EU to Investigate Passport Privacy Concerns
mvdwege writes: "Well, it appears that the old fight between the US and the EU over privacy regulations is about to enter a second round. In response to a letter by a Member of the European Parliament, the Commission has stated that it will start investigating Microsoft's possible breach of the EU privacy regulations. The Register has a nice summary."
Obligatory collection of information on users by Microsoft .NET Passport and measures to protect their privacy

1. Is the Commission aware of Microsoft's free .NET Passport service, which, while consumers are engaged in a purchase, a game, a request or a bank transaction on line, is designed continually to collect their personal information via for instance, an e-mail address (Hotmail), a chat programme (MSN Messenger), a shop (Expedia.com), an auction site (QXL), a community (MSN Communities) or a hotel chain (Hilton.com) and that, as a result, a vast quantity of personal information is surreptitiously passed on to unknown parties by, in particular, Hotmail address owners without their noticing it?

2. Is the Commission also aware that failure to register with .NET Passport results in exclusion from many sites' services, that unsubscribing is not possible, that periodically only out-of-date information is removed and that the passwords to be given (minimum of six characters only) are easily accessible, to some extent, to others posing as system administrators or possessing considerable knowledge of dictionaries?

3. Does the Commission regard it as acceptable that users of public terminals in universities, libraries or Internet cafes who fail to log off correctly may pass on their confidential information to the next user, that to hire software via the Internet (using Microsoft servers instead of a personal hard disk) access is possible only via .NET Passport, and that, because of a de facto monopoly, Microsoft may shortly charge a high price for what are still for the time being free services?

4. Is it lawful for a dominant firm to build up a very extensive database of personal information? Is .NET Passport registered with national agencies supervising the application of privacy legislation? Is registration mandatory in every Member State? Does such a requirement also apply where the database is not located on the territory of an EU Member State?

5. Can national or European criminal investigators make use of the information collected without prior consent of the individuals concerned or the courts?

6. According to the Commission, is there any call for further regulation in order to make abuses by interested parties or subversion of current privacy rules impossible?

E-0718/02EN
Answer given by Mr Bolkestein
on behalf of the Commission
(7 May 2002)

1-3. The Commission is indeed aware of Microsoft's .NET Passport system and of its alleged capabilities and shares some of the Honourable Member's concerns. It is looking into this as a matter of priority, in concertation with national data protection authorities, as regards the system's compatibility (or not) with EU data protection law.
4. A company operating in the Union is subject to Community law and may build up a database of personal information, provided the obligations laid down in Directive 95/46/EC of the Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are respected. These include having a specific, legitimate purpose, informing the individual of the identity of the controller of the data, of the purpose of collection and of the rights the individual has, such as the right to access his/her own personal data. In cases where consent for processing is required, the Directive requires that it be unambiguous and freely given. The Directive also lays down the obligation to notify such processing operations to national data protection authorities. But the Directive also provides for some exemptions from the notification obligation. The Commission is not at present in a position to say whether this processing operation has been notified within the Community.
The question of whether and to what extent the Directive applies to a database (or in the terms of the Directive a data controller) located outside the Union, especially where data is collected directly from data subjects via the Internet, is a complex one which the Commission and national data protection authorities are at present examining carefully. Article 4.1(c) of the Directive provides for its application where a controller makes use of equipment, automated or otherwise, situated on the territory of a Member State, which means that the Directive does at least in some cases apply to controllers outside the Community. Furthermore, specific national rules concerning a third country in which the controller is established may also apply and be enforceable within that jurisdiction. In this respect, Microsoft has notified the US Department of Commerce that it adheres to a privacy policy that meets the Safe Harbor framework.
5. On the basis of legislative measures, criminal investigators can make use of information collected without the prior consent of the individuals concerned or the courts, provided that the rights of defence of the individuals concerned are respected and that the restriction to the right to privacy is strictly necessary for the purpose of the criminal investigation. The information collected during the investigation may moreover only be used to the extent necessary for those purposes.
6. In accordance with Article 33 of the Directive, the Commission is examining the application of Directive 95/46/EC and expects to make a report before the end of the year. The subversion of current rules will be looked into in that context.
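Question 2 above objects that a six-character minimum with no dictionary check leaves Passport passwords "easily accessible ... to others possessing considerable knowledge of dictionaries". The following is an added illustration (not code from the parliamentary submission, from Microsoft or from any commenter) of what that means in practice: a cracker's-eye policy check that asks whether a candidate password falls inside the cheap search space a rule-based dictionary attack covers, and compares the size of that space with the full six-character lowercase keyspace. The toy word list and the mangling rules are assumptions chosen for illustration; real cracking uses far larger lists and rule sets.

```python
"""Why a six-character minimum without a dictionary check is weak.

Added example (assumption-based): a tiny rule-based dictionary attack used
as a password-policy check.  TOY_WORDLIST and LEET are constructed here
for illustration and stand in for a real cracking dictionary and rule set.
"""
import itertools
import string

# Constructed toy word list standing in for a cracking dictionary (assumption).
TOY_WORDLIST = ["password", "secret", "letmein", "welcome", "monkey", "hotmail"]

# Common leet substitutions a rule-based attack applies (assumption).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word):
    """Yield `word` with every subset of LEET substitutions applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def mangle(word):
    """Generate the cheap variants of a dictionary word that a rule set tries:
    three capitalisations, leet substitutions, and short digit/punctuation suffixes."""
    suffixes = [""] + [str(n) for n in range(100)] + ["!", "1!"]
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in suffixes:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def dictionary_guess_count(words):
    """Total number of candidates the rules produce over the word list."""
    return sum(1 for w in words for _ in mangle(w))


def cheap_guess_index(password, words):
    """1-based guess number at which the attack hits `password`, or None if it never does."""
    n = 0
    for w in words:
        for cand in mangle(w):
            n += 1
            if cand == password:
                return n
    return None


def keyspace(length, alphabet=string.ascii_lowercase):
    """Brute-force keyspace for a fixed length over `alphabet`."""
    return len(alphabet) ** length


def policy_check(password, words=TOY_WORDLIST, min_len=6):
    """Return (accepted, reason): reject short passwords and anything a cheap
    dictionary attack reaches, which a bare length minimum does not do."""
    if len(password) < min_len:
        return False, "shorter than %d characters" % min_len
    hit = cheap_guess_index(password, words)
    if hit is not None:
        return False, "dictionary-derived: found at guess %d" % hit
    return True, "ok"


if __name__ == "__main__":
    for pw in ["secret1", "Passw0rd", "Tr0ub4dor&3"]:
        print(pw, policy_check(pw))
    print("dictionary candidates:", dictionary_guess_count(TOY_WORDLIST),
          "vs 6-char lowercase keyspace:", keyspace(6))
```

Both "secret1" and "Passw0rd" satisfy a six-character minimum yet fall within a few thousand guesses of this six-word list; the whole mangled list is orders of magnitude smaller than the 26^6 lowercase keyspace, which is the gap the question is pointing at.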
This, taken from the original parliamentary submission upon which the Reg article is based, is laugh-out-loud funny:
2. Is the Commission also aware that failure to register with .NET Passport results in exclusion from many sites' services, that unsubscribing is not possible, that periodically only out-of-date information is removed and that the passwords to be given (minimum of six characters only) are easily accessible, to some extent, to others posing as system administrators or possessing considerable knowledge of dictionaries?
You realize, of course, that pot is legal in the Netherlands?
The guy asking these questions, Erik Meijer MEP, probably realized the game was up when the Parliament issued its preliminary answers in only one format... Microsoft Word.
the US government is trying to stop the European Commission's antitrust case against Microsoft.
You know, as little as a couple of years ago, you'd have been right. But the EU in general is very nervous about America right now. We've got a President they by and large despise (with considerable justification) and giant corporations (like Microsoft) which are effectively their own branches of government. Anything that gives them the chance to cut loose from their dependence on and vulnerability to the US -- militarily, economically, politically, whatever, especially as the lines between those categories blur -- they're going to see as a good thing.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
The EU is preparing new legislation which would make compulsory data retention possible for the member states. The crucial vote on the Directive on the protection of privacy in the electronic communications sector is scheduled for 29 May. More detailed information about the directive and its background can be found here.
GILC members have also launched a lobbying campaign including an open letter, which can be signed here.
Here's also Marco Cappato's (the person in charge of the directive in European Parliament) press release about the situation:
PRIVACY/EUROPEAN PARLIAMENT: CAPPATO (RADICALS) "PPE AND PSE TABLE IN THE EP THE COUNCIL PROPOSALS : IN THIS WAY EUROPE WOULD AUTHORISE DATA RETENTION OF EUROPEAN CITIZENS' INTERNET AND TELEPHONE COMMUNICATIONS"
Brussels, 23 May 2002
The European PPE (conservatives) and PSE (socialists) yesterday tabled common amendments to the Cappato report on privacy in electronic communications that take over the Council positions on all main issues. Their content is in striking contradiction with the EP first reading position as confirmed by the EP Civil Liberties Committee during the second reading.
The discussion in the EP will take place on the 29th of May in Brussels, while the vote will follow on the next day.
Declaration by Marco Cappato, MEP of the Lista Bonino/Radical Party and EP draftsman
on the EU Commission proposal on the protection of privacy in electronic communications:
"With these amendments, PPE and PSE have abandoned the stance that the EP had taken in first reading and confirmed in second reading in the EP Civil Liberties committee, without getting any politically meaningful concession from the Council.
Ana Palacio Vallelersundi (PPE Spanish MEP), President of the Civil Liberties committee (and Spanish conservative Government representative in the Convention) has promoted the tabling in the EP of amendments that take over the (Spanish conservative) Presidency of the Council gaining the support of the Socialist group in the EP, with the only aim of avoiding the conciliation procedure between the Council and the EP and allowing the Spanish Presidency to close successfully the dossier.
PPE MEPs, who had until now supported the freedom for Member States to decide on the regime to adopt on unsolicited commercial communications, opt-out on directories and cookies, now obey the Spanish Presidency's indications and unite with the PSE in supporting a European opt-in system, although in a softened version, in all the abovementioned cases.
But the most controversial issue is that of the powers the Council wants to give to Member States to impose on telecom and Internet service providers the retention of data concerning citizens' communications: SMS, emails, Internet surfing. The PPE-PSE amendment (which goes beyond the legal basis of the directive, which is an internal market measure) inserts in the articles the possibility for Member States to provide for data retention, while guarantees for citizens' privacy are left to a reference to the general principles of Community law and to the EU Treaty. The reference to the jurisprudence of the European Court of Human Rights is relegated in the PPE-PSE amendment to the recitals (while the EP had included it in the articles).
I appeal to MEPs to ask them to vote following their conscience and not on a party basis, and to follow my request to delete from the articles of the directive the reference to data retention of citizens' communications."
For more information:
Marco Cappato offices: 0032 2 2847496
mcappato@europarl.eu.int www.radicalparty.org
While a number of European governments are as corrupt as the US Congress none of them operates in quite the same way. The EU officials who are in charge of implementing the directive do not stand for election and in any case European politicians do not collect campaign funds directly for their personal campaigns.
Nor does Microsoft have any significant political leverage with the EU. The only country it has significant investment in is the UK, and that is a high-powered research lab they are not going to close. Microsoft might ask the Bush administration to exercise leverage; however, after the steel tariffs and the farm bill the US does not have any.
Although Microsoft is not going to intimidate or bribe the EU into submission, the Passport issue is not a problem. While Microsoft could in theory abuse their ability to collect personal info, they merely have to undertake not to abuse the data; they do not have to design the system so that the data cannot possibly be abused.
While such 'undertakings' tend to be considered by US firms to be loopholes to be exploited while the government turns a blind eye, the EU is not like the US in that regard. Microsoft would be making a major mistake if they broke their undertakings. The EU can and will impose very very large fines.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Banks and financial institutions are subject to strict federal regulations in the U.S. with regard to:
- information they disclose to third parties
- information (advice/sales pitches) they provide their customers
These institutions are monitored, and employees/institutions who violate the regulations are investigated and prosecuted (slapped with fines or jail time). At the moment, there are a number of companies that collect sensitive information from consumers, and regardless of what they claim they are doing with that information, no one has any way of knowing if they are honoring those claims. Most public companies would leap at the opportunity to tell consumers whatever they wanted to hear if
- the company could profit from it
- consumers had no way of knowing the truth
The government needs to define regulations for this industry, it needs to be able to monitor the industry and it must have the power to enforce the regulations through fines and incarceration. The companies in this industry will oppose regulation, claiming that the costs associated with monitoring and compliance would put them out of business *bullshit-the-cost-of-not-being-able-to-prostitute-your-data-will-put-them-out-of-business* Excuse me; I must be coming down with a cold. As I was saying, they will insist upon being allowed to regulate themselves. They must not be permitted to persuade the politicians of this.
Ask your representative or senator to consider what life would be like today if banks and brokerages were not regulated. Then tell them that this is far more serious, because while money can be refunded, information cannot be stuffed back into Pandora's Box once it is released.
Personal data must not be released to a third party without the consent of the party who has given the data
Personal data must not be used for a purpose other than that for which it was collected
Now let's judge Passport against these:
As soon as somebody signs up for a Passport account they start getting spam from third parties
As soon as somebody signs up for a Passport account they start getting spam
Now, this isn't some precious view about what a pity junk email is - this is a basic breach of fundamental principles of privacy and data protection being perpetrated by a corporation with a large amount of trade in every EU country (and elsewhere in the world).
If they want to trade in the EU and make money here, they have to obey our laws. And our laws on privacy and data protection aren't that onerous - all that is asked is that if you collect personal data that you don't hand it out willy nilly, and that you use it for the purpose for which it was collected. Is that an unreasonable restraint on trade?
Dunstan
The last scintilla of doubt just rode out of town
You are completely right.
Any nation in the world that can safely cut ties with us, the U.S., should.
We are in the business of smashing you up and getting our multi-national companies in there and rebuilding (and getting all the profits or owning you in the end).
I'm eager to cut ties from the U.S.A. and I'm a citizen.
Sure, you're thinking: "How can you say that after September 11th? We are at war, you anti-American scum". To you I say: "Fuck off, I can challenge my leaders and their politics at any time".
Get your Unix fortune now!
For quite a long time I've wondered why there has been no investigation of MS's EULAs and Passport in the EU, since most of these contravene EU-wide laws on privacy of data, where explicit agreement is required before data can be used or given to third parties, and while I'm not sure about it altogether, I think that MS's EULAs also contravene one or two EU laws with respect to bought products etc. (trying to control the product after sale etc.).
I was one of the many who wrote in to the EU commissioner to complain about Passport. If you make a lucid complaint and have a valid view on some MS abuse etc., mail the EU. They generally do respond if you're not spamming or flaming, and it seems that they do take the issues up.