"This policy brief sketches the outline of a common European position, rooted in the idea that outside zones of conventional hostilities, the deliberate taking of human life must be justified
on an individual basis according to the imperative necessity of acting in order to prevent either the loss of other lives or serious harm to the life of the nation. It argues that such a position would
now offer a basis for renewed engagement with the Obama administration, which has endorsed a similar standard as a matter of policy, even if its interpretation of many key terms remains unclear and its
underlying legal arguments remain different. Finally, it suggests that European states will need to clarify their own understanding and reach agreement among themselves on some parts of the relevant legal
framework as they refine their position and pursue discussions with the United States. None of these efforts will necessarily be easy. But unless the EU defines a position on remotely piloted aircraft and
targeted killing, it risks neglecting its own interests and missing an opportunity to help shape global standards in an area that is vital to international peace and security."
"Modeling mass surveillance disclosure regulations on an updated form of environmental impact statement will help protect everyone’s privacy: Mandating disclosure and impact analysis by those
proposing to watch us in and through public spaces will enable an informed conversation about privacy in public. Additionally, the need to build consideration of the consequences of surveillance into
project planning, as well as the danger of bad publicity arising from excessive surveillance proposals, will act as a counterweight to the adoption of mass data collection projects, just as it did in the
environmental context. In the long run, well-crafted disclosure and analysis rules could pave the way for more systematic protection for privacy — as it did in the environmental context. Effective US
regulation of mass surveillance will require that we know a great deal about who and what is being recorded and about the costs and benefits of personal information acquisition and uses. At present we
know relatively little about how to measure these; a privacy equivalent of environmental impact statements will not only provide case studies, but occasions to grow expertise."
"This handbook on European data protection law is jointly prepared by the European Union Agency for Fundamental Rights and the Council of Europe together with the Registry of the European Court of Human Rights. It is the third in a series of legal handbooks jointly prepared by the EU Agency for Fundamental Rights and the Council of Europe. […] The aim of this handbook is to raise awareness and improve knowledge of data protection rules in European Union and Council of Europe member states by serving as the main point of reference to which readers can turn. It is designed for non-specialist legal professionals, judges, national data protection authorities and other persons working in the field of data protection."
"Democratic and Republican senators have been busy drafting legislation that would establish national requirements for data security and breach notice. The following bills have been
introduced over the last year: Data Security and Breach Notification Act, Toomey (R-PA); Personal Data Privacy and Security Act, Leahy (D-VT); Data Security Act, Carper (D-DE) and Blunt (R-MO); Data
Security and Breach Notification Act, Rockefeller (D-WV); and Personal Data Protection and Breach Accountability Act, Blumenthal (D-CT). This post provides a side-by-side comparison of these five data-breach
bills, which would impose varying standards and penalties. The comparison focuses on the breach-notification requirements of each bill; it does not discuss the standards that some bills would
establish for internal security protocols to safeguard stored data."
"In June 2013 the entire discourse changed dramatically. The catalyst for the right’s recent rise to the top of international political and human rights agendas was last year’s series of
revelations by Edward Snowden, the former NSA contractor. The importance of the Snowden revelations cannot be overstated, as they finally gave us the evidence of what we had most feared: that governments,
acting with scant attention to legal protections, are using invasive techniques to collect as much as they can, while compromising the systems that we all rely upon. Equally, these revelations
accelerated, in leaps and bounds, the process of building public knowledge about global surveillance arrangements and capabilities. Awareness of, and interest in, the right to privacy is now
unprecedented. And so it was that 2013 became the year that privacy advocates finally gained traction in the halls of national parliaments and the United Nations General Assembly; that strong civil
society coalitions were formed across borders and regions; that the world’s 101st data protection law was adopted (by South Africa). Privacy became, in the words of Human Rights Watch, ‘the right whose
time has come’."
"This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union. […] The laws that have
been assessed are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD). Article 31 PDPR concerns a single
uniform personal data breach notification obligation. A personal data breach entails the unauthorized access to and/or theft of personal data. Article 14 PCD concerns the harmonization of national
(significant) loss of integrity breach notification obligations. […] This thesis challenges the aforementioned assumption that determination of causality is straightforward. This is done by a more
substantive assessment of the proportionality test. This thesis contributes an empirical study from a security economics perspective, in order to substantively review (the complexity of) effects of SBNLs.
Do the (expected) effects of SBNLs match the aims it should attain according to the European proposals? And are these effects desirable?"
"The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework
consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references
that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the
organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics
of their approach to managing cybersecurity risk. The Executive Order also requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure
organizations conduct cybersecurity activities. While processes and existing needs will differ, the Framework can assist organizations in incorporating privacy and civil liberties as part of a
comprehensive cybersecurity program."
"A recent news story by Glenn Greenwald and Jeremy Scahill details the use of NSA signals intelligence (SIGINT) – including cellphone and SIM card data – to locate and kill suspected militants
in Afghanistan, Iraq, Pakistan, Somalia, and Yemen. It has long been public knowledge that US operations use mobile phone SIGINT in this way to carry out military strikes (since at least 2004)—and that so
do our allies such as Canada (since at least 2004) and Israel (since at least 2003). So what’s new here? The key revelation in the Greenwald and Scahill story is that the United States may be
increasingly dependent on such SIGINT and that this form of intelligence can have serious reliability problems in some situations–with the result that the wrong people may be killed."
"Apps running on mobile and social platforms have transformed the global gaming market and disrupted the order of the technology industry. The emerging platforms and business models like app
stores and freemium pricing are rippling through — if not ripping apart — enterprise tech sectors. A few Nordic companies — including Rovio, King.com, and Supercell — are showing tremendous success from
beyond Silicon Valley. But will the emerging app economy reboot a struggling Europe, jump-starting job growth and infusing European Union countries with startup energy? Signs are promising. This report
focuses on sizing and qualifying the EU app ecosystem, with an eye toward revenue generation, jobs supported, and the bottlenecks still facing EU app developers."
"16 It is thus apparent from that provision that the concept of communication to the public includes two cumulative criteria, namely, an ‘act of communication’ of a work and the communication
of that work to a ‘public’ […] 20 […] the provision of clickable links to protected works must be considered to be ‘making available’ and, therefore, an ‘act of communication’ […] 21 So far as
concerns the second of the abovementioned criteria, that is, that the protected work must in fact be communicated to a ‘public’, it follows from Article 3(1) of Directive 2001/29 that, by the term
‘public’, that provision refers to an indeterminate number of potential recipients and implies, moreover, a fairly large number of persons […] 22 An act of communication such as that made by the
manager of a website by means of clickable links is aimed at all potential users of the site managed by that person, that is to say, an indeterminate and fairly large number of recipients. 23 In those
circumstances, it must be held that the manager is making a communication to a public. 24 None the less, according to settled case-law, in order to be covered by the concept of ‘communication to the
public’, within the meaning of Article 3(1) of Directive 2001/29, a communication, such as that at issue in the main proceedings, concerning the same works as those covered by the initial communication
and made, as in the case of the initial communication, on the Internet, and therefore by the same technical means, must also be directed at a new public, that is to say, at a public that was not taken
into account by the copyright holders when they authorised the initial communication to the public […]"
"[The European Parliament,] 19. Calls on the US authorities and the EU Member States to prohibit blanket mass surveillance activities and bulk processing of personal data; 20. Calls on certain
EU Member States, including the UK, Germany, France, Sweden and the Netherlands, to revise where necessary their national legislation and practices governing the activities of intelligence services so as
to ensure that they are in line with the standards of the European Convention on Human Rights and comply with their fundamental rights obligations as regards data protection, privacy and presumption of
innocence; in particular, given the extensive media reports referring to mass surveillance in the UK, would emphasise that the current legal framework which is made up of a ‘complex interaction’ between
three separate pieces of legislation - the Human Rights Act 1998, the Intelligence Services Act 1994 and the Regulation of Investigatory Powers Act 2000 – should be revised;"
"We are asked to advise Tom Watson MP, Chair of the All Party Parliamentary Group on Drones, on the lawfulness of five possible scenarios concerning state surveillance in the United Kingdom.
[…] The five scenarios are necessarily to some degree based on assumed facts. However, we have been referred to a number of news reports arising out of the recent disclosures made by Edward Snowden,
upon which the scenarios are based."
"Counterterrorism professionals routinely face decisions that appear to require trade-offs between moral values such as privacy, liberty and security, and broader human rights considerations.
Given that ethics are integral to this field, it is essential that counterterrorism professionals are proficient at making these types of decision. However, there is no existing overview of the methods
that may support ethical decision-making specifically aimed at counterterrorism practitioners. To address this gap, the Research and Documentation Centre (Wetenschappelijk Onderzoek- en
Documentatiecentrum, WODC) of the Dutch Ministry of Security and Justice (Ministerie van Veiligheid en Justitie), on behalf of the National Coordinator for Counterterrorism and Security (Nationaal
Coördinator Terrorismebestrijding en Veiligheid, NCTV), commissioned RAND Europe to develop an inventory of methods to support ethical decision-making for the counterterrorism field. The objective of this
study is not to recommend which methods should be developed, strengthened or implemented in the Netherlands. Rather, the aim is to outline the methods that counterterrorism professionals could draw on to
support their ethical decision-making process."
"Therein lie the two contrasts starkly evident within data privacy news in 2013: The attempts to direct and curb behavior at a government level that sometimes take years between passage and
force […] contrasted with the matter of weeks it took one individual to collect and disseminate tens of thousands of ostensibly extraordinarily sensitive documents. The concerted efforts within the EU
to even propose a new standard law for data privacy again contrasted with the efforts of one individual to undermine years of U.S.-EU negotiation, diplomacy, and representations. 2013 was the year big
data, concerns about data privacy, and one man proved Archimedes’ assertion from ~250 BC; with at least 57,974 or so documents still awaiting release, 2014 should shape up to be even more
"When it comes to the fight for free expression and privacy in technology, 2013 changed everything. This was the year we received confirmation and disturbing details about the NSA programs
that are sweeping up information on hundreds of millions of people in the United States and around the world. This set off a cascade of events, from EFF’s newest lawsuit against the NSA to protests in the
streets to a United Nations resolution to Congressional bills both promising and terrifying. In December, a federal judge even found the surveillance likely unconstitutional, calling it ‘almost-Orwellian.’
It was also a year we lost a beloved friend and activist, Aaron Swartz. Aaron was a fellow freedom fighter working to bring the world access to knowledge. We’re still mourning his suicide,
which was spurred in part by an aggressive prosecution under the vaguely worded and over-penalized Computer Fraud and Abuse Act (CFAA). In his memory, EFF and our friends at Demand Progress created a
coalition to fight for reform of the CFAA."