25 Jun 2020

Open Letter: EDRi calls on IBM to clarify stance on facial recognition

By EDRi

On 25 June, EDRi sent an open letter to the CEO of IBM in response to their 8 June statement on racial equality and facial recognition in the US.

EDRi asked IBM to provide more information about what will change as a result of their commitment to end general purpose facial recognition, and whether these issues will lead to changes in IBM’s contracts and work in the EU.

In May 2020, EDRi’s 44 civil society organisations launched the first European coalition to call on the EU for a “Ban on Biometric Mass Surveillance” including public facial recognition. We agree with IBM that biometric surveillance technologies can have seriously damaging impacts on our rights and societies and have no place in a democratic society.

Read the full letter here or find it below:

Dear Mr. Krishna,
Chief Executive Officer of IBM

We are European Digital Rights (EDRi), a coalition of 44 digital rights organisations across Europe, working to protect fundamental rights in the digital environment. We read your recent statement on facial recognition with great interest and hope, and were pleased to see Amazon and Microsoft follow suit.

We, too, have been advocating for protections against the harms caused by invasive, discriminatory facial recognition and other forms of biometric mass surveillance, and are heartened to see influential companies such as IBM stepping up to take action. Our own call to action has urged the EU to ban biometric mass surveillance, and our members are working at a national level to increase awareness and drive positive changes to protect people from the threats of surveillance.

We would greatly appreciate the opportunity for a dialogue between IBM and EDRi to better understand the specific actions that you will be taking to act upon your recent commitments. It would be very powerful if we could show IBM as an example for other companies.

We will make this letter and your response public, and therefore would like to ask for your written reply by 10 July. We would also like to suggest a call to discuss the details of our questions in the meantime.

In particular, we are seeking insight into the following:

  1. Which existing contracts will be stopped/cancelled as a result of IBM’s new position?
  2. Which applications specifically will IBM stop developing and selling in response to the new position? Are there other applications that IBM would consider within the remit of this position, but which have already been stopped? When and why were they stopped?
  3. What are the features of the applications that will be stopped?
  4. Does IBM have government contracts at the moment that fall into these categories in the United States and elsewhere? Which governments are IBM’s business partners for facial (or other biometric) recognition, analysis or processing software products?
  5. In the statement, IBM states that it opposes use of technology for “mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency.” Are these values and principles reinforced in IBM’s contracts with clients/customers or in a human rights policy or statement? How is compliance with these values and Principles ensured?
  6. What are IBM’s structures, policies and processes to meet and demonstrate human rights compliance? Does IBM conduct human rights impact assessments or human rights due diligence on its products, in particular taking into account privacy concerns? Which stakeholders are included in IBM’s analyses?
  7. Was the recent statement developed in conjunction with human rights experts, and are any human rights experts supporting IBM with its implementation? Did IBM consult communities most impacted by use of its technology?
  8. In the statement, IBM speaks of “general purpose” technology. How do you define this, and does this mean that IBM anticipates that there will be exceptions? How are exceptions being justified, given the similarly violatory nature of both general purpose and specific purpose tools?
  9. Also linked to the “general purpose”, what specific purposes would IBM not support with your technology and by what criteria? What specific purposes would IBM therefore support?
  10. In the statement, IBM refers to “IBM facial recognition and software analysis”. Does IBM continue to (re)sell general purpose software from others?
  11. In the statement, IBM talks about “domestic law enforcement agencies”. What about military, border police, intelligence, security services etc?
  12. IBM places the statement in the context of federal policing, national policy and other US-specific areas. Is IBM taking action outside of the US context, recognising that such technologies are equally harmful in the EU and other regions?
  13. Will IBM apply the commitments in this statement to other areas of business or technologies such as smart city and smart policing projects?

We are looking forward to your response.

Sincerely,

Diego Naranjo, Head of Policy

24 Jun 2020

The threat on OTF as a wake up call for European digital sovereignty

By Diego Naranjo

Around 2 billion people in 60 countries are able to use the internet securely and without risks of being surveilled or censored. And all of this is thanks to the work done by a non-profit called Open Tech Fund (OTF) for only 15 million dollars a year. However, all of this may be over soon.

WTF is OTF?

OTF is an independent non-profit grantee of the United States Agency for Global Media (USAGM). OTF has supported crucial projects such as the security technology behind encryption in WhatsApp and Signal, discovering software vulnerabilities and creating censorship circumvention technologies that enable us to communicate securely. These secure technologies, although important for everyone, are obviously even more important for those who are at risk, such as human rights defenders, independent journalists, and individuals subject to censorship.

According to Save Internet Freedom Tech, there is a real risk (derived from corporate lobbying) that the new leadership at USAGM will “seek to dismantle OTF and re-allocate all of its US government funding to support a narrow set of anti-censorship tools without a transparent and open review process”. An open letter calling to ensure the work of OTF is open for signatures.

Digital sovereignty: a critical resilience strategy in Europe

For most of the critical infrastructures and services we use every day, public funding is essential. As renowned economist Mariana Mazzucato explains, the Internet itself, GPS, the touchscreen display in your device, as well as the voice-activated personal assistant (Siri) are all a result of public funding. The same is the case for Google’s algorithm, which was funded by the National Science Foundation.

The European Union has taken some positive steps in this direction recently, especially with the FOSSA pilot project and the Next Generation Internet initiative. The threats on OTF, whether they materialise or not, should be a wake-up call for a European Commission that has set “digital sovereignty” as one of the key goals for the current term. If digital sovereignty means something, it means building the infrastructures, helping to create services, funding research and supporting critical civil society that make Europe resilient to the security risks of an increasingly interconnected environment with growing remote work, as a post-pandemic society will need. If with a very humble budget of 15 million dollars OTF could do all of that, what could we in the EU do with a similar, or increased, budget? If digital sovereignty is to be a serious goal and not a buzzword, we need to direct resources to make that happen, sooner rather than later.

Read more:

Save Internet Freedom Tech
https://saveinternetfreedom.tech/

Taxpayers Helped Apple, but Apple Won’t Help Them (08.03.2013)
https://hbr.org/2013/03/taxpayers-helped-apple-but-app

Naomi Klein: How big tech plans to profit from the pandemic (13.05.2020)
https://www.theguardian.com/news/2020/may/13/naomi-klein-how-big-tech-plans-to-profit-from-coronavirus-pandemic

CEO of Open Technology Fund Resigns After Closed-Source Lobbying Effort (17.06.2020)
https://www.vice.com/en_us/article/935k5p/open-technology-fund-ceo-resigns

(Contribution by Diego Naranjo, EDRi Head of Policy)

24 Jun 2020

COVID-Tech: COVID-19 opens the way for the use of police drones in Greece

By Homo Digitalis

In EDRi’s series on COVID-19, COVIDTech, we explore the critical principles for protecting fundamental rights while curtailing the spread of the virus, as outlined in the EDRi network’s statement on the pandemic. Each post in this series tackles a specific issue at the intersection of digital rights and the global pandemic in order to explore broader questions about how to protect fundamental rights in a time of crisis. In our statement, we emphasised the principle that states must “defend freedom of expression and information”. In this fifth post of the series, we take a look at the issue of drone surveillance in Greece, and the legal provisions that have allowed it to emerge.

The COVID-19 pandemic has given rise to conventional and unconventional technologies deployed by public authorities across the EU to combat its spread. Some of these technologies have raised serious concerns as regards privacy and data protection of individuals. The use of drones for surveillance purposes is one such technology.

In October 2019, Greek law-makers reformed, via the Presidential Decree 98/2019, the applicable rules on police drones. The new legislation allows for the Hellenic Police to broadly use drones in policing and border management activities. We must bear in mind that before the adoption of these new provisions, the Hellenic Police could not deploy drones for such activities. Instead, police drones were allowed to be used in activities such as the prevention of forest fires or in search & rescue activities in the event of a natural disaster or in the aftermath of an accident.

A few months after the adoption of these new rules, in spring 2020, the Hellenic Police already managed to use them to their full extent, in order to ensure compliance with the lockdown measures against COVID-19.

A brief assessment of the new legal rules on police drones

The Presidential Decree 98/2019 consists of only one (!) paragraph and provides that the police may use drones to facilitate air support to policing, surveillance and transmission of information to ground police forces. This information may regard various police duties, such as:

  • “preventing and combating crime”,
  • “tackling illegal migration in border regions”, and
  • “controlling order and traffic”.

These cases are described in the law rather vaguely, which, in addition to the broad scope of the duties themselves, leaves wide room for interpretation in the hands of the police as to the cases in which they may employ drones and the information they may collect and share. The Presidential Decree does not specify, for example, that drones could be used only to fight serious crime subject to prior judicial authorisation. Thus, the new rules allow for an indiscriminate and blanket use of drones for any kind of policing and border management activities, opening the way for drone operations even for petty theft crimes without any prior authorisation.

Moreover, it is highly possible that during drone operations, images and video footage of identifiable individuals will be captured. Given the indiscriminate permission of the use of drones, the state surveillance in public spaces is likely to increase and create a serious interference with human rights such as privacy, data protection, freedom of expression and freedom of assembly. Thus, such a use could lead to a massive increase in the capabilities for omnipresent state surveillance, and catalyse human rights abuse.

Additionally, the applicable European and national data protection legislation shall be in force when personal data are processed and form part of a filing system or are intended to form part of a filing system. However, the Presidential Decree 98/2019 does not provide any details regarding data processing activities related to the use of drones. Moreover, it does not provide any safeguards or specific control mechanisms protecting against the abusive use of drones by the Hellenic Police (such as the retention period of the data collected, information to be made available to the data subjects, records of processing activities, logging, designation of a data protection officer, etc.). Finally, articles 27-28 of the Law Enforcement Directive and articles 65 & 67 of the Greek Law 4624/2019 foresee that the Hellenic Police shall, prior to any processing activities that use new technologies, consult the Hellenic DPA and carry out a data protection impact assessment. However, the Presidential Decree omits any reference to such obligations.

The use of drones during the COVID-19 lockdown measures

In April 2020, numerous news media reported that the Hellenic Police would deploy drones during the Easter holidays to ensure compliance with the lockdown measures against COVID-19. In addition to this, in April 2020 the Hellenic Deputy Minister of Citizen Protection, Mr. Oikonomou, confirmed that the Hellenic Police aimed to deploy drones during the Easter holidays in order to ensure compliance with the movement restriction measures related to COVID-19. These drones were used in urban areas, such as Athens and Thessaloniki, aiming at monitoring the population’s movement.

In April 2020 Homo Digitalis filed an official query with the Ministry of Citizen Protection requesting more information about this deployment and notified the Hellenic DPA in this regard. The reply to this query is still pending. Moreover, Homo Digitalis published a related report analysing in depth all the aforementioned legal issues and highlighting the serious risks that arise from the deployment of drones by the Hellenic Police.

Homo Digitalis keeps a close eye on the related developments. For example, in June 2020 the Hellenic Police announced a public procurement contract of 136.000 euro for the acquisition of two drones in the context of the project HEFESTOS (Hellenic anti-Fraud Equipment and relevant trainings for Strengthening the Operability against Smuggling), while a few days ago the Western Greece Region concluded a contract with the Hellenic Police in order to acquire drones for policing activities within the framework of the project INTERREG 2014-2020. Finally, news media reported that drones are soon to be deployed in the Evros border with Turkey, as well.

Read more:

Ban Biometric Mass Surveillance! (13.05.2020)
https://edri.org/wp-content/uploads/2020/05/Paper-Ban-Biometric-Mass-Surveillance.pdf#page=14

(In Greek) Homo Digitalis, COVID-19 and Digital Rights Issues (22.04.2020)
https://www.homodigitalis.gr/wp-content/uploads/2020/04/HomoDigitalis_Report_COVID19_and_Digital_Rights_in_Greece_22.04.2020_Final.pdf

(In Greek) Official Query to the Ministry of Citizen Protection (30.04.2020)
https://www.homodigitalis.gr/posts/6579

(In Greek) Presidential Decree 98/2019 (25.10.2019)
https://www.kodiko.gr/nomologia/document_navigation/570607/p.d.-98-2019

Homo Digitalis
https://www.homodigitalis.gr/

(Contribution by Eleftherios Chelioudakis & Antigoni Logotheti, from EDRi member Homo Digitalis, Greece)

24 Jun 2020

French Avia law declared unconstitutional: what does this teach us at EU level?

By Chloé Berthélémy

On 18 June, the French Constitutional Council, the constitutional authority in France, declared the main provisions of the “Avia law” unconstitutional. France’s legislation on hate speech was adopted in May despite being severely criticised from nearly all sides: the European Commission, the Czech Republic, digital rights organisations and LGBTQI+, feminist and antiracist organisations. Opposed to the main measures throughout the legislative process, the French Senate brought the law before the Constitutional Council as soon as it was adopted.

The Court’s ruling represents a major victory for digital freedoms, not only for French people, but potentially for all Europeans. In past years, France has been championing its law enforcement model for the fight against (potentially) illegal online content at the European Union (EU) level, especially in the framework of the Terrorist Content Regulation, currently in hard-nosed negotiations. The setback received after the Constitutional Court’s decision will likely re-shuffle the cards in the current and future European content regulation-related files.

The Avia law is “not necessary, appropriate and proportionate”

In its decision, the Constitutional Council held that certain provisions infringe “on freedom of speech and communication, and are not necessary, appropriate and proportionate to the aim pursued”. Looking at the details of the ruling, the following legal measures in the law that were used to strike down seemingly illegal content were quashed by the Court:

  • The sort of “notice-and-action” system by which any user can flag “manifestly illegal” content (among a long pre-set list of offenses) and the notified online service provider is required to remove it within 24 hours.
  • The reduction of the intermediary’s deadline to remove illegal terrorist content and child sexual abuse material to one hour after the receipt of a notification by an administrative authority.
  • All the best-efforts obligations linked to the unconstitutional removal measures above, such as transparency obligations (in terms of access to redress mechanisms and content moderation practices, including the amount of removed content, the rate of wrong takedowns, …).
  • The power given to the Conseil supérieur de l’audiovisuel (i.e. the French High Audiovisual Council) with an oversight mandate to monitor the implementation of those best-efforts obligations.

Plot twist!

The Court’s decision will have a decisive impact on the European negotiations on the draft Regulation against the dissemination of terrorist content online. The European Commission hastily published the draft legislation under pressure from France and Germany in 2018 looking towards a quick adoption to serve the Commission’s electoral communication strategy. However, since the trilogues started, the European Parliament and the Council of Member States have been facing a persistent deadlock regarding the proposal’s main measures.

In this context, the Constitutional Council’s ruling comes as a massive blow to the Commission’s and France’s well-rounded advocacy. In particular, France has been pushing to expand the definition of what constitutes a “competent authority” (institutions with legal authority to make content determinations) under the Regulation to include administrative (aka law enforcement) authorities. Consequently, law enforcement agents would be allowed to issue orders to remove or disable access to illegal terrorist content within an hour. The Council declared this type of measure a clear breach of the French Constitution, pointing out the lack of judiciary involvement in the decision to determine whether a specific piece of published content is illegal or not, and the incentives (in the form of strict deadlines and heavy sanctions) to overzealously block perfectly legal speech. It draws similar conclusions for the legal arrangements that address potential hate speech.

In general, the Council underlines that only the removal of manifestly illegal content can be ordered without a judge’s prior authorization. However, assessing that a certain piece of content is manifestly illegal requires a minimum of analysis, which is impossible in such a short time frame. Inevitably, this decision weakens the pro-censorship hardliners’ position in European debates.

Ahead of the Digital Services Act, a legislative package which will update the EU rules governing online service providers’ responsibilities, the European legislators should pay particular attention to this ruling to guarantee the respect of fundamental rights. EDRi and its members will continue to monitor the development of these files and engage with the institutions in the upcoming period.

Read more:

(In French) La Quadrature Du Net, Loi haine: le Conseil constitutionnel refuse la censure sans juge (18.06.2020)
https://www.laquadrature.net/2020/06/18/loi-haine-le-conseil-constitutionnel-refuse-la-censure-sans-juge/

EFF, Victory! French High Court Rules That Most of Hate Speech Bill Would Undermine Free Expression (18.06.2020)
https://www.eff.org/press/releases/victory-french-high-court-rules-most-hate-speech-bill-would-undermine-free-expression

Constitutional Council declares French hate speech ‘Avia’ law unconstitutional (18.06.2020)
https://www.article19.org/resources/france-constitutional-council-declares-french-hate-speech-avialaw-unconstitutional/

France’s law on hate speech gets a thumbs down (04.12.2019)
https://edri.org/frances-law-on-hate-speech-gets-thumbs-down/

(Contribution by Chloé Berthélémy, EDRi Policy Advisor)

24 Jun 2020

Massive political data leak in Malta

By noyb

After a massive leak of the voters’ list showing the voting preferences, addresses, phone numbers and dates of birth of a majority of the Maltese population, EDRi member noyb.eu will assist the Daphne Foundation and Repubblika in their class action and file complaints about the data breach in various EU Member States.

Colossal privacy violations of voters’ data

At the end of March 2020, independent Maltese media reported that a database containing 337,384 records of Maltese voters’ personal information had been freely accessible online for at least a year. The data did not only include the fields available in the published electoral register but also included mobile and fixed telephone numbers, dates of birth, polling booth and polling box numbers, and a numerical identifier indicating an individual’s political affiliation.

How could this happen?

Maltese voters are enrolled in the Maltese electoral register, which is maintained by the Electoral Commission – a body set up by the Maltese Constitution and whose role it is to maintain the register and organise local, national and European Parliament elections. Around the end of March, C-Planet IT Solutions, an IT company connected to the Labour Party, was discovered to have stored a copy of the electoral register in an open directory, which was indexed by Google. The database was unprotected and accessible to anyone with a web browser, the Times of Malta reported.

Data protection and democracy

After the Cambridge Analytica scandal, everyone understands the fundamental role of data protection in a democracy, especially when the data at stake includes political opinions. As a principle, the GDPR prohibits the processing of data revealing political opinions. What is even more worrying is the total lack of protection of these data which were publicly accessible by everyone.

In a democracy, we cannot accept the processing of political data spiraling out of control. Political parties in particular should not be using voters’ information for purposes other than what the law permits them to do. Could you imagine your political preferences being used to deny you access to a public service or an employment opportunity?

Romain ROBERT, data protection lawyer at noyb.

Civil society in Malta reacts

Against this backdrop, two NGOs – the Daphne Foundation and Repubblika – have teamed up and organised a platform that allows citizens affected by this data breach to sue C-Planet IT Solutions Limited and any other entity involved. An investigation has been launched by the Maltese DPA, but the class action targets civil damages, including moral damages. The Daphne Caruana Galizia Foundation set up a tool that allows everyone to check what information was collected on them. They invite everyone wanting to join the collective action to visit the FAQ. Also, if you want to join a complaint filed by noyb outside Malta, please contact them at info@noyb.eu

Read more:

Investigation after huge data leak leaves 337,000 voters’ records exposed (01.04.2020)
https://timesofmalta.com/articles/view/massive-data-leak-leaves-more-than-377000-voting-records-exposed.782483

Collective action against C-Planet data breach (03.04.2020)
https://www.daphne.foundation/en/2020/04/03/collective-action-data-breach

IDPC launches investigation after over 330,000 voters’ personal data leaked in security breach (01.04.2020)
https://www.maltatoday.com.mt/news/national/101403/over_330000_voters_personal_data_leaked_in_security_breach#.Xuh6ABMzbGI

Labour Party distances itself from massive data breach (02.04.2020)
https://timesofmalta.com/articles/view/labour-party-holds-emergency-meeting-over-data-breach.782906

(Contribution by Ala Krinickytė, from EDRi member noyb)

24 Jun 2020

European Commission derails copyright reform in South Africa

By Gesellschaft für Freiheitsrechte

Last year, the South African parliament adopted a progressive new copyright bill that would have drastically improved access to educational materials, introduced a fair use exception, implemented the Marrakesh treaty for the benefit of people who are blind or print disabled, and strengthened the negotiating positions of authors and performers in their negotiations with publishers. On Friday, the South African President decided to send the bill back to Parliament, citing constitutional concerns [1]. While civil society had waited for over one year for the President to sign the bill into law, entertainment industry associations IFPI, MPA and others had lobbied foreign governments to intervene in South Africa’s democratic process and compel the President to refer the bill back to Parliament – apparently with success.

The role of the United States (US) in trying to get South Africa to abandon the reform has been a matter of public record ever since the US Trade Representative started an investigation late last year that could have led to South Africa losing trade benefits when importing goods to the US. But details of the EU Commission’s intervention on behalf of the entertainment industry have only become known in recent days, following a freedom of information request to DG Trade [2].

According to the documents, entertainment industry groups approached DG Trade in 2019 with the initial idea that the European Commission should send a “demarche”, a letter submitted by the EU Ambassador to South Africa “to the highest levels of the South African government” in order “to eliminate the negative impact that the Bills would have on the creators they aim to support”. Actual creators’ associations, meanwhile, had no problems with the bill and wrote to DG Trade shortly thereafter, urging them to let the South African copyright reform go ahead, which would drastically improve the position of the original authors and performers vis-à-vis their much more powerful international publishers. In their letter, they pointed out that “performers and other creative workers in South Africa have been subsidizing the industry for far too long. The overwhelming majority live a very precarious life.”

Indeed, income inequality in South Africa is the highest in the world and the publishing industry caters mostly to the wealthy – majority white – elite in the country. The copyright bill tries to address this income inequality on several fronts, by allowing the copying of textbooks that are not offered at affordable prices, and by improving the negotiating position of the majority low-income and majority Black authors and performers. The contractual protections proposed in the South African copyright bill are not unlike those included in the 2019 EU copyright Directive.

Despite the authors’ and performers’ explicit support for the bill, the European Commission decided to follow the entertainment industry’s call for intervention. On 20 March 2020, a month after a lobby meeting between DG Trade and representatives of the MPA and IFPI, the EU Ambassador to South Africa sent a letter to the South African President, urging him not to sign the copyright bill into law. The letter contains thinly veiled threats that European businesses would pull investments from South Africa should the copyright law go ahead, although DG Trade’s interactions that led to sending the letter were primarily with US-based entertainment companies such as the Hollywood studios organized in MPA. In other words, the European Commission was intervening on behalf of US entertainment companies to deny Black South African authors and performers the same contractual rights that it recently granted European authors. Despite its claims towards the South African government that it was “consulting widely”, the internal documents show that the European Commission did not consult with European civil society at all. If civil society had been consulted, the European Commission would know that there is broad support for the introduction of fair use and the rapid implementation of the Marrakesh treaty.

The European Commission’s intervention in South Africa’s democratic process is not just worrying from a corporate lobbying perspective. It also highlights the extreme hypocrisy in its international copyright policy. In negotiations on international copyright treaties, the Commission has long been opposed to any global standards on copyright exceptions. Even in the case of the Marrakesh treaty, designed to provide access to knowledge for the blind, the EU had to be dragged to the negotiating table kicking and screaming. It has rebuffed recent initiatives to draft a treaty for global exceptions for libraries and educational institutions, arguing that the cultural differences between countries are too significant to have a one-size-fits-all approach and that countries should be free to adopt the copyright exceptions that fit their specific circumstances. South Africa was trying to do just that – to introduce fair use provisions and educational exceptions specific to the post-Apartheid democracy that is still struggling with huge income inequality and structural discrimination.

The European Commission’s hypocrisy in intervening to bring this reform to a halt is perhaps only surpassed by that of the US government, which is denying another country the same fair use provision that has supported the US economy for decades. While we may not expect any better from the US government, we should hold the European Commission to a higher standard. This is why EDRi is calling upon the European Parliament’s Trade committee to put the issue on the agenda and question the Commission about its aggressive lobbying on behalf of the entertainment industry. EDRi is also preparing a letter to Trade Commissioner Hogan to bring accountability to the European Commission’s international copyright policies.

Read more:

Twitter thread on @Senficon (19.06.2020)
https://twitter.com/Senficon/status/1274046358622740481

Blind SA Constitutional Challenge Of The Copyright Amendment Bill (19.06.2020)
https://blindsa.org.za/2020/06/19/blind-sa-constitutional-challenge-of-the-copyright-amendment-bill/

EEAS letter to the Office of the South African President on the South African Draft Copyright Bill (28.04.2020)
https://www.asktheeu.org/en/request/eeas_letter_to_the_office_of_the_2

Mr President, stand up to Trump and Big Hollywood (10.11.2019)
https://www.dailymaverick.co.za/article/2019-11-10-mr-president-stand-up-to-trump-and-big-hollywood/#gsc.tab=0

Footnotes:

  1. https://blindsa.org.za/2020/06/19/blind-sa-constitutional-challenge-of-the-copyright-amendment-bill/
  2. https://www.asktheeu.org/en/request/eeas_letter_to_the_office_of_the_2

(Contribution by Julia Reda, from EDRi member GFF)

10 Jun 2020

COVID-Tech: the sinister consequences of immunity passports

By Ella Jakubowska

In EDRi’s series on COVID-19, COVIDTech, we explore the critical principles for protecting fundamental rights while curtailing the spread of the virus, as outlined in the EDRi network’s statement on the pandemic. Each post in this series tackles a specific issue at the intersection of digital rights and the global pandemic in order to explore broader questions about how to protect fundamental rights in a time of crisis. In our statement, we emphasised the principle that states must “defend freedom of expression and information”. In this fourth post of the series, we take a look at the issue of immunity passports, their technological appeal and their potentially sinister consequences for social inequality and fundamental rights.

The dangerous allure of science fiction

Early in the coronavirus outbreak, pandemic guilty-pleasure film, Contagion, skyrocketed to the top of streaming sites’ most watched lists. One of the film’s most interesting plot points (mild spoiler alert) is the suggestion of a simple form of immunity passport. Wristbands for people who have been vaccinated are presented as an obvious solution – and why wouldn’t they be? Various forms of immunity passport are a compelling idea. It sounds as if they could allow us to get back to a more normal life. But the reality is not as clear-cut as in the movies, and the threats to how we live our lives – in particular, the people that could be most harmed by such schemes – mean that we must be incredibly cautious. Consequently, as it stands now, the lack of evidence, combined with the size of the threat that these schemes pose to fundamental rights and freedoms, reveals that – digital or otherwise – immunity passports must not be rolled out.

Immunity passports – science fact says “no”

In the last few weeks, “digital immunity passports”, certificates, apps, and other similar ideas have become prominent in discussions about how to exit from global lockdowns, with proposals popping up in Germany, Italy, Colombia, Argentina and the US to name a few. It is a legitimate policy goal to help people find safe ways to exist in this “new normal”. Yet these proposals are all founded on the dangerous fallacy that we know and understand what coronavirus “immunity” looks like.

The WHO have been clear in their assessment that there is “currently no evidence” for immunity, and that such schemes may in fact incentivise risky behaviour. Medical journal The Lancet adds that such proposals are “impractical, but also pose considerable equitable and legal concerns even if such limitations [due to our lack of knowledge about immunity] are rectified.” And science journal Nature warns that immunity passports can actually harm public health. If public health experts are warning against immunity passports – even once we know more about COVID-19 immunity – then why are governments and private actors still pushing them as a silver bullet?

As with controversial tracking and contact tracing apps, there are a host of privacy and data protection concerns when such schemes become “digital”. Individual health data is very sensitive, as is data about our locations and interactions. As it is often private companies that are aggressively pushing proposals (hello TransferWise and Bolt in Estonia), there are serious concerns about transparency, accountability, and who really benefits. EDRi has warned that public health tools should be open for public scrutiny, and limited in scope, purpose and time. With private companies rushing to profit from this crisis, can we be confident that this will happen? The lessons learned from digital identification programmes suggest we have reasons to be very sceptical.

A new generation of “haves” and “have nots”

The crux of the problem with immunity passports is that they will likely be used to decide who is and who is not allowed to participate in public life: who can go to work – and therefore earn money to support themselves and their family; who can go to school; and even who can stay in hotels. In essence, these “passports” could decide who can and who cannot exercise their fundamental rights.

As both Privacy International (PI) and Access Now explain, the law tells us that any restrictions on people’s rights must be really well justified, meeting high levels of necessity and proportionality, and must also have a clear legal basis. These criteria mean that measures that limit people’s rights must be demonstrably effective, have no viable alternative, not violate the essence of fundamental rights and have clear safeguards. This is a very high set of criteria that need to be met. In the context of an absence of scientific proof, significant risks created by false positives and false negatives and big concerns about data protection and privacy, the idea of digital immunity passports becomes even more sinister. This hasn’t stopped tech companies like Onfido lobbying their national health services or governments to adopt their services for biometric immunity passports.

Biometric surveillance and the risks of hyper-connected data

In a wider sense, digital immunity passports – especially those linked to people’s sensitive biometric data – are part of a growing mass surveillance infrastructure which can watch, analyse and control people across time and place. Such systems rely on holding mass databases on people (which in itself comes with big risks of hacking and unauthorised sharing) and are damaging to the very core of people’s rights to dignity, privacy and bodily integrity. The combining of health data with biometric data further increases the ability of states and private actors to build up highly detailed, intrusive and intimate records of people. This can, in turn, have a chilling effect on freedom of expression and assembly by disincentivising people from joining protests, suppressing political opposition, and putting human rights defenders and journalists at risk. As Panoptykon Foundation have explained, such systems are ripe for abuse by governments looking to control people’s freedoms.

Discrimination and unequal impacts creating a segregated society

It is foreseeable that the introduction of immunity passports will have unequal and disproportionate impacts upon those that already face the highest levels of poverty, exclusion and discrimination in society. Those with the smallest safety nets, such as people in precarious and low-waged jobs, will be the ones who are least able to stay at home. The pressure to be allowed outside – and the impacts of not being allowed to do so – will therefore be unequally distributed. We know that some people are more at risk if they do contract the virus: those with underlying health conditions, older people and, in the UK, black people. This inequality of who suffers the most will replicate the already unequal distribution in our societies. And if immunity passports are administered digitally, then those without access to a device will be automatically excluded. This stratification of society by biological and health characteristics, as well as access to tech, is dangerous and authoritarian.

Don’t let science fiction become reality

Digital immunity passports are no longer the preserve of science fiction. There is a very real risk that these schemes are putting innovation and appearance over public health, in a move often called “technosolutionism”. Digital and biometric immunity passports not only threaten the integrity of our sensitive bodily and health data, but create a stratified society where those who can afford to prove their immunity will have access to spaces and services that the remainder will not – de facto becoming second class citizens. The New York Times calls this “immunoprivilege”.

When the time comes that we have solid scientific evidence about immunity, it will be up to public health officials to work out how this can translate into certification, and for data protection and privacy authorities and experts to help guide governments to ensure that any measures strictly respect and promote fundamental rights and freedoms. Until then, let’s rather focus on improving our national health systems, ensuring that research goes into preventing this and future pandemics (despite the push-back from Big Pharma) and that we build a new society free of viruses such as COVID-19 and surveillance capitalism.

Read more:

COVID-19 & Digital Rights: Document Pool (04.05.2020)
https://edri.org/covid-19-digital-rights-document-pool/

Ban Biometric Mass Surveillance (13.05.2020)
https://edri.org/wp-content/uploads/2020/05/Paper-Ban-Biometric-Mass-Surveillance.pdf

Exit through the App Store? (20.04.2020)
https://www.adalovelaceinstitute.org/wp-content/uploads/2020/04/Ada-Lovelace-Institute-Rapid-Evidence-Review-Exit-through-the-App-Store-April-2020-2.pdf

Ten reasons why immunity passports are a bad idea (21.05.2020)
https://www.nature.com/articles/d41586-020-01451-0

(In Polish) Certyfikaty odporności przepustką do normalnego życia? Nie idźmy tą drogą! (29.05.2020)
https://panoptykon.org/certyfikaty-odpornosci-covid

10 Jun 2020

UK: Stop social media monitoring by local authorities

By Privacy International

Would you like your local government to judge you by your Facebook activity? In a recent study, we investigated how local authorities (Councils) in Great Britain are looking at social media accounts as part of their investigation tactics on issues such as benefits, debt recovery, fraud, environmental investigations, and children’s social care.

Social media platforms are a vast trove of information about individuals and collectives, including their personal preferences, political and religious views, physical and mental health and the identity of their friends and families. Social media monitoring or social media intelligence (SOCMINT) are the techniques and technologies that allow the monitoring and gathering of information on social media platforms such as Facebook and Twitter.

Life-changing decisions could be made on the basis of this intelligence, yet no quality check on the effectiveness of this form of surveillance is currently in place. This has particular consequences and a disproportionate negative impact on certain individuals and communities.

What PI found out

In October 2019, Privacy International sent a Freedom of Information request to every local authority in Great Britain, asking not only whether they had conducted an audit, but also seeking to uncover the extent to which ‘overt’ social media monitoring in particular was being used and for what local authority functions.

We have analysed 136 responses to our Freedom of Information requests, specifically those that were received by November 2019. All responses are publicly available on the platform “What Do They Know”.

Our investigation has found that:

  • A significant number of local authorities are now using ‘overt’ social media monitoring as part of their intelligence gathering and investigation activities. This substantially out-paces the use of ‘covert’ social media monitoring.
  • If you don’t have good privacy settings, your data is fair game for overt social media monitoring.
  • There is no quality check on the effectiveness of this form of surveillance on decision making.
  • Your social media profile could be used by a local authority, without your knowledge or awareness, in a wide variety of their functions; predominantly intelligence gathering and investigations.

The UK Surveillance Commissioner’s Guidance defines overt social media monitoring as looking at ‘open source’ data, that is, publicly available data, and data where privacy settings are available but not applied. This may include: “List of other users with whom an individual shares a connection (friends/followers); Users’ public posts: audio, images, video content, messages; “likes”, shared posts and events”. According to the Guidance, “[r]epetitive examination/monitoring of public posts as part of an investigation” constitutes instead ‘covert’ monitoring and “must be subject to assessment.”

Who is being targeted?

Everyone is potentially targeted as at some point in our lives we all interact with local authorities as we go through some of the processes listed above. The difference, however, is that we all are affected differently.

As in many other instances when it comes to the digitalisation and use of new technologies, those belonging to already marginalised and precarious groups and who are already subject to additional monitoring and surveillance, are once again experiencing the brunt of such practices.

There are particular groups of the population which are being impacted dramatically by the use of such techniques because they are dependent on and subject to the functions of local authorities, such as individuals receiving social assistance/welfare as well as migrants.

We have seen similar developments in the migration sector, where governments are resorting to social media intelligence for immigration enforcement purposes. Some of these activities are undertaken directly by governments themselves, but in some instances governments are calling on companies to provide them with the tools and/or know-how to undertake these sorts of activities.

How to protect those most vulnerable

As local authorities in Great Britain and elsewhere seize on the opportunity to use this treasure trove of information about individuals, use of social media by local authorities is set to rise and in the future we are likely to see more sophisticated tools used to analyse this data, automate decision-making, generate profiles and assumptions.

The collection and processing of personal data obtained from social media as part of local authority investigations and intelligence gathering, must be strictly necessary and proportionate to make a fair assessment of an individual. There needs to be effective oversight over the use of social media monitoring, both overt and covert, to ensure that particular groups of people are not disproportionately affected, and where violations of guidance and policies do occur, they are effectively investigated and sanctioned.

It is urgent to ensure that the necessary and adequate safeguards are in place to protect those in the most vulnerable and precarious positions, where such information could lead to tragic life-altering decisions such as the denial of welfare support.

Therefore, we urge local authorities to:

  • Refrain from using social media monitoring, and avoid it entirely where they do not have a clear, publicly accessible policy regulating this activity.

When exceptionally used:

  • Local authorities should use social media monitoring only if and when in compliance with their legal obligations, including data protection and human rights.
  • Every time a local authority employee views a social media platform, this is recorded in an internal log including, but not limited to, the following information:
    • Date/time of viewing, including duration of viewing of a single page
    • Reason/justification for viewing and/or relevance to internal investigation
    • Information obtained from social platform
    • Why it was considered that the viewing was necessary
    • Pages saved and where saved to
  • Local authorities should develop internal policies creating audit mechanisms, including:
    • The availability of a designated staff member to address queries regarding the prospective use of social media monitoring, as well as her/his contact details;
    • A designated officer to review the internal log at regular intervals, with the power to issue internal recommendations

Whilst we may post publicly, we don’t expect local authorities to look at our photos and screenshot our thoughts, and use this without our knowledge to make decisions that could have serious consequences on our life.

The growing intrusion by government authorities – without a public and parliamentary debate – also risks impacting what people say online, leading to self-censorship, with a potentially deleterious effect on free speech. We may have nothing to hide, but if we know our local authority is looking at our social media accounts, we are likely to self-censor.

Social media platforms should not be reframed as spaces for the state to freely gather information about us and treat people as suspects.

Read more:

When Local Authorities aren’t your Friends (24.05.2020)
https://privacyinternational.org/long-read/3586/when-local-authorities-arent-your-friends

Social Media Monitoring Freedom of Information Act Request to Local Authorities (24.05.2020)
https://privacyinternational.org/long-read/3585/social-media-monitoring-freedom-information-act-request-local-authorities

The use of social media monitoring by local authorities – who is a target? (24.05.2020)
https://privacyinternational.org/explainer/3587/use-social-media-monitoring-local-authorities-who-target

Is your Local Authority looking at your Facebook likes? (01.05.2020)
https://privacyinternational.org/sites/default/files/2020-05/Is%20Your%20Local%20Authority%20Looking%20at%20your%20Facebook%20Likes_%20May2020_0.pdf

Social Media Monitoring – a batch request (07.10.2019)
https://www.whatdotheyknow.com/info_request_batch/858

Social Media Intelligence (23.10.2017)
https://privacyinternational.org/explainer/55/social-media-intelligence

Security Through Human Rights: New Liberties Report (18.10.2017)
https://www.liberties.eu/en/news/security-through-human-rights-liberties-report/13238

(Contribution by Antonella Napolitano from EDRi member Privacy International)

10 Jun 2020

Cryptocurrency scammers flood Facebook users with manipulative ads

By Metamorphosis

This article was originally published by Metamorphosis in Global Voices.

Scammers using fake Forbes articles and anti-EU disinformation as bait continue to target Facebook users across Europe, the EDRi member Metamorphosis Foundation has warned.

The Skopje-based Metamorphosis Foundation is a civil society organisation from North Macedonia promoting digital rights and media literacy.

Its monitoring of social networks has revealed that scammers continue to use Facebook advertisements masked as links to articles from the respectable Forbes.com, continuing disinformation trends involving not only China, but also European Union members like Sweden.

On 19 May, the Ministry of Interior Affairs of North Macedonia warned citizens that scammers use social networks and e-mail to distribute links misrepresented as articles from Forbes.com to promote the purchase of a supposed new Chinese cryptocurrency.

Citizens who click on the links and provide personal data to the scammers are then targeted by phone calls persuading them to start ‘investing’ by paying installments of $250.

Other manipulation techniques are then deployed to make users increase the fee.

The anti cyber-crime unit of the Macedonian police claimed the malicious links lead to a website hosted in Ukraine, allegedly run by a Russian citizen in a manner similar to the debunked OneCoin Ponzi scheme run by Bulgarian fraudster Ruja Ignatova, which inflicted damage worldwide of over $4 billion.

Data publicly provided by Facebook about the geographic reach of the advertisements promoting these links suggest they go far beyond the borders of North Macedonia, activists warn.

Manipulative ads help scammers gather personal data from victims

Metamorphosis identified several similar ads that are active on social networks. Users who click on these ads are redirected to addresses such as this one instead of pages on the Forbes.com website.

Bardhyl Jashari, Executive Director of Metamorphosis, explained: “Misleading advertisements continue to target social network users across the world. Using the public data provided by Facebook about the ads targeting the audience based in North Macedonia as a starting point, the Metamorphosis team revealed that the same ads are served in almost all European countries, as well as countries in the Middle East. Scammers use pages about culture, even about cookies (the edible ones), to launch ads that lead the users to web pages and blogs that look almost the same as the ones the Macedonian police warned about.”

This dangerous trend also touches upon another of Metamorphosis’ areas of involvement. Since its founding in 2004, Metamorphosis has been working on promoting child safety online.

Jashari also noted:

“A very worrisome development is that these organised crime networks also use pages aimed at children and teenagers to camouflage their malicious content. For instance, a page branded as a community for the popular game MineCraft (titled Minecraft) had been running ads that continue to disseminate disinformation about Sweden, aimed at users in Russia, Austria, Belgium, but also in Singapore, Qatar and United Arab Emirates, and dozens of other countries.”

Users clicking on these ads are taken to a page providing an incentive for them to leave their personal data. In the case of Sweden this was disguised as a discount coupon.

While MineCraft has a huge adult following, it is a particularly popular game among children aged between 9 and 11. This practice helps condition future audiences particularly susceptible to both disinformation and scamming.

What is Metamorphosis doing to combat these tactics?

In November 2019, Metamorphosis’ Critical Thinking for Media-wise Citizens (CriThink) project warned that scammers benefit from established disinformation narratives about Sweden.

Sponsored Facebook posts lure people who had been previously primed through right-wing populist propaganda media networks based in North Macedonia to believe media manipulations about unrest in the country and the European Union (EU), originally published by pro-Kremlin media.

In the same manner, these articles promoted fake news that Sweden has introduced a cryptocurrency opposing the Euro.

To launch these geo-targeted ads, scammers used a series of pages with general interest topics, including some branded as unofficial fan clubs of Western celebrities like actors Liam Neeson and Anthony Michael Hall.

CriThink, which is an initiative supported by the EU Delegation in North Macedonia, educated local social media users on how to use the transparency features of Facebook pages used by the scammers, in order to flag and report the suspicious pages using the mechanisms provided by the platform.

In order to boost citizen engagement in raising media literacy levels, CriThink articles related to social networks provide instructions on how users can use reporting features to alert administrators about harmful content, ranging from hate speech to scams.

Several weeks later, in December 2019, Facebook informed some of its users who participated in the online action that they had removed the ads reported as scams.

Read more:

Cryptocurrency scammers flood Facebook users with ads for fake Forbes.com articles (29.05.2020)
https://globalvoices.org/2020/05/29/cryptocurrency-scammers-flood-facebook-users-with-ads-for-fake-forbes-com-articles/

Cyber-crime unit of Macedonian police warns about a new scam involving fake Chinese cryptocurrency (19.05.2020)
https://meta.mk/en/macedonian-cyber-police-warns-about-a-new-scam-involving-fake-chinese-cryptocurrency/

The £4bn OneCoin scam: how crypto-queen Dr Ruja Ignatova duped ordinary people out of billions — then went missing (15.12.2019)
https://www.thetimes.co.uk/article/the-4bn-onecoin-scam-how-crypto-queen-dr-ruja-ignatova-duped-ordinary-people-out-of-billions-then-went-missing-trqpr52pq

Disinfo: Crime-infested no-go zones exist in multiple European countries (17.10.2019)
https://euvsdisinfo.eu/report/crime-infested-no-go-zones-exist-in-multiple-european-countries/

(In Macedonian) Дезинформации за Шведска се користат како мамка за корисници на „Фејсбук“ од Северна Македонија (18.11.2019)
https://crithink.mk/dezinformaczii-za-shvedska-se-koristat-kako-mamka-za-korisniczi-na-fejsbuk-od-makedonija/

(Contribution by Filip Stojanovski from EDRi member Metamorphosis)

10 Jun 2020

SHARE’s campaign bears fruit: Google appoints Serbian representatives

By SHARE Foundation

Serbian citizens can now bring their objections and requests regarding Google’s use of their private data to the tech giant’s new representative in the country. Google, as one of the first tech giants complying with the new Serbian law, wrote a letter to the Commissioner for Information of Public Importance and Personal Data Protection, i.e. Serbia’s Data Protection Authority, on 21 May 2020, stating that their representatives would be the Belgrade-based independent law firm BDK Advokati. Over a year ago, SHARE Foundation, a member of the European Digital Rights (EDRi) network, had asked Google and other global tech companies to take this very step and comply more closely with EU regulation.

YouTube, Chrome, Android, Gmail, maps and many other digital products without which the internet is unimaginable, are an important segment of the industry which entirely relies on processing personal data. With a significant delay and numerous difficulties, states have begun bringing some order in this field, which directly interferes with basic human rights. The European Union has set this standard by adopting the General Data Protection Regulation (GDPR), while the new Law on Personal Data Protection in Serbia, in place since August 2019, followed this model too.

Although they have been operating in Serbia for a long time, global tech-corporations observe most developing countries as territories for an unregulated exploitation of citizens’ data. At the end of May 2019, SHARE sent the aforementioned request to 20 of the biggest tech companies from around the world, three months before the application of the new Law on Personal Data Protection, reminding them of their obligations towards Serbian citizens and the parameters of the new national law.

Twitter responded to us by saying that they were working on it. A global platform for booking airline tickets, eSky, also contacted us, and appointed their representative in Serbia. In December 2019, when Google and Facebook were dragging their feet on the issue of appointing representatives in the country, SHARE filed misdemeanor charges with the Serbian Commissioner.

Read more:

Open letter to Commissioner for Information of Public Importance and Personal Data Protection (21.05.2020)
https://www.poverenik.rs/images/stories/dokumentacija-nova/razno/GoogleLLCletter-21052020.pdf

(In Serbian) Twitter imenuje predstavnika u Srbiji (17.07.2019)
https://www.sharefoundation.info/sr/odgovorio-nam-twitter/

SHARE files complaints against Facebook and Google (05.12.2019)
https://www.sharefoundation.info/en/share-files-complaints-against-facebook-and-google/

SHARE calls Facebook and Google to appoint their representatives in Serbia (21.05.2019)
www.sharefoundation.info/en/share-calls-facebook-and-google-to-appoint-their-representatives-in-serbia/

Organisations from across Europe insist on a transparent appointment of the Commissioner in Serbia (04.12.2018)
https://www.sharefoundation.info/en/organisations-from-across-europe-insist-on-a-transparent-appointment-of-the-commissioner-in-serbia/

(Contribution by Bojan Perkov from EDRi member SHARE Foundation)
