informed estimate as to whether or not a given work is still in copyright or whether it has entered the public domain in a given country. We started off doing very basic models for this in the UK. We also worked with the late Aaron Swartz, who was then at the Internet Archive in San Francisco and interested in mapping which works are in the public domain in the US. We have gone on to work with a global network of lawyers and legal experts to map copyright law in countries around the world, producing flow diagrams to show what questions you must answer in order to establish the copyright status of a work. Europeana then took up the mantle and built on our work to produce flow diagrams for 30 European countries.”

The demonstrator of the French public domain calculator will be built on the basis of the cultural metadata from the National Library of France and the Media library of Architecture and Patrimony and will be presented during the first trimester of 2014.

New partnership to map the public domain in France (8.11.2013)
http://blog.okfn.org/2013/11/08/new-partnership-to-map-the-public-doma...

Aurélie Filippetti, Minister of Culture and Communication’s speech, held during the closing ceremony of the exchange day "Transmission of culture during the digital era" and the awarding of the Digital Fall prizes (only in French, 7.11.2013)
http://www.culturecommunication.gouv.fr/Espace-Presse/Discours/Discour...

The calculator of the French public domain (only in French, 8.11.2013)
http://cblog.culture.fr/projet/2013/11/08/un-calculateur-du-domaine-pu...

Public Domain Calculators for European jurisdictions
http://publicdomain.okfn.org/calculators/flowcharts/

TPP may be worse than ACTA

A version of 30 August 2013 of the Intellectual Property Rights (IPR) Chapter of the Trans-Pacific Partnership (TPP) draft confirms previously expressed concerns that the negotiating parties are prepared to expand the reach of intellectual property rights to the detriment of consumer rights and data protection. The document was recently leaked and published by Wikileaks on 13 November 2013.

The secretly negotiated TPP IPR draft which was distributed among the Chief Negotiators by the USTR after the 19th Round of Negotiations at Bandar Seri Begawan, Brunei, on 27 August 2013, includes granting more patents, creating IPR on data, extending the terms of patents and copyrights protection, expanding right holder privileges, increasing penalties for infringement, while limiting at the same time the space for exceptions in all types of intellectual property rights.

The US, as well as other countries, has defended the secrecy of the negotiations on the grounds that the government negotiators get enough advice from 700 corporate advisors cleared to see the text, which is actually far from reassuring, bearing in mind the lobbying pressure from corporate right holders.

Although all of the TPP member countries are members of the WTO, which has its own extensive obligations on copyright, and the TRIPS has already expanded copyright coverage to software, providing extensive protections to performers, producers of and broadcasting organizations, the TPP contains its own detailed lists of obligations. In the TPP, the copyright provisions are meant to extend copyright terms beyond the life plus 50 years (as in Berne convention), create new exclusive rights, and provide specific instructions as to how copyright is to be managed in the digital environment.

The TPP leaked draft offers less space for exceptions than provided in the 2012 WIPO Beijing treaty, the 2013 WIPO Marrakesh treaty or the TRIPS Agreement. It also wants to stop any return to copyright systems requiring registration, which has been suggested as a possible way to solve some of the issues arising from copyright's automatic nature. Lately, copyright policy makers and scholars have reconsidered the positive results of the registration of works and other formalities, especially in view of the massive orphan works problem.

Also, TPP wants strong protection for DRM. The copyright section includes a long text on technical protection measures, especially on the creation of a separate cause of action for breaking technical protection measures, which would make it illegal to circumvent DRM even if it has been applied to materials that are in the public domain. The exemptions to the restrictions on breaking technical protection measures include “lawfully authorized activities carried out by government employees, agents, or contractors for the purpose of law enforcement, intelligence, essential security, or similar governmental purposes.”

Regarding damages for copyright infringement the draft uses the same phrasing used by ACTA: “In determining the amount of damages under paragraph 2, its judicial authorities shall have the authority to consider, inter alia, any legitimate measure of value the right holder submits, which may include lost profits, the value of the infringed goods or services measured by the market price, or the suggested retail price.”

Yet, the TPP negotiation has been more secretive than the ACTA negotiation, and the TPP leaked text is now much worse than the ACTA text.

"If instituted, the TPP’s intellectual property regime would trample over individual rights and free expression, as well as ride roughshod over the intellectual and creative commons. If you read, write, publish, think, listen, dance, sing or invent; if you farm or consume food; if you’re ill now or might one day be ill, the TPP has you in its crosshairs," said Julian Assange, the founder and editor-in-chief of WikiLeaks.

There is also some hope, as the leaked text shows various areas, such as patents, medicines, copyright and digital rights, where parties have not come to terms, and there is still time and room for countries to take positions in the public interest and in preserving consumer rights. All the more so now that the text has been leaked to the public.

TPP IP Chapter Leaked, Confirming It's Worse Than ACTA (13.11.2013)
https://www.techdirt.com/articles/20131113/08405625230/tpp-ip-chapter-...

KEI analysis of Wikileaks leak of TPP IPR text, from August 30, 2013 (13.11.2013)
http://keionline.org/node/1825

Secret TPP treaty: Advanced Intellectual Property chapter for all 12 nations with negotiating positions - WikiLeaks release (13.11.2013)
http://keionline.org/sites/default/files/Wikileaks-secret-TPP-treaty-I...

WikiLeaks publishes secret draft chapter of Trans-Pacific Partnership (13.11.2013)
http://www.theguardian.com/media/2013/nov/13/wikileaks-trans-pacific-p...

TPP on Wikileaks
https://wikileaks.org/tpp/

ENDitorial: How antivirus vendors handle state-sponsored malware

Last month, an international coalition of civil rights organizations and academic experts asked antivirus software vendors how they handled state-sponsored malware. Some of them already responded and the responses are interesting.

The letter, drafted by Bits of Freedom and signed by organisations such as EDRi, several EDRi-members and security experts such as Bruce Schneier, was sent to various antivirus companies (see below for a complete list). The coalition writes in the letter that these companies have a vital position in providing security and maintaining the trust of internet users engaging in sensitive activities such as electronic banking. Therefore, they were asked to answer four questions:

1) If they have ever detected the use of state sponsored software for the purpose of surveillance;
2) If they have ever been approached with a request by a government to not detect such software or, if detected to not notify the user of their software;
3) If they have ever granted such request;
4) How they would respond to such a request in the future.

Up until this moment, only a handful of the vendors have replied: ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply. All the aforementioned companies believe there is no such thing as harmless malware.

Furthermore, this means that several vendors did not respond to the letter before the deadline. We are now considering a follow-up with these companies.

The letter was sent to: Agnitum, Ahnlab, Avira operations GmbH & Co. KG, AVG, AVAST software a.s., Bullguard Ltd, Bitdefender SRL, F-Secure Corporation, Kaspersky Lab, McAfee Inc, Norman Shark, Microsoft Corporation, ESET spol. S r.o., Panda Security S.L., Symantec Corporation and Trend Micro Incorporated.

International coalition letter (25.10.2013)
https://www.bof.nl/live/wp-content/uploads/Letter-to-antivirus-compani...

Experts call upon the vendors of antivirus software for transparency (25.10.2013)
https://www.bof.nl/2013/10/25/experts-call-upon-the-vendors-of-antivir...

AV-vendors: we will act upon detecting govt malware (15.11.2013)
https://www.bof.nl/2013/11/15/av-vendors-we-will-act-upon-detecting-go...

Response ESET (11.11.2013)
http://www.welivesecurity.com/2013/11/11/eset-response-to-bits-of-free...

Response F-Secure (1.11.2013)
http://www.f-secure.com/weblog/archives/00002636.html

Response Kaspersky (6.11.2013)
http://usa.kaspersky.com/about-us/press-center/press-blog/kaspersky-la...

Response Panda (12.11.2013)
http://pandalabs.pandasecurity.com/panda-security-answer-to-bits-of-fr...

Response Trend Micro (7.11.2013)
http://blog.trendmicro.com/trend-micros-response-bits-freedom/

(Contribution by Ton Siedsma - EDRi member Bits of Freedom - Netherlands)

Recommended Action

EDRi looks for a Community and Communications Manager
Deadline for applications: 6 December 2013
http://www.edri.org/Community-Communications-Manager

Will the EU Parliament Enable Discrimination Online or Uncompromising Net Neutrality? (19.11.2013)
Citizens must contact the rapporteur and Members of the ITRE committee, and urge them to ensure the European Parliament guarantees a genuine and unconditional Net neutrality principle.
http://www.laquadrature.net/en/will-the-eu-parliament-enable-discrimin...

Recommended Reading

Joint-stakeholder statement on MEP Castex’ report on private copying levies (19.11.2013)
http://t.co/5MgfANbiJd

Waiting for Freedom of the Press in Bulgaria (17.11.2013)
http://globalvoicesonline.org/2013/11/17/waiting-for-freedom-of-the-pr...

Italian Court Orders ISPs to Block Russia’s Facebook and Rapidgator (19.11.2013)
http://torrentfreak.com/court-orders-isps-to-block-russias-facebook-an...

CoE: Ministerial conference calls for effective safeguards against electronic mass surveillance (8.11.2013)
http://hub.coe.int/en/web/coe-portal/press/newsroom?p_p_id=newsroom&am...

“The Evil Will Be Punished”: Russia Establishes Federal Service For Copyright (12.11.2013)
http://www.ip-watch.org/2013/11/12/the-evil-will-be-punished-russia-es...

Agenda

25 November 2013, Luxembourg
Public hearing on guidelines on recommended standard licences, datasets and charging for the re-use of public sector information
https://ec.europa.eu/digital-agenda/en/news/public-hearing-guidelines-...

27–30 December 2013, Hamburg, Germany
30C3 – 30th Chaos Communication Congress
http://events.ccc.de/2013/07/18/30c3-call-for-participation-en/

22-24 January 2014, Brussels, Belgium
CPDP 2014: Reforming data protection: The Global Perspective
http://www.cpdpconferences.org/

3-5 March 2014, San Francisco, California, USA
RightsCon: Silicon Valley
https://www.rightscon.org/

19-20 March 2014, Athens, Greece
European Data Forum 2014 (EDF2014)
CfP by 10 December 2013
http://2014.data-forum.eu

24-25 April 2014, Barcelona, Spain
SSN 2014: Surveillance Ambiguities & Asymmetries
http://www.ssn2014.net/

28-29 April 2014, Newcastle upon Tyne, United Kingdom
OER14: building communities of open practice
http://www.oer14.org/