FYI: From the European Commission: human rights guidance for 3 business sectors
Hi,
As you can see below, the European Commission just released human rights guidance for 3 business sectors. I have helped COM and specifically IHRB with their piece of the work, and I know others on this list have also helped. Everything from more formal support to extremely good comments that have helped make the documents what they finally ended up being.
Patrik Fältström
Head of Research and Development
Netnod
Begin forwarded message:
From: <entr-csr@ec.europa.eu>
Subject: From the European Commission: human rights guidance for 3 business sectors
Date: 17 June 2013 18:23:09 CEST
To: <entr-csr@ec.europa.eu>
We are pleased to announce the publication of the European Commission Sector Guides on Implementing the UN Guiding Principles on Business and Human Rights.
Download the Guides here: http://ec.europa.eu/enterprise/newsroom/cf/itemdetail.cfm?item_id=6711&lang=en&title=European%2DCommission%2Dpublishes%2Dhuman%2Drights%2Dguidance%2Dfor%2D3%2Dbusiness%2Dsectors
The Guides – for employment and recruitment agencies, ICT companies, and oil and gas companies – were developed over the past 18 months by Shift and IHRB through extensive research and multistakeholder consultation with representatives from the three industries as well as governments, trade unions, civil society, academia and other experts. Read more about the Guides’ development here.
Each Guide offers practical advice on how to implement the corporate responsibility to respect human rights in day-to-day business operations in each industry through step-by-step guidance. At each step, they summarise what the UN Guiding Principles expect, offer a range of approaches and examples for how to put them into practice, and link users to additional resources that can support their work. They are intended to help companies “translate” respect for human rights into their own systems and cultures.
Many thanks to all those who have contributed to this process.
Best regards,
CSR Team
European Commission Enterprise and Industry Directorate-General Unit ENTR.D.1
On 17 Jun, 2013, at 20:16, Patrik Fältström <patrik@frobbit.se> wrote:
I have helped COM and specifically IHRB with their piece of the work...
Patrik,
I know you have also been very involved in helping with the Data Retention legislation.
With all the discussion around Prism it might be interesting if you could bring people up to date on where we are now on that.
Gordon
On 17 Jun, 2013, at 21:28, Gordon Lennox <gordon.lennox.13@gmail.com> wrote:
On 17 Jun, 2013, at 20:16, Patrik Fältström <patrik@frobbit.se> wrote:
I have helped COM and specifically IHRB with their piece of the work...
Patrik,
I know you have also been very involved in helping with the Data Retention legislation.
With all the discussion around Prism it might be interesting if you could bring people up to date on where we are now on that.
Gordon
Sweden and the Data Retention Directive...
"The European Court of Justice in a decision dated 30 May ordered Sweden to pay a lump sum of €3 million euros for its delay in transposing the controversial 2006 EU data retention directive into national law in time. ..."
http://www.ip-watch.org/2013/06/01/eu-anti-terror-data-retention-directive-m...
:-)
Gordon
On 18 jun 2013, at 22:05, Gordon Lennox <gordon.lennox.13@gmail.com> wrote:
On 17 Jun, 2013, at 21:28, Gordon Lennox <gordon.lennox.13@gmail.com> wrote:
On 17 Jun, 2013, at 20:16, Patrik Fältström <patrik@frobbit.se> wrote:
I have helped COM and specifically IHRB with their piece of the work...
Patrik,
I know you have also been very involved in helping with the Data Retention legislation.
With all the discussion around Prism it might be interesting if you could bring people up to date on where we are now on that.
Gordon
Sweden and the Data Retention Directive...
"The European Court of Justice in a decision dated 30 May ordered Sweden to pay a lump sum of €3 million euros for its delay in transposing the controversial 2006 EU data retention directive into national law in time.
..."
http://www.ip-watch.org/2013/06/01/eu-anti-terror-data-retention-directive-m...
First of all, I think the money Sweden has to pay is worth it, given how (relatively) good the Swedish implementation is compared to, for example, Denmark ;-)
Joke aside, and while trying to ignore the fact that I am from Sweden and think the Swedish implementation is quite correct, there have been, I think, two problems with the DRD.
1. Participation in various groups
The participants in the various groups that discuss the directive have been the entities that do want such tools. Other groups (for example Article 29) have been strongly against the directive. Because of this, COM has had a very hard time trying to find out what the real consensus is. I have felt quite lonely in the various expert groups that have reviewed the implementations that have existed.
2. Relationship with technology
The directive does talk about things like "messages", and gives examples like SMS, email, MMS etc. And "web browsing" is something different, not included in the directive and in Sweden explicitly excluded. I even wrote a few papers for COM on the matter. The problem was that the people who want the DRD to cover as much as possible claimed that web-based messaging (i.e. the HTTP transaction) also fell under the directive. My response has all the time been that we have to choose between: (a) requiring DPI so that only webmail HTTP transactions are included, or (b) treating webmail as any other HTTP transaction, i.e. not covered. In Sweden we did pick alternative (b), btw.
This discussion completely stalled because some "experts" did claim there is *no* difference from a technical perspective between web-based access to messages and IMAP- or POP-based access.
We also had issues with various NAT implementations, or the risk thereof (CGN anyone?). There was a discussion on whether the directive itself should be implemented, or the intention of the directive, and if the latter, whether more should be covered than what the directive describes. Should (for example) *ALL* NAT devices in the EU be required to log every port/address mapping? Yes, some people did want that. Now go back to (1) above, and understand that the discussion was quite difficult.
So, we do know that the directive did not really lead to the harmonization one wanted, and the question is what COM will do. I know that a new expert group is to be created. See mail below.
I have myself decided that I no longer have time to work on this, specifically given the enormous problems I had related to (2) above. It was impossible to win.
Begin forwarded message:
From: <Christian.D'CUNHA@ec.europa.eu>
Subject: Data Retention Expert Group
Date: 19 April 2013 16:05:07 GMT+01:00
To: <HOME-DATA-RETENTION@ec.europa.eu>
Dear all
With apologies for the group email, I thought you might find the attached documents of interest.
The Commission has decided to set up a new expert group on data retention, following the expiry of the previous group which met from 2008-2012, and applications to be a member are invited and should be sent by 3 June 2013.
Further details, including French and German versions of the Commission decision and call for applications, will be on our website early next week. Please feel free to forward on to whoever you think might be interested.
Have a good weekend.
Christian
Patrik
In message <EAB46D0D-1F32-40AB-BA11-3687635046E9@frobbit.se>, at 15:42:46 on Wed, 19 Jun 2013, Patrik Fältström <patrik@frobbit.se> writes
The problem was that the people who want the DRD to cover as much as possible claimed that web-based messaging (i.e. the HTTP transaction) also fell under the directive. My response has all the time been that we have to choose between: (a) requiring DPI so that only webmail HTTP transactions are included, or (b) treating webmail as any other HTTP transaction, i.e. not covered. In Sweden we did pick alternative (b), btw.
This discussion completely stalled because some "experts" did claim there is *no* difference from a technical perspective between web-based access to messages and IMAP- or POP-based access.
There is of course a technical (operational) difference between IMAP/POP and Webmail, which should be fairly easy to demonstrate. However, from a regulatory (public policy) point of view, it's clear that all forms of email are "messages", including webmail.
The objectives of law enforcement would probably be satisfied if logging of webmail were restricted to messages to/from a small set of "top 10" global providers. They are never looking for universal solutions, just to pick the low-hanging fruit.
[I know some people will say "but the criminals will just move to a different and less well known webmail provider", but any tech-savvy criminal will already be communicating by something other than IMAP/POP or Webmail, so they need a different approach anyway.]
--
Roland Perry
roland@internetpolicyagency.com:
There is of course a technical (operational) difference between IMAP/POP and Webmail, which should be fairly easy to demonstrate.
However, from a regulatory (public policy) point of view, it's clear that all forms of email are "messages", including webmail.
Umm ... I have a gut feeling that someone is trying to split hairs here.
E-mail has existed in many ways, shapes, and forms over the years. "Webmail" doesn't strike me as a well-defined term, and you have to be careful using IMAP/POP as terminology for e-mail. E-mail can be carried in the strangest of ways, and the following chain is far from unusual:
web browser --> web server --> mail server --> SMTP connection --> mail server --> Microsoft Exchange server --> IMAP connection --> web server --> web client.
Which part is or isn't involved? (This is a rhetorical question - no need to answer.)
E-mail is message passing between users. I'm not sure the protocol matters that much ...
Best regards,
/Lars-Johan Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.                ! E-mail: liman@netnod.se
# Senior Systems Specialist              ! Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm    ! http://www.netnod.se/
#----------------------------------------------------------------------
On 30 jun 2013, at 20:39, Lars-Johan Liman <liman@autonomica.se> wrote:
web browser --> web server --> mail server --> SMTP connection --> mail server --> Microsoft Exchange server --> IMAP connection --> web server --> web client.
Which part is or isn't involved? (This is a rhetorical question - no need to answer.)
E-mail is message passing between users. I'm not sure the protocol matters that much ...
I think it is the other way around. To be able to know what to save data about, one must have recommendations that say exactly where and what to retain.
In the paper I wrote that was not accepted I explained exactly what Lars-Johan explains above, and concluded that as SMTP and IMAP connections are involved, data about the messages will be retained. I.e. webmail consists of one "web" transaction between client and web server, and one email transaction from the web server to the mail server. If mail is to be retained, the mail transaction has to be retained. As web transactions are not to be retained, that leg should not and will not be retained, even if it is a web transaction that as a result will generate email.
That was not acceptable to the parties that, to me, obviously were not happy with the result of the discussions in the European Parliament, where it was at least clear that web should not be retained.
And I get a somewhat bad taste in my mouth when I hear people, after the decision has been taken in the European Parliament that web is not to be retained, still try to retain "some" web transactions.
Patrik
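The three positions argued over in this exchange, written out as a toy retention filter so the differences can be seen on the same traffic. This is an added example; it is not part of the thread or of the paper Patrik mentions. All hosts, addresses, flow records and the allowlist are constructed, and the `dst_host` and `dpi_app` fields are hypothetical stand-ins for a hostname learned from DNS or TLS SNI and for a label a DPI engine might attach to a payload. The sample traffic follows Lars-Johan's chain: a browser talks HTTPS to a webmail server, which then talks SMTP to a mail server, alongside ordinary IMAP, POP3 and browsing flows. Option (a) catches webmail to any provider but only because it looks into the HTTP payload; option (b), the Swedish choice as Patrik describes it, never retains an HTTP leg but still retains the SMTP leg the web server generates; option (c), Roland's compromise, needs no payload inspection but retains non-mail browsing on the allowlisted hosts and misses providers not on the list.

```python
"""Toy data-retention filter: which legs of webmail traffic each policy keeps.

Added example, not from the thread. Every host, address and record below
is constructed; 'dst_host' and 'dpi_app' are hypothetical fields.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known ports of the mail transfer/access protocols named in the thread.
MAIL_PORTS = {
    25: "smtp", 587: "submission", 465: "smtps",
    110: "pop3", 995: "pop3s",
    143: "imap", 993: "imaps",
}
HTTP_PORTS = {80: "http", 443: "https"}

# Constructed allowlist of "web servers known to be mail systems" (option c).
KNOWN_WEBMAIL_HOSTS = {"mail.example.net"}


@dataclass(frozen=True)
class Flow:
    flow_id: int
    src: str
    dst: str
    dst_port: int
    dst_host: Optional[str] = None  # hypothetical: name seen in DNS/SNI, no payload needed
    dpi_app: Optional[str] = None   # hypothetical: label a DPI engine gave the payload


def is_mail_protocol(f: Flow) -> bool:
    """SMTP/IMAP/POP legs are identifiable from the port alone."""
    return f.dst_port in MAIL_PORTS


def retain_protocol_only(f: Flow) -> bool:
    """Option (b): keep mail-protocol legs only; every HTTP leg is dropped."""
    return is_mail_protocol(f)


def retain_with_dpi(f: Flow) -> bool:
    """Option (a): also keep HTTP flows that payload inspection labelled as webmail."""
    return is_mail_protocol(f) or (f.dst_port in HTTP_PORTS and f.dpi_app == "webmail")


def retain_with_allowlist(f: Flow) -> bool:
    """Option (c): also keep HTTP flows to hosts on the known-webmail allowlist."""
    return is_mail_protocol(f) or (
        f.dst_port in HTTP_PORTS and f.dst_host in KNOWN_WEBMAIL_HOSTS
    )


POLICIES = {
    "a_dpi": retain_with_dpi,
    "b_protocol_only": retain_protocol_only,
    "c_allowlist": retain_with_allowlist,
}

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow(1, "10.0.0.5", "192.0.2.10", 443, "mail.example.net", "webmail"),   # user sends mail in the webmail UI
    Flow(2, "192.0.2.10", "198.51.100.7", 25, None, "smtp"),                  # webmail server -> MTA: the mail leg
    Flow(3, "10.0.0.5", "192.0.2.20", 443, "news.example.org", "browsing"),  # ordinary web browsing
    Flow(4, "10.0.0.6", "198.51.100.7", 993, None, "imap"),                   # IMAP client
    Flow(5, "10.0.0.7", "198.51.100.7", 110, None, "pop3"),                   # POP3 client
    Flow(6, "10.0.0.5", "192.0.2.10", 443, "mail.example.net", "browsing"),  # reading the provider's help pages
    Flow(7, "10.0.0.8", "203.0.113.9", 443, "tinymail.example", "webmail"),  # small webmail provider, not allowlisted
    Flow(8, "10.0.0.5", "192.0.2.30", 80, "www.example.com", "web_form"),    # "email us via our website" form
    Flow(9, "192.0.2.30", "198.51.100.7", 25, None, "smtp"),                  # the SMTP leg that form generates
]


def retained_ids(policy: str, flows=SAMPLE_FLOWS) -> set:
    """Return the ids of the flows a named policy would retain."""
    keep = POLICIES[policy]
    return {f.flow_id for f in flows if keep(f)}


def compare_policies(flows=SAMPLE_FLOWS) -> dict:
    """Run every policy over the same traffic, for side-by-side comparison."""
    return {name: retained_ids(name, flows) for name in POLICIES}


if __name__ == "__main__":
    for name, ids in compare_policies().items():
        print(f"{name:16s} retains flows {sorted(ids)}")
```

Under every policy the SMTP legs (flows 2 and 9) are retained, which is the point that retaining "mail" already covers webmail without touching the web leg. The policies differ only on the HTTP legs: the DPI policy alone sees flow 7, the allowlist policy alone sweeps up flow 6, and the protocol-only policy retains neither.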
In message <48096A22-98BD-49F3-8D80-713070256165@frobbit.se>, at 21:26:22 on Sun, 30 Jun 2013, Patrik Fältström <paf@frobbit.se> writes
In the paper I wrote that was not accepted I explained exactly what Lars-Johan explains above, and concluded that as SMTP and IMAP connections are involved, data about the messages will be retained.
I.e. webmail consists of one "web" transaction between client and web server, and one email transaction from the web server to the mail server. If mail is to be retained, the mail transaction has to be retained. As web transactions are not to be retained, that leg should not and will not be retained, even if it is a web transaction that as a result will generate email.
Whereas I am suggesting that a suitable compromise would be to retain the details of transactions between client and web-servers-known-to-be-mail-systems. Like Hotmail, Gmail and so on.
That was not acceptable to the parties that, to me, obviously were not happy with the result of the discussions in the European Parliament, where it was at least clear that web should not be retained.
And I get a somewhat bad taste in my mouth when I hear people, after the decision has been taken in the European Parliament that web is not to be retained, still try to retain "some" web transactions.
I don't think that an "Internet e-mail service" should be excluded simply because it takes place on port 25. They are only very tenuously "web" transactions[1] anyway, rather than http[s] transactions.
And no, this isn't splitting hairs, it's trying to assert some clarity in the terminology. The lack of clarity isn't helped by organisations like the BBC constantly inviting viewers to "email us via our website". By which they mean fill in a web form, which might or might not then get successfully emailed to someone inside the BBC by the web server.
NB. In this context, I'm not advocating logging and retaining which pages at http://news.bbc.co.uk people browse to, although I know some people who would, especially if it's http://www.howtomakeabomb.com
ps The reason I'm especially interested in this is that the list of data types in Article 5 is partly based on some work I did in 2001 (and subsequent pre-Directive Data Retention laws in the UK).
[1] I can't remember the last time I clicked on a hyperlink pointing to www.gmail.com, it's either an app on my Windows task bar, a different app on my Android phone, or a parameter entered into my POP3 client (yes, you can access gmail by POP3 too, as I'm sure you know; and why does the access protocol make any difference to whether the transaction should be logged/retained, either in terms of common sense, or what it says in the directive?)
--
Roland Perry
In message <m5EgMcTuvU0RFAJN@internetpolicyagency.com>, at 10:29:18 on Mon, 1 Jul 2013, Roland Perry <roland@internetpolicyagency.com> writes
I don't think that an "Internet e-mail service" should be excluded simply because it takes place on port 25.
Apologies for brain-fade. Port 80, obviously.
--
Roland Perry
Can you share the paper?
Gordon
On 30 Jun, 2013, at 21:26, Patrik Fältström <paf@frobbit.se> wrote:
In the paper I wrote that was not accepted...
In message <22k3lbqw7f.fsf@ziptop.autonomica.net>, at 20:39:48 on Sun, 30 Jun 2013, Lars-Johan Liman <liman@autonomica.se> writes
There is of course a technical (operational) difference between IMAP/POP and Webmail, which should be fairly easy to demonstrate.
However, from a regulatory (public policy) point of view, it's clear that all forms of email are "messages", including webmail.
Umm ... I have a gut feeling that someone is trying to split hairs here.
Actually, I was trying to glue some hairs back together.
--
Roland Perry