Warning

JUser: :_load: Unable to load user with ID: 65

The appeal by Privacy First and 19 citizens against the Dutch government takes place today. Privacy First is of the opinion that the new Dutch Passport Act violates the right to privacy. Despite criticism from the Dutch House of Representatives, the Dutch government recently decided to push this controversial law ahead. The case of Privacy First primarily concentrates on the centralised storage of fingerprints. This lawsuit is the first of its kind.

Clarification
On February 2, 2011, the Privacy First Foundation and 21 co-plaintiffs (citizens) were declared inadmissible by the district court of The Hague in our civil case against the Netherlands regarding the 2009 Dutch Passport Act. A proposal by the Dutch Minister of the Interior, Ms. Liesbeth Spies, to revise the Passport Act has been presented to the House of Representatives on 17 October this year. However, in this legislative proposal the original provision (Article 4b) concerning a centralised database remains intact for the greater part. Under this provision, biometric data of every Dutch citizen will be used for criminal investigation and prosecution purposes as well as intelligence work, disaster control and counter-terrorism. This constitutes a flagrant violation of, among other things, European privacy law. Efforts by individual citizens to challenge this through individual administrative court cases have thus far not yielded any results, since the administrative courts proved unwilling to evaluate the provision in question. Nevertheless, the Dutch Council of State (Raad van State) has recently made a preliminary reference to the European Court of Justice in Luxembourg regarding the European Passport Regulation. In anticipation of the Court’s response, all Dutch administrative proceedings have been put on hold for at least one and a half years, which means that protesting citizens have to fend for themselves during that period without valid identity documents. Enough reason for Privacy First to again haul up the civil-law sails in the public interest and to appeal in our Passport Act lawsuit.

To that end we have today presented our Statement of Appeal to the Court of Appeal in The Hague. In this Statement Christiaan Alberdingk Thijm and Vita Zwaan (SOLV Attorneys) outline why Privacy First and co-plaintiffs have to be declared admissible. Subsequently, it will be possible for the Passport Act to be legally scrutinized in its entirety by the court and be measured up against higher law, including European privacy legislation. Our entire Statement of Appeal can be downloaded HERE (in Dutch). The Appeals Court of The Hague is expected to deliver its judgment before the summer.

Urgent appeal
Privacy First makes an urgent appeal to all Dutch citizens to contribute to the financing of this lawsuit. This can be done by donating on account number 49.55.27.521 attn. Stichting Privacy First in Amsterdam, mentioning the following reference: ‘Paspoortproces’. We kindly thank you for your support!

Published in Litigation

This afternoon the Privacy First Foundation sent the following email to the Dutch Senate: 

Dear Members of the Senate,

Recently the international Amsterdam Privacy Conference 2012 took place. In his opening speech at this conference, Dutch politician Lodewijk Asscher principally addressed the current legislative proposal of regulating prostitution. Asscher voiced the expectation that the envisaged registration of prostitutes will lead to lawsuits that will end up before the European Court of Human Rights in Strasbourg. The Privacy First Foundation shares this expectation. Therefore, we hereby make an urgent appeal to you not to let things get this far and to reject the legislative proposal during the plenary discussion this coming Tuesday, October 30th. Privacy First does so on the following grounds:

1. Compulsory registration of prostitutes will lead to a shift of prostitution to the illegal circuit. Thereby this legislative proposal will prove to be counterproductive, with all the risks this entails. The social (legal) status of prostitutes will become further weakened instead of strengthened.
2. Compulsory registration of prostitutes violates the right to privacy because it concerns the registration of sensitive personal information. This is prohibited under Article 16 of the
Dutch Data Protection Act and is in breach of Article 8 of the European Convention on Human Rights.
3. Registration of prostitutes has a stigmatizing effect. Moreover, the security of this registration cannot possibly be guaranteed and there is also the danger of function creep. Therefore, the supposed advantages of registering do not outweigh the risks of data breaches, hacking, unauthorised and unforeseen use - now and in the future. This, in turn, also implies new risks of abuse and blackmailing.  
4. Combating criminality and human trafficking ought not to happen through the risky registration of prostitutes, but rather through more effective criminal investigation, prosecution and adjudication of the culprits without putting the victims in danger. For that purpose it is up to the Minister to develop alternative, privacy-friendly instruments in consultation with relevant NGOs.

We are willing to supply further information on the above points upon request.

Yours sincerely,

Privacy First Foundation

Update 30 October 2012: this afternoon the Senate heavily criticised (especially) the privacy aspects of compulsory registration of prostitutes. As a result, Minister Ivo Opstelten has decided to reconsider his approach to the issue. It now seems that compulsory registration is shelved. The discussion on other parts of the legislative proposal is postponed until further notice. Click HERE for an audio recording of the parliamentary debate (in Dutch) until its suspension (mp3, 2u53m, 119 MB).

Published in Law & Politics

The Privacy First Foundation has, with pleasure, just taken cognisance of 1) the announcement earlier today of a Dutch legislative proposal to abrogate fingerprints in ID cards and 2) the decision by the Dutch Council of State (Raad van State) to make a request for a preliminary ruling to the European Court of Justice in Luxembourg on the legality and interpretation of the European Passport Regulation in four administrative cases of individual Dutch citizens. The Privacy First Foundation hereby makes an appeal to Dutch Parliament to adopt the legislative proposal to abrogate fingerprints in ID cards as soon as possible. In anticipation of the expected adoption of this legislative proposal, taking people's fingerprints for ID cards must be halted immediately or at least become voluntary as a temporary solution. Privacy First also hopes that the European Court of Justice will swiftly deal with the preliminary reference and conclude that taking fingerprints for passports and ID cards is unlawful because it violates the right to privacy. Further comments by Privacy First will follow.    

Update 18.00h: listen to the interview (in Dutch) with Privacy First on Radio 1.

Update 29 September 2012: see also our reaction in the Dutch regional press.

Published in Biometrics

This Tuesday afternoon it is expected that the Dutch House of Representatives will vote in favour of two important motions. The first motion urges the Dutch government to have the European Passport Regulation critically discussed in Brussels. The second motion appeals to the government to take a firm stand in Brussels for there to be a critical reaction to American extraterritorial legislation, such as the notorious US Patriot Act. Both motions have come into being partly as a result of earlier reports by Privacy First about 1) the futility of taking fingerprints for passports and ID-cards and 2) the risk of Dutch fingerprints secretly ending up in foreign hands.  

The current taking of fingerprints is the result of the European Passport Regulation. This regulation dates back to the end of 2004 and primarily came into existence under pressure of the American Bush administration. Back then there was hardly any critical discussion about the benefits and necessity of taking people's fingerprints for travel documents. At the time the responsible rapporteur of the European Parliament wasn’t even able to bring out into the open statistics about this matter, as was recently revealed through a FOIA-request filed by Privacy First. Soon it will be up to the European Commission to still prove the effectiveness of the Passport Regulation. In case the Commission fails in doing so, the Regulation should be discarded immediately.

Apart from fingerprints, the long arm of the Bush administration has for years been reaching deep into the heart of Europe. With the American Patriot Act in force, the US government acquired, among other things, the power to obtain information from European companies that are situated in America as well. But this piece of legal imperialism was nothing new for the Americans: in the American 'war on drugs', American powers have been reaching far across US land and sea borders for decades. Since 2001, the Patriot Act has extended this extraterritorial circus to the American 'war on terror'. The 2002 The Hague Invasion Act has the same colonial touch to it: under this law the American administration reserves the right to keep Americans out of the hands of the International Criminal Court, if needed by invading The Hague. Another, more recent example is the National Defence Authorization Act: this law provides the US army with the power to arrest 'terror suspects' anywhere in the world and put them in military detention without any form of due process for an unlimited period of time.

In recent years Washington has hardly cared about the jurisdiction of other countries and international law. It has been generally known that in the long run this could only lead to excesses. Therefore it’s an absolute mystery to Privacy First what led the Dutch government to extend the contracts with the French passport manufacturer Morpho (partially situated in the US) without the guarantee that the fingerprints of Dutch citizens could not end up in American (or other foreign) hands. It is now up to the Dutch government to still protect its citizens and to request the European Commission to do the same thing at the European level.

Update: Both motions have been adopted by the House of Representatives with an overwhelming majority! You can find a video of it HERE (in Dutch, starting at 9m55s). Only the right-wing Party for Freedom (PVV) rejected the motions.

Published in Law & Politics

This morning in Geneva the long-awaited Universal Periodic Review (UPR) of the Netherlands took place before the Human Rights Council of the United Nations (UN). In the run up to this four-year session, the Privacy First Foundation and various other organisations had emphatically voiced their privacy concerns about the Netherlands to both the UN and to almost all UN Member States; you can read more about this HERE. The Dutch delegation for the UPR session was led by Interior Minister Ms. Liesbeth Spies. The opening statement by Spies contained the following, remarkable passage about privacy:

"The need to strike a balance between different interests has sometimes been hotly debated in the Dutch political arena, for example in the context of privacy measures and draft legislation limiting privacy. The compatibility of this kind of legislation with human rights standards is of utmost importance. This requires a thorough scrutiny test, which is guaranteed by our professionals and institutions. Improvements in this regard have been made when necessary, especially in the starting phase of new draft legislation. This has been done in the field of privacy, where making Privacy Impact Assessments (PIAs), describing the modalities for the planned processing of personal data, are compulsory now." (pp. 5-6, italics Privacy First)

A "thorough scrutiny test" and compulsory Privacy Impact Assessments are the terms that positively stand out for Privacy First.

Prior to the UPR session, the United Kingdom had already put the following questions to the Netherlands: "Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?" (Source) On behalf of the Netherlands, Minister Spies responded to this question in Geneva this morning saying: "On the review of our laws on data protection, The Netherlands are currently working on a legislative proposal on data breach notification, following announcements of this proposal in the present coalition agreement. The proposal, which would require those responsible for personal data to notify the data protection authorities in case of "leakage" of personal data with specific risks for privacy (including identity theft), is expected to be tabled in Parliament in the coming months." This answer is rather concise and unfortunately it doesn’t contain any new elements. However, a new Dutch law on compulsory notification for data leakages will hopefully become a best practice for other UN Member States. The credits for this go to our colleagues of the Dutch NGO Bits of Freedom who have worked on this for a long time.  

During the UPR session Estonia called the protection of privacy and personal data a "human rights challenge of the 21st century". Morocco then asked a critical question about the privacy issue: "Quelles sont les mesures concrètes entreprises par les autorités néerlandaises pour sécuriser l'utilisation des donnés personnelles?" ("What are the concrete measures taken by the Dutch authorities to protect the use of personal data?") The Philippines also raised the issue of the right to privacy, but only in these words: "The Philippine delegation appreciates the frank assessment of the Netherlands of the obstacles and challenges it has to hurdle in the implementation of the right to privacy especially in the area of protection of personal information." The comments by Greece, India, Russia and Uzbekistan were more content-focused. Greece addressed the practice of preventive searches: "We take note of reports regarding the issue of preventive body searches. We recommend that the Netherlands ensure that in its application of preventive body searches, all relevant human rights are adequately protected, in particular the right to privacy and physical integrity and the prohibition of discrimination on the basis of race and religion." India exhorted the Netherlands on ethnic profiling of citizens: "We encourage the Dutch Government to take concrete measures to combat discrimination including discrimination by the Government such as ethnic profiling." Russia too advised the Netherlands "to introduce measures to stamp out discrimination arising as a result of the practice of racist, ethnic or religious profiling." The Netherlands was addressed about this very issue by Uzbekistan as well: "We are concerned over the existence of information on the increasingly broad use by the police of racist profiling."

As a reaction to these points Minister Spies referred to recent research by the Dutch police, scientists and the National, the Amsterdam and the Rotterdam Ombudsman about preventive body searches, discrimination and ethnic profiling. With regard to digital profiling (in general), she moreover proclaimed the following: "In its recent proposal for a general Data Protection Regulation, the [European] Commission has included rules on profiling, which can address the problems associated with profiling and the protection of personal data. The Netherlands endorses the need for clear legislative rules with regard to this topic, given the specific challenges for privacy protection that this technique entails. This is also the background against which the Netherlands welcomed in 2010 the Council of Europe Resolution on this topic, which contained a useful definition of profiling that would also be beneficial for inclusion in the [European] Commission proposals. The Netherlands will draw attention to this ongoing discussion in Brussels. The Regulation, once in force, will be directly applicable in the Netherlands." 

By and large this is a reasonable result, given that up until now the privacy issue had hardly played any role at all within the UN Human Rights Council. However, it’s a shame that most countries still hardly dare to confront this issue, let alone ask specific and critical questions about it. Many of the recommendations by Privacy First have not been touched upon during this UPR session, although diplomats in Geneva and The Hague had earlier shown great interest in them. Perhaps they were stopped by their Foreign Affairs departments in capital cities because many privacy issues are also sensitive in their own domestic politics? Who knows... However, the fact remains that the international community was informed by Privacy First well in advance, which was part of the reason that the Dutch UN delegation headed by Minister Spies was properly focussed on the job at hand. This can only be to the benefit of general awareness and the protection of privacy, both inside and outside the Netherlands. In the end, for us this is what it’s all about. 

Update 4 June 2012: This afternoon, a working group of the Human Rights Council adopted a draft report on the Dutch UPR session. The final version of this report will be adopted by the Human Rights Council in September 2012, accompanied by a (motivated) acceptance or rejection by the Netherlands of each individual recommendation in the report. Furthermore, this will also be discussed by the Dutch House of Representatives.

A total of 49 countries have taken part in the Dutch UPR session. It is noteworthy that Belgium, Italy and Austria did not take part in the session (although Belgium and Italy had in fact enrolled beforehand). As far as Austria is concerned this is particularly regrettable, because of all the UN Member States it was actually Austria which had in advance expressed the most interest in the Privacy First UPR shadow report and had intimated to be able to make a powerful, overall recommendation to the Netherlands about the right to privacy.  

Update 21 September 2012: This morning, the UN Human Rights Council discussed its recommendations to the Netherlands. The Dutch Permanent Representative in Geneva declared which recommendations have been accepted or rejected by the Netherlands; see this UN document and this video. The two recommendations by the Human Rights Council that related to ethnic profiling and preventive body searches have both been accepted by the Netherlands under the following clarification:

ethnic profiling: "The Dutch government rejects the use of ethnic profiling for criminal investigation purposes as a matter of principle." About profiling in a more general sense: "In its recent proposal for a General Data Protection Regulation, the European Commission included rules on profiling that address problems that may arise due to the increasing technical possibilities for in-depth searches of databases containing personal data. The Netherlands endorses the need for clear legislative rules on this subject, given the specific challenges for privacy protection that this technology entails." (Source, 98.57 & n. 75).
- preventive body searches: "The power to stop and search is strictly regulated in the Netherlands. The mayor of a municipality may designate an area where, for a limited period of time, preventive searches may be carried out in response to a disturbance of or grave threats to public order due to the presence of weapons. The public prosecutor then has discretion to order actual body searches and searches of vehicles and luggage for weapons."
(Source, 98.74 & n. 95).

See also this statement by the Netherlands Committee of Jurists for Human Rights (Dutch abbreviation: NJCM) from this morning (video). Just like the NJCM, Privacy First regrets the lack of government consultation in the run up to today’s UPR session.

Below you can watch the 31 May 2012 UPR session in its entirety (click HERE for video segments of individual countries). 

Published in Law & Politics
These days, of all human rights the right to privacy finds itself under the most pressure. Therefore, it is of great importance that the government, being the largest privacy violator, is tightly controlled by means of proper legislation. With good checks & balances, for the government itself as well as for monitoring possible privacy violators such as Microsoft, Google, Apple and large ICT companies like Cisco and Intergraph that set up entire electronic surveillance infrastructures in China.

Under the ‘principle of security’, current Western democracies are increasingly being led by suspicion, hate and control instead of the principles of trust, love and freedom. And all of this to protect those last three mentioned? In the view of Privacy First, the line in the sand has already been drawn in 2001. Under the guise of security our legislation has been heavily modified to the disadvantage of individual citizens and through function creep the boundaries of the application of this legislation are continuously being stretched. Will loitering youth and football hooligans soon be seen as criminal or terrorist organisations under our judicial system? And what about everyone who thinks or acts differently? Where can we draw the line? And who makes the decisions over this? And who will scrutinize the decision maker and the executor?

At the moment, it is under the big heading of ‘profiling’ that ever more privacy violations take place. The aim of profiling is tracking entire populations or target groups in order to identify so-called 'outliers' through criteria and norms that are to be imposed. Outliers are deviations from the norm: people who behave differently than the ‘normal group’, or a specific group the government has set its eyes upon, whoever it may concern. People who have unpaid bills, who drive too fast, who gather in groups, attorneys, journalists, activists, airplane passengers, those entitled to public aid, sect members, etc. Just identify and track them, you never know if there’s someone amongst them who hasn’t abided by the rules or who fits a certain profile you’re looking for.

Profiling is characterised by four aspects that in our perception are in conflict with the Dutch Constitution as the basis for our constitutional State:

  • The reversion of a fundamental principle of law: citizens are tracked en masse without a concrete, reasonable suspicion of a crime. Through profiling everyone becomes a potential suspect and everyone’s privacy can be violated unpunished.
  • With the current state of technology, profiling is aimed at continuous, real-time identification instead of passive registration and analysis of data of a citizen under reasonable suspicion. So we move from registration to identification, without the authorization and awareness of the trustful citizen. In this way, out of its own distrust the government abuses the good faith of citizens and in so doing imposes its own standard criteria. Without any democratic evaluation or strict legal guarantees.
  • The application of the technology used for profiling is based on the principle that ‘everything’s allowed if it’s technically possible’. For the greater part this development is invisible for citizens. Subway stations, trains, busses, trams, inner cities, police helmets and even parking machines (!) in Amsterdam are incessantly being equipped with cameras. These are linked to central control rooms and, where possible, fitted with identification and pattern recognition software in order to be able to directly perceive ‘suspicious matters’. The mantra of our government: ‘ill doers are ill deemers’.
  • Increasing restrictions to internet freedom of companies and individuals. Since 2010 all our personal telephone and email correspondence are being stored. All this is being done to prepare for profiling. At the moment the US Congress is working on a legislative proposal (Cyber Intelligence Sharing and Protection Act, CISPA) which grants private businesses and the US government the right to spy on citizens at any given moment and for as long as they want and to report them in case there are ‘outliers’. All of this without the need for a warrant. WikiLeaks, child porn, copying illegal content and the like are all too readily used to introduce new legislation to further restrict our internet freedom and which is to be applied in other areas the government wants to have control over. Preferably on a worldwide scale, without any democratic scrutiny. The government obliges citizens to increasingly use online services: the Citizen ‘Service’ (Control that is) Number (in Dutch: Burger Service Nummer, BSN), the Electronic Child File (Elektronisch Kind Dossier, EKD/DDJGZ), the Electronic Student File (Elektronisch Leerlingen Dossier, ELD), Diagnosis Treatment Combinations in healthcare (Diagnose Behandel Combinaties, DBC’s), etc. Of every citizen an ‘electronic life file’ comes into existence which in conjunction with electronic traces are to become able to predict suspect or deviant behaviour. Preferably in real-time and online. All of this, naturally, to protect our freedom...

In case fingerprints in passports will be replaced by new biometric features, the road will be cleared for a much worse form of profiling. Through the use of facial scans in databases, citizens will be able to be identified and tracked in public spaces in real-time and to be singled out through profiling on the basis of criteria predetermined by ‘someone’. In this process the government deliberately focuses on modifying the technology. As a result, there is 'fortunately' no need to talk about whether or not biometrics are actually desirable in our society, and if so, under which conditions and guarantees. Privacy First advocates for 'privacy by design' and privacy enhanced technologies as well as strict legislation with regard to biometrics and profiling. Because we don’t want to leave our children behind in an electronic concentration camp...

For a free, open and vivid 2012!

Bas Filippini,
Chairman of the Privacy First Foundation

Postscript: in the context of the National Privacy Debate, this column has also been published (in Dutch) as an Opinion by Dutch web-magazine Webwereld: http://webwereld.nl/opinie/110383/profiling-het-grootste-gevaar-voor-privacy--opinie-.html and http://nationaalprivacydebat.nl/article/ww/110383/profiling-het-grootste-gevaar-voor-privacy-opinie

Published in Profiling

The following article by Privacy First employee Vincent Böhre was published this month in the periodical De Filosoof (‘The Philosopher’, University of Utrecht). Tomorrow the Dutch Passport Act will be high on the Dutch political agenda: in a debate with the Minister of the Interior Liesbeth Spies the compulsory taking of fingerprints for Dutch passports and ID cards will be discussed. Privacy First has recently (again) emphasized to all political parties in the Dutch House of Representatives to have passports without fingerprints introduced as soon as possible and to make a request to the government to have the Passport Regulation revised at the European level. This in order for the compulsory taking of fingerprints to be done away with also for passports, or at least to become of a voluntarily nature. The text below offers a quick recap with a positive twist. A pdf version of the original article in Dutch can be found HERE (pp. 6-7).

The biometric passport as an unintended privacy gift

‘‘Late 2001, the Christian-democratic political party CDA proposed storing the fingerprints of every Dutch citizen through passports for criminal investigation purposes. However, this proposal was immediately scrapped by other political parties because it would lead to a Big Brother society. Nonetheless, an even more far-reaching proposal became law seven years later almost inconspicuously. Under the new Dutch Passport Act, apart from criminal investigation and prosecution, everyone’s fingerprints and facial scan (biometric data) could also be used for counter-terrorism, domestic and foreign State security, disaster control and personal identification. However, none of these legal purposes had been discussed in Parliament.[1] In fact, the new Passport Act was accepted by the Senate even without a vote. The media merely stood by and watched how it happened. How could things have gotten this far?

‘Bystander syndrome’

In a certain way the Passport Act was (and is) emblematic for the Dutch era after '9/11'. An era in which (presupposed) anti-terrorism measures could be steered through Parliament with the greatest of ease. After all, such measures would enhance our security, we were continuously told. By nature people are inclined to believe the authorities and to accept the status quo. From a human rights point of view, one could consider the post-9/11 era as a huge Milgram experiment: without too much resistance many human rights have for years been put to the rack of society. The realization of the new Passport Act is no exception. Every Member of the Senate could at least have made a request for a parliamentary vote. Journalists and scientists could have blown the whistle on time. Instead, they all stood there and watched since, of course, the law would make the Netherlands a ‘more secure’ place. But what was this assumption based on? Wasn’t the Netherlands actually going to be less secure by the massive storage of fingerprints in travel documents and affiliated databases? This question has never been asked in public, let alone discussed and answered.

Disproportionate

The prime argument by the Dutch government for the introduction of fingerprints in passports and ID cards has, since the late 90s, been the following: it would prevent look-alike fraud with travel documents. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his or her appearance resembles. Questions about the scale of this type of fraud have hardly ever been asked in Parliament. From a recent FOIA-request filed by Privacy First, it appeared that we’re dealing with only a few dozen cases each year (with Dutch travel documents on Dutch territory).[2] In light thereof the introduction of fingerprints in travel documents of 17 million Dutch citizens is completely disproportionate. Not to mention the dozens, if not hundreds of millions of Euros that the government has spent on this project.

Risks

With the introduction of a ‘biometric identity infrastructure’ a new form of fraud comes to life that is extremely difficult to trace and combat: biometric identity fraud, for instance through hacking. Not just with guileless citizens and companies, but also in the public sphere (espionage). Moreover, it has been pointed out that in 21-25% of cases the biometric data in the chip of Dutch travel documents cannot be read (verified). So in the event of passport control, there is a high risk that citizens become unjustly suspected of fraud. The biometric passport is no good for combating terrorism either: terrorists generally use their own, authentic travel documents. Unfortunately, little is publicly known about the way security and intelligence agencies use biometrics, even though some purposes are easy to predict: identification of suspects unwilling to speak and ‘interesting’ persons in public space, the recognition of emotions, lie detection and the recognition or use of doubles. The same applies to the domain of criminal investigation and prosecution, also in conjunction with camera surveillance and automatic facial recognition. In addition, the RFID (Radio Frequency Identification)-aspect of the chip in the document enables it to be read from a distance: citizens can be identified and tracked without it being noticed. With regard to personal identification, one could think of the possible introduction of fingerprints at banks, social services, the internet, etc. (Since the end of last year, a Dutch pilot project with mobile finger scanners for the police is ongoing.) Finally, there’s the domain of fighting disasters: biometrics used for the identification of casualties in the event of large-scale disasters or as a logistic means. All in all these possibilities for the use of biometrics go dozens, if not a hundred steps beyond the mere combating of look-alike fraud with travel documents. One ought to realize that all of these possibilities will sooner or later be put into practice. In jargon this is called ‘function creep’; historically seen it’s inevitable. Scientific research into future applications of biometrics continuously takes place. What’s more, even in our part of the world a democratic constitutional State is no invariable matter of fact. It is therefore very dubious whether our world will become ‘more secure’ by the large-scale use of biometrics.  

Positive change

It is exactly this concern which brought about a small Dutch revolution in the summer of 2009: at the time, the enactment of the new Passport Act led to a torrent of criticism and to the coming into being of the current Dutch privacy movement. New privacy organizations such as Privacy First proliferated, social coalitions were forged and lawsuits against the new Passport Act were filed.[3] This boomerang effect within society continues to this day. Since that time the right to privacy is ever higher on the societal and political agenda. In that sense the biometric passport has so far proved to be an unintended gift from heaven.''



[1]
See Vincent Böhre, Happy Landings? Het biometrische paspoort als zwarte doos (Happy landings? The biometric passport as a black box), Wetenschappelijke Raad voor het Regeringsbeleid, WRR (Scientific Council for Government Policy) October 2010, http://www.wrr.nl/publicaties/publicatie/article/happy-landings-het-biometrische-paspoort-als-zwarte-doos-46/.
[2]
See Privacy First, Revealing figures about look-alike fraud with Dutch travel documents (20 March 2012).
[3]
See Böhre supra footnote 1, p. 111 ff.
Published in Meta-Privacy
These days, of all human rights the right to privacy finds itself under the most pressure. Therefore, it is of great importance that the government, being the largest privacy violator, is tightly controlled by means of proper legislation. With good checks & balances, for the government itself as well as for monitoring possible privacy violators such as Microsoft, Google, Apple and large ICT companies like Cisco and Intergraph that set up entire electronic surveillance infrastructures in China.

Under the ‘principle of security’, current Western democracies are increasingly being led by suspicion, hate and control instead of the principles of trust, love and freedom. And all of this to protect those last three mentioned? In the view of Privacy First, the line in the sand has already been drawn in 2001. Under the guise of security our legislation has been heavily modified to the disadvantage of individual citizens and through function creep the boundaries of the application of this legislation are continuously being stretched. Will loitering youth and football hooligans soon be seen as criminal or terrorist organisations under our judicial system? And what about everyone who thinks or acts differently? Where can we draw the line? And who makes the decisions over this? And who will scrutinize the decision maker and the executor?

At the moment, it is under the big heading of ‘profiling’ that ever more privacy violations take place. The aim of profiling is tracking entire populations or target groups in order to identify so-called 'outliers' through criteria and norms that are to be imposed. Outliers are deviations from the norm: people who behave differently than the ‘normal group’, or a specific group the government has set its eyes upon, whoever it may concern. People who have unpaid bills, who drive too fast, who gather in groups, attorneys, journalists, activists, airplane passengers, those entitled to public aid, sect members, etc. Just identify and track them, you never know if there’s someone amongst them who hasn’t abided by the rules or who fits a certain profile you’re looking for.

Profiling is characterised by four aspects that in our perception are in conflict with the Dutch Constitution as the basis for our constitutional State:

  • The reversion of a fundamental principle of law: citizens are tracked en masse without a concrete, reasonable suspicion of a crime. Through profiling everyone becomes a potential suspect and everyone’s privacy can be violated unpunished.
  • With the current state of technology, profiling is aimed at continuous, real-time identification instead of passive registration and analysis of data of a citizen under reasonable suspicion. So we move from registration to identification, without the authorization and awareness of the trustful citizen. In this way, out of its own distrust the government abuses the good faith of citizens and in so doing imposes its own standard criteria. Without any democratic evaluation or strict legal guarantees.
  • The application of the technology used for profiling is based on the principle that ‘everything’s allowed if it’s technically possible’. For the greater part this development is invisible for citizens. Subway stations, trains, busses, trams, inner cities, police helmets and even parking machines (!) in Amsterdam are incessantly being equipped with cameras. These are linked to central control rooms and, where possible, fitted with identification and pattern recognition software in order to be able to directly perceive ‘suspicious matters’. The mantra of our government: ‘ill doers are ill deemers’.
  • Increasing restrictions to internet freedom of companies and individuals. Since 2010 all our personal telephone and email correspondence are being stored. All this is being done to prepare for profiling. At the moment the US Congress is working on a legislative proposal (Cyber Intelligence Sharing and Protection Act, CISPA) which grants private businesses and the US government the right to spy on citizens at any given moment and for as long as they want and to report them in case there are ‘outliers’. All of this without the need for a warrant. WikiLeaks, child porn, copying illegal content and the like are all too readily used to introduce new legislation to further restrict our internet freedom and which is to be applied in other areas the government wants to have control over. Preferably on a worldwide scale, without any democratic scrutiny. The government obliges citizens to increasingly use online services: the Citizen ‘Service’ (Control that is) Number (in Dutch: Burger Service Nummer, BSN), the Electronic Child File (Elektronisch Kind Dossier, EKD/DDJGZ), the Electronic Student File (Elektronisch Leerlingen Dossier, ELD), Diagnosis Treatment Combinations in healthcare (Diagnose Behandel Combinaties, DBC’s), etc. Of every citizen an ‘electronic life file’ comes into existence which in conjunction with electronic traces are to become able to predict suspect or deviant behaviour. Preferably in real-time and online. All of this, naturally, to protect our freedom...

In case fingerprints in passports will be replaced by new biometric features, the road will be cleared for a much worse form of profiling. Through the use of facial scans in databases, citizens will be able to be identified and tracked in public spaces in real-time and to be singled out through profiling on the basis of criteria predetermined by ‘someone’. In this process the government deliberately focuses on modifying the technology. As a result, there is 'fortunately' no need to talk about whether or not biometrics are actually desirable in our society, and if so, under which conditions and guarantees. Privacy First advocates for 'privacy by design' and privacy enhanced technologies as well as strict legislation with regard to biometrics and profiling. Because we don’t want to leave our children behind in an electronic concentration camp...

For a free, open and vivid 2012!

Bas Filippini,
Chairman of the Privacy First Foundation

Postscript: in the context of the National Privacy Debate, this column has also been published (in Dutch) as an Opinion by Dutch web-magazine Webwereld: http://webwereld.nl/opinie/110383/profiling-het-grootste-gevaar-voor-privacy--opinie-.html and http://nationaalprivacydebat.nl/article/ww/110383/profiling-het-grootste-gevaar-voor-privacy-opinie

Published in Columns
Friday, 13 April 2012 16:11

Save the internet from the U.S.

The following (translated) call reached us this week from Avaaz (in Dutch) and is fully supported by Privacy First:

‘‘At this very moment, the American Congress wants to secretly adopt a legislative proposal which enables them to spy on internet users everywhere in the world, hoping the world won’t notice it. Last time around we contributed to the fight against the attack on the internet, now let’s do it again.

Over a 100 Congress members support the legislative proposal (CISPA) which grants private businesses and the American government the right to spy on every one of us, at any given moment and for as long as they want without the need for a warrant. This is the third time the American Congress tries to attack our internet freedom. We helped defeat the Stop Online Privacy Act (SOPA) and the Protect IP Act (PIPA) – now we can defeat this new ‘Big Brother law’.

Our global indignation has previously played a leading role in protecting the internet against governments that want to track and control us online. Let’s once more stand united and thwart this law for good. Sign the petition and forward it to anyone who uses the internet: http://www.avaaz.org/en/stop_cispa

The Cyber Intelligence Sharing and Protection Act (CISPA) determines that in a mere case of suspicion of a cyber threat, companies that allow us internet access have the right to collect information about our online activities, to share this information with the government and to refuse notifying us about this. Afterwards they enjoy immunity from prosecution for privacy violations or whichever other illegal activity it may concern. This implies an insane dismantling of the privacy we all have faith in during our daily habits of sending emails, having Skype chats, performing search actions, etc.

But we know the American Congress is afraid of the world’s reaction. It is the third time that they put the attack on our internet freedom in a new jacket in order to push it through after all. The name of the law is repeatedly being changed in the hope that citizens won’t notice it. NGOs that deal with internet rights, like the Electronic Frontier Foundation, have already condemned the legislative proposal on account of violation of privacy protection. It’s time for us to speak out.

Sign the petition for Congress against CISPA. As soon as we have 250.00 signatures we will hand over our petition to every one of the 100 American representatives who support this law: http://www.avaaz.org/en/stop_cispa

Every day internet freedom has to endure the threats from governments from all over the world, but the US can cause the greatest damage since most of the internet’s infrastructure is situated there. Time and again our movement has proved that global public opinion contributes to stopping the US from threatening our internet. Let’s do this again.’’

Published in Online Privacy

Thanks to a FOIA-request by the Privacy First Foundation, the official figures about look-alike fraud with Dutch passports and ID-cards have today, for the first time, become public. From these figures it emerges that the Dutch biometric passport with fingerprints is an absolutely disproportionate measure, the introduction of which should never have been allowed.

The primary argument from the Dutch government for introducing fingerprints in passports and ID-cards has for years been the same: fighting look-alike fraud. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his appearance resembles. This kind of swindler is also called an impostor. Questions about the scale of this type of fraud have hardly ever been asked, not by members of Dutch Parliament, nor by scientists or journalists. Those who raised a question about it in the last ten years were usually provided with an answer that left them none the wiser: figures about look-alike fraud would be ‘unknown’, ‘not publicly available’, ‘confidential’, or ‘secret’. The answer to the most recent parliamentary question in this respect dates back to October 2010:

- Question: ‘‘Is it true that the figures of look-alike fraud with ID documents are known, but that you are unwilling to provide them to the House of Representatives? Are you actually prepared to provide these figures to the House of Representatives?’’
- Answer by Dutch State Secretary Ank Bijleveld (Ministry of the Interior): ‘‘No, this is not true. Since such figures are unknown to me, it’s obvious I cannot send them to you.’’ (Dutch source)

Those who have been asking supplementary questions in recent years were often told we would be facing a massive phenomenon. In this way the idea of a 'dark figure' of crime of almost mythical proportions came into existence. That is to say, without any trace of evidence. So recently the Privacy First Foundation filed a FOIA-request to the department of the Dutch government that has been keeping track of the figures on look-alike fraud for years: the Dutch Expertise Centre on Identity fraud and Documents (Expertisecentrum Identiteitsfraude & Documenten, ECID) based at Schiphol Airport. The ECID falls under the Royal Netherlands Marechaussee (KMar) and is thus part of the Dutch Ministry of Defence. Privacy First knew from a reliable source that those figures could be found in the clear annual reports of the ECID from 2008 onwards. So recently we have simply made a request for those reports by email. Subsequently Privacy First received the Statistic Annual Overviews on Document Fraud (Statistische Jaaroverzichten Documentfraude) from 2008 to 2010 from the Ministry of Defence. (Update: the statistics from 2011 followed on 29 May 2012.) The following figures result from these annual reports relating to look-alike fraud with Dutch passports and ID-cards on Dutch soil:   

2008: 46 cases (source: Statistisch Jaaroverzicht Documentfraude 2008, p. 45)

2009: 33 cases (source: Statistisch Jaaroverzicht Documentfraude 2009, pp. 42-43)

2010: 21 cases (source: Statistisch Jaaroverzicht Documentfraude 2010, pp. 52-53)

2011: 19 cases (source: Statistisch Jaaroverzicht Documentfraude 2011, pp. 52-53).

The Netherlands has 17 million inhabitants. By now almost 7.5 million of those had their fingerprints taken to combat a handful of cases of look-alike fraud. By any standard this is a completely disproportionate situation and thereby forms a collective violation of the right to privacy of all Dutch citizens. Privacy First regards these figures as a strong backing in its lawsuit against the Dutch government regarding the new Dutch Passport Act and hereby makes a call to the government to immediately stop the compulsory taking of fingerprints for passports and ID-cards. Regardless of whether or not that’s against European policy.

Update 22 March 2012: At first Privacy First showed the numbers 63 (2009) and 52 (2010). However, those figures were based on a calculating error (they were counted twice), for which we apologise.  

Update 30 March 2012: internal documents from the Dutch Ministry of the Interior from 2004 also imply a relatively low figure for fraud and, moreover, high costs for introducing biometric technology in travel documents. Privacy First recently obtained these documents through a large-scale FOIA investigation that has been ongoing since April 2011.

Update 29 May 2012: Today Privacy First finally received the long-awaited Statistisch Jaaroverzicht Documentfraude 2011 from the Dutch Ministry of Defence. The number of cases of look-alike fraud with Dutch passports and ID-cards on Dutch soil (as far as the KMar is aware) according to this report were respectively... 11 and 8, so just 19 in total. We have updated the list of cases from 2008 to 2010 above with the figures from 2011. So the idea of look-alike fraud as a very small-scale phenomenon is once more confirmed. To burden the entire Dutch population with biometric passports and ID-cards as a countermeasure is and will be completely disproportionate and therefore unlawful.

Published in FOIA Requests
Page 8 of 9

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon