35C3 preroll music
[Filler, please remove in amara]
Herald Angel: And now to announce the
speakers. These are Diego Naranjo, who's a
senior policy advisor at EDri and Andreea
Belu, who's a campaigns and communications
manager also at EDRi. EDRi stands for
European Digital Rights which is an
umbrella organization of European NGOs
active in the field of freedom, rights and
the digital sphere. CCC is actually
founding member of it. And they will be
talking about "Citizens or subjects? The
battle to control our bodies, speech and
communications". The floor is yours.
applause
Andreea Belu: This one this one here. This
is my phone. There are many like it but
this one is mine. My phone is my best
friend. It is my life and I should master
it as I master my life. This is my phone.
But what makes it mine? I mean it might be
quite obvious right now that I'm holding
it for all of you. What is not that
obvious though is that my phone is also
holding me. On one hand we use our phones,
we use it to connect to the Internet, get
online with our friends, exchange
opinions, coordinate actions. On the other
hand, we are used. We are used by third
parties, governmental, private, who
through our phones, through our devices,
monitor. They monitor our location, our
bodies, our speech, the content we share.
At EU level right now there is a sort of a
pattern. There is this tendency, a trend
almost. Certain laws like the ePrivacy,
the Copyright Directive, the Terrorist
Regulation, have this very central core
that we call the body and speech control.
It looks like it is really the driving
force in the moment. So in the next 40
minutes or so, what we will do is give you
short updates about these laws. Talk to
you a bit about what their impact is on
us, and what do they mean past the Article
X and Y, and hopefully convince you to get
involved in changing how they look right
now.
Diego Naranjo: While we represent European
Digital Rights as Walter was mentioning
before we are 39 human rights
organizations from all across Europe. We
work on all sorts of human rights in the
online environments, so-called digital
rights. We work on data protection, net
neutrality, privacy, freedom of expression
online and so on, and Andreea and I are
glad to be for the very first time here at
35C3.
Andreea: Now to continue that quote, that
adapted quote from Full Metal Jacket, my
phone without me is useless. Without my
phone I am useless. We spend most of our
seconds of our lifetime around devices
that are connected to the internet,
whether a phone, a computer, a fridge or
whatnot. This means that these devices
pretty much become attached to our bodies,
especially a phone. Tracking these devices
therefore is equal to tracking our bodies.
Controlling our bodies. For the purpose of
this presentation, we will talk about
online tracking in terms of location
tracking, the tracking of our devices, the
behavior tracking of users on websites -
how much do they spend on, I don't know
what part of a website, where do they
navigate next, how many clicks they give,
and the tracking of communications sent
between two devices.
Diego: First location tracking. They are
on average more screens on most of the
households than we have people. We carry
some of these devices in our pockets and
they have more personal information than
most diaries used to have before. Our
phones need to be tracked because they
need to be able to receive and send calls,
messages, data. But this opens of course
new ways to use location data for
commercial purposes, but also for a state
surveillance.
Andreea: When it comes to behavioral
tracking, tracking our behavior
online provides a lot more information
than just location. It adds on top of it,
right? A user can then be targeted
according to that tracking. And the more
this tracking targeting process basically
represents the business model of the
Internet nowadays. For this reason the
more complex and detailed someone's
profiling is, well, the more accurate the
targeting can be done, the more effective
and efficient, most of the times. And
therefore more valuable the data about the
profile is. You can see here a really cool
infographic from Cracked Labs, an Acxiom
and Oracle profiling of populations. You
see the amount of variables and the amount
of information and the depth where it
goes, and you get that business model, a
cash flow.
Diego: And this business model is quite
interesting. I wouldn't imagine a postman
going to my physical mailbox at home going
through my letters and then pouring some
leaflets for advertising in there
according to what he reads. Right now
Gmail and many other services, that's what
they do, they leave out as, you well know,
reading your emails to sell you stuff that
you don't really need. Facebook conversations
now through the API are an option,
they want to read them, those
conversations in order to find patterns
for example for intellectual property and
infringements, especially for
counterfeiting but not only, also for
copyright. Now also WhatsApp metadata is
used by Facebook in order to know who your
friends are, who you contact, who your
family is, in order for that social media
services to gain more and more power, more
and more data, and more and more profit of
course. The life of others. Right? I got a
good movie. If you haven't seen the movie,
I guess everyone has seen it. If not you
should. It's basically about a Stasi agent
who follows the life of an individual
through a period of time, and after
there's no other revelations. This movie
has changed in a way from drama to soft
comedy because the capabilities of
surveillance services, to veil all of
us, to get so much data, also for
companies to get so much intimate
information from us, has doubled, tripled
or perhaps exponentially grown compared to
what the Stasi would do back then. And all
of this... to some extent it's going to be
regulated by this regulation with a very,
very long name. I guess half of you will
have fell asleep already by going through
it, but I'll go through it quickly to
let you know what is this about. Why do we
need to know about ePrivacy Regulation,
why it is important for the control of our
bodies and our devices. The ePrivacy is
about online tracking and you might have
heard of the cookie directive, that one
bringing all those cookie banners on your
screens in part due to a bad
implementation of this directive. It is
also about your emails. Who's going to be
able to read your emails or use the data
from your emails to sell you advertising
or not. How confidential that information
can be. It's also about your chats. How
would you communicate nowadays with
your WhatsApp, Signal, Wire, or any other
devices. And finally it's also about
location data. Who can track you, why can
they track you and what are the safeguards
that that need to be put in place in order
to safeguard your privacy. And I can
imagine many of you saying well don't we
have already this GDPR thingy of the
emails I received in May. Yes we do have
that. But the GDPR was not enough. After
more than four years of discussions to
achieve this General Data Protection
Regulation we have achieved a lot, and
GDPR was our best possible outcome in that
current political scenario. And there's a
lot to do regarding the implementation
though.
We have seen problems in Romania,
in Spain, and we expect that to happen in
many other places. But we still need a
specific instrument to cover the right to
privacy in electronic communications,
including everything we mentioned before.
Metadata, chats, location data, the
content of your communications and so on.
Andreea: So ePrivacy is basically meant to
complement GDPR and be more focused on
exactly the topics that Diego mentioned.
What did we advocate for and still do?
Privacy by design and privacy by default
should be the core principles, the pillars
of this regulation. Moreover politicians
need to recognize the value of maintaining
and enhancing secure encryption. Cookie
walls--I mean we should be able to visit a
website without having to agree to being
tracked by cookies. This is another topic
that we strongly advocated for.
Finally, content should be protected
together with metadata in storage and in
transit. And we actually succeeded last
year in 2017 at the end. The parliament
adopted a very good text, a very strong
text. It supported most of the
problems that, no, it addressed most of
the problems that we pointed out and
supported the values that we're going
through. But, this has been quite a ride.
I mean it wasn't easy. As Diego said we're
a network, 39 organizations. They're not
just the legal people or tech people, it's
a combination of both. So when we provided
our input in the shape of analysis or
recommendations, some bulleted there, all
sorts of skills were combined. And this
played a big part of our success, the fact
that we were able to provide a
comprehensive yet complex analysis of what
encryption should look like, of what
cookies should act like, and also a legal
analysis of existing legislation. The
diversity of our skills became productive.
Diego: Did we win? Well, we are on our
way. After the EU parliament adopted its
position, now it needs to sort of enter
into discussion with the member states in
what is called the Council of the EU. For
the Parliament with a strong position is
now to talk with the rest of the member
states. Currently there are negotiations
around the ePrivacy are not really moving
forward. They are being delayed by their
national governments. They are claiming
that there are issues that need to be
tackled. That it is very technical, that
we already had the GDPR and we need to see
how it is implemented, and Member States
feared that another layer of protection
may impede that some businesses grow in
the European Union. And if this was not
enough they also are afraid of getting bad
press from the press right now. It depends
to a high extent on behavioural
advertising. They say that without
tracking all over the internet they are
unable to to sustain their business model.
And of course since the national
governments, the politicians, are afraid
of that bad press from the press, then
they are quite cautious to move forward.
Online we exercise our free speech and in
many ways, but one of those ways is the
way we produce, share, or enjoy our
content online. Our opinions, the people
with whom we communicate, can be seen as a
threat in a given time by certain
governments. We have seen the trend in
certain governments such in Poland,
Hungary and to a certain extent as well in
Spain. All of these
information can be as well very profitable
as we see with the mainstream social media
platforms we were mentioning before. So
there are political and economical reasons
to control speech and that's why the best
way to control speech is to control the
way that content is shared online. Right
now there are two proposals that raise a
huge threat to freedom of expression
online. Both propose upload filters by
increasing liability for platforms or
making platform companies responsible for
the content which they host. One of them
is the famous or infamous Article 13 or
the Copyright Directive proposal. And the
second one is the regulation to prevent
the dissemination of terrorist content
online. Both of them, as you will see,
they are just another way to make private
companies the police and the dad of the
Internet. This is the first one. The
proposal for act again with a long name.
Just stick to the short name, the
Copyright Directive. And this Copyright
Directive is based on a fable. The fable
goes like this. There are a wide range of
lonely and poor songwriters in their attic
trying to produce songs for their
audience. Then there are these big
platforms, mainly YouTube but also others,
that allow these uploads and gain profit.
And these platforms give some pennies,
some small amount of money, for these
authors. And the difference between what
they earn and what they should be earning
is what they call the value gap. The fable
though conveniently hides the fact that
the music industry keeps saying year after
year after year that they increase their
revenues to a high percentage every year.
And that keeps growing, especially in the
online world. What is the solution to this
problem? Well as you can imagine it's a
magical algorithm that will solve this
problem. And this algorithm will filter
each and every file that you upload to
these platforms, will identify it and
match it against a database, and will
block or allow the content depending if it
is licensed or not and if they like you or
not and then according to their terms of
service in the end. As we will mention
there are some technical and legal
problems with upload filters.
In essence, if they are implemented,
it will mean that
YouTube and Facebook will
officially become the police and the dad
of the internet. The other big fight that
we have is around terrorism, or to be
specific, about terrorist content online.
After the Cold War we needed a new
official enemy. Once communism fell.
Terrorism is a new threat. It's very real
to some extent. We we lived through it in
Brussels recently, but it has been also
exaggerated and inserted in our daily
lives. We see that in the airport
controls, surveillance online, and
offline, restrictions to freedom of
assembly and expression all over Europe.
And whenever a terrorist attack occurs we
see pushes for legislation and measures
that restricts our freedoms. Usually those
restrictions stay even though the risk or
the threat has disappeared or has been
reduced. Again there we go with a long
name. Let's stick to the short name.
TERREG. It's the regulation to prevent
dissemination of content of terrorist
content. These proposals allegedly aims at
reducing terrorist content online. Note:
not illegal content. Terrorist content. In
order to reduce risks of radicalization.
I've always -- and what we have seen
through experience that a lot of
radicalization happens outside the online
world, and that radicalization has other
causes which are not online content.
It seems that the politicians need to send
a strong signal before the EU elections.
We need to do something strong against
terrorism, and the way to do that is
through three measures. Three. As we will
see in a minute. First, Speedy González
takedowns. My favorite. Platforms will
need to remove content which has been
declared terrorist content by some
competent authorities. And this definition
of terrorist content is of course vague,
and also incoherent with other relevant
pieces of legislation which are already in
place but not implemented all across the
EU. This removal needs to happen in one
hour. This is sort of fast food principles
applied to online world, to other visual
material. And they give you some sort of
complaint mechanism, so do you have any
problem with that, your content being
taken down, you can go and say this
content is legal please take it back. But
in practice as you read it you will see
that it's likely to be quite ineffective.
First of all, also overblocking will not
be penalized. So if they overblock legal
content nothing will happen. If they leave
one piece of content which is illegal on
their platform they will face a sanction.
The second issue is those of measures for
voluntary consideration. According to this
second measure, the states will be able to
tell platforms, "I have seen this
terrorist content in your platform. This
looks bad. Really really bad. So I really
felt I had to ask you, could you be so
kind to have a look, just if you wish? Of
course I have no worries.", and the
platform then will decide according to
their own priorities how to deal with this
voluntary request. Third. Good old upload
filters, that's the third measure they are
proposing. Upload filters, or general
monitoring obligations in legal jargon,
are prohibited in EU legislation. But
anyway let's propose them. We'll see what
happens. And in order to be able to push
them in the legislation, let's give them
an Orwellian twist to our filters, like
let's call them in a different way. So we
call them proactive measures. Platforms
will need to proactively prevent that
certain content is uploaded. How will they
prevent this? Upload filters of course.
I meant, proactive measures. And whether
it is copyright or terrorist content, we
see the same trend. We see this one size
fits all solution: a filter, an algorithm
that will compare all the content that is
uploaded, will match it against a certain
database, and that will block it or not.
We will need many filters, not only one
filter. We need filters for audio, for
images, for text, and also one
specifically for terrorist content.
Whatever that is defined. So this is
basically the principle of law making
today. We really want filters, what can we
invent to have them?
Andreea: So we've got an issue with
filters, well, quite a few issues. But in
big, an issue. First of all, they're
illegal. The European Court of Justice
said like this: "A social network cannot
be obliged to install a general filtering
covering all of its users in order to
prevent the unlawful use of musical and
audio-visual work". In the case SABAM
versus Netlog. Despite this it seems that
automated content filters are okay. Not
general filtering covering all of its
users. Of course there are the technical
issues.
Diego: Yeah, there's some technical
issues. One of my best example of that,
the magnificent examples of how filters do
not work. Well James Rhodes the pianist
that a few weeks ago tried to upload a
video of himself playing Bach in his
living room. Then the algorithm detected
some copyrighted content owned by Sony
Music and automatically took down the
content. Of course he complained, he took
the content back. But it set a good
example of how filters do not work,
because one piece of Bach, who died around
three or four hundred years ago, is of
course out of copyright. And if the video
of a famous artist is taken down, we can
imagine the same for many of your content.
Andreea: So not only that filters don't
recognize what is actually copyrighted and
what is not, but they also don't recognize
exceptions, such as remixes, caricatures
or parodies. When it comes to copyright,
filters can't tell, and this is why memes
were a central part of the protest against
Article 13. And this is why we will show
soon why this filter has huge potential
for a political tool. Another issue with
the automated content filter is that they
don't even recognize contexts either.
When it comes to hate speech or terrorist
content, they can't tell nuances. A girl
decided to share her traumatic experience
of receiving a lot of injuries and... not
injuries, insults, insults in her mailbox
from this person who was hating her a lot
and threatening her, so she took it and
copy-pasted it on her Facebook account,
and made a post, and her profile was taken
down. Why? Because the automated solutions
can't tell that she was the victim, not
the actual perpetrator, right? And this is
very likely to continue happening if this
is the "solution" put forward.
Diego: That is also a problem for SMEs of
course, because these tools, these
filters, are very expensive. YouTube spent
around $100,000,000 to develop Content ID
which is the best, worst, filter we have
now online. So we can imagine how this is
gonna go for European SMEs that will need
to copy that model, probably getting a
license for them, I can imagine, in order
to implement those filters online. In the
end this will just empower these big
companies who already have their filters
in place or they will just keep doing
their business as usual and these new
companies that would like to develop a
different business model will be prevented
from doing so because they will need to
spend a lot of money on these filters.
Andreea: Then there's the issue of
privatized law enforcement, the
privatization of law enforcement.
Attributes change. Past state attributes
are now shifted over - "Can you take care
of it?" - to entities that are not really
driven by the same values that a state
should at least be driven by. I'll just
give you one example from a project called
Demon Dollar Project, a study commissioned
by the Parliament to look at hate speech
definition in different EU member states.
Their conclusion: There are huge
disparities between what it means, "hate
speech" - what hate speech means in
Germany compared to what hate speech means
in Romania to what it means in the UK. So
in this context, how can we ask a company
like Google or Facebook to find the
definition? I mean, are their terms and
conditions the standard that we should see
as the one influencing our legal
definitions, am I the only one seeing a
conflict of interest here?
Diego: And there's a problem there that
once we have these filters for copyright
infringements or any other purposes, like
terrorist content, we of course will have
it as a political tool. Once we have these
for copyright why are you not going to
look for those dissidents in in every
country. These things change very often, I
see that in Spain but I see it all across
the EU nowadays. So once we have them in
place over one thing one small thing like
copyright, why not for something else,
something more political.
Andreea: There is a really interesting
example coming from Denmark some year or a
year and a half ago. The Social Democrats
announced their immigration plan. They
made the video in which Mette Fredriksen
talked about how great their plan is and
so on. Some people were happy some sad.
Some of the sad ones decided to criticize
the plan and made a video about it.
It was a critique during which they
caricatured her, but they used two audio
bits from their announcement video.
Social Democrats sent a letter to the NGO
accusing them of copyright infringement
and threatening a lawsuit. Obviously the
NGO thought: "Yeah we don't really have
enough money to go through a big court
case, so we're just going to take the
video down." They took it down. Now, why
is this case important? If an automated
content filter for copyrighted material
would have been in place, the Social
Democrats wouldn't have to even lift a
finger. The job would be automatically
done. Why? Automated content filters can't
tell exceptions, such as parodies. And
this is a very clear case on how copyright
infringement can be strategically used to
silence any critical voices in the
political sphere.
Diego: So we see a few threats to
fundamental rights. First on privacy that
we need to scan every piece of content so
they can discard this information. Then we
will live in a sort of blackbox society
and that will affect the freedom of
speech. We will face also overcensoring,
overblocking, chilling effects and these
tools are going to be repurposed as a
political tool. In a nutshell, rights can
only be restricted when there is approved
necessity, when the measure is
proportional and when this measure is also
effective. This filters are not necessary
for the ends they want to achieve. They
are not proportional, as we have seen, and
they are not effective, as we have seen as
well. So these in effect these are an
unlawful restriction of freedom of
expression and privacy rights.
Andreea: Now obviously we were also
unhappy about these and, I mentioned
before, how we organize within our network
to fight to get strong a privacy. When it
comes to copyright, this fight went out of
our network. It got a lot of people mad,
people like librarians, startups, the U.N.
special rapporteur, all of those there,
basically. And more. And even YouTube
in the end who thought about endorsing our
right to campaign. What we learned from
these fights is that we really need to
share knowledge between us. We need to
team up, coordinate actions, be patient
with each other. When it comes to
different skills, it is important to unite
them. When it comes to different
perspectives, it is important to
acknowledge them. If we're separate
individuals, by ourselves we're just many;
but if we're together, we're one big
giant. That is where the impact lays. Now,
this is basically a call to you. If you're
worried about anything that we've told you
today, if you want to support our fight,
if you think that laws aimed at
controlling our bodies and our speech
should not be the ones that should rule us
and our internet, I think it's time to get
involved. Whether you're a journalist
writing about privacy or other topics,
whether you're a lawyer working in a human
rights organization, whether you're a
technical mindset, whether you have no
clue about laws or anything like that,
come talk to us. We will have two
workshops, one on e-privacy, one on
upload filters we'll be answering more
questions if you have and you can't ask
them today and try to put together an
action plan. We also have a cluster called
"about freedom" that you can see there but
is right by the info point in SSL.
And do you have any questions or
comments? Thank you. applause
Angel: There is ample time for Q and A,
so fire away if you have questions. Go to
a microphone, wave your hands.
Signal Angel, are there any questions on
the internet? Nope. Uh, mycrophone number
one!
inaudible question from the audience
Diego: So the question is if the content
is encrypted, how companies will be
obliged to implement its filters?
Microphone 1: Yes.
Diego: Good question, I don't know.
I don't think that's gonna be possible.
They got to find a way to do that because
either did they ban the encryption in the
channels or they -- it doesn't matter
because they will make you liable.
If you have platforms with very encrypted
channels and you have everything on
either but by any reason they
find any copyrighted content which is not
licensed, which you're not paying money
for, that will make you liable. Perhaps in
practice they will not be able to find you
to make you liable because they will not
be able to access the content but if they
find a way to do so they will they will
make you pay.
M1: Thank you.
Angel: Okay, microphone number two.
Microphone 2: Thank you very much for
the presentation. You've been talking a
lot about upload filters. A lot of the
telcos and lobbyists are saying that the
upload filters don't exist, that trial
mechanism for the copyright reform is as
I've heard ending in January and there
will be a solution in the European
legislation process. How will we be able
to inform this process and influence it to
try and make it better before the European
elections?
Diego: Well we still have time, that's why
we are here, one of our main goals to be
35C3 apart from enjoying the conference
for the very first time is to mobilize all
of those who have not been mobilized yet.
Thousands of people have been active they
have been tweeting they have been calling
their MEPs, the members of the European
Parliament, they have been contacting the
national governments. We still have time.
The vote will be some time around January
February. We still don't know. We. We are
afraid there's gonna be sooner than
expected, but this is the last push, the
last push to say no to the entire
directive and say no to upload filters.
And that's why we are here because we
still have time. Worst case scenario:
We'll go to the implementation phase, of
course, we go to a national member state
and say "Do not do this. This goes against
the Charter of Fundamental Rights and then
we will stop it there. Better either now,
which is my my hope, or in the worst case
scenario we will stop it for sure, in
member states.
applause
Angel: Microphone number one.
Microphone 1: You talked about
voluntary measures that companies are
somehow asked to implement. What are the
incentives for the companies to do so?
Diego: What do the companies have to do
with that?
M1: Why should they do that,
because it's voluntary, you said.
Diego: Well they could do that for
different reasons because they could get
bad PR. Imagine you are a small company in
Hungary and then goes Orban and tells you
"You need to block this because I think
that this is terrorism. It comes from a
human rights organization." What would you
do, if you understand me? That depends on
perhaps not on the government, but on the
general structure. You could get bad PR
from the government, you could be, perhaps
too because you're not acting promptly on
on these serious content, but it's true
that is only for your voluntary
consideration.
Angel: Again microphone number one.
Microphone 1: Thanks for the talk. So,
I also think, when I see a problem, oh
there is a technical solution. So it's
hard for me to admit, maybe not. But it
does look like it's the case but also when
you mention in the workshop maybe more
with a... I mean anybody can come, but
more eventually with a legal background. I
don't have it. I'm a developer, but I want
to understand how a system is working and
I understand a little bit about the
European process and the regulatory
process but not so much. So what's the
most efficient way for me as a developer
to get a better grasp of how this system,
all those laws and regulation, are getting
implemented and all the different steps.
Diego: Well yeah. We didn't come to the
Lawyers Computer Congress,we came to the
Chaos Computer Congress, so we can
make chaos out of it. We need developers,
we need lawyers, we need journalists, we
need graphic designers, we need people
with all sorts of skills. As Andreea was
saying before, and we need developers to
develop tools that work so we are capable
of developing any calling tool, any
tweeting or any sort of tool that we can
use to transport our message and take it
to Brussels, take it to the members of the
European Parliament, take to the national
member states. We really need you, if we
need something, it's developers. We have
enough lawyers in this world. I think we
have too many with myself already, so we
need you tomorrow and the day after
tomorrow.
Angel: Okay. Any other questions? In that
case, I'll ask one myself. Andreea, what
will be a good start at the member state
level to start campaigning if you've never
campaigned before? Andreea: What, what?
Can you please repeat?
Angel: What would be a good start. If you
wanted to campaign at the member state
level ... ?
Andreea: ...and never campaigned before.
Angel: Yes. Campaigning for Dummies.
Andreea: Well we've got a lot of
organizations in EU member states. So, as
a person who has never campaigned before
and was looking for someone to campaign
with two years ago in Denmark, I was
advised to look for the Danish EDRi
member. So I did and we managed to
organize a lot of great workshops in
Denmark when nothing existed, because IT-
Pol, the Danish member, had a very complex
grasp of the political environment and
most of EDRi members understand how this
is, how the dynamic is working, both
politically, but also journalists, also
what the the interests of certain
nationalities are. So I would say that:
find your first EDRi organization, that is
the first step and then unite with the
rest.
Diego: And there's another way. Remember
you can always contact consumer
organizations. You can contact directly
your members of the parliament. You can
organize yourself with two or three
friends and make a few phone calls, that's
also already enough you can do, there are
many ways for you to help out.
Andreea: Of course, make sure you contact
your country's MEP at the European level.
We are being represented and we get to
actually elect the parliamentaries,
they're the only ones who are elected by
us and not just proposed by governments or
other politicians. So if we want to be
connected to our country member state but
influence a law at the European level like
the ones we talked about, it is very
important to let our EU parliamentaries
know that we are here and we hear them and
they came from our country to represent us
at EU level.
Angel: Thank you. Any other questions?
Signal Angel, do we have questions from
the Internet?
Signal Angel: Unfortunately not.
Angel: Well in that case we're finished.
Thank you all for your attention.
applause
subtitles created by c3subtitles.de
in the year 2020. Join, and help us!