EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Nerd Harder To Backdoor Encryption

from the that's-now-how-any-of-this-works dept

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that's not how they put it. They say they just want "lawful access" to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new "Draft Council Resolution on Encryption" has come out as the EU Council of Ministers continues to drift dangerously towards this ridiculous position.

We've seen documents like this before. It starts out with a preamble insisting that they're not really trying to undermine encryption, even though they absolutely are.

The European Union fully supports the development, implementation and use of strong encryption. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline.

Uh huh. That's basically we fully support you having privacy in your own home, except when we need to spy on you at a moment's notice. It's not so comforting when put that way, but it's what they're saying. Then there's a lot of nonsense about how encryption is creating a "challenge" for public safety, even though there is no evidence at all to support this claim. The reality is that law enforcement has access to more data and more tools than ever before in history. That one small fragment of it might sometimes be encrypted, is not an issue. And it's certainly not an issue that requires the wholesale destruction of end-to-end encryption. But, of course, that's not where the EU is coming out on this.

Instead, it concludes with the inevitable "nerd harder" bullshit argument without ever explaining how this can be done (answer: because it cannot be done safely).

Moving forward, the European Union strives to establish an active discussion with the technology industry, while associating research and academia, to ensure the continued implementation and use of strong encryption technology. Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality.

Since there is no single way of achieving the set goals, governments, industry, research and academia need to work together to strategically create this balance.

This is the same old garbage we've seen before. Technologically illiterate bureaucrats who have no clue at all, insisting that if they just "work together" with the tech industry, some magic golden key will be found. This is not how any of this works. Introducing a backdoor into encryption is introducing a massive, dangerous vulnerability that basically takes the secure walls of a house and rams a giant tank through the side. It's not adding a special key for law enforcement. It's breaking the very foundation of how end-to-end encryption works, and introducing a wide variety of shaky dangerous elements that they insist will never get exploited. But, with encryption, any vulnerability inevitably gets exploited.

Attacking end-to-end encryption in order to deal with the miniscule number of situations where law enforcement is stymied by encryption would, in actuality, put everyone at massive risk of having their data accessed by malicious parties. It's incredibly clueless and incredibly shortsighted.

And it's absolutely stunning that it's coming from the EU. After all, we keep hearing how the EU believes in "privacy" and "data protection" much more than the US. We hear stories about the lessons learned from World War II about how governments can abuse access to the private information on citizens. Indeed, the EU courts recently blew up the EU/US "Privacy Shield" agreement regarding transferring data from the EU to the US because of NSA surveillance efforts that cannot guarantee EU data remains protected.

And then they turn around and want to destroy encryption? Incredible.

At this point, this is nothing more than a draft policy paper from the Council. A lot more needs to happen before this becomes anything resembling a law in the EU. But just the fact that this continues to lurch forward, pushed by ridiculously ignorant bureaucrats is hugely problematic. People in the EU need to speak up loudly about what a mess this is.

Filed Under: backdoors, encryption, end-to-end encryption, eu, eu council, lawful access

Article 13 Was Purposefully Designed To Be Awful For The Internet; EU Moves Forward With It Anyway

from the just-admit-it dept

As was widely expected, even if it's unfortunately, on Friday evening the EU Council voted to move forward with the latest draft of the EU Copyright Directive, including the truly awful "compromise" version of Article 13 hacked out by the Germans and the French. This happened despite the fact that there's basically no one left who supports this version of Article 13. The public is widely against it. The internet companies are against it. And, perhaps surprisingly, even the legacy copyright companies -- who pushed so hard for this -- are still angry about the result, which they insist is too lenient on the internet.

I've been left scratching my head over why the copyright holders are still pushing for more here. To be clear, the version that the EU Council approved last week would fundamentally change the internet in a massive way. It would, effectively, make it nearly impossible for any website to ever host any user-generated content. In nearly all cases it would require expensive and problematic upload filters. In the few "exceptions" to that, it would still require a massive amount of concessions from internet platforms to avoid liability.

However, the reality here is simple: Article 13 (and, to a lesser extent, Article 11 with its snippet tax) is purposely designed to be awful. The supporters of these efforts keep insisting that it's not going to harm the internet at all, and that it's just about "closing the value gap" or "making the playing field even" or other nonsense along those lines. They insist that it won't create any harm to user-generated content platforms, or to legitimate, non-infringing works. Given that we've already seen how these kinds of systems work in practice, everyone knows that's a laughably false proposition.

However, a bit of truth came out a few weeks back, when Axel Voss, the MEP pushing this Directive forward, put out a "Q and A" page attempting to defend both Articles 11 and 13. We walked through that page sentence by sentence to debunk it, but I kept thinking about why the EU and Axel Voss would push such utter nonsense. Normally, politicians at least try to put forth a flimsy attempt at pretending they're based in reality. But not here.

However, in rereading the "answers" to the questions in the document, the whole thing makes sense under one, and only one, condition: if Articles 11 and 13 are purposefully designed to be internet-destroyingly awful, then the belief is that it will force internet platforms to negotiate some sort of "global licensing" deal. Professor AnneMarie Bridy made this point last month, in noting the following:

But, as you read through Articles 11 and 13 and Voss's "answers" and the comments from the legacy copyright players, it all "makes sense" if you believe the entire point of these bills is not to set up a system whereby the internet companies are installing actual filters and blocking infringing works. Rather, they only make sense if the goal is to make things so goddamn awful for the internet companies that they pay the legacy copyright holders not to sue them. Indeed, the Q&A comes the closest to saying exactly this:

Large online platforms and news aggregators will have more reason than currently is the case to strike fair remuneration (licensing) agreements with artists and media houses who would have identified themselves beforehand as the owners of a piece of work. A platform or news aggregator will be further incentivised to strike such agreements because, in the absence of them, it would be directly liable if it hosts a piece of work with an unpaid licence fee. The current legislation offers more wiggle room for platforms to absolve themselves from this liability.

As we pointed out last time, this is utter nonsense, as nothing in the draft actually sets this up. But it does make sense if the entire point of the bill is to be so onerous as to be impossible -- creating a shotgun situation in which the platforms feel the need to pay off the copyright holders not to sue them (jokingly referred to here as "licensing agreements.") This is why the copyright holders are so upset about any form of safe harbor or any way in which platforms might avoid massive, crippling liability. Because if there's a path to abide by the law, then there will be less incentive to pay off Hollywood not to sue. It goes on:

The draft directive will not be the source of censorship. By increasing legal liability, the draft directive will increase pressure on internet platforms/news aggregators to conclude fair remuneration deals with the creators of work through which the platforms make money. This is not censorship.

Again, this makes no sense, as the entire point of the draft directive is increased censorship... unless every internet platform pays off Hollywood to leave them alone.

And, again, as Prof. Bridy rightly points out above, all of this only makes sense in the context where there is a fairly small number of rightsholders and an even smaller number of internet platforms, who can gather together and hash out "don't sue us" deals (i.e., "licenses" < -- sarcastic quotes implied). And, again, that only works if the actual provisions of Articles 11 and 13 are so laughably stupid, so ridiculously onerous, so painfully destructive, that the internet platforms are left with no choice (well, that, or shut down, which many would likely have to do).

And thus, it would be better for all involved if Hollywood, the big news publishers, and the record labels just admit this upfront. The entire point of Articles 11 and 13 are that they are awful and destructive to the internet. It is a form of regulatory extortion. "Pay us, or we destroy your internet." At least admitting that would be intellectually honest.

Still, given that, wouldn't it be better for Axel Voss and others to just do what clearly is intended here and write a law that is a lot more honest and just says "Google and Facebook need to pay &euro:X amount to satisfy these flopping legacy industries that failed to innovate." At least that would be much more direct and honest. But, alas, it appears that's wishful thinking. Instead, the EU Parliament will now gather with the EU Council and EU Commission for a new round of "trilogue" negotiations, where everyone will pretend that there's some good reason for this set of regulations, when even the key rationale in support of the effort is that following the law will be so painful and so destructive that the internet platforms will pay off copyright holders to avoid having to comply.

Filed Under: article 11, article 13, copyright, eu, eu copyright directive, eu council, licensing
Companies: facebook, google

EU Copyright Directive Has Been Made Even More Stupid, And Some Are Still Trying To Make It Even Worse

from the yet-it-moves-forward dept

So yesterday, we noted that Article 13 was back on thanks to an apparent "compromise" between the French and the Germans as to whether or not small internet platforms would be exempted from Article 13. France was pushing for no exemption and that the same rules apply to everyone, while Germany demanded some protections for smaller companies (those making less than €20 million per year). We knew, according to the reports coming out of Brussels, that France had won, but now the details have come out and it's worse than we thought.

The new plan does have an "exception" for small companies, but it is so ridiculous as to be non-existent. To qualify, a company has to be:

• Less than 3 years old
• Have less than €10 million in revenue
• Have less than 5 million uniques per month

As Julia Reda points out, this basically means almost no platform will qualify for the exemption (and it gets worse from there, but hang on):

Upload filters required

• Discussion boards on commercial sites, such as the Ars Technica or Heise.de forums (older than 3 years)
• Patreon, a platform with the sole purpose of helping authors get paid (fails to meet any of the three criteria)
• Niche social networks like GetReeled, a platform for anglers (well below 5 million users, but older than 3 years)
• Small European competitors to larger US brands like Wykop, a Polish news sharing platform similar to Reddit (well below €10 million turnover, but may reach 5 million visitors and is older than 3 years)

And, yes, it would also likely apply to our comments as well. We don't make €10 million per year, nor do we have 5 million monthly uniques... but we are way older than 3 years old. Even for the tiny number of companies who do qualify for the exception, the text of the directive still demands that they make "best efforts" to license the works. In other words, the whole thing sets up a shotgun negotiation where any platform will be required to license all content, which means that license holders can set any rate they want, and if you don't license, they can accuse you of violating the law. This is madness:

On top of that, even the smallest and newest platforms, which do meet all three criteria, must still demonstrate they have undertaken “best efforts” to obtain licenses from rightholders such as record labels, book publishers and stock photo databases for anything their users might possibly post or upload – an impossible task. In practice, all sites and apps where users may share content will likely be forced to accept any license a rightholder offers them, no matter how bad the terms, and no matter whether they actually want that rightholder’s copyrighted material to be available on their platform, to avoid the massive legal risk of coming in conflict with Article 13.

Hey, and it gets even worse. Whereas in the older draft, it at least required copyright holders to tell platforms what was infringing, that's now been removed:

If you can't see that, it shows that the draft of the text has removed the notice requirement for copyright holders to alert platforms to any infringing material, directly removing the phrase "for which the rightsholders have provided the service providers with the relevant and necessary information or submitted a notice..." In other words, copyright holders don't even have to alert the platforms any more -- and platforms might still be deemed liable for any infringing content appearing on their platform. Even if they don't know about it. Which is insane.

Later on, the draft also removes a phrase that requires the copyright holders to work with the platforms, because that's apparently too much of a burden for the copyright holders:

I do wonder if this will get Hollywood and the legacy recording industries back on board.

However, here's the incredible bit. Despite Article 13 now being demonstrably even more ridiculous, the MEP in charge of pushing it forward, Axel Voss, is complaining that it's not idiotic enough yet. In response to this draft from the EU Council (which is expected to be approved on Friday), Voss stated:

“What France and Germany have agreed is a new safe harbor for small platforms, able to exist beyond what we already have today. It’s something we can’t accept,” Axel Voss said at a conference in the European Parliament.

Are you fucking kidding me? He's saying even that tiny, useless safe harbor that will apply to basically no one is too much?

Voss and the entertainment industry are going for broke here. They recognize this is their last best chance to really fundamentally change the internet. It is an attempt to completely wreck its intended purpose as a communications medium and turn it into a broadcast medium of licensed content controlled by gatekeepers (the legacy companies who used to control movies, music, news and books). Don't let them get away with this. Tell the EU Parliament that this is completely and totally unacceptable. EU Parliamentary elections are coming up in a few months, and any MEP should be told over and over and over again that voting to destroy the internet in this way means that they no longer deserve their job in the EU Parliament.

Filed Under: article 11, article 13, axel voss, censorship, copyright, eu, eu copyright directive, eu council, eu parliament, intermediary liability, licensing, safe harbors, upload filters

Article 13 Is Back On: Germany Caves To France As EU Pushes Forward On Ruining The Internet

from the bad-news-for-memes dept

When last we checked in on the EU Copyright Directive it had been put on hold when the European Council (with representatives from all the member states) didn't have enough votes to move forward on a so-called "compromise" draft. Most of the council rejected it for the right reasons -- though a few (including France) were holding out to make the law worse. Since then there has been an ongoing back channel negotiation between France and Germany over whose vision would win out. Both of them support very problematic versions of the Directive, though France's is worse. Specifically, France doesn't want any exemptions for smaller internet websites in Article 13 (which will effectively make internet filters mandatory), while Germany wanted to include at least some safe harbors for smaller sites. After a bunch of back and forth, it's now being reported that Germany has caved to France and will now support the Directive, with very little in the way of protections for smaller sites. This is on top of all the other awful stuff in the Directive, including mandatory filtering (that they pretend is not mandatory filtering), huge fines, and liability for any site allowing infringement. The draft apparently still includes a weird and mostly useless safe harbor for sites hosting user-generated content -- which is what made the legacy entertainment industry bail out on its support of the Directive.

So, to be clear, there is now a draft that is worse than the draft that couldn't get the Council's approval a few weeks ago, and that will have an even bigger impact on the internet by sweeping up tons of smaller sites as well as the larger ones, which will do serious harm to any sites that host user-generated content. And you can't find anyone -- outside of the company selling internet filters -- who supports this. The internet companies are all still against the bill. The legacy entertainment companies are whining that it doesn't go far enough.

And, yet, this draft is likely to be added back on the schedule for a meeting this Friday.

There is nothing good about this. The EU bureaucrats negotiating this get really, really annoyed by anyone suggesting that this bill will kill off "memes," but that's not an exaggeration. The bill is literally designed to make it impossible for a site that has not purchased licenses from everyone to allow users to post new content. Meme culture was built almost entirely on free and open message boards and social media, without licenses. But hosting such a site in the EU will now be effectively impossible -- or very, very expensive, with massive restrictions, filters and lockdowns. In such a world, it is difficult to see how new memes can take off, outside of a narrowly prescribed set of "officially sanctioned/licensed" memes -- and we all know what kind of quality that will bring.

This whole thing is an exercise in stupidity, brought about by a cynical legacy entertainment industry that made up a fake concept called "the value gap" that they insisted needed to be closed. And the only way to "close" it, according to the very same lobbyists, was to effectively turn off what made the internet great: the fact that it is, and has always been, an open medium for communication and sharing.

This can still be stopped, but it's going to rely on the EU Parliament actually having a backbone and saying that this is not acceptable. And that is going to require people in Europe to contact their MEPs and telling them not to wreck the internet.

Filed Under: article 11, article 13, copyright, eu, eu copyright directive, eu council, filters, france, germany, intermediary liability, mandatory filters, memes, safe harbors, trilogue negotiations

EU Cancels 'Final' Negotiations On EU Copyright Directive As It Becomes Clear There Isn't Enough Support

from the breaking:-the-internet dept

So, this is certainly unexpected. Just hours after we pointed out that even all of the lobbyists who had written/pushed for Article 13 in the EU Copyright Directive were now abandoning their support for it (basically because the EU was considering making it just slightly less awful), it appears that Monday's negotiations have been called off entirely:

Apparently multiple countries -- including Germany, Italy, the Netherlands and Poland -- made it clear they would not support the latest text put forth by Romania, and therefore would have blocked it from moving forward. Monday's negotiations were supposed to have been the "final" negotiations (after the previous "final" negotiations that didn't accomplish much) around a "compromise" bill that then would have gone out to be voted on by the EU Council, the EU Committee and the EU Parliament in the next few months. However, with the news of all those countries (via the EU Council) deciding to vote against the proposal, it effectively blocks it for now.

MEP Julia Reda now has the full breakdown of the votes, noting that 11 countries voted against the "compromise" text: Germany, Belgium, the Netherlands, Finland, Slovenia, Italy, Poland, Sweden, Croatia, Luxembourg and Portugal. That's... a pretty big list. Reda points out that most of those countries were concerned about the impact on users' rights (Portugal and Croatia appear to be outliers). That's pretty big -- as it means that any new text (if there is one) should move in a better direction, not worse.

As Reda notes, this does not mean that the Copyright Directive or Article 13 are dead. They could certainly be revived with new negotiations (and that could happen soon). But, it certainly makes the path forward a lot more difficult. Throughout all of this, as we've seen in the past, the legacy copyright players plowed forward, accepting no compromise and basically going for broke as fast as they could, in the hopes that no one would stop them. They've hit something of a stumbling block here. It won't stop them from still trying, but for now this is good news. The next step is making sure Article 13 is truly dead and cannot come back. The EU has done a big thing badly in even letting things get this far. Now let's hope they fix this mess by dumping Articles 11 and 13.

Filed Under: article 13, copyright, eu, eu copyright directive, eu council, intermediary liability, safe harbors

EU Council Presidency Presents Paper On Tackling Copyright Infringement That's Little More Than ACTA Reheated

from the forward-to-the-past dept

The political machine of the European Union is undergoing a major makeover. Elections recently took place for Members of the European Parliament, bringing in many new faces. Later this year, a new array of Commissioners will take up jobs in the European Commission. The third main player in the EU political system is the Council of the European Union, a more anonymous kind of body, which consists of a varying group of ministers from the 28 member states who meet to discuss key areas. It may be shadowy, but can provide important hints about what is happening behind the scenes in Brussels. For example, the Presidency of the Council, currently held by Italy (EU countries take it in turns), has just presented a "paper aimed at structuring the exchange of views on IPR enforcement" (pdf). It notes that the European Commission carried out a consultation on copyright recently, and comments that:

The current legislative framework is not necessarily fit for purpose in the digital environment.

That's undoubtedly true, as the public's massive response to the consultation confirmed. Sadly, though, the paper's "solutions" to updating copyright are basically straight out of the infamous Anti-Counterfeiting Trade Agreement (ACTA) we thought had been killed off in 2012. Here are the paper's first suggestions for how things could be updated and improved:

Clarify which tools are available to identify IPR infringers: clarify the retention and disclosure of personal data by intermediaries, in order to improve identification in case of commercial scale infringements while guaranteeing the protection of fundamental rights of individuals (thus avoiding abuses); clarify to what extent due diligence obligations such as « know your customer » are or should be imposed on intermediaries.

As that indicates, there is the troubling suggestion that the metadata retained by ISPs and telecoms in the EU -- data that we were assured had to be kept, but only for use in the fight against terrorism -- might be handy for tracking down people who make unauthorized copies of copyrighted material. After all, if it's sitting there, why not use it? "In case of commercial scale infringements" is just a fig leaf. For ACTA, which the European Commission helped draft, the following dangerously broad definition of the term (pdf) was used:

Acts carried out on a commercial scale include at least those carried out as commercial activities for direct or indirect economic or commercial advantage.

"Indirect economic or commercial advantage" includes just about everything. In that quoted section above, there's also a wonderful new euphemism for using intermediary liability to turn ISPs into the copyright police: "know your customers." The second suggestion builds on that idea:

Improve the efficiency of actions to stop IPR infringements through better involvement of intermediaries: clarify the notion of intermediary in the context of Directive 2004/48 (are payment and advertising service providers included ?), clarify the conditions for imposing injunctions on them (to what extent should intermediaries be involved in the infringement ?), clarify what type of injunction can be imposed on intermediaries (which measures ? should priority be given to the « follow the money principle » to deprive commercial scale infringers of the revenue flows that draw them into such activities?); clarify the duration of injunctions and the possibility of obtaining cross-border or even pan-European injunctions.

"Better involvement of intermediaries" - that's a close cousin of a phrase in ACTA:

Promote cooperative efforts within the business community to effectively address trademark and copyright or related rights infringement

Suggestion three in the new paper is as follows:

Improve the accessibility of judicial systems, in particular for SMEs: introduce fast track procedures for small claims.

Maybe "fast track" means this idea from ACTA:

Each Party shall provide that its judicial authorities have the authority to adopt provisional measures inaudita altera parte where appropriate

Translated into English, that means allowing a court hearing without bothering to give the accused a chance to defend themselves -- that would certainly save time. Finally, we have this:

Clarify the allocation of damages: increase the predictability of the amounts allocated and ensure that damages awarded are sufficient to cover the prejudice suffered

Again, that seems to be a throwback to another section of ACTA:

In determining the amount of damages for infringement of intellectual property rights, a Party’s judicial authorities shall have the authority to consider, inter alia, any legitimate measure of value the right holder submits, which may include lost profits, the value of the infringed goods or services measured by the market price, or the suggested retail price.

Although the phrasing may be a little different, it's striking how the same old bad ideas keep on turning up. It will be interesting to see how the new European Commission takes this forward -- although maybe "backward" would be a better description of where it is going.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: acta, copyright, enforcement, eu, eu commission, eu council, intellectual property

European Court Of Justice Hands Down Big Win For Transparency in Europe

from the nice,-but-lots-more-needed dept

After a five-year battle by Access Info Europe, Europe's highest court has made an important ruling that will help boost transparency in the European Union:

the European Court of Justice today rejected arguments by the Council of the European Union that it should be able to keep secret the identities of Member States making proposals in the context of negotiations on future EU legislation.

The Council of the European Union had fought to defend its policy of releasing legislative drafting documents with the names of Member States tabling amendments blacked out.

Access Info Europe won access to the document it requested before the General Court in March 2011 but the Council appealed, joined by the Czech Republic, France, Greece, Spain and the UK.

The Council of the European Union is one of three bodies that jointly run the European Union, along with the European Parliament and European Commission. Some countries wanted their names blacked out from official Council of the European Union documents because it would have revealed which of them had blocked or tried to water down proposals they were hostile to. Now that it will be possible to name and shame Member States that act in this way, they will probably be less willing to be seen objecting to important and popular measures.

As Access Info Europe explains:

This ruling means that members of the public at the national level will find it easier to know what is going on in Brussels, and will make it easier for national parliaments to follow and scrutinise the EU legislative process, and in particular the positions taken by delegations of Member States.

Helen Darbishire, Executive Director of Access Info Europe, is quoted as saying:

"We call on the Council to respect this ruling and to go a step further by henceforth proactively publishing documents containing legislative drafting positions of Member States on the Council's public register as soon as they are created, as this will allow the public to follow the decision making process."

Given the Council's dogged resistance to even minimal transparency, that's unlikely to happen, but at least things have started moving in the right direction.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: eu, eu council, eu court of justice, europe, transparency