A techie toolbox

The EC argued for the need of a toolkit as national authorities are developing mobile applications (apps) to monitor and mitigate the COVID-19 pandemic. The Commission agrees that contact tracing, as usually done manually by public health authorities, is a time-consuming process and that the “promising” technology and apps in particular could be useful tools for Member States.

However, the EC points out that, in order for apps to be efficient, they need to be adopted by 60-75% of population – a very high threshold for a voluntary app. As comparison, in the famous case of Singapore, only 20% of the population downloaded the app.

The toolbox calls for a series of concrete requirements for these apps: interoperability (apps must work well with each other in order to be able to trace transnational cases); voluntary; approved by the national health authorities; privacy-preserving and dismantled as soon as they are no longer needed.

The time principle was a key point in our statement laying out fundamental rights – based recommendations for COVID-19 responses. On apps in particular, EDRi member Access Now advocates that access to health data shall be limited to those who need information to conduct treatment, research, and otherwise address the crisis . Finally, EDRi members Chaos Computer Club (CCC), Free Software Foundation Europe (FSFE) and noyb are among those that agree on the need for the apps to be voluntary.

Decentralised or centralised, that is the question

The Toolbox describes two categories of apps: those that operate via decentralised processing of personal data, which would be stored only on a person’s own device; and those operating via a centralised back-end server which would collect the data. The EC argues that this data should be reduced to the “absolute minimum” necessary, with technical requirements compiled by ENISA (encryption, communications security, user authentication….) and “preferably” the Member State should be the controller for the processing of personal data. The Annexes list key recommendations, background information on contact tracing , background on symptom checker functionalities and an inventory of existing mobile solutions against COVID-19.

Our member noyb agrees with the Commission requiring strong encryption, an essential element of secure technologies for which we have also advocated before. More, EDRi member CCC sides with the decentralisation option rather than a centralised one, as well as with strong communication security and privacy requirements.

Readers who liked the Toolbox… also liked the Guidelines

The Commision guidance summarises some of the key points of the Toolbox but provides more insight on some of the features, as well details on ensuring data protection and privacy safeguards. The guidance focuses on apps which are voluntary and that offer one or more functionalities: provide accurate information to individuals about the pandemic or provide questionnaires for self-assessment and guidance for individuals (symptom checker). Other functionalities could include alerting individuals if they have been in close contact with an infected person (contact tracing and warning functionality) and/or provide means of communication between patients and doctors.

The guidance relies heavily on references to the ePrivacy Directive (currently blocked by EU Member States from becoming an updated Regulation for 3 years and 4 months) and the General Data Protection Regulation (GDPR) . The references include data minimisation, purpose limitation, time limitation (apps deactivated after the pandemic is over) and top-of the-art security protections.

Our member Access Now has thoroughly gone through the data protection and privacy requirements of purpose limitation, data minimisation and time limitation , largely coinciding with the Commission, while Bits of Freedom has also mentioned the minimal use of data needed and time limitation, in addition to the apps being based on scientific insight and demonstrable effectiveness.

Location data is not necessary, decentralisation is

The Commission states that location data is not necessary for the purpose of contact tracing functionalities and that it would even be “difficult to justify in light of the principle of data minimisation”, and that it can create “security and privacy issues”. Regarding the debate of centralisation vs decentralisation, the Commission believes that decentralisation is more in line with the minimisation principle and that, as Bits of Freedom, CCC and many other groups have suggested, only “health authorities should have access to proximity data [which should be encrypted]” and therefore no law enforcement agencies can access the data. What about the well-intended but risky use of data for “statistics and scientific research”? Commission says no, unless it is necessary and included in the general list of purposes and clearly communicated to users.

Get us some open code. And add good-old strong encryption to go with it, please

The Commission asks for the source code to be made public and available for review. In addition to this, the Commission calls for the use of encryption when transmitting the data to national health authorities, if that is one of the functionalities. Both of these conclusions have been some of the key requests from EDRi members such as FSFE, both for transparency and security purposes but also as a an appeal for solidarity. We consider the call for openness as a positive request from the Commission.

Finally, the guidance brings back the forgotten Data Protection Authorities (DPAs) who, as we have also suggested, should be the ones consulted and fully involved when developing and implementing the apps.

Moving forward

We have many uncertainties regarding the actual pandemic, especially regarding whether any technical solution will help or not. Furthermore, it is unclear how these technologies should be designed, developed and deployed in order to avoid mass surveillance of citizens, stigmatisation of those who are sick and reinforced discrimination of people living in poverty, people of colour and other individuals of groups at risks who are already disproportionately affected by the pandemic.

The voices of experts and civil society must be taken into consideration, before taking the road of an endless “war on virus” that normalises mass surveillance. If proven that technologies are indeed helpful to combat this crisis, technological solutions need to comply with very strong core principles. Many of these strong principles are already present in the Commission’s two documents and in many of the civil society views in this ongoing debate.

In the meantime, strong public health systems, strong human rights protections (including extra protections for key workers), a human-rights centric patent system that puts humans at its core and open access to scientific knowledge are key principles that should be implemented now.

Read more:

Press Release: EDRi calls for fundamental rights-based responses to COVID-19 (01.04.2020)
https://edri.org/edri-calls-for-fundamental-rights-based-responses-to-covid-19/

noyb – Active overview of projects using personal data to combat SARS-CoV-2.
https://gdprhub.eu/index.php?title=Data_Protection_under_SARS-CoV-2

Privacy International – Extraordinary powers need extraordinary protections. (20. 03. 2020)
https://privacyinternational.org/news-analysis/3461/extraordinary-powers-need-extraordinary-protections

Access Now – Protect digital rights, promote public health: toward a better coronavirus response. (05. 03. 2020)
https://www.accessnow.org/protect-digital-rights-promote-public-health-towards-a-better-coronavirus-response/

Ada Love Lace Institute: Exit through the App Store? (20. 04. 2020)
https://www.adalovelaceinstitute.org/wp-content/uploads/2020/04/Ada-Lovelace-Institute-Rapid-Evidence-Review-Exit-through-the-App-Store-April-2020-1.pdf

European Commission – Mobile applications to support contact tracing in the EU’s fight against COVID-19: Common EU Toolbox for Member States (15. 04. 2020)
https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf

European Commission (COMMUNICATION)- Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection (16. 04. 2020)
https://ec.europa.eu/info/sites/info/files/5_en_act_part1_v3.pdf

The Communications and Media Manager leads and is responsible for EDRi’s strategic communications and engagement with the media. We are looking for an individual that will bring a strategic and creative mindset to communicate about complex human rights and technology issues in a diverse, fast-changing political environment. The successful candidate will have a strong track record in working with European and national media, excellent storytelling and drafting skills, as well as the ability to establish a network of journalists.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. We strive to have a diverse and inclusive working environment. We encourage individual members of groups at risk of discrimination to apply for this post.

Job title: Communications and Media Manager
Start date (expected): July 2020
Reports to: Executive Director
Location: EDRi Office, Brussels, Belgium

RESPONSIBILITIES:
As Communications and Media Manager, working closely with EDRi’s Policy, Campaigns and Network colleagues, you will:

• Develop EDRi’s communications and media engagement long term strategies and short term plans;
• Promote EDRi’s work and narrative to the media, raising the profile of the EDRi network, including by helping to disseminate their work;
• Establish and maintain a robust network of media contacts and relationships;
• Support the production and secure the publication of EDRi op-eds and other materials in leading outlets;
• Write, edit and send press releases and manage media inquiries;
• Support the production and editing of content for EDRi’s website and of the EDRi-gram bi-monthly newsletter;
• Oversee EDRi’s social media presence;
• Oversee the editing and design of EDRi’s publications;
• Analyse media coverage and contribute to report on EDRi’s media exposure and communication work.

QUALIFICATIONS AND EXPERIENCE:

• Minimum 3 years of relevant experience in a similar role;
• A university degree in journalism, communications, media studies, EU affairs, public relations or related field or equivalent experience;
• Demonstrable knowledge of the European media landscape and of European institutions, and an interest in communicating about and framing of human rights, in particular privacy, surveillance and law enforcement, freedom of expression, as well as other internet policy issues;
• Experience in media relations, leading networks of journalists and creating networks of influence;
• Exceptional writing skills in particular for op-eds and press releases;
• Ability to create visuals for social media, work on simple graphic designs and formatting.
• Strong multitasking abilities and ability to manage multiple deadlines;
• Experience of working with and in small teams;
• Excellent level of English;
• Knowledge of another European language is an advantage;
• Knowledge of database management systems, mailing list and free and open software is an advantage.

HOW TO APPLY:
To apply, please send a maximum one-page cover letter and a maximum two-page CV in English (including two professional references) and in .pdf format to applications(at)edri.org by 22^ndMay 2020.

Please note that only shortlisted candidates will be contacted.

The state of play in Hungary:

On 30 March 2020, the Prime Minister of Hungary was granted sweeping powers to rule the country by decree. Hungary has been under the EU’s spotlight over the last two years for failing to comply with the EU’s core values, with the European Parliament launching infringement proceedings about the deteriorating respect for the rule of law, and civil society raising serious concerns including lack of respect for privacy and data protection, evidence of widespread state surveillance, and infringements on freedom of expression online. Following the enactment of a state of emergency on 11 March and the tabling of the indefinite decree on 23 March, ostensibly in response to the coronavirus pandemic, EU Parliament representatives issued a clear warning to Hungary, stating that “extraordinary measure adopted by the Hungarian government in response to the pandemic must respect the EU’s founding values.” This warning did little to temper Orbán’s ambitions, and leaves the people of Hungary vulnerable to expanded powers which can be abused long after the spread of coronavirus has been checked.

The state of play in Poland:

The European Parliament have also raised concerns about the worsening rule of law in Poland, in particular threats to the independence of the judiciary, with investigations activated in 2016. On 19 March 2020, the country’s efforts to tackle the spread of coronavirus received widespread attention when the government announced the use of a ‘Civil Quarantine’ app which they explained would require people in quarantine to send geo-located selfies within 20 minutes of receiving an alert – or face a visit from the police. according to the announcement, the app even uses controversial facial recognition technology to scan the selfies.

Early in April, the Polish government looked to make the use of the app mandatory, in a move which, as reported by EDRi member Panoptykon, was not proportionate [PL] (due to factors like people’s images being sent to government servers) and additionally not compliant with Poland’s constitution [PL]. Panoptykon emphasise important rules [PL] when implementing technological applications to combat COVID-19 such as minimising the data collected and having strict time periods for its retention, which states must follow in order to comply with fundamental rights.

The state of play in the UK:

The UK’s Coronavirus Act was passed on 25 March 2020, giving the UK government a suite of extraordinary powers for a period of 2 years. Following pressure from civil society, who called the proposed Bill “draconian”, the disproportiontely long period for the restrictions of people’s rights was adjusted to include parliamentary checks every 6 months. Yet NGOs have continued to question why the Bill is not up for renewal every 30 days, given the enormous potential for abuse of power that can happen when people’s fundamental rights protections are suspended or reduced. This is especially important given that, as EDRi member Privacy International has pointed out, the UK already has worryingly wide powers over forms of surveillance including bulk data interception and retention.

The UK has also come under fire for the sharp rise in disproportionate police responses since the introduction of the Bill, including stopping people from using their own gardens or using drones to chastise dog walkers. If not properly limited by law, these powers (and their abuse) have the potential to continue in ordinary times, further feeding the government’s surveillance machine.

POLITICO reports that UK authorities are not alone, with countries across Europe exploiting the climate of fear to encourage people to spy on and report their neighbours, alongside a rise in vigilante attacks, public shamings and even support for police violence. Such behaviour indicates an increasingly hostile, undemocratic and extra-judicial way of enforcing lockdowns. And it is frighteningly reminiscent of some of the most brutal, repressive twentieth-century police states.

What an open door could mean for the future of digital rights:

Allowing states to dispense with the rule of law in times of crisis risks putting those rights in a position of vulnerability in ordinary times, too. The legitimation and normalisation of surveillance infrastructures creates a sense that being watched and analysed all the time is normal (it is not) and contributes to societies filled with suspicion, abuse and mistrust. Before coronavirus was a household name, for example, Hungary’s secretive Szitakötő project was preparing to install 35,000 facial recognition cameras across the country for mass surveillance. This would allow the state to undermine the principle of investigatory warrants, and instead watch and analyse everyone, all the time. The current, indefinite state of emergency could remove any potential checks and balances on the Szitakötő plans, and allow Orbán to push through a wide range of ever-more-violatory measures such as repression of the free media, freedom of expression and political dissent.

Throughout 2019, Poland made its aspirations for global AI leadership clear, having experimented with automating state welfare since at least 2015. As UN Special Rapporteur Philip Alston has emphasised, the global uptake of “automated welfare” is a direct result of government goals to spend less on welfare, control people’s behaviour and punish those who do not conform. There is a risk that the Polish state could exploit new tech, like their quarantine app, to expand an undemocratic agenda and make technology the go-to solution for any public or societal issue. And the UK is already infamous for having one of the highest rates of surveillance cameras per capita in the world. Combined with the fact that the UK’s health service have employed the help of notorious personal-data-exploiting software company Palantir to manage coronavirus data, this suggests that the UK’s pre-existing public-private surveillance economy is the one area profiting from this crisis.

Conclusion:

Desperate times call for desperate measures – or so the saying goes. But this should not undermine the core values of our societies, especially when we have many reasons to be positive: compassionate and brave health workers treating patients; civil society working to protect rights in coronavirus apps and help governments make the right decisions; and global health organisations working to prevent future incidences of the virus and develop vaccines.

As the EU’s Committee for civil liberties state, mass surveillance does not make us safer. It puts undue limits on our liberties and rights which will continue long after the current emergency has been eased. As a result, we will all be less safe – and that really would be desperate times. In the words of Yuval Noah Harari:

[T]emporary measures have a nasty habit of outlasting emergencies, especially as there is always a new emergency lurking on the horizon […] Centralised monitoring and harsh punishments aren’t the only way to make people comply with beneficial guidelines. […] A self-motivated and well-informed population is usually far more powerful and effective than a policed, ignorant population.

Read more:
Fundamental rights implications of COVID-19 (various dates)
https://fra.europa.eu/en/themes/covid-1

Extraordinary powers need extraordinary protections (20/03/2020)
https://privacyinternational.org/news-analysis/3461/extraordinary-powers-need-extraordinary-protections

Use of smartphone data to manage COVID-19 must respect EU data protection rules (07.04.2020)
https://www.europarl.europa.eu/news/en/press-room/20200406IPR76604/use-of-smartphone-data-to-manage-covid-19-must-respect-eu-data-protection-rules

Contract Tracing in the Real World (12.04.2020)
https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/

(Contribution by Ella Jakubowska, EDRi Policy Intern)

The then former MEP and copyright reform activist Julia Reda led the opposition against the DSM Directive within the European Parliament, pointing towards its likely incompatibility with the EU’s Charter of Fundamental rights. To date, it is still disputed whether the requirements of Article 17 can be met without the installation of upload filters. Upload filters restrict free communication, because they invariably lead to the blocking of legal uses under copyright exceptions such as citations. Platforms that fail to cooperate with rightsholders to block the uploads of infringing content can be held liable for copyright infringements by their users.

The German government promised to avoid the introduction of upload filters as they would restrict free online communication to a critical degree, possibly violating freedoms guaranteed by the German basic law. This concerns the right to freedom of opinion and freedom of information and, depending on the functioning of these filters, the rights to data protection and confidentiality of communications.

Securing fundamental rights in copyright through strategic litigation

Whichever approach will be taken by Germany and other EU member states, the DSM Directive will expose existing problems and cause new ones between copyright law and fundamental rights. Government solutions to these problems are likely to benefit large right holders (music companies, film industry), neglecting the rights of users such as scientists, teachers, activists and also of small copyright holders and authors.

Thus, control © will use strategic litigation to fight for an implementation of the DSM Directive that is in conformity with European and German fundamental rights. Strategic litigation has proven an invaluable tool to combat fundamental rights violations in the digital era. Since 2016, GFF has gone to court to defend civil rights in the face of mass-surveillance, excessive secret service powers or opaque state authorities. Control © will make use of this strategic tool in yet another area of law, profiting from GFF’s and Julia Reda’s combined expertise.

Beyond upload filters: cultural heritage and freedom of science

Beyond upload filters, there are more open questions regarding the interplay of copyright law and fundamental rights. The copyright Directive introduces new rules on digitizing making out-of-print works available. This holds the chance to unlock a huge treasure of pictures, music, poems and other works that are no longer in commercial use. We will help institutions such as libraries, museums and archives to make use of these new opportunities in order to strengthen freedom of culture, science and information.

Finally, academic freedom requires the circulation of knowledge as well as legal certainty. Too often, authors of scientific publications are being forced to cede the rights to their studies to commercial scientific publishers. The paywalls they install impede the access to knowledge and scientific progress. Strategic litigation in this field aims to clarify the regulations around Open Access publishing in order to make this option more feasible for more scientists.

Read more:
Introducing control © – Strategic Litigation for Free Communication (13.04.2020)
http://copyrightblog.kluweriplaw.com/2020/04/13/introducing-control-strategic-litigation-for-free-communication/

Control ©: Copyright and freedom of communication (in German only) (13.04.2020)
https://freiheitsrechte.org/urheberrecht/

About GFF (English)
https://freiheitsrechte.org/english/

(Contribution by Luisa Podsadny, from EDRi member GFF)

In a matter of days, we saw Big Tech present a variety of ‘solutions’ for fighting the coronavirus sweeping the globe. Coupled with extraordinary state powers, the incursion of the private sector leaves open the possibility of grave human rights abuses and far reaching effects on civil liberties, particularly for communities on the margins. While emergency powers can be legitimate if grounded in science and the need to protect health and safety, history shows that states commit abuses in times of exception. New technologies can often facilitate these abuses, particularly against marginalised communities.

As more and more states move increasingly towards a model of bio-surveillance to contain the spread of the pandemic, we are seeing an increase of tracking, automated drones, and other types of technologies developed by the private sector purporting to help manage migration and stop the spread of the virus. However, if previous use of technology is any indication, refugees and people on the move will be disproportionately targeted. Once tools like virus-killing robots, cellphone tracking, and‘artificially intelligent thermal cameras’ are turned on, they will be used against people crossing borders and bring far reaching ramifications. Our research has repeatedly shown that migration technological experiments are often discriminatory, breach privacy, and even endanger lives.

Pandemic responses are political. Making people on the move more trackable and detectable justifies the use of more technology and data collection in the name of public health and national security. Even before the current pandemic, we have already been documenting a worldwide roll-out of migration “techno-solutionism.” These technological experiments occur at many points in a person’s migration journey. Well before you even cross a border, Big Data analytics are used to predict your movement and biometric data is collected about refugees. At the border, AI lie detectors and facial recognition have started to scan people’s faces for signs of deception. Beyond the border, algorithms have made their way into complex decision-making in immigration and refugee determinations, normally undertaken by human officers. A host of people’s fundamental human rights are impacted, including freedom from discrimination, privacy issues, and even life and liberty.

In some cases, increased technology at the border has sadly already meant increased deaths. In late 2019, the European Border and Coast Guard Agency, commonly known as Frontex, announced a new border strategy called ECOSUR which relies on increased staff and new technology like drones. This strategy is similar to the Horizon 2020 ROBORDER project which ‘aims to create a fully functional autonomous border surveillance system with unmanned mobile robots including aerial, water surface, underwater and ground vehicles.’ In the U.S., similar ‘smart-border’ technologies have been called a more ‘humane’ alternative to the Trump Administration’s calls for a physical wall. However, these technologies can have drastic results. For example, border control policies that use new surveillance technologies along the US–Mexico border have actually doubled migrant deaths and pushed migration routes towards more dangerous terrain through the Arizona desert, creating what anthropologist Jason De Leon calls a ‘land of open graves’. Given that the International Organization for Migration (IOM) has reported that due to recent shipwrecks, over 20,000 people have died trying to cross the Mediterranean since 2014, we can only imagine how many more bodies will wash upon the shores of Europe as the situation worsens up in Greece and Turkey.

The COVID pandemic will greatly also affect refugees living in informal settlements or securitised camps. Cases have already been reported on the Greek Island of Lesbos, which has been hosting hundreds of thousands of refugees since the start of the Syrian War in 2011. Italy has also just announced that it has closed its ports to refugee ships because of the coronavirus until July 31. However, the answer to stopping the spread of the virus is not increased surveillance through new technology, building new detention camps, and preventing access into the camps for NGO workers and medical personnel. Instead, we need a redistribution of vital resources, free access to healthcare for all regardless of immigration status, and more empathy and kindness towards people crossing borders.

While technology can offer the promise of novel solutions for an unprecedented global crisis, we must ensure that COVID technology does not unfairly target refugees, racialised communities, the Indigenous communities, and other marginalised groups, and make discriminatory inferences that can lead to detention, family separation, and other irreparable harms. Technological tools can quickly become tools of oppression and surveillance, denying people agency and dignity and contributing to a global climate that is increasingly more hostile to people on the move. Most importantly, technological solutions do not address the root causes of displacement, forced migration, and economic inequality, all of which exacerbate the spread of global pandemics like COVID-19. Unless all of us are healthy, including marginalised communities, no one is.

In times of exception like a global pandemic, the hubris of Big Tech thinking it has all the answers is not the solution to a complex global health crisis.

Read more:
Press Release: EDRi calls for fundamental rights-based responses to COVID-19 (01.04.2020)
https://edri.org/edri-calls-for-fundamental-rights-based-responses-to-covid-19/

Accountable Migration Tech: Transparency, governance and oversight (11.03.2020)
https://edri.org/accountable-migration-tech-transparency-governance-and-oversight

Emerging Voices: Immigration, Iris-Scanning and iBorderCTRL–The Human Rights Impacts of Technological Experiments in Migration (19.08.2019)
http://opiniojuris.org/2019/08/19/emerging-voices-immigration-iris-scanning-and-iborderctrl-the-human-rights-impacts-of-technological-experiments-in-migration/

The Privatization of Migration Control (24.02.2020)
https://www.cigionline.org/articles/privatization-migration-control

(Contribution by Petra Molnar, Mozilla Fellow, EDRi)

“The information gathered by the two organizations so far shows that the most problematic [violations] are, essentially, multiple issues involving the privacy of people who are put under quarantine, the spread of disinformation and the dangerous misconceptions regarding the virus in the online and social media networks, as well as the increase of internet scams.”

The data gathered by the two organizations through the blog’s database feature indicate that in just over the last two weeks, 80 people have been arrested, some of them jailed, for spreading fake news and disinformation, with the most draconian examples in Turkey, Serbia, Hungary and Montenegro.

One such noteworthy example occurred in the Serbian city of Novi Sad where Nova,rs journalist Ana Lalić was arrested for “upsetting the public.” Lalić had published an article describing the chaotic conditions of the Clinical Center of Vojvodina, their “chronic lack of equipment” and under-preparedness. It was the Center who then filed the complaint against her and which led to her 48-hour sentence. Her arrest provoked the reaction from organisations across Europe like EDRi member Article 19 or Freedom House.

Governments in Montenegro and Moldova made public the personal health data of people infected with COVID-19, while official websites and hospital computer systems suffered cyber-attacks in Croatia and Romania. Some countries like Slovakia are considering lifting rights enshrined under the EU General Data Protection Regulation (GDPR), while Serbia imposed surveillance and phone tracking to limit freedom of movement.

Potentially infected citizens have been obliged to submit to new forms of control by law. In Serbia since the declaration of a state of emergency was declared and all citizens arriving from abroad must undergo quarantine. During a March 19 press conference, Serbian President Aleksandar Vučić stated that the police is “following” Italian telephone numbers, checking which citizens use roaming and constantly tracking their locations. This was specifically aimed at members of the Serbian diaspora who returned from Italy and are supposed to self-isolate in their homes. He also warned the people who leave their phones behind that the state has “another way” of tracking them if they violate quarantine, but didn’t explain the method.

In neighboring Montenegro, the National Coordination Body for Infectious Diseases decided to publish the names and surnames of people who must undergo quarantine online, after it determined that certain persons violated the measure, and as a result “exposing the whole Montenegro to risk.” Civic alliance challenged this measure through a complaint submitted to the Constitutional Court of Montenegro.

In Croatia, concerned citizens developed a website samoizolacija.hr (meaning “Self-isolation”), which allegedly enabled anyone to anonymously report quarantine violators to the police. The site was been subsequently shut down, and the Ministry of Interior initiated criminal investigations against suspected violators of privacy rights.

Crisis Headquarters of the Federation of Bosnia and Herzegovina issued a recommendation on how to publish the personal data of citizens who violate the prevention measures, as government institutions at cantonal and local level started publishing data about people in isolation and self-isolation, including lists of people identified as infected by the coronavirus. In response, on March 24, the Personal Data Protection Agency of Bosnia and Herzegovina issued a decision forbidding the publication of personal data of citizens tested positive for the coronavirus or those subjected to isolation and self-isolation measures.

Perkov also raised the issue of whether these measures are effective, in particular because this puts people in danger. In Montenegro, infected people whose identities were revealed on social networks, have been subjected to hate speech.

“Furthermore, is the idea behind such measures the public shaming of people who disrespect the obligation for self-isolation or the reduction of number of violations? The criteria of proportionality and necessity have not been properly respected and their adequacy had not been justified.”

The above cases of publication of health data online involve direct violation of the laws that designate them as protected at the highest legal level. In other words, these violations go against laws of the highest order that protect fundamental rights in the digital environment, and they are doing so under the guise of the COVID-19 crisis response, as if it were an open invitation to break the rules of free and protected societies.

Read more:

Digital Rights in the time of COVID-19 (23.03.2020)
https://bird.tools/mapping-digital-rights-during-coronavirus-outbreak/

Serbian government revokes controversial COVID-19-related decree used as pretext to arrests journalists (02.04.2020)
globalvoices.org/2020/04/07/serbian-government-revokes-controversial-covid-19-related-decree-used-as-pretext-to-arrests-journalists/ (opens in a new tab)” href=”globalvoices.org/2020/04/07/serbian-government-revokes-controversial-covid-19-related-decree-used-as-pretext-to-arrests-journalists/” target=”_blank”>globalvoices.org/2020/04/07/serbian-government-revokes-controversial-covid-19-related-decree-used-as-pretext-to-arrests-journalists/

Europe’s other Coronavirus victim: information and data rights (24.03.2020)
balkaninsight.com/2020/03/24/europes-other-coronavirus-victim-information-and-data-rights/ (opens in a new tab)” href=”balkaninsight.com/2020/03/24/europes-other-coronavirus-victim-information-and-data-rights/” target=”_blank”>balkaninsight.com/2020/03/24/europes-other-coronavirus-victim-information-and-data-rights/

Montenegrin Coronavirus patients’ identities exposed online (18.03.2020)
https://bird.tools/montenegrin-coronavirus-patients-identities-exposed-online/

(In Serbian) Vučić: Ne ostavljajte telefone, nećete nas prevariti! ZNAMO da se krećete (19.03.2020)
https://mondo.rs/Info/Drustvo/a1298105/Aleksandar-Vucic-policija-telefonski-brojevi-policijski-sat-upozorenje-krecu-se.html

(In Serbian) Podnijeli inicijativu za ocjenu ustavnosti Odluke NKT-a (23.03.2020)
http://www.rtcg.me/koronavirus/crnagora/273340/podnijeli-inicijativu-za-ocjenu-ustavnosti-odluke-nkt-a.html

(Contribution by Filip Stojanovski from EDRi member Metamorphosis)

Project Description

EDRi seeks a consultant to conduct research (a “mapping” exercise) into the existing points of engagement with anti-discrimination issues within the digital rights field. This project will involve providing a comprehensive picture of the key actors, initiatives and organisations related to this topic, and forming an analysis of the progress needed to reach a robust level of engagement with anti-discrimination. The deadline to apply is Thursday 30th April 2020.

Objective: To advance EDRi’s understanding of the intersections between digital rights and anti-discrimination by outlining the most relevant work being conducted in the field, specifically the key actors, organisations and activities.

Person specification: The ideal candidate has experience conducting similar sectoral mapping exercises; a familiarity with the European digital rights field; and a sound understanding of discrimination issues in the European context.

Activities

This project will consist of the following:

• Conducting a mapping exercise outlining the key actors, organisations and activities across Europe focused on anti-discrimination issues in digital spaces. The scoping should span a wide range of data points including, but not limited to:
  • actors, from key individuals, projects and initiatives, firms, institutions, organisations and collectives;
  • forms of discrimination and exclusion, including on race/ethnicity, migration status, class, age, gender, sexual orientation, gender identity, disability, religion, from an intersectional perspective;
  • geographies, (the mapping should include input from as many European countries as possible);
  • related areas, we foresee a non-exhaustive possibility of areas the consultant may uncover, from social welfare, policing, employment, issues digital platforms, digital inclusion, diversity.
• Providing an assessment of the extent of engagement with anti-discrimination issues in the digital rights field according to the research findings.
• Engaging on a regular basis with EDRi to report on progress and findings.

Outputs: We ask that the consultant provide one report summarising the results of the mapping exercise and analysis.

Working methods: We propose that the research is conducted by combination of:

• desk research
• (online) interviews
• other methodologies in addition according to the researchers’ discretion.

Timeline

The deadline to apply to the call is Thursday 30th April 2020. The project duration is 2 months, ideally between May and June 2020. The final timeline is to be decided upon agreement. The key phases of the project are:

• Scoping (early May 2020): consultant and EDRi undergo introductions, define the scope and methodologies
• Research and drafting (May 2020): consultant carries out and drafts mapping
• Feedback and Revisions (June 2020): feedback from EDRi and revisions.

Background

This project forms part of a broader process in which EDRi aims to progress toward greater inclusivity in in the European digital rights movement, ensuring interconnections with a broad range of social justice issues and fully delivering on our commitment to protect the digital rights of all.

Great strides have been made to highlight the need for technology and digital rights field to reflect on broader social justice issues, such as discrimination, state violence inequalities, social exclusion and how they relate to digital rights. However, many such initiatives reside in the Unites States, with minimal reflection in mainstream the digital rights environment.

Further details: The consultant will report directly to Sarah Chander (Senior Policy Adviser at EDRi). Remuneration is negotiable depending on experience.

How to apply

Send an email to Sarah at sarah.chander(at)edri(dot)org by Thursday 30th April 2020 with “Anti-Discrimination Consultant” in the subject line, with a CV and a brief paragraph outlining your suitability for the project.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. We strive to have a diverse and inclusive working environment. We therefore encourage individual members of groups at risk of discrimination to apply for this post.

The DSA is as a unique opportunity to improve the functioning of platforms as public space in our democratic societies, to uphold people’s rights and freedoms, and to shape the internet as an open, safe and accountable infrastructure for everybody.

These recommendations are the results of 8 months of collaboration in the EDRi network and beyond, including with groups that represent victims of illegal content. We look forward to engaging on this very important piece of legislation in the next period. EDRi encourages other civil society organisations and citizens to reply to the upcoming Commission consultation and support the protection of fundamental rights online.

Read more:

Full Paper: ‘Digital Services Act: Platform Regulation Done Right’ (09. 04. 2020)
https://edri.org/wp-content/uploads/2020/04/DSA_EDRiPositionPaper.pdf


Summary ‘Digital Services Act: Platform Regulation Done Right’ (09. 04. 2020)
https://edri.org/wp-content/uploads/2020/04/DSA_EDRiPositionPaper_Summary.pdf

EDRi’s Head of Policy, Diego Naranjo, explains that:

EDRi supports necessary, proportionate measures, fully in line with national and international human rights and data protection and privacy legislation, taken in order to tackle the COVID – 19 global pandemic. These measures must not, however, set a precedent for rolling back the fundamental rights obligations enshrined in European law.

EDRi recognises that Coronavirus (COVID-19) disease poses a global public health challenge of unprecedented proportions. The use of good-quality data can support the development of evidence-based responses. However, we are witnessing a surge of emergency-related policy initiatives, some of them risking the abuse of sensitive personal data in an attempt to safeguard public health. When acting to address such a crisis, measures must comply with international human rights law and cannot lead to disproportionate and unnecessary actions. It is also vital that measures are not extended once we are no longer in a state of emergency.

EDRi’s Executive Director, Claire Fernandez, emphasises that:

In times of crisis, our authorities and communities must show responsibility, resilience, solidarity, and offer support to healthcare systems in order to protect our lives. States’ emergency responses to the COVID-19 pandemic must be proportionate, however, and be re-evaluated at specified intervals. By doing this, states will prevent the normalisation of rights-limiting measures, scope creep, data retention or enhanced surveillance that will otherwise be harmful long after the impacts of the pandemic have been managed.

In these times of pandemic and emergency measures, EDRi expresses solidarity towards collective protection and support for our health systems. We will continue monitoring and denouncing abuses of human rights in times when people are particularly vulnerable.

Read full statement: EDRi calls for fundamental rights-based responses to COVID-19:https://edri.org/covid19-edri-coronavirus-fundamentalrights/

EDRi Members and Observers’ Responses to COVID-19:

Joint civil society statement – “States use of digital surveillance technologies to fight pandemic must respect human rights.” https://edri.org/wp-content/uploads/2020/04/Joint-statement-COVID-19-and-surveillance-FINAL1.pdf

noyb – Active overview of projects using personal data to combat SARS-CoV-2. https://gdprhub.eu/index.php?title=Data_Protection_under_SARS-CoV-2

Access Now – “Protect digital rights, promote public health: toward a better coronavirus response.” https://www.accessnow.org/protect-digital-rights-promote-public-health-towards-a-better-coronavirus-response/

Article 19 – “Coronavirus: New ARTICLE 19 briefing on tackling misinformation.” https://www.article19.org/resources/coronavirus-new-article-19-briefing-on-tackling-misinformation/

Bits of Freedom – “Privacy is geen absoluut recht, maar wel een noodzaak.” https://www.bitsoffreedom.nl/2020/03/20/privacy-is-geen-absoluut-recht-maar-wel-een-noodzaak/

Defesa dos Dereitos Digitais (D3) – ” A pandemia COVID19 e os direitos digitais.” https://direitosdigitais.pt/comunicacao/noticias/88-a-pandemia-covid19-e-os-direitos-digitais

Digitalcourage – “Coronavirus: Tipps fürs Onlineleben und Grundrechtsfragen.” https://digitalcourage.de/corona

Digitale Gesellschaft – “Menschenrechte gelten nicht nur in „guten“ Zeiten.” https://digitalegesellschaft.de/2020/03/menschenrechte-gelten-nicht-nur-in-guten-zeiten/

EFF – “EFF and COVID-19: Protecting Openness, Security, and Civil Liberties.” https://www.eff.org/deeplinks/2020/03/eff-and-covid-19-protecting-openness-security-and-civil-liberties

epicenter.works – “Digital rights implications of the COVID-19 crisis.” https://en.epicenter.works/content/digital-rights-implications-of-the-covid-19-crisis

GFF – “Corona und Grundrechte: Fragen und Antworten.” https://freiheitsrechte.org/corona-und-grundrechte/

Hermes Center – “Il Centro Hermes chiede al governo una risposta all’emergenza COVID-19 nel pieno rispetto dei diritti umani.” https://www.hermescenter.org/hermes-governo-emergenza-covid19-rispetto-privacy-diritti-umani/

Homo Digitalis – “Homo Digitalis για την πανδημία του Κορωνοϊού.” https://www.homodigitalis.gr/posts/5340

noyb – “Data protection in times of corona: not a question of if, but of how.” https://noyb.eu/en/data-protection-times-corona

Open Rights Group – “In the Coronavirus crisis, privacy will be compromised—but our right to know must not be.” https://www.openrightsgroup.org/blog/2020/in-the-coronavirus-crisis-privacy-will-be-compromised-but-our-right-to-know-must-not-be

Panoptykon – “Wolność i prywatność w dobie koronawirusa.” https://panoptykon.org/wiadomosc/wolnosc-i-prywatnosc-w-dobie-koronawirusa

Privacy International – “Extraordinary powers need extraordinary protections.” https://privacyinternational.org/news-analysis/3461/extraordinary-powers-need-extraordinary-protections

SHARE Foundation – “Digitalna prava, pandemija i Balkan.” https://www.sharefoundation.info/sr/digitalna-prava-pandemija-i-balkan/

Section 215 is a provision of the PATRIOT Act known as the “business records” provision. It allows the government and law enforcement agencies to order third parties to produce “specific and tangible” things such as books, records, papers, documents, and other items, when the FBI is conducting either an investigation into a “foreign intelligence,” or an investigation to protect against “international terrorism” or “clandestine intelligence activities” (even if the investigation targets US citizens). It has been at the centre of many controversies of government overreaching and privacy violations. As EDRi member the Electronic Frontier Foundation (EFF) explained:

In the hearings last year, witnesses confirmed that the 215 ‘business records’ provision may allow the government to collect sensitive information, like medical records, location data, or even possibly footage from a Ring camera.

Section 215 had been the centrepiece of Edward Snowden’s leaks to The Guardian in 2013, where he revealed that the Bush and Obama administrations had been abusing the aforementioned provision to obtain phone data of US citizens in bulk. It was the most egregious violation of privacy by the US government in recent history; and it happened in secret. The Snowden leaks provoked a legislative reaction by Congress with the passage of the USA FREEDOM Act, which took several measures to curtail the authority of law enforcement agencies, though extended Section 215 almost in its entirety to the end of 2019, and later to March 2020.

The threat has not gone away

Section 215, along with at least two other provisions (the roving wiretap and lone wolf surveillance authorities), were meant to be included in FISA reform legislation designed to introduce amendments and changes that would increase protections of individual privacy against governmental intrusion. This was the hope of a host of activist groups, non-profit organizations, etc., that saw the expiration of these provisions as a chance to overhaul the information access system in the US. The reforms were timed to take advantage of FISA’s expiration date of March 15, 2020.

However, last week the House of Representatives passed a bill that essentially extended Section 215 for three more years through 2023 – though this House bill did include several minor changes that took some of the criticism into account, like extending prison penalties for engaging in secret surveillance. When the bill went to the Senate for final approval, however, Majority Leader Mitch McConnell (Republican) and the Senate, instead of voting on the bill and debating its proposed changes, decided to punt any decision regarding this legislative proposal and unanimously passed an extension of Section 215 of the USA PATRIOT Act for 77 days, though it would still be subject to opposition from recessed House members and to presidential approval. What would this extension mean? It would essentially delay any kind of discussion on whether Section 215 will be allowed to expire and what kind of replacement parameters will be introduced.

What happens now?

It remains unclear what will happen to Section 215, now that the COVID-19 crisis has thrown the political landscape into disarray. But, as the USA FREEDOM Act bipartisan effort demonstrates, the push to maintain this overbearing and invasive legislation endures. EDRi member EFF, who has been regularly advocating for privacy and legislative reform, is actively pushing for change:

It is past time for reform. Congress has already extended these authorities without reform once, without debate and without consideration of any meaningful privacy and civil liberties safeguards. If Congress attempts to extend these authorities again without significant reform, we urge members to vote no and to allow the authorities to sunset entirely.

What matters now is that this landmark legislative provision is allowed to sunset, and the reform process for the authority to access private data by law enforcement agencies begins anew. Whether we will see this hope come to fruition, however, remains to be seen.

Read more:

Reform or Expire (26.02.2020)
https://www.eff.org/deeplinks/2020/02/reform-or-expire

Enough is enough: Let it expire (18.03.2020)
https://www.eff.org/Enough-is-enough-let-215-expire

Congress extends Section 215 surveillance program (29.11.2019)
https://epic.org/2019/11/congress-extends-section-215-s.html

EPIC to Congress: End Section 215 Surveillance Program (10.12.2019)
https://epic.org/2019/12/epic-to-congress-end-section-2-1.html

Three FISA authorities sunset in December: Here’s what you need to know (16.01.2019)
https://www.lawfareblog.com/three-fisa-authorities-sunset-december-heres-what-you-need-know

What happened to FISA reform? (17.03.2020)
https://www.lawfareblog.com/what-happened-fisa-reform

(Contribution by Rafael Hernández, communications intern, EDRi)