Warning

JUser: :_load: Unable to load user with ID: 65

On March 5, 2012, Adriaan Bos presented his exciting debut novel Advocaat van de waarheid ('Advocate of the Truth') at Van Doorne Lawyers in Amsterdam. More about the book can be found HERE (in Dutch). Below are the translated text and a Dutch video of the speech that Privacy First chairman Bas Filippini held for this occasion:

"We are a foundation, we proceed from donors and with that money we deliver action. That's actually a new form of action: business action - I come from the industry - and if necessary we can also take legal action. Mainly against the Dutch government: the government which should be protecting our privacy, but which at this moment is in fact the biggest violator of privacy that you can imagine.

There is something very "close" about privacy, namely one's own private environment. The thing with privacy is, it is actually quite simple, as the Egyptians used to say: there is a balance, an ostrich feather, and your soul, and you can find out for yourself what has weighed most heavily in your life. We always see the pictures of the hieroglyphics, but that's what these people were actually doing. Which life do you live and how do you shape that life? Just as the government has a mantra of "nothing to fear, nothing to hide", we have our own mantra: "I have nothing to hide, so I do not have to be checked and I am certainly not to be watched. I prefer to possess my own personal data in this society." For me, this line in the sand had already been drawn in the year 2000. Then at one point I took the initiative and said: let's take action. With a foundation. Maybe you've heard about us from the Passport Act. The big Moloch, the government goes on and on, often out of ignorance, sometimes unwillingness, sometimes consciously, funded by IT companies, so is my perception. Then there comes a point that if one doesn't want to listen, one must feel. So we deployed a lawyer. And through these first small steps, we have already achieved some big results.

From the book by Adriaan Bos I recognized many things to myself: personal development and making choices in life. In his book, Adriaan immediately puts the cat among the pigeons by choosing the worst scenario: government-obliged chipping of people. That is of course the horror scenario where I dig my Privacy First heels in the sand. The storyline immediately appealed to me and I found it very recognizable. It reminds me of the ability to make personal choices: make it personal, get that balance and make your choice. On the other hand, I recognized it as a Da Vinci Code-type book, a thriller, businesslike, including the legal profession. I experience that a lot: you need a lawyer for a contract or an acquisition; that's when you need each other. That business approach really appealed to me. This is also a beautiful way of introducing this topic to the masses. But also the frightening prospect of the end to your personal freedom. In my perception we're talking about principles here which took 3,000 years to develop and to discuss, where people have been killed, given their lives and waged wars. What are the real truths in everyone's own story? For me, those are freedom, a sense of freedom, and trust, a society based on trust. Speech by Bas FilippiniAnother key is different for each person: a child comes to this world in freedom, curiosity and confidence. I think a child is always a good mirror for how society should be. A society based on opposite principles, mistrust, hatred and control, to that everyone will say in advance: this is not a society we want to live in. But look around you and see what is happening: we are building a society based on distrust, hate - "you are either with us or against us" - and control. This is what we call 'profiling'. From unwillingness and stupidity you see a lot of profiling taking place in this society. The highway is under total surveillance. Everywhere you drive into Amsterdam you will be photographed. This started with environmental legislation and then we quickly saw the poles shift until it suddenly became a measure for every Amsterdam resident. Even the parking meters have cameras. For what purpose? To buy a ticket? I don't understand this, and yet you see some kind of general acceptance about it. Looking at Adriaan's book, I can say that you must experience it yourself and read it in order to have to your own opinion about it. Luckily, we are free to do this. The book is about the fact that, in times of crisis, legislation can quickly shift in the direction of a quick "fix". As we all know, choices out of fear are often not the best choices. Short-term pleasure is long-term pain, and short-term pain is long-term pleasure. Sometimes it is better not to overreact because of something hysterical in the newspapers, as we often experience in this media democracy.

I would like to finish by stating my intention of not leaving my daughter behind in an electronic concentration camp. This is what I see we are heading toward. This may not be the nicest of messages, but that is not what I am here for; I like to challenge and to stimulate. I hope that Adriaan Bos will make a very good contribution to this. You should really make a movie out of this book. The Privacy First Foundation hereby donates 5,000 Euros for the first building block: the translation of the book into English so that it can get a much bigger audience. It really is a whole new genre in the field of thrillers, ethics, spirituality and personal development."

Overhandiging van het boek door Adriaan Bos aan Bas Filippini

Video (in Dutch):

Published in Privacy Library
Wednesday, 27 June 2012 13:58

No bodyscans on the streets!

The Amsterdam police are considering the introduction of mobile X-ray body scanners on the streets, local television station AT5 reported today. If the police will indeed introduce such "nude scanners", Privacy First will not hesitate to sue both the Amsterdam police and the responsible Amsterdam Mayor Van der Laan for breach of 1) human dignity, 2) the presumption of innocence, 3) privacy, 4) freedom of movement, 5) physical integrity and 6) the health of all Amsterdam residents. Any introduction of mobile X-ray scanners will actively jeopardize the privacy as well as the health of innocent citizens.

Privacy First hereby makes an urgent appeal for political measures: this Thursday the subject of preventive searches is on the agenda of the Amsterdam city council. It is primarily up to the council to blow the whistle and prohibit the introduction of nude scanners by the Amsterdam police. If the council fails in this, Privacy First reserves the right to take all necessary measures to prevent the introduction of nude scanners.

Update 7.00pm: reaction of Privacy First on FunX Radio (in Dutch).

Update June 29, 2012: the introduction of mobile body scanners is put on hold during further investigations by Amsterdam Mayor Van der Laan. The subject will not be on the agenda of the Amsterdam city council again until early 2013. The political debate on preventive searches (including the possible introduction of body scanners) which took place yesterday in the Amsterdam city council Committee for General Affairs can be viewed online HERE (starting at 233m40s).

Published in CCTV
Saturday, 23 June 2012 18:29

National Privacy Debate 2012

On June 11, 2012, the long-awaited National Privacy Debate took place in The Hague. Privacy First summarizes the most noteworthy aspects for you, starting with the striking plea (in Dutch) for a Privacy Delta Plan by Brenno de Winter:

"The National Privacy Debate is a unique opportunity to start something beautiful and to challenge people into engaging in open discussion. Let us seize this opportunity and work on a Delta Plan. To make the Netherlands a guiding country again. A model for the rule of law as to the protection of the citizen. That's what we are best at!"

Brenno de Winter.  © Sebastiaan ter Burg

The floor was then given to Anthony House (Google), who at the end of his keynote speech posed the following question to the audience:

“Are the principles of data protection that were developed in the 1970s still good today? Do we need to start from scratch on privacy principles?”

From the silence in the audience and some answers that followed, it could (fortunately) be inferred that the classic privacy principles still suffice today, at least to a large extent.

The event then turned to the first panel discussion, which was focused on the question of what is currently preferred most: more legislation or more self-regulation? The responses from the panel and from the audience showed a predominant preference for both options together instead of just one or the other. As in the financial sector, good laws and strict enforcement have become a bitter necessity for the ICT sector. However, such laws only represent a rapidly aging minimum level of privacy protection. It follows that it is up to the ICT sector itself to operate continuously at the highest, most privacy-friendly (i.e. customer-friendly) level. This is an important selling point which offers significant competitive advantages. In this sense, legislation and self-regulation can complement each other well.

Then there was a speech by Joost Farwerck (KPN) who stated, inter alia, that privacy now has a high priority among a broad Dutch audience: research by KPN had shown that the public attaches most value to this after good healthcare and education. Therefore, KPN has set up an internal Privacy Awareness program and an external Privacy Mission. Farwerck finally pleaded to make the National Privacy Debate a recurring event. (So did Arie van Bellen (ECP-EPN) later that day.) Privacy First is happy to join this plea.

During the second panel session (on privacy and security) some interesting parallels were drawn with security in other sectors such as the food industry and the aviation industry, both in terms of legislation and self-regulation as well as supervision and enforcement. Earlier in the day, Vincent Böhre (Privacy First) had drawn a similar parallel with past developments in the field of environmental protection. Many participants in the debate agreed that, on the one hand, the Dutch Data Protection Authority (DPA) lacks adequate resources and powers, while on the other hand its enforcement of existing privacy laws is too weak. In addition, Walter van Holst (Mitopics) rightly noted from the audience that more emphasis should be put on data minimization. Indeed, without any data no security is needed.

The floor was then given to Bart de Koning: journalist and author of the Dutch book 'Alles onder controle, de overheid houdt u in de gaten' ("Everything under control, the government is watching you"). In his speech, De Koning pointed out some positive recent developments, such as the Dutch resistance to passport fingerprinting, the new Dutch law on cookies, net neutrality and political attention to the risks of the U.S. Patriot Act. At the same time he warned about negative developments such as the Dutch proposal to provide all car number plates with RFID chips. Furthermore, the Netherlands is still champion in eavesdropping. In addition, De Koning noted that Dutch media (including Elsevier magazine) are devoting more attention to privacy than before and that citizens are increasingly keeping an eye on their government instead of vice versa. "The citizen peeks back" and this can have "a disciplining effect on the State", De Koning said. As to the future, De Koning suggested the following guidelines to the audience: 1) think before you act, 2) data minimization, 3) transparancy, 4) effectiveness, 5) sunset clauses and 6) an ongoing debate. De Koning further argued for the introduction of Dutch constitutional review (at the judiciary), a Constitutional Court and stronger oversight by the Dutch DPA. In this connection he made a comparison with Germany, where ANPR (automatic number plate recognition) is prohibited.

 

Bart de Koning.  © Sebastiaan ter Burg

Then there was room for discussion with the audience, at which point Joyce Hes (Foundation for the Protection of Civil Rights) made an especially important remark: many public debates (including the periodic Privacy Cafes in Felix Meritis) are conducted with privacy advocates. Politicians and officials who are critical of privacy rarely show up at these debates. This is not good for the discussion.

Joyce Hes and Frénk van der Linden.  © Sebastiaan ter Burg

Finally, Bart de Koning stated that the ethnic 'underclass' has become the main victim of systematic privacy violations, including preventive home visits. Privacy First endorses all of these points.

The topic of the third panel session was "privacy and government":

© IDG Nederland

© IDG Nederland

On behalf of Privacy First, Bas Filippini kicked off as follows:

"What we focus on are private choices in a free environment. Private choice means the freedom to choose, and a free environment means that we endeavor to keep society as free as possible for the average citizen in the Netherlands. This unless you are suspected of a crime: then privacy can be exchanged for security. That is our philosophy. We argue things from principles first, tested against the Constitution. Then we look at the implementation: are there sufficient checks and balances? How is policy being set and how is it applied? Only finally we look at technology. I always use the following example: "With a knife you can stab someone, but you can also make a sandwich." For many people, technology is the "holy grail" to which everything is connected, without first having taken these three steps: 1) principles , 2) policy, 3) implementation, followed by smart use of technology. Often the principles of subsidiarity and proportionality are breached, which is very unfortunate. In government, there are many people who would like to do things differently, but if they disagree with something, they are quickly seen as whistleblowers, which has a stigmatizing effect. So the Titanic keeps on sailing towards the iceberg, currently resulting in more and more profiling. By that we don't mean targeted profiling in case of a reasonable suspicion of a criminal offence, but surveillance of an entire population to see if there is "anything wrong" somewhere, based on outliers, the deviations from the median. We consider this a great danger, because everyone will become suspect. This creates a lot of self-censorship among people, officials and citizens alike."

 

Bas Filippini.  © IDG Nederland

Bas Filippini.  © IDG Nederland

During the remainder of the panel debate, the observations by Ronald Leenes (Tilburg University) stood out: Leenes warned about loss of confidence among citizens in their government if that government didn't take the right to privacy seriously. "The consideration whether or not an infringement of privacy is necessary in a democratic society is hardly made by the Dutch government in a number of cases", Leenes said. According to Leenes, data are being collected simply "because it's possible", there is huge confidence in technology, it is thought that more information leads to better decisions, insufficient attention is paid by the government to alternatives to reach the same goals, and there is ignorance. Leenes warned about current plans to register prostitutes in a central database. He also stressed that privacy is not only an individual right, but that it also has a social function.

 Ronald Leenes and Wilmar Hendriks.  © IDG Nederland

Others in the panel pointed to the dangers of risk profiling. Furthermore, the fallacy "if you have nothing to hide, you have nothing to fear" was unanimously invalidated: everyone has the right to keep his or her private life simply to themselves. Moreover, a core element of freedom is precisely that you may have something to hide. It was further noted that hard work must be made to increase privacy knowledge and awareness in government. Some in the panel emphasized incompetence in government rather than intent. Bas Filippini replied that there is often an agenda behind things, namely policy from the United States and the European Union. "How do you shape your society? Do you do that on a basis of fear, hatred and control, or on a basis of trust, freedom and love?", Filippini said.

Bas Filippini.  © IDG Nederland

Frénk van der Linden and Bas Filippini.  © IDG Nederland

Bas Filippini, Kees Verhoeven and Sander Duivestein.  © IDG Nederland

Then there was a discussion with the audience, in which Jeroen Terstegge (PrivaSense) rightly stated that one should be wary of Privacy Impact Assessments (PIAs) conducted by directly involved officials rather than an independent regulator, such as a Chief Privacy Officer. In this field there should be more self-criticism in government, aside from the Dutch DPA's external role. Another striking remark from the audience was made at the end of the panel session by Dimitri Tokmetzis (Sargasso): insurance was originally intended to spread risk, but through profiling risks are being individualized. This comes at the expense of solidarity in our society.

Thereafter Pim Takkenberg (National Police Services Agency, KLPD) held a speech on the theme of privacy and criminal investigation, in which he specifically discussed the dilemmas around dismantling a so-called botnet: a network of hijacked computer systems. According to Takkenberg, the legal framework in this context is sometimes "insufficiently specific", e.g. in case of 1) remotely "entering" (or hacking) computer systems by the police and 2) international cooperation in fighting cybercrime. Also in public-private partnerships, the police in this context are still "walking on eggshells", Takkenberg noted. In reply to a question from the audience about the effectiveness of data retention, Takkenberg said that "sometimes you have to give things some time in order to see what they yield in the long-term". This strengthens the position of Privacy First that this measure should never have been introduced. Finally, Takkenberg rightly stated that the police does not benefit from too much information gathering and that one must be very selective.

 

Pim Takkenberg.  © Sebastiaan ter Burg

The panel discussion on privacy and criminal investigation that followed took an unexpected turn due to the comments of Jan Grijpink (Utrecht University, formerly also Ministry of Justice) on the recent complications surrounding the Dutch biometric passport. When asked which aspect of the privacy debate annoyed him, Grijpink answered as follows:

"The discussion about the biometric passport, which I find a good example of how too persistent nagging - if I may say so - on the privacy side impairs the security side. If we have now come to the point of saying "let's remove the fingerprints from the passport", then I am satisfied. Back in 2002, I would have liked to avoid putting fingerprints on the passport, because it is unnecessary to use fingerprints to verify the holder. That has just been superfluous. But the moment you put fingerprints on the passport, you must be able to check whether those fingerprints are still the correct fingerprints and whether the person who says he belongs to them is truly that person. This has led to a decision by various [Dutch] ministers who were responsible for storing four fingers in a municipal database, and if you don't have that, then the citizen is actually lawless when he carries a document with two fingers, because that document is also intended to show to others. If it is just for yourself, then so be it, but a passport is meant to hand over to an authority. When we distribute a passport, we do not even check with the same biometrics whether it's really being distributed to the person who's the official holder. Either no fingerprints, or completely correct. Both these aspects are now threatened to be destroyed through a persistent nagging to one aspect of privacy only. That's what I worry about."

 

André Elissen, Jan Grijpink and Wilbert Tomesen.  © IDG Nederland

This led Vincent Böhre (Privacy First) to ask Grijpink about his assessment of the risk of function creep in the storage of fingerprints in municipal databases.

Vincent Böhre.  © IDG Nederland

Grijpink answered as follows:

"If you put the fingers on the passport only, you just lose all control for the protection of the individual. I have always made the case for storing four fingers - two on the passport and two extra - with the municipality in order to be able to check whether it is still the right person and whether anything in the document has changed. This can also exonerate yourself if you're accused of something with such a document. Whether that can lead to function creep: yes, everything can lead to function creep. But I think that if you organize it well, and I'm naturally a strong supporter of that, also because of the fact that we build large-scale infrastructures with chain-computerization to manage it well, then I think you also have to put some confidence in the government in a certain sense. I have been part of it for 40 years. In my view, some sort of a ghost is often made of the government in privacy debates. I don't recognize that. Many government officials do their work faithfully."

It is up to the reader to draw his own conclusions from this... ;)

During the panel discussion another central issue concerned the question whether or not to release figures on Dutch telephone and internet wiretaps. On behalf of Bits of Freedom Simone Halink rightly pleaded for more transparency in this respect. From the KLPD corner (and a former AIVD intelligence officer in the audience) however, it quickly became clear that there was complete unwillingness to provide any openness. This then led to a hardening of the discussion in which privacy advocates and (former) representatives of police and justice became diametrically opposed to each other. During this discussion Grijpink made the following remarks:

"I want to bring attention to an aspect as to why you should also be careful with making such hard calls for data and surveys. Especially, very clear in my file, identity fraud, then you make use of someone else's identity. When successful, it is invisible. And if the person is dead, then he won't notice anything. So that's a good example that if you start measuring, you get the wrong answer. And false conclusions and false images may even be worse for criminal investigation than if something gets known. In the case of identity fraud it is quite clear. I was asked: "How bad is the problem?" I replied: "Asking that question means that you don't understand. You must first have a situation in which you are sure to have the person who succeeded in committing identity fraud." There is only one situation that I know: the prison cells of the Justice department. Then minister Donner said: "Let's have a look." And guess what: 15% had the wrong identity. Half of those we didn't even know. And those people are in jail. In other words: figures are only really useful to some extent, and in the public debate they often go wrong."

This led Böhre to emphasize the importance of the notion that privacy is a human right, in which the question of proportionality in both individual and collective sense is fundamental. The discussion should therefore always be based on hard facts and figures. Vague assumptions about look-alike fraud are no excuse to impose biometric passports on an entire population. No negative reaction to this followed from the panel. The importance of further discussions based on facts and figures also seemed to be recognized by the audience. In that sense, the National Privacy Debate hopefully marked the end of an era of fact-free politics.

Privacy First will be happy to actively attend the next National Privacy Debate. In the meantime, the debate between all relevant stakeholders should be permanent.

A full video recording of the whole (6.5 hour) National Privacy Debate can be viewed online HERE.
More pictures of the event can be found HERE and HERE.

Postscript: the above report has also been published in the Dutch journal Privacy & Compliance 3-4/2012, p. 46-49.

Published in Meta-Privacy

This Tuesday afternoon it is expected that the Dutch House of Representatives will vote in favour of two important motions. The first motion urges the Dutch government to have the European Passport Regulation critically discussed in Brussels. The second motion appeals to the government to take a firm stand in Brussels for there to be a critical reaction to American extraterritorial legislation, such as the notorious US Patriot Act. Both motions have come into being partly as a result of earlier reports by Privacy First about 1) the futility of taking fingerprints for passports and ID-cards and 2) the risk of Dutch fingerprints secretly ending up in foreign hands.  

The current taking of fingerprints is the result of the European Passport Regulation. This regulation dates back to the end of 2004 and primarily came into existence under pressure of the American Bush administration. Back then there was hardly any critical discussion about the benefits and necessity of taking people's fingerprints for travel documents. At the time the responsible rapporteur of the European Parliament wasn’t even able to bring out into the open statistics about this matter, as was recently revealed through a FOIA-request filed by Privacy First. Soon it will be up to the European Commission to still prove the effectiveness of the Passport Regulation. In case the Commission fails in doing so, the Regulation should be discarded immediately.

Apart from fingerprints, the long arm of the Bush administration has for years been reaching deep into the heart of Europe. With the American Patriot Act in force, the US government acquired, among other things, the power to obtain information from European companies that are situated in America as well. But this piece of legal imperialism was nothing new for the Americans: in the American 'war on drugs', American powers have been reaching far across US land and sea borders for decades. Since 2001, the Patriot Act has extended this extraterritorial circus to the American 'war on terror'. The 2002 The Hague Invasion Act has the same colonial touch to it: under this law the American administration reserves the right to keep Americans out of the hands of the International Criminal Court, if needed by invading The Hague. Another, more recent example is the National Defence Authorization Act: this law provides the US army with the power to arrest 'terror suspects' anywhere in the world and put them in military detention without any form of due process for an unlimited period of time.

In recent years Washington has hardly cared about the jurisdiction of other countries and international law. It has been generally known that in the long run this could only lead to excesses. Therefore it’s an absolute mystery to Privacy First what led the Dutch government to extend the contracts with the French passport manufacturer Morpho (partially situated in the US) without the guarantee that the fingerprints of Dutch citizens could not end up in American (or other foreign) hands. It is now up to the Dutch government to still protect its citizens and to request the European Commission to do the same thing at the European level.

Update: Both motions have been adopted by the House of Representatives with an overwhelming majority! You can find a video of it HERE (in Dutch, starting at 9m55s). Only the right-wing Party for Freedom (PVV) rejected the motions.

Published in Law & Politics

This morning in Geneva the long-awaited Universal Periodic Review (UPR) of the Netherlands took place before the Human Rights Council of the United Nations (UN). In the run up to this four-year session, the Privacy First Foundation and various other organisations had emphatically voiced their privacy concerns about the Netherlands to both the UN and to almost all UN Member States; you can read more about this HERE. The Dutch delegation for the UPR session was led by Interior Minister Ms. Liesbeth Spies. The opening statement by Spies contained the following, remarkable passage about privacy:

"The need to strike a balance between different interests has sometimes been hotly debated in the Dutch political arena, for example in the context of privacy measures and draft legislation limiting privacy. The compatibility of this kind of legislation with human rights standards is of utmost importance. This requires a thorough scrutiny test, which is guaranteed by our professionals and institutions. Improvements in this regard have been made when necessary, especially in the starting phase of new draft legislation. This has been done in the field of privacy, where making Privacy Impact Assessments (PIAs), describing the modalities for the planned processing of personal data, are compulsory now." (pp. 5-6, italics Privacy First)

A "thorough scrutiny test" and compulsory Privacy Impact Assessments are the terms that positively stand out for Privacy First.

Prior to the UPR session, the United Kingdom had already put the following questions to the Netherlands: "Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?" (Source) On behalf of the Netherlands, Minister Spies responded to this question in Geneva this morning saying: "On the review of our laws on data protection, The Netherlands are currently working on a legislative proposal on data breach notification, following announcements of this proposal in the present coalition agreement. The proposal, which would require those responsible for personal data to notify the data protection authorities in case of "leakage" of personal data with specific risks for privacy (including identity theft), is expected to be tabled in Parliament in the coming months." This answer is rather concise and unfortunately it doesn’t contain any new elements. However, a new Dutch law on compulsory notification for data leakages will hopefully become a best practice for other UN Member States. The credits for this go to our colleagues of the Dutch NGO Bits of Freedom who have worked on this for a long time.  

During the UPR session Estonia called the protection of privacy and personal data a "human rights challenge of the 21st century". Morocco then asked a critical question about the privacy issue: "Quelles sont les mesures concrètes entreprises par les autorités néerlandaises pour sécuriser l'utilisation des donnés personnelles?" ("What are the concrete measures taken by the Dutch authorities to protect the use of personal data?") The Philippines also raised the issue of the right to privacy, but only in these words: "The Philippine delegation appreciates the frank assessment of the Netherlands of the obstacles and challenges it has to hurdle in the implementation of the right to privacy especially in the area of protection of personal information." The comments by Greece, India, Russia and Uzbekistan were more content-focused. Greece addressed the practice of preventive searches: "We take note of reports regarding the issue of preventive body searches. We recommend that the Netherlands ensure that in its application of preventive body searches, all relevant human rights are adequately protected, in particular the right to privacy and physical integrity and the prohibition of discrimination on the basis of race and religion." India exhorted the Netherlands on ethnic profiling of citizens: "We encourage the Dutch Government to take concrete measures to combat discrimination including discrimination by the Government such as ethnic profiling." Russia too advised the Netherlands "to introduce measures to stamp out discrimination arising as a result of the practice of racist, ethnic or religious profiling." The Netherlands was addressed about this very issue by Uzbekistan as well: "We are concerned over the existence of information on the increasingly broad use by the police of racist profiling."

As a reaction to these points Minister Spies referred to recent research by the Dutch police, scientists and the National, the Amsterdam and the Rotterdam Ombudsman about preventive body searches, discrimination and ethnic profiling. With regard to digital profiling (in general), she moreover proclaimed the following: "In its recent proposal for a general Data Protection Regulation, the [European] Commission has included rules on profiling, which can address the problems associated with profiling and the protection of personal data. The Netherlands endorses the need for clear legislative rules with regard to this topic, given the specific challenges for privacy protection that this technique entails. This is also the background against which the Netherlands welcomed in 2010 the Council of Europe Resolution on this topic, which contained a useful definition of profiling that would also be beneficial for inclusion in the [European] Commission proposals. The Netherlands will draw attention to this ongoing discussion in Brussels. The Regulation, once in force, will be directly applicable in the Netherlands." 

By and large this is a reasonable result, given that up until now the privacy issue had hardly played any role at all within the UN Human Rights Council. However, it’s a shame that most countries still hardly dare to confront this issue, let alone ask specific and critical questions about it. Many of the recommendations by Privacy First have not been touched upon during this UPR session, although diplomats in Geneva and The Hague had earlier shown great interest in them. Perhaps they were stopped by their Foreign Affairs departments in capital cities because many privacy issues are also sensitive in their own domestic politics? Who knows... However, the fact remains that the international community was informed by Privacy First well in advance, which was part of the reason that the Dutch UN delegation headed by Minister Spies was properly focussed on the job at hand. This can only be to the benefit of general awareness and the protection of privacy, both inside and outside the Netherlands. In the end, for us this is what it’s all about. 

Update 4 June 2012: This afternoon, a working group of the Human Rights Council adopted a draft report on the Dutch UPR session. The final version of this report will be adopted by the Human Rights Council in September 2012, accompanied by a (motivated) acceptance or rejection by the Netherlands of each individual recommendation in the report. Furthermore, this will also be discussed by the Dutch House of Representatives.

A total of 49 countries have taken part in the Dutch UPR session. It is noteworthy that Belgium, Italy and Austria did not take part in the session (although Belgium and Italy had in fact enrolled beforehand). As far as Austria is concerned this is particularly regrettable, because of all the UN Member States it was actually Austria which had in advance expressed the most interest in the Privacy First UPR shadow report and had intimated to be able to make a powerful, overall recommendation to the Netherlands about the right to privacy.  

Update 21 September 2012: This morning, the UN Human Rights Council discussed its recommendations to the Netherlands. The Dutch Permanent Representative in Geneva declared which recommendations have been accepted or rejected by the Netherlands; see this UN document and this video. The two recommendations by the Human Rights Council that related to ethnic profiling and preventive body searches have both been accepted by the Netherlands under the following clarification:

ethnic profiling: "The Dutch government rejects the use of ethnic profiling for criminal investigation purposes as a matter of principle." About profiling in a more general sense: "In its recent proposal for a General Data Protection Regulation, the European Commission included rules on profiling that address problems that may arise due to the increasing technical possibilities for in-depth searches of databases containing personal data. The Netherlands endorses the need for clear legislative rules on this subject, given the specific challenges for privacy protection that this technology entails." (Source, 98.57 & n. 75).
- preventive body searches: "The power to stop and search is strictly regulated in the Netherlands. The mayor of a municipality may designate an area where, for a limited period of time, preventive searches may be carried out in response to a disturbance of or grave threats to public order due to the presence of weapons. The public prosecutor then has discretion to order actual body searches and searches of vehicles and luggage for weapons."
(Source, 98.74 & n. 95).

See also this statement by the Netherlands Committee of Jurists for Human Rights (Dutch abbreviation: NJCM) from this morning (video). Just like the NJCM, Privacy First regrets the lack of government consultation in the run up to today’s UPR session.

Below you can watch the 31 May 2012 UPR session in its entirety (click HERE for video segments of individual countries). 

Published in Law & Politics
Sunday, 20 May 2012 20:36

Wireless pickpocketing through RFID

A debit or credit card with an RFID chip? Not a good idea! Watch the video below:

These days, of all human rights the right to privacy finds itself under the most pressure. Therefore, it is of great importance that the government, being the largest privacy violator, is tightly controlled by means of proper legislation. With good checks & balances, for the government itself as well as for monitoring possible privacy violators such as Microsoft, Google, Apple and large ICT companies like Cisco and Intergraph that set up entire electronic surveillance infrastructures in China.

Under the ‘principle of security’, current Western democracies are increasingly being led by suspicion, hate and control instead of the principles of trust, love and freedom. And all of this to protect those last three mentioned? In the view of Privacy First, the line in the sand has already been drawn in 2001. Under the guise of security our legislation has been heavily modified to the disadvantage of individual citizens and through function creep the boundaries of the application of this legislation are continuously being stretched. Will loitering youth and football hooligans soon be seen as criminal or terrorist organisations under our judicial system? And what about everyone who thinks or acts differently? Where can we draw the line? And who makes the decisions over this? And who will scrutinize the decision maker and the executor?

At the moment, it is under the big heading of ‘profiling’ that ever more privacy violations take place. The aim of profiling is tracking entire populations or target groups in order to identify so-called 'outliers' through criteria and norms that are to be imposed. Outliers are deviations from the norm: people who behave differently than the ‘normal group’, or a specific group the government has set its eyes upon, whoever it may concern. People who have unpaid bills, who drive too fast, who gather in groups, attorneys, journalists, activists, airplane passengers, those entitled to public aid, sect members, etc. Just identify and track them, you never know if there’s someone amongst them who hasn’t abided by the rules or who fits a certain profile you’re looking for.

Profiling is characterised by four aspects that in our perception are in conflict with the Dutch Constitution as the basis for our constitutional State:

  • The reversion of a fundamental principle of law: citizens are tracked en masse without a concrete, reasonable suspicion of a crime. Through profiling everyone becomes a potential suspect and everyone’s privacy can be violated unpunished.
  • With the current state of technology, profiling is aimed at continuous, real-time identification instead of passive registration and analysis of data of a citizen under reasonable suspicion. So we move from registration to identification, without the authorization and awareness of the trustful citizen. In this way, out of its own distrust the government abuses the good faith of citizens and in so doing imposes its own standard criteria. Without any democratic evaluation or strict legal guarantees.
  • The application of the technology used for profiling is based on the principle that ‘everything’s allowed if it’s technically possible’. For the greater part this development is invisible for citizens. Subway stations, trains, busses, trams, inner cities, police helmets and even parking machines (!) in Amsterdam are incessantly being equipped with cameras. These are linked to central control rooms and, where possible, fitted with identification and pattern recognition software in order to be able to directly perceive ‘suspicious matters’. The mantra of our government: ‘ill doers are ill deemers’.
  • Increasing restrictions to internet freedom of companies and individuals. Since 2010 all our personal telephone and email correspondence are being stored. All this is being done to prepare for profiling. At the moment the US Congress is working on a legislative proposal (Cyber Intelligence Sharing and Protection Act, CISPA) which grants private businesses and the US government the right to spy on citizens at any given moment and for as long as they want and to report them in case there are ‘outliers’. All of this without the need for a warrant. WikiLeaks, child porn, copying illegal content and the like are all too readily used to introduce new legislation to further restrict our internet freedom and which is to be applied in other areas the government wants to have control over. Preferably on a worldwide scale, without any democratic scrutiny. The government obliges citizens to increasingly use online services: the Citizen ‘Service’ (Control that is) Number (in Dutch: Burger Service Nummer, BSN), the Electronic Child File (Elektronisch Kind Dossier, EKD/DDJGZ), the Electronic Student File (Elektronisch Leerlingen Dossier, ELD), Diagnosis Treatment Combinations in healthcare (Diagnose Behandel Combinaties, DBC’s), etc. Of every citizen an ‘electronic life file’ comes into existence which in conjunction with electronic traces are to become able to predict suspect or deviant behaviour. Preferably in real-time and online. All of this, naturally, to protect our freedom...

In case fingerprints in passports will be replaced by new biometric features, the road will be cleared for a much worse form of profiling. Through the use of facial scans in databases, citizens will be able to be identified and tracked in public spaces in real-time and to be singled out through profiling on the basis of criteria predetermined by ‘someone’. In this process the government deliberately focuses on modifying the technology. As a result, there is 'fortunately' no need to talk about whether or not biometrics are actually desirable in our society, and if so, under which conditions and guarantees. Privacy First advocates for 'privacy by design' and privacy enhanced technologies as well as strict legislation with regard to biometrics and profiling. Because we don’t want to leave our children behind in an electronic concentration camp...

For a free, open and vivid 2012!

Bas Filippini,
Chairman of the Privacy First Foundation

Postscript: in the context of the National Privacy Debate, this column has also been published (in Dutch) as an Opinion by Dutch web-magazine Webwereld: http://webwereld.nl/opinie/110383/profiling-het-grootste-gevaar-voor-privacy--opinie-.html and http://nationaalprivacydebat.nl/article/ww/110383/profiling-het-grootste-gevaar-voor-privacy-opinie

Published in Profiling

The following article by Privacy First employee Vincent Böhre was published this month in the periodical De Filosoof (‘The Philosopher’, University of Utrecht). Tomorrow the Dutch Passport Act will be high on the Dutch political agenda: in a debate with the Minister of the Interior Liesbeth Spies the compulsory taking of fingerprints for Dutch passports and ID cards will be discussed. Privacy First has recently (again) emphasized to all political parties in the Dutch House of Representatives to have passports without fingerprints introduced as soon as possible and to make a request to the government to have the Passport Regulation revised at the European level. This in order for the compulsory taking of fingerprints to be done away with also for passports, or at least to become of a voluntarily nature. The text below offers a quick recap with a positive twist. A pdf version of the original article in Dutch can be found HERE (pp. 6-7).

The biometric passport as an unintended privacy gift

‘‘Late 2001, the Christian-democratic political party CDA proposed storing the fingerprints of every Dutch citizen through passports for criminal investigation purposes. However, this proposal was immediately scrapped by other political parties because it would lead to a Big Brother society. Nonetheless, an even more far-reaching proposal became law seven years later almost inconspicuously. Under the new Dutch Passport Act, apart from criminal investigation and prosecution, everyone’s fingerprints and facial scan (biometric data) could also be used for counter-terrorism, domestic and foreign State security, disaster control and personal identification. However, none of these legal purposes had been discussed in Parliament.[1] In fact, the new Passport Act was accepted by the Senate even without a vote. The media merely stood by and watched how it happened. How could things have gotten this far?

‘Bystander syndrome’

In a certain way the Passport Act was (and is) emblematic for the Dutch era after '9/11'. An era in which (presupposed) anti-terrorism measures could be steered through Parliament with the greatest of ease. After all, such measures would enhance our security, we were continuously told. By nature people are inclined to believe the authorities and to accept the status quo. From a human rights point of view, one could consider the post-9/11 era as a huge Milgram experiment: without too much resistance many human rights have for years been put to the rack of society. The realization of the new Passport Act is no exception. Every Member of the Senate could at least have made a request for a parliamentary vote. Journalists and scientists could have blown the whistle on time. Instead, they all stood there and watched since, of course, the law would make the Netherlands a ‘more secure’ place. But what was this assumption based on? Wasn’t the Netherlands actually going to be less secure by the massive storage of fingerprints in travel documents and affiliated databases? This question has never been asked in public, let alone discussed and answered.

Disproportionate

The prime argument by the Dutch government for the introduction of fingerprints in passports and ID cards has, since the late 90s, been the following: it would prevent look-alike fraud with travel documents. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his or her appearance resembles. Questions about the scale of this type of fraud have hardly ever been asked in Parliament. From a recent FOIA-request filed by Privacy First, it appeared that we’re dealing with only a few dozen cases each year (with Dutch travel documents on Dutch territory).[2] In light thereof the introduction of fingerprints in travel documents of 17 million Dutch citizens is completely disproportionate. Not to mention the dozens, if not hundreds of millions of Euros that the government has spent on this project.

Risks

With the introduction of a ‘biometric identity infrastructure’ a new form of fraud comes to life that is extremely difficult to trace and combat: biometric identity fraud, for instance through hacking. Not just with guileless citizens and companies, but also in the public sphere (espionage). Moreover, it has been pointed out that in 21-25% of cases the biometric data in the chip of Dutch travel documents cannot be read (verified). So in the event of passport control, there is a high risk that citizens become unjustly suspected of fraud. The biometric passport is no good for combating terrorism either: terrorists generally use their own, authentic travel documents. Unfortunately, little is publicly known about the way security and intelligence agencies use biometrics, even though some purposes are easy to predict: identification of suspects unwilling to speak and ‘interesting’ persons in public space, the recognition of emotions, lie detection and the recognition or use of doubles. The same applies to the domain of criminal investigation and prosecution, also in conjunction with camera surveillance and automatic facial recognition. In addition, the RFID (Radio Frequency Identification)-aspect of the chip in the document enables it to be read from a distance: citizens can be identified and tracked without it being noticed. With regard to personal identification, one could think of the possible introduction of fingerprints at banks, social services, the internet, etc. (Since the end of last year, a Dutch pilot project with mobile finger scanners for the police is ongoing.) Finally, there’s the domain of fighting disasters: biometrics used for the identification of casualties in the event of large-scale disasters or as a logistic means. All in all these possibilities for the use of biometrics go dozens, if not a hundred steps beyond the mere combating of look-alike fraud with travel documents. One ought to realize that all of these possibilities will sooner or later be put into practice. In jargon this is called ‘function creep’; historically seen it’s inevitable. Scientific research into future applications of biometrics continuously takes place. What’s more, even in our part of the world a democratic constitutional State is no invariable matter of fact. It is therefore very dubious whether our world will become ‘more secure’ by the large-scale use of biometrics.  

Positive change

It is exactly this concern which brought about a small Dutch revolution in the summer of 2009: at the time, the enactment of the new Passport Act led to a torrent of criticism and to the coming into being of the current Dutch privacy movement. New privacy organizations such as Privacy First proliferated, social coalitions were forged and lawsuits against the new Passport Act were filed.[3] This boomerang effect within society continues to this day. Since that time the right to privacy is ever higher on the societal and political agenda. In that sense the biometric passport has so far proved to be an unintended gift from heaven.''



[1]
See Vincent Böhre, Happy Landings? Het biometrische paspoort als zwarte doos (Happy landings? The biometric passport as a black box), Wetenschappelijke Raad voor het Regeringsbeleid, WRR (Scientific Council for Government Policy) October 2010, http://www.wrr.nl/publicaties/publicatie/article/happy-landings-het-biometrische-paspoort-als-zwarte-doos-46/.
[2]
See Privacy First, Revealing figures about look-alike fraud with Dutch travel documents (20 March 2012).
[3]
See Böhre supra footnote 1, p. 111 ff.
Published in Meta-Privacy
These days, of all human rights the right to privacy finds itself under the most pressure. Therefore, it is of great importance that the government, being the largest privacy violator, is tightly controlled by means of proper legislation. With good checks & balances, for the government itself as well as for monitoring possible privacy violators such as Microsoft, Google, Apple and large ICT companies like Cisco and Intergraph that set up entire electronic surveillance infrastructures in China.

Under the ‘principle of security’, current Western democracies are increasingly being led by suspicion, hate and control instead of the principles of trust, love and freedom. And all of this to protect those last three mentioned? In the view of Privacy First, the line in the sand has already been drawn in 2001. Under the guise of security our legislation has been heavily modified to the disadvantage of individual citizens and through function creep the boundaries of the application of this legislation are continuously being stretched. Will loitering youth and football hooligans soon be seen as criminal or terrorist organisations under our judicial system? And what about everyone who thinks or acts differently? Where can we draw the line? And who makes the decisions over this? And who will scrutinize the decision maker and the executor?

At the moment, it is under the big heading of ‘profiling’ that ever more privacy violations take place. The aim of profiling is tracking entire populations or target groups in order to identify so-called 'outliers' through criteria and norms that are to be imposed. Outliers are deviations from the norm: people who behave differently than the ‘normal group’, or a specific group the government has set its eyes upon, whoever it may concern. People who have unpaid bills, who drive too fast, who gather in groups, attorneys, journalists, activists, airplane passengers, those entitled to public aid, sect members, etc. Just identify and track them, you never know if there’s someone amongst them who hasn’t abided by the rules or who fits a certain profile you’re looking for.

Profiling is characterised by four aspects that in our perception are in conflict with the Dutch Constitution as the basis for our constitutional State:

  • The reversion of a fundamental principle of law: citizens are tracked en masse without a concrete, reasonable suspicion of a crime. Through profiling everyone becomes a potential suspect and everyone’s privacy can be violated unpunished.
  • With the current state of technology, profiling is aimed at continuous, real-time identification instead of passive registration and analysis of data of a citizen under reasonable suspicion. So we move from registration to identification, without the authorization and awareness of the trustful citizen. In this way, out of its own distrust the government abuses the good faith of citizens and in so doing imposes its own standard criteria. Without any democratic evaluation or strict legal guarantees.
  • The application of the technology used for profiling is based on the principle that ‘everything’s allowed if it’s technically possible’. For the greater part this development is invisible for citizens. Subway stations, trains, busses, trams, inner cities, police helmets and even parking machines (!) in Amsterdam are incessantly being equipped with cameras. These are linked to central control rooms and, where possible, fitted with identification and pattern recognition software in order to be able to directly perceive ‘suspicious matters’. The mantra of our government: ‘ill doers are ill deemers’.
  • Increasing restrictions to internet freedom of companies and individuals. Since 2010 all our personal telephone and email correspondence are being stored. All this is being done to prepare for profiling. At the moment the US Congress is working on a legislative proposal (Cyber Intelligence Sharing and Protection Act, CISPA) which grants private businesses and the US government the right to spy on citizens at any given moment and for as long as they want and to report them in case there are ‘outliers’. All of this without the need for a warrant. WikiLeaks, child porn, copying illegal content and the like are all too readily used to introduce new legislation to further restrict our internet freedom and which is to be applied in other areas the government wants to have control over. Preferably on a worldwide scale, without any democratic scrutiny. The government obliges citizens to increasingly use online services: the Citizen ‘Service’ (Control that is) Number (in Dutch: Burger Service Nummer, BSN), the Electronic Child File (Elektronisch Kind Dossier, EKD/DDJGZ), the Electronic Student File (Elektronisch Leerlingen Dossier, ELD), Diagnosis Treatment Combinations in healthcare (Diagnose Behandel Combinaties, DBC’s), etc. Of every citizen an ‘electronic life file’ comes into existence which in conjunction with electronic traces are to become able to predict suspect or deviant behaviour. Preferably in real-time and online. All of this, naturally, to protect our freedom...

In case fingerprints in passports will be replaced by new biometric features, the road will be cleared for a much worse form of profiling. Through the use of facial scans in databases, citizens will be able to be identified and tracked in public spaces in real-time and to be singled out through profiling on the basis of criteria predetermined by ‘someone’. In this process the government deliberately focuses on modifying the technology. As a result, there is 'fortunately' no need to talk about whether or not biometrics are actually desirable in our society, and if so, under which conditions and guarantees. Privacy First advocates for 'privacy by design' and privacy enhanced technologies as well as strict legislation with regard to biometrics and profiling. Because we don’t want to leave our children behind in an electronic concentration camp...

For a free, open and vivid 2012!

Bas Filippini,
Chairman of the Privacy First Foundation

Postscript: in the context of the National Privacy Debate, this column has also been published (in Dutch) as an Opinion by Dutch web-magazine Webwereld: http://webwereld.nl/opinie/110383/profiling-het-grootste-gevaar-voor-privacy--opinie-.html and http://nationaalprivacydebat.nl/article/ww/110383/profiling-het-grootste-gevaar-voor-privacy-opinie

Published in Columns

This week an excellent article about biometrics by internet journalist Jean-Marc Manach appeared in French web-magazine 'OWNI'. Many current issues and uncertainties around biometrics are discussed in this article, including the Dutch situation: 

"20% d'empreintes inutilisables

Les eurodéputés rappellent également qu'aux Pays-Bas, une étude menée sur plus de 400 passeports a révélé que les empreintes digitales étaient inutilisables dans plus de 20% des cas...

Sophia in 't Veld, de l'Alliance des démocrates et libéraux pour l'Europe (ADLE) révéla par ailleurs qu'au Pays-Bas, les passeports biométriques avaient été justifiés au motif de la lutte contre la fraude et l'usurpation d'identité, mais que le ministère de l'Intérieur avait toujours refusé de rendre public le nombre de cas recensés, au motif que le chiffre serait «inconnu», «pas public», «confidentiel» ou «secret».

Or, des documents obtenus par l'ONG Privacy First révèlent que les autorités n'ont dénombré que 46 cas d'usurpation en 2008, 33 en 2009 et 21 en 2010, sur une population de 17 millions d'habitants..."

Read the entire article HERE, or click HERE for an 'English version' in Google Translate.

Page 12 of 17

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon