Friday, 13 April 2012 16:11

Save the internet from the U.S.

The following (translated) call reached us this week from Avaaz (in Dutch) and is fully supported by Privacy First:

‘‘At this very moment, the American Congress wants to secretly adopt a legislative proposal which enables them to spy on internet users everywhere in the world, hoping the world won’t notice it. Last time around we contributed to the fight against the attack on the internet, now let’s do it again.

Over a 100 Congress members support the legislative proposal (CISPA) which grants private businesses and the American government the right to spy on every one of us, at any given moment and for as long as they want without the need for a warrant. This is the third time the American Congress tries to attack our internet freedom. We helped defeat the Stop Online Privacy Act (SOPA) and the Protect IP Act (PIPA) – now we can defeat this new ‘Big Brother law’.

Our global indignation has previously played a leading role in protecting the internet against governments that want to track and control us online. Let’s once more stand united and thwart this law for good. Sign the petition and forward it to anyone who uses the internet: http://www.avaaz.org/en/stop_cispa

The Cyber Intelligence Sharing and Protection Act (CISPA) determines that in a mere case of suspicion of a cyber threat, companies that allow us internet access have the right to collect information about our online activities, to share this information with the government and to refuse notifying us about this. Afterwards they enjoy immunity from prosecution for privacy violations or whichever other illegal activity it may concern. This implies an insane dismantling of the privacy we all have faith in during our daily habits of sending emails, having Skype chats, performing search actions, etc.

But we know the American Congress is afraid of the world’s reaction. It is the third time that they put the attack on our internet freedom in a new jacket in order to push it through after all. The name of the law is repeatedly being changed in the hope that citizens won’t notice it. NGOs that deal with internet rights, like the Electronic Frontier Foundation, have already condemned the legislative proposal on account of violation of privacy protection. It’s time for us to speak out.

Sign the petition for Congress against CISPA. As soon as we have 250.00 signatures we will hand over our petition to every one of the 100 American representatives who support this law: http://www.avaaz.org/en/stop_cispa

Every day internet freedom has to endure the threats from governments from all over the world, but the US can cause the greatest damage since most of the internet’s infrastructure is situated there. Time and again our movement has proved that global public opinion contributes to stopping the US from threatening our internet. Let’s do this again.’’

Published in Online Privacy
Thursday, 29 March 2012 17:03

Privacy First endorses the Earth Charter

Declaration of endorsement of the Earth Charter by the Privacy First Foundation 

« Privacy is the new green »
 

The Privacy First Foundation hereby endorses the Earth Charter. We subscribe to the ideas and goals of this document and we support the common pursuit of a righteous, sustainable and peaceful world. To that end, the worldwide preservation and promotion of the universal right to privacy is of primary importance. In order to achieve this goal, Privacy First shall be guided by the values and principles of the Earth Charter.

Privacy is the basis of our democracy under the rule of law. Without privacy, there can be no free personal development and no free democratic dynamics. Of all human rights, the right to privacy today finds itself under the most pressure. Through the rise of modern information and communications technology (ICT) the physical and virtual world become ever more integrated and societies become increasingly transparent. The digital revolution offers sovereign peoples as well as individuals from all over the globe new chances and opportunities in terms of democratisation and socio-economic empowerment. However, it also provides governments with the technical resources to suppress these processes. Information technology ought to serve the free individual, not the other way around. Therefore, in a sustainable information society the privacy of every single individual is to be optimally safeguarded.

The same positive change in recent decades with regard to the environment has to be made in the coming years in the field of privacy. Indeed, the toxic leakages of the past have become the data leakages of today. As large groups of people are stricken by environmentally unfriendly practices, the same goes for practices which are privacy-unfriendly. In both these fields our habitat and the private sphere are inextricably linked as parts of a whole. In terms of human rights this is already evinced by the European development of a 'green interpretation' of Article 8 of the European Convention on Human Rights, through which the right to privacy has received an environmental dimension. Conversely, the values and principles of the Earth Charter are a relevant guideline with regard to the protection of our privacy. In the spirit of the Earth Charter, this translates into the following principles for Privacy First:

1. In every public and industrial policy, positive human freedom and the human dimension are to fulfil a central role.

2. Privacy is the most fundamental freedom and apart from private life and personal development, this comprises the protection of personal data, confidential communication and the integrity of the person and body.

3. Both companies and government authorities have a duty of care for appropriate privacy protection. This duty also extends across national borders.

4. Everyone has the right to informational self-determination: the right to personal control over one's own personal data.

5. The human body is inviolable. The right to physical integrity is absolute in the sense that any infringements thereupon are only permissible with the consent of the individual.

6. ICT companies are required to act in a socially responsible, ethical and transparent manner. In this respect they also have a chain responsibility over the customers and suppliers within their line of business.

7. Privacy Impact Assessments are required in every situation in which one's privacy could be interfered with. Measures which can lead to large-scale and irreversible privacy violations are prohibited a priori.

8. Government authorities and companies which violate people's privacy have a duty to repair the situation and to compensate for any damage.

9. In order to defend themselves against any (impending) privacy violations by government authorities or companies, citizens shall have at their disposal both individual as well as collective legal remedies. The government safeguards individual legal protection and a collective right of action.

10. Any complicity by companies in foreign privacy violations shall be prevented and punished. This can be realised through the installation of international sanctioning mechanisms.

11. Everyone has the right to free internet access. Governments and companies facilitate this right.

12. Everyone has the right to active administrative transparency. This comprises the right to timely, correct and integral government information.

13. Privacy-sensitive information technology needs to live up to the highest standards of 'privacy by design'. This can be achieved through the use of privacy enhancing technologies (PET).

14. Every generation of people is responsible for the privacy protection of future generations.

15. A privacy friendly future starts with our youth. Therefore privacy education is to become compulsory in primary, secondary and higher education.

Privacy First Foundation,
Amsterdam, March 29, 2012

The official declaration of endorsement by Privacy First can be downloaded HEREpdf.

Published in Meta-Privacy

Thanks to a FOIA-request by the Privacy First Foundation, the official figures about look-alike fraud with Dutch passports and ID-cards have today, for the first time, become public. From these figures it emerges that the Dutch biometric passport with fingerprints is an absolutely disproportionate measure, the introduction of which should never have been allowed.

The primary argument from the Dutch government for introducing fingerprints in passports and ID-cards has for years been the same: fighting look-alike fraud. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his appearance resembles. This kind of swindler is also called an impostor. Questions about the scale of this type of fraud have hardly ever been asked, not by members of Dutch Parliament, nor by scientists or journalists. Those who raised a question about it in the last ten years were usually provided with an answer that left them none the wiser: figures about look-alike fraud would be ‘unknown’, ‘not publicly available’, ‘confidential’, or ‘secret’. The answer to the most recent parliamentary question in this respect dates back to October 2010:

- Question: ‘‘Is it true that the figures of look-alike fraud with ID documents are known, but that you are unwilling to provide them to the House of Representatives? Are you actually prepared to provide these figures to the House of Representatives?’’
- Answer by Dutch State Secretary Ank Bijleveld (Ministry of the Interior): ‘‘No, this is not true. Since such figures are unknown to me, it’s obvious I cannot send them to you.’’ (Dutch source)

Those who have been asking supplementary questions in recent years were often told we would be facing a massive phenomenon. In this way the idea of a 'dark figure' of crime of almost mythical proportions came into existence. That is to say, without any trace of evidence. So recently the Privacy First Foundation filed a FOIA-request to the department of the Dutch government that has been keeping track of the figures on look-alike fraud for years: the Dutch Expertise Centre on Identity fraud and Documents (Expertisecentrum Identiteitsfraude & Documenten, ECID) based at Schiphol Airport. The ECID falls under the Royal Netherlands Marechaussee (KMar) and is thus part of the Dutch Ministry of Defence. Privacy First knew from a reliable source that those figures could be found in the clear annual reports of the ECID from 2008 onwards. So recently we have simply made a request for those reports by email. Subsequently Privacy First received the Statistic Annual Overviews on Document Fraud (Statistische Jaaroverzichten Documentfraude) from 2008 to 2010 from the Ministry of Defence. (Update: the statistics from 2011 followed on 29 May 2012.) The following figures result from these annual reports relating to look-alike fraud with Dutch passports and ID-cards on Dutch soil:   

2008: 46 cases (source: Statistisch Jaaroverzicht Documentfraude 2008, p. 45)

2009: 33 cases (source: Statistisch Jaaroverzicht Documentfraude 2009, pp. 42-43)

2010: 21 cases (source: Statistisch Jaaroverzicht Documentfraude 2010, pp. 52-53)

2011: 19 cases (source: Statistisch Jaaroverzicht Documentfraude 2011, pp. 52-53).

The Netherlands has 17 million inhabitants. By now almost 7.5 million of those had their fingerprints taken to combat a handful of cases of look-alike fraud. By any standard this is a completely disproportionate situation and thereby forms a collective violation of the right to privacy of all Dutch citizens. Privacy First regards these figures as a strong backing in its lawsuit against the Dutch government regarding the new Dutch Passport Act and hereby makes a call to the government to immediately stop the compulsory taking of fingerprints for passports and ID-cards. Regardless of whether or not that’s against European policy.

Update 22 March 2012: At first Privacy First showed the numbers 63 (2009) and 52 (2010). However, those figures were based on a calculating error (they were counted twice), for which we apologise.  

Update 30 March 2012: internal documents from the Dutch Ministry of the Interior from 2004 also imply a relatively low figure for fraud and, moreover, high costs for introducing biometric technology in travel documents. Privacy First recently obtained these documents through a large-scale FOIA investigation that has been ongoing since April 2011.

Update 29 May 2012: Today Privacy First finally received the long-awaited Statistisch Jaaroverzicht Documentfraude 2011 from the Dutch Ministry of Defence. The number of cases of look-alike fraud with Dutch passports and ID-cards on Dutch soil (as far as the KMar is aware) according to this report were respectively... 11 and 8, so just 19 in total. We have updated the list of cases from 2008 to 2010 above with the figures from 2011. So the idea of look-alike fraud as a very small-scale phenomenon is once more confirmed. To burden the entire Dutch population with biometric passports and ID-cards as a countermeasure is and will be completely disproportionate and therefore unlawful.

Published in FOIA Requests

Since a few days there is justified commotion over two new Dutch government plans that will grossly invade people's privacy. The first one is a plan by Dutch Minister for Immigration, Integration and Asylum Affairs Gerd Leers of the Christian-democratic party CDA to start creating automatic risk profiles of every airplane passenger. Before going on a business trip or on vacation, you will get a little green, yellow, orange or red flag behind your name. Without you knowing it. This is no hint at a surprise party, no, it’s because in the eyes of the Dutch government you may be a dangerous terrorist. At Schiphol Airport you are hopefully amongst those who can quickly go passed the security checks for people with green flags. In case you have a different flag you’ll be taken apart, thoroughly checked and interrogated and as a consequence you might miss your flight. The legislative proposal hasn’t yet been sent to the Dutch House of Representatives, but the government is already starting to build the corresponding central infrastructure (PARDEX). This is the state of democracy in the Netherlands in 2012.

The second plan has been concocted by Dutch State Secretary for Social Affairs and Employment Paul de Krom of the liberal party VVD. In terms of protection of privacy, De Krom happens to be just as uncompromising: his idea is to create comprehensive profiles of everyone entitled to social welfare from now on, on the basis of all the possible databases that can be linked to the municipal population register. In case an anomaly is found in your digital profile, you immediately appear on the radar of a central control room, a sort of Central Command for public benefits. Subsequently, it’s up to you to prove something’s not right with your profile, otherwise you may lose your benefit.  

Both proposals are all about profiling: creating and keeping up-to-date detailed risk profiles of ordinary citizens. In an ocean of information that for 99% derives from innocent people, Leers and De Krom are hoping to catch that 1% of (potential) troublemakers. (Do you remember 'The One Percent Doctrineby Dick Cheney?) In other words, it’s an inversion of the classic principle that the government is only allowed to intrude upon your privacy once there’s a reasonable suspicion of a crime. After all, through profiling everyone is treated as a (potential) suspect beforehand. This effectively turns the right to privacy into fiction.

Yesterday night this topic was discussed on Dutch radio programme Dichtbij Nederland (‘Close to the Netherlands’) on NTR, Radio 5. Apart from Vincent Böhre of Privacy First, two experts took part in the debate: criminologist Marianne van den Anker (former municipal councillor of the regional political party Leefbaar (‘Livable’) Rotterdam, dealing with security) and Marc Jacobs (writer and former police commissioner). The whole discussion can be listened to HERE (starting at 17m48s).

Published in Profiling

The Netherlands is a democratic constitutional State. This implies that every government action is to be 1) democratically legitimized and 2) subject to the rule of law. Therefore the law decides what the government has to adhere by. Whereas the prohibition on vigilante justice applies to every citizen, it also applies to the government itself. In that sense the government fulfils an important exemplary role. But what if the government ignores a judicial verdict? In that case citizens in a constitutional State are fortunately able to go to court again to call the government to order. This is what happened last year in a lawsuit against the Dutch Healthcare Authority (Nederlandse Zorgautoriteit, NZa) about medical privacy and professional confidentiality within the Mental Health Sector (Geestelijke Gezondheidszorg, GGZ). Last week the Dutch Trade and Industry Appeals Tribunal (College van Beroep voor het bedrijfsleven, CBb) judged that the NZa had not adhered by an earlier verdict of the CBb and still has to do so. Here below Privacy First briefly clarifies the CBb’s verdict.  

In 2008, so-called Diagnosis Treatment Combinations (Diagnose Behandel Combinaties, DBCs) were introduced in the Netherlands. This means that every medical treatment has a special code. This code is printed on your invoice and on that of your health insurance company so it can verify your expense claim. Furthermore, a short description (‘layman’s description’) is indicated on the expense claim. Every DBC registration is also entered (pseudonymously) in a central government database: the DBC Information System (DIS). This database can be consulted among others by the Dutch Central Agency for Statistics (Centraal Bureau voor de Statistiek, CBS). Through linkage these DBC data can easily be tracked back to private individuals. All of this constitutes a violation of the medical privacy (of patients) and the professional confidentiality (of medical specialists) in medical healthcare, including curative mental healthcare. A few years ago a number of independent psychiatrists & psychotherapists (being represented among others by the KDVP Foundation and the DeVrijePsych) rightly alarmed the NZa about this. However, their objections against the DBC system were declared unfounded by the NZa, after which legal action with the CBb followed. In August 2010 the CBb decided in favour of the psychiatrists & psychotherapists: the NZa was summoned to henceforth exclude them from the DBC system. However, the NZa happened to be reluctant to live up to the verdict, after which new proceedings with the CBb followed to reconfirm the earlier verdict. In its verdict of 8 March 2012 the CBb judged that the NZa has not lived up to the earlier verdict:

‘‘Based on what was stated earlier, the question whether or not [the NZa], in its new decision on appeal, has in the right way implemented the earlier verdict of the CBb, has to be answered in the negative.’’ (para. 5.33)

The guiding consideration in the earlier verdict of the CBb reads as follows:‘‘Providing diagnosis data about individual patients to health insurance companies violates the medical privacy of these very patients. Appellants have extensively elucidated which objections - from the perspective of the patient, the treatment and that of the professional confidentiality - are linked to the passing on of this sort of information to third parties that are not involved with the treatment. In the view of the CBb these objections are substantial: it concerns diagnoses that affect the core area of private life of the individuals involved, which makes information about this very privacy-sensitive. In addition, when it comes to the treatment of mental disorders confidentiality and secrecy are of great importance, as appellants have maintained.’’ (para. 2.4.4.3)

In the new verdict the CBb obliges the NZa to design an opt-out privacy regulation for the provision of diagnosis data for the treatment of mental disorders within the Mental Health Sector:

‘‘The outcome of the modification to the expense claim-system will in any case need to be that the obligation to indicate the diagnosis-classification code, as well as the obligation to indicate other data on the expense claim with which a diagnosis can be deduced, will be discontinued as such.’’ (para. 5.42)

In this context the CBb concludes on the one hand that the NZa (and the Dutch Ministry of Health) has the competence to realize this, and on the other hand that an exemption regulation (opt-out) is very well achievable. As the brand-new winner of a Dutch 'Big Brother Award', this is an excellent opportunity for Minister of Health Edith Schippers to restore her reputation with regard to privacy by closely monitoring the NZa’s implementation of the verdict. Privacy First is keen on keeping an eye on this.

Update 10 June 2012: Meanwhile the NZa has lived up to the verdict of the CBb by adjusting its rules. As of 7 June 2012, new NZa-policy rules within the Mental Health Sector apply according to the ‘letter and the spirit’ of the CBb:

1. In order to protect their privacy, patients who undergo psychiatric or psychotherapy treatment can reject indicating the diagnosis on the expense claim. In case patients want to make use of their health insurance, they must compose a ‘privacy statement’ together with the practitioner and send it to their insurance company. In that case it’s no longer compulsory to indicate the diagnosis. However, the medical advisor of the health insurance company may make inquiries respecting patient confidentiality.

2. For patients who pay for themselves, indicating the diagnosis is no longer compulsory. There is no need for a privacy statement.

3. In these two cases sending DBC registrations to the DBC Information System (DIS) is no longer compulsory either.

You can find more about this HERE on the weblog of the DeVrijePsych (in Dutch). Click HERE to read the entire decision (in Dutch) by the NZa dated 7 June 2012.

Update 7 July 2012: Privacy First appears to have been celebrating too soon: The KDVP Foundation appeals to the new policy rules of the NZa. ‘‘The opt-out regulation designed by the NZa is incomplete, ineffective and in practice it is hence useless with regard to insured healthcare within the Mental Health Sector’’, KDVP states on its website. Among other things, the NZa appears to have ‘‘failed to provide the necessary information about the introduction of a privacy opt-out regulation for the Mental Health Sector’’ and has insufficiently defined the regulation in order to prevent that diagnosis data can (still) be exchanged. With the current opt-out regulation it can in fact not be prevented ‘‘that diagnosis data can still be deduced from codifications and declared amounts of money.’’ You can read the entire point of view of the KDVP Foundation HERE (in Dutch). It would be to the credit of the NZa if it were to mend the flaws in the opt-out regulation that were ascertained by the KDVP Foundation as soon as possible.
Published in Medical Privacy
Thursday, 23 February 2012 16:33

Privacy First Annual Report 2011

"In the first decade of the 21st century the right to privacy in the Netherlands has come under enormous pressure. On the one hand this has been the result of the collective mindset after '9/11', in which there seemed to be ever less room for classic civil rights such as the right to privacy.  On the other hand it was the outcome of rapid technological developments that brought along inherent privacy risks. Examples of this are the rise of the Internet, mobile telephony, camera surveillance and biometrics, all of which are technologies that are intended to serve Mankind but that could just as well disrupt society. For example through abuse or ill-thought out use without proper privacy guarantees. An ICT dream can then quickly turn into a societal nightmare. These observations were the reason the Privacy First Foundation was founded in March 2009. Only a few months later (in the summer of 2009) the first turning point in Dutch society was perceivable: the storage of fingerprints under the new Dutch Passport Act led to a torrent of criticism, courtesy also of the pressure exerted by Privacy First. This subsequently acted as a societal lever:  due to all the fuss surrounding the Passport Act a widely supported Dutch privacy movement came to life. Since then Privacy First has gradually expanded its area of work while the theme of privacy has climbed ever higher on the agenda of Dutch society..."

Read further pdfHERE in Privacy First's annual report 2011!

Published in PR Downloads
Wednesday, 01 February 2012 13:36

Your fingerprints in the Twilight Zone

In almost all of the lawsuits that are pending against the new Dutch Passport Act, there is one important subject that has so far been little exposed: the use of sensitive personal data by secret services. In this case it’s about biometrics: digital facial scans and fingerprints that end up in all sorts of databases through people's passports and ID cards. At the moment those databases are still only in the hands of municipalities and the passport manufacturer in Haarlem (Morpho, previously called Sagem), in the future they will undoubtedly end up elsewhere too, eventually worldwide. In that sense every Dutchman is a potential globetrotter: in the long term your fingerprints and facial scan may be available even in the farthest corners of the world. Not only in the databases of ‘allies’, but also in the databases of countries with which those ‘allies’ have in turn concluded (possibly secret) exchange agreements. And this is all but transparent. Neither is it publicly known what secret services are willing to use our biometrics for. A Privacy First employee who was eager to examine this for the Dutch Scientific Council for Government Policy (Wetenschappelijke Raad voor het Regeringsbeleid, WRR) soon encountered a wall of research restrictions. So for the time being all we can do is guess... Possible intelligence purposes of biometrics are: 1) identification of suspects unwilling to talk and ‘interesting’ persons in public space, 2) recognition of emotions and lie detection, 3) the use or recognition of doubles, 4) espionage, etc. The first purpose (identification) is being facilitated by the Radio-frequency identification (RFID)-aspect of the biometric chip in your passport or ID card. It’s precisely because of this that the chip can be read from a distance.  

Back to the main subject: the use of sensitive personal data by secret services. Today this is as easy as pie: many people unashamedly put half of their private lives on the internet, for instance on Facebook. And if the information can’t be found on the internet, it can be traced in databases of companies and the government. In the way you in your student days perhaps once turned on the TV with a pool cue without leaving your lazy armchair, secret services can nowadays conjure up your whole life including your fingerprints merely at the press of a button. But is this actually allowed? And in this respect, does it make any difference if your fingerprints are stored are stored 1) by the municipality, 2) in a central database or 3) by a passport manufacturer? ‘‘Yes, that’s allowed’’ and ‘‘no, it doesn’t matter where they’re stored’’, the Dutch State consistently implied until mid-2011 through the State attorney:    

‘‘Fingerprints will also have to be supplied to the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst, AIVD) and the Military Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst, MIVD). The provision of information to these services is regulated in Article 17 of the Intelligence and Security Services Act (Wet op de Inlichtingen- en Veiligheidsdiensten, WIVD). This already applied prior to the coming into force of parts of the modified Passport Act and it will be no different now that it’s been modified. The mention in Article 4b, paragraph 2(d) Passport Act (‘state security’) was merely motivated by transparency reasons.’’
(Source: Statement of Defence in the Passport lawsuit by Privacy First dated 28 July 2010, para. 2.17; repeated word for word in, among other things, the statements of defence of the State in the Passport lawsuits by Van Luijk dated 29 October 2010 & 10 June 2011 (paras.
3.17 & 5.8 respectively) and Deutekom dated 23 November 2010, para. 4.17.)

So there the State claims that basically nothing would change with the introduction of the Passport Act since the AIVD would already have had the opportunity to make a request for your fingerprints. Meanwhile however, the development of a central biometric database has been put on hold which means your fingerprints are stored ‘only’ relatively shortly by the municipality and the manufacturer. From a legal point of view this is what the discussion now revolves around. For instance on 27 October 2011 before a single judge at the district court of Amsterdam:

Judge: ‘‘Yes, I just wondered, madam [State attorney], you’re saying that Mr’s fear that intelligence and security agencies have access to his personal data - his fingerprints and facial scan -, is taken actually away by Article 65 [Passport Act].’’
State attorney: ‘‘Article 65 only applies to fingerprints.’’
Judge: ‘‘Mr [X] has pointed at Articles 17 to 34 of the Intelligence and Security Services Act. How do you see that?’’
State attorney: ‘‘I can very briefly say something about how you should see this in relation to each other. (...) The point is, quite a few things have of course been said about this in the legal history of this case. So when does the possibility of access arise: once you have a central administration with a biometric search function. There are all sorts of regulations but it’s not as if the AIVD could come up with a fingerprint and say to the municipality ‘show us who this fingerprint belongs to’. But that possibility, it isn’t there. There is simply no biometric search function. In that area the only possibility of what municipalities can do in providing fingerprints, is making a print of it, which comes down to: a sheet of paper with dots. That is the rendering on paper of those fingerprints. Provided the AIVD has complied to the regulations under which they can make a request for information on the basis of the WIVD, it could provide a name to the municipality where the person concerned is registered and could then make a request for personal data. For as far as such a request would concern fingerprints, it wouldn’t thus be any more than a printed page with those dots. So it can never happen, and this is the important point, that the AIVD would come up with fingerprints and say: ‘who are these fingerprints from?’’’
Attorney: ‘‘This is not what my client fears. My clients fears that the AIVD says: ‘we want to see the fingerprints of Mr [X]’.’’
State attorney: ‘‘If the AIVD would like to have the fingerprints of Mr [X], then it wouldn’t need the travel documents registration. They’re on these items over here, so to speak, on this cup...’’
Attorney: ‘‘Well I don’t see anyone of the AIVD taking fingerprints of my client, and it’s not just about him, it’s about him saying: ‘I find it to be in conflict with my conscience to cooperate because in that way the fingerprints of all Dutch citizens could be requested for by the AIVD.’ Not just his, but everyone’s.’’
Judge: ‘‘With the legislation that is in place now, would it be practically possible for the AIVD to step up to the municipality of Amsterdam and say: ‘we would like to have the fingerprints of Mr [X]?’’’
State attorney: ‘‘Eeehm, well [inaudible], Article 65 second paragraph [Passport Act] dictates that fingerprints may only be requested for the application and issuance of a passport. As far as the AIVD would be allowed to make a request for those data on the basis of its own legislation, they wouldn’t be able to obtain anything more than those printed dots because the municipality can’t offer anything different than that.’’
Interruption from the audience: ‘‘They can through [passport manufacturer] Morpho.’’
Judge: ‘‘You are not a party in this lawsuit. I have to ask you not to take part in the litigation.’’

So merely a ‘print with dots’, according to the State attorney. Demanding fingerprints at the passport manufacturer unfortunately was not discussed during the court session. Subsequently the case was redirected within the district court of Amsterdam to a court session with three judges. On 25 January 2012 this point of discussion was again briefly discussed:

Judge 3: ‘‘And what if the information is in the hands of the manufacturer?’’
State attorney: ‘‘Eeeeeeeehm... On what basis would the manufacturer be allowed to provide those data?’’
Judge 3: ‘‘That’s what I’m asking you.’’
To this question no clear answer was given by the State attorney, just a vague reference to Article 65, paragraph 2 of the Passport Act. Then a painful silence followed... and the judges didn’t ask any further questions.
Judge 3: ‘‘And Mr [attorney of X], what’s your take on this point?’’
Attorney: ‘‘I have a different view! [laughter from the audience]
The attorney of X subsequently extensively refers to the relevant legal history of the Passport Act and the provisions of the WIVD 2002.
State attorney: ‘‘Even if the AIVD would be able to make a request for fingerprints on the basis of Article 17 WIVD, then they would never get anything more than a printed page with those dots.
(...) They would get a printed page with the fingerprints, which is a printed page with dots.’’ A little later, after having been verbally informed by a civil servant of the Dutch Ministry of the Interior: ‘‘I’ve said something wrong. I said you get a printed page with dots, but now I understand you get a printed page with an image.’’

Hence, after a dozen court sessions about the Dutch Passport Act, the official clarification by the Dutch State on the use of fingerprints by secret services goes as follows: ‘‘a print with an image, from the municipality’’. The question thus remains whether digital requests can also be made to 1) the municipality and 2) the passport manufacturer, and if so, what exactly happens with it. The same goes for facial scans. The upcoming court session in the Passport Act saga will be on Monday, 2 April 2012 (11.00 am) at the Dutch Council of State (Raad van State). It will then be up the Council to clarify this case after all and invite expert witnesses in case necessary.

Update 10 February 2012: As a result of the above article, written questions have been asked by Member of European Parliament Sophie in ‘t Veld to both passport manufacturer Morpho as well as to the European Commission. At the same time Member of the Dutch House of Representatives Gerard Schouw has asked similar Parliamentary questions to the Dutch Minister of the Interior Liesbeth Spies.

Published in Biometrics

"Die Niederlande wollen ab Sommer die Kennzeichen aller einreisenden Fahrzeuge erfassen. Zumindest für 90 Stunden pro Monat.

Die Niederländer haben einigen Ehrgeiz entwickelt, wenn es darum geht zu erklären, dass ihr neues Kamera-Überwachungssystem kein Zeichen dafür ist, dass sie mit den offenen europäischen Grenzen eigentlich gar nicht so zufrieden sind. »Diese Überwachung hat nicht den Charakter früherer Grenzkontrollen«, heißt es auf der Internetseite der niederländischen Botschaft in Berlin. Es gehe einzig darum, Menschenschmuggel, Menschenhandel und Geldwäsche zu verhindern, sagt Gerd Leers, Minister für Einwanderung und Asyl, unter dessen Federführung das Projekt läuft.

Niemand sollte etwas merken

Erklärungen das Ministeriums zum Kamera-Überwachungssystem lesen sich meist wie Rechtfertigungen, und weil man damit gerechnet hat, dass die Maßnahme auf einigen Widerstand treffen wird, sollte sie so eingeführt werden, dass möglichst Wenige etwas davon mitbekommen. Erst als niederländische Medien nachfragten, welchen Zweck die von ihnen entdeckten Kameras an einer Grenzen im Norden des Landes erfüllen, wurde das Projekt öffentlich.

Mittlerweile allerdings ist es für jeden offensichtlich, der über die Autobahn oder eine Nationalstraße in die Niederlande fährt. So zum Beispiel am Grenzübergang Vetschau, wo die A4 in die A76 mündet, in Höhe von Bocholtz. An einem Stahlträger über den Fahrbahnen sind mehrere Kameras in­stalliert. Noch seien sie nicht in Betrieb, sagt René Claessen, Sprecher der Koninklijke Marechaussee (niederländische Nationalpolizei) auf Anfrage unserer Zeitung, die Geräte befänden sich in der Probephase. »Die Kameras werden erst kurz vor dem Sommer aktiviert«, sagt Claessen. Zum Einsatz kommen sie an den 15 meist frequentierten Grenzübergängen. Fünf davon teilen sich die Niederlande mit Belgien, zehn mit Deutschland, die meisten liegen in NRW. Daneben ist geplant, weitere sechs mobile Kameras einzusetzen.

Nach Angaben des Ministeriums wird von allen vorbeifahrenden Fahrzeugen Vorderseite und Nummernschild fotografiert. Die gewonnenen Daten gehen an die Koninklijke Marechaussee, die sie mit eingespeicherten Risikoprofilen abgleicht. Bei einem Treffer wird das Fahrzeug angehalten.

»Umkehrung des Rechtssystems«

Niederländische Datenschützer kritisieren die Grenzüberwachung, die Stiftung »Privacy First« etwa spricht von einem »enormen Eingriff in die Privatsphäre«. Alle Fahrzeuge zu kontrollieren, um etwas Verdächtiges zu finden, sei eine »Umkehrung des Rechtssystems«. Auf einer von niederländischen Datenschützern betriebenen Internetseite (www.sargasso.nl) heißt es, dass die Nationalpolizei durch die Kameras die Möglichkeit bekomme, die Daten einreisender Fahrzeuge mit »allerlei schwarzen Listen abzugleichen«.

Minister Leers widerspricht dem. Die gewonnenen Daten würden übrigens auch nicht gespeichert. Die Kameras registrierten wohl, aus welchem Land ein Fahrzeug komme. Aber das könnte die Nationalpolizei ja jetzt auch schon feststellen, sagt Leers.

Nachdem Deutschland aus Sorge um den freien Verkehr zwischen den Mitgliedsstaaten bei der Europäischen Kommission Klage eingereicht hat, wartet diese auf mehr Informationen aus den Niederlanden. Leers kündigte an, er werde darauf hinweisen, dass die Kameras nicht gegen Datenschutz- oder Grenzkontrollbestimmungen verstießen. Zudem sollen sie höchstens 90 Stunden pro Monat Aufnahmen machen - von permanenter Grenzkontrolle könne keine Rede sein."

Source: Aachener Zeitung 24 January 2012, p. 5.

In November 2011, a German ZDF Television crew visited Privacy First for a quick interview about the new Dutch border surveillance system @MIGO-BORAS. Below is the item from ZDF Heute evening news:

"Mit einem Kamerasystem sollen an der niederländischen Grenze einreisende Autos kontrolliert werden. Kritik an der Überwachung üben sowohl Datenschützer als auch die EU-Kommission.

Wenn eine reflexartige Verteidigungshaltung ein Anzeichen für Nervosität ist, dann ist man dieser Tage wohl ziemlich nervös im niederlän­dischen Immigrationsministerium. Ein Sprecher des Ministers Gerd Leers ließ jedenfalls wissen, dass selbstverständlich »alles ordentlich geregelt« sei beim neuen Hightech-Großprojekt seines Hauses. Dabei hatte die Jungle World lediglich nach dem genauen Betriebsbeginn für das automatische Kamerasystem gefragt, das an 15 Autobahngrenzübergängen in Richtung Belgien und Deutschland installiert wurde und demnächst einreisende Fahrzeuge frontal fotografieren soll.

Über das Datum der Inbetriebnahme will das Ministerium derzeit keine näheren Angaben machen. Bekannt ist hingegen, dass die Kennzeichen mit Hilfe der Technologie »Automatic Number Plate Recognition« gelesen werden. Anfang Januar erklärte Minister Leers im TV- Magazin Eén Vandaag deren Funktionsweise: Überquert ein Fahrzeug mit verdächtigem Nummernschild die Grenze, »gibt das System einen ›Piepton‹ von sich, so dass der Grenzschutz weiß, hier kann etwas vorliegen«. Es würden »nur Verkehrsströme« analysiert, um »illegale Aktivitäten« zu verhindern, aber weder Kennzeichen noch persönliche Daten gespeichert, beteuerte der Christdemokrat.
(...)
Datenschützer überzeugt das nicht. Die Stiftung Privacy First spricht von einem »enormen Eingriff in die Privatsphäre«. Ein solcher sei nur bei konkretem Verdacht einer strafbaren Handlung zu rechtfertigen, sagt Stiftungsdirektor Vincent Böhre. Alle Fahrzeuge zu kontrollieren, um bei irgendeiner Person etwas Verdächtiges zu finden, sei dagegen eine »Umkehrung des Rechtssystems«. Privacy First befürchtet, die gewonnenen Daten könnten je nach Bedarf mit schwarzen Listen der Polizei, der Staatsanwaltschaft oder des Geheimdienstes verglichen werden.

Die Regierung bestreitet diese Absichten. Doch birgt »Amigo-Boras« noch immer die Gefahr des function creep, also der Benutzung der Technologie zu anderen Zwecken als dem ursprünglich vorgesehenen. Wie naheliegend dies im Fall der Grenzkameras ist, zeigt ein Blick auf ein aktuelles Gesetzesvorhaben. Demnach sollen künftig alle mit Kameras ermittelten Kennzeichen, beispeilsweise entlang der Autobahnen, zusammen mit Angaben über Zeitpunkt und Ort der Aufnahme vier Wochen lang gespeichert werden können. Bislang ging das nur, wenn ein bestimmtes Nummernschild im Rahmen polizeilicher Ermittlungen verdächtig war.

Der Journalist Dimitri Tokmetzis, verantwortlich für die Website sargasso.nl, die sich mit Fragen des Datenschutzes befasst, spricht von einer »de facto hundertprozentigen Kontrolle«. Dies verstoße gegen das Schengen-Abkommen. Kritisch äußert er sich auch über den Versuch, ein zukünftiges Verhalten durch die Erstellung eines bestimmten Profils vorhersagen zu wollen. Anhand ihres Nummernschildes würden Menschen mit Hilfe von anderen Kennzeichen wie Autotyp, Zeitpunkt und Häufigkeit des Grenzübertritts kategorisiert. Sowohl seitens der Regierung als auch der Medien wurde in diesem Zusammenhang mehrfach das Bild eines Kleinbusses bemüht, in dem osteuropäische Menschenschmuggler angeblich häufig einreisen.

Inzwischen interessiert sich auch die EU-Kommission für »Amigo-Boras«. Nachdem die deutsche Regierung aus Sorge um den freien Verkehr zwischen den Mitgliedsstaaten eine Klage in Brüssel eingereicht hatte, wurde Cecilia Malmström aktiv. Die EU-Kommisarin für Innenpolitik wandte sich im November mit der Bitte um mehr Informationen an die niederländische Regierung, um sicherzustellen, dass das Schengen-Abkommen durch die Pläne nicht verletzt werde. Zu Jahresbeginn sagte Malmströms Sprecher Michele ­Cercone, das weitere Vorgehen hänge von der Antwort der niederländischen Regierung ab. Laut Minister Leers sei diese Anfang des Jahres zu erwarten. Bis Mitte Januar lag sie noch nicht vor.
(...)
Bereits seit 2005 wird an den Grenzkameras gearbeitet. Die Regierung der Niederlande bemüht sich, Bedenken zu zerstreuen. Nach dem Schreiben Malmströms sagte Minister Leers, die Kameraüberwachung verstoße keinesfalls gegen das Schengen-Abkommen. Beabsichtigt seien nur Stichproben, weshalb die Kameras pro Grenzübergang nicht länger als 90 Stunden monatlich zum Einsatz kämen. Das tägliche Limit soll bei sechs Stunden liegen. Wie eine solche Beschränkung gewährleistet werden soll, sagte der Minister nicht. Vorläufig ist die für Januar geplante Einführung des Grenzüberwachungssystems auf kommenden Sommer verschoben worden. Bis dahin stehe eine »verlängerte Testphase« an. Mit den Mahnungen aus Brüssel, heißt es im Ministerium, habe die Verzögerung aber nichts zu tun. Vielmehr steckten »operationelle Gründe« dahinter."

Read the entire article in German weekly Jungle World HERE, or click HERE for an 'English version' in Google Translate.

Page 13 of 17

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon