Sunday, 20 May 2012 20:36

Wireless pickpocketing through RFID

A debit or credit card with an RFID chip? Not a good idea! Watch the video below:

These days, of all human rights the right to privacy finds itself under the most pressure. Therefore, it is of great importance that the government, being the largest privacy violator, is tightly controlled by means of proper legislation. With good checks & balances, for the government itself as well as for monitoring possible privacy violators such as Microsoft, Google, Apple and large ICT companies like Cisco and Intergraph that set up entire electronic surveillance infrastructures in China.

Under the ‘principle of security’, current Western democracies are increasingly being led by suspicion, hate and control instead of the principles of trust, love and freedom. And all of this to protect those last three mentioned? In the view of Privacy First, the line in the sand has already been drawn in 2001. Under the guise of security our legislation has been heavily modified to the disadvantage of individual citizens and through function creep the boundaries of the application of this legislation are continuously being stretched. Will loitering youth and football hooligans soon be seen as criminal or terrorist organisations under our judicial system? And what about everyone who thinks or acts differently? Where can we draw the line? And who makes the decisions over this? And who will scrutinize the decision maker and the executor?

At the moment, it is under the big heading of ‘profiling’ that ever more privacy violations take place. The aim of profiling is tracking entire populations or target groups in order to identify so-called 'outliers' through criteria and norms that are to be imposed. Outliers are deviations from the norm: people who behave differently than the ‘normal group’, or a specific group the government has set its eyes upon, whoever it may concern. People who have unpaid bills, who drive too fast, who gather in groups, attorneys, journalists, activists, airplane passengers, those entitled to public aid, sect members, etc. Just identify and track them, you never know if there’s someone amongst them who hasn’t abided by the rules or who fits a certain profile you’re looking for.

Profiling is characterised by four aspects that in our perception are in conflict with the Dutch Constitution as the basis for our constitutional State:

  • The reversion of a fundamental principle of law: citizens are tracked en masse without a concrete, reasonable suspicion of a crime. Through profiling everyone becomes a potential suspect and everyone’s privacy can be violated unpunished.
  • With the current state of technology, profiling is aimed at continuous, real-time identification instead of passive registration and analysis of data of a citizen under reasonable suspicion. So we move from registration to identification, without the authorization and awareness of the trustful citizen. In this way, out of its own distrust the government abuses the good faith of citizens and in so doing imposes its own standard criteria. Without any democratic evaluation or strict legal guarantees.
  • The application of the technology used for profiling is based on the principle that ‘everything’s allowed if it’s technically possible’. For the greater part this development is invisible for citizens. Subway stations, trains, busses, trams, inner cities, police helmets and even parking machines (!) in Amsterdam are incessantly being equipped with cameras. These are linked to central control rooms and, where possible, fitted with identification and pattern recognition software in order to be able to directly perceive ‘suspicious matters’. The mantra of our government: ‘ill doers are ill deemers’.
  • Increasing restrictions to internet freedom of companies and individuals. Since 2010 all our personal telephone and email correspondence are being stored. All this is being done to prepare for profiling. At the moment the US Congress is working on a legislative proposal (Cyber Intelligence Sharing and Protection Act, CISPA) which grants private businesses and the US government the right to spy on citizens at any given moment and for as long as they want and to report them in case there are ‘outliers’. All of this without the need for a warrant. WikiLeaks, child porn, copying illegal content and the like are all too readily used to introduce new legislation to further restrict our internet freedom and which is to be applied in other areas the government wants to have control over. Preferably on a worldwide scale, without any democratic scrutiny. The government obliges citizens to increasingly use online services: the Citizen ‘Service’ (Control that is) Number (in Dutch: Burger Service Nummer, BSN), the Electronic Child File (Elektronisch Kind Dossier, EKD/DDJGZ), the Electronic Student File (Elektronisch Leerlingen Dossier, ELD), Diagnosis Treatment Combinations in healthcare (Diagnose Behandel Combinaties, DBC’s), etc. Of every citizen an ‘electronic life file’ comes into existence which in conjunction with electronic traces are to become able to predict suspect or deviant behaviour. Preferably in real-time and online. All of this, naturally, to protect our freedom...

In case fingerprints in passports will be replaced by new biometric features, the road will be cleared for a much worse form of profiling. Through the use of facial scans in databases, citizens will be able to be identified and tracked in public spaces in real-time and to be singled out through profiling on the basis of criteria predetermined by ‘someone’. In this process the government deliberately focuses on modifying the technology. As a result, there is 'fortunately' no need to talk about whether or not biometrics are actually desirable in our society, and if so, under which conditions and guarantees. Privacy First advocates for 'privacy by design' and privacy enhanced technologies as well as strict legislation with regard to biometrics and profiling. Because we don’t want to leave our children behind in an electronic concentration camp...

For a free, open and vivid 2012!

Bas Filippini,
Chairman of the Privacy First Foundation

Postscript: in the context of the National Privacy Debate, this column has also been published (in Dutch) as an Opinion by Dutch web-magazine Webwereld: http://webwereld.nl/opinie/110383/profiling-het-grootste-gevaar-voor-privacy--opinie-.html and http://nationaalprivacydebat.nl/article/ww/110383/profiling-het-grootste-gevaar-voor-privacy-opinie

Published in Profiling

The following article by Privacy First employee Vincent Böhre was published this month in the periodical De Filosoof (‘The Philosopher’, University of Utrecht). Tomorrow the Dutch Passport Act will be high on the Dutch political agenda: in a debate with the Minister of the Interior Liesbeth Spies the compulsory taking of fingerprints for Dutch passports and ID cards will be discussed. Privacy First has recently (again) emphasized to all political parties in the Dutch House of Representatives to have passports without fingerprints introduced as soon as possible and to make a request to the government to have the Passport Regulation revised at the European level. This in order for the compulsory taking of fingerprints to be done away with also for passports, or at least to become of a voluntarily nature. The text below offers a quick recap with a positive twist. A pdf version of the original article in Dutch can be found HERE (pp. 6-7).

The biometric passport as an unintended privacy gift

‘‘Late 2001, the Christian-democratic political party CDA proposed storing the fingerprints of every Dutch citizen through passports for criminal investigation purposes. However, this proposal was immediately scrapped by other political parties because it would lead to a Big Brother society. Nonetheless, an even more far-reaching proposal became law seven years later almost inconspicuously. Under the new Dutch Passport Act, apart from criminal investigation and prosecution, everyone’s fingerprints and facial scan (biometric data) could also be used for counter-terrorism, domestic and foreign State security, disaster control and personal identification. However, none of these legal purposes had been discussed in Parliament.[1] In fact, the new Passport Act was accepted by the Senate even without a vote. The media merely stood by and watched how it happened. How could things have gotten this far?

‘Bystander syndrome’

In a certain way the Passport Act was (and is) emblematic for the Dutch era after '9/11'. An era in which (presupposed) anti-terrorism measures could be steered through Parliament with the greatest of ease. After all, such measures would enhance our security, we were continuously told. By nature people are inclined to believe the authorities and to accept the status quo. From a human rights point of view, one could consider the post-9/11 era as a huge Milgram experiment: without too much resistance many human rights have for years been put to the rack of society. The realization of the new Passport Act is no exception. Every Member of the Senate could at least have made a request for a parliamentary vote. Journalists and scientists could have blown the whistle on time. Instead, they all stood there and watched since, of course, the law would make the Netherlands a ‘more secure’ place. But what was this assumption based on? Wasn’t the Netherlands actually going to be less secure by the massive storage of fingerprints in travel documents and affiliated databases? This question has never been asked in public, let alone discussed and answered.

Disproportionate

The prime argument by the Dutch government for the introduction of fingerprints in passports and ID cards has, since the late 90s, been the following: it would prevent look-alike fraud with travel documents. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his or her appearance resembles. Questions about the scale of this type of fraud have hardly ever been asked in Parliament. From a recent FOIA-request filed by Privacy First, it appeared that we’re dealing with only a few dozen cases each year (with Dutch travel documents on Dutch territory).[2] In light thereof the introduction of fingerprints in travel documents of 17 million Dutch citizens is completely disproportionate. Not to mention the dozens, if not hundreds of millions of Euros that the government has spent on this project.

Risks

With the introduction of a ‘biometric identity infrastructure’ a new form of fraud comes to life that is extremely difficult to trace and combat: biometric identity fraud, for instance through hacking. Not just with guileless citizens and companies, but also in the public sphere (espionage). Moreover, it has been pointed out that in 21-25% of cases the biometric data in the chip of Dutch travel documents cannot be read (verified). So in the event of passport control, there is a high risk that citizens become unjustly suspected of fraud. The biometric passport is no good for combating terrorism either: terrorists generally use their own, authentic travel documents. Unfortunately, little is publicly known about the way security and intelligence agencies use biometrics, even though some purposes are easy to predict: identification of suspects unwilling to speak and ‘interesting’ persons in public space, the recognition of emotions, lie detection and the recognition or use of doubles. The same applies to the domain of criminal investigation and prosecution, also in conjunction with camera surveillance and automatic facial recognition. In addition, the RFID (Radio Frequency Identification)-aspect of the chip in the document enables it to be read from a distance: citizens can be identified and tracked without it being noticed. With regard to personal identification, one could think of the possible introduction of fingerprints at banks, social services, the internet, etc. (Since the end of last year, a Dutch pilot project with mobile finger scanners for the police is ongoing.) Finally, there’s the domain of fighting disasters: biometrics used for the identification of casualties in the event of large-scale disasters or as a logistic means. All in all these possibilities for the use of biometrics go dozens, if not a hundred steps beyond the mere combating of look-alike fraud with travel documents. One ought to realize that all of these possibilities will sooner or later be put into practice. In jargon this is called ‘function creep’; historically seen it’s inevitable. Scientific research into future applications of biometrics continuously takes place. What’s more, even in our part of the world a democratic constitutional State is no invariable matter of fact. It is therefore very dubious whether our world will become ‘more secure’ by the large-scale use of biometrics.  

Positive change

It is exactly this concern which brought about a small Dutch revolution in the summer of 2009: at the time, the enactment of the new Passport Act led to a torrent of criticism and to the coming into being of the current Dutch privacy movement. New privacy organizations such as Privacy First proliferated, social coalitions were forged and lawsuits against the new Passport Act were filed.[3] This boomerang effect within society continues to this day. Since that time the right to privacy is ever higher on the societal and political agenda. In that sense the biometric passport has so far proved to be an unintended gift from heaven.''



[1]
See Vincent Böhre, Happy Landings? Het biometrische paspoort als zwarte doos (Happy landings? The biometric passport as a black box), Wetenschappelijke Raad voor het Regeringsbeleid, WRR (Scientific Council for Government Policy) October 2010, http://www.wrr.nl/publicaties/publicatie/article/happy-landings-het-biometrische-paspoort-als-zwarte-doos-46/.
[2]
See Privacy First, Revealing figures about look-alike fraud with Dutch travel documents (20 March 2012).
[3]
See Böhre supra footnote 1, p. 111 ff.
Published in Meta-Privacy
These days, of all human rights the right to privacy finds itself under the most pressure. Therefore, it is of great importance that the government, being the largest privacy violator, is tightly controlled by means of proper legislation. With good checks & balances, for the government itself as well as for monitoring possible privacy violators such as Microsoft, Google, Apple and large ICT companies like Cisco and Intergraph that set up entire electronic surveillance infrastructures in China.

Under the ‘principle of security’, current Western democracies are increasingly being led by suspicion, hate and control instead of the principles of trust, love and freedom. And all of this to protect those last three mentioned? In the view of Privacy First, the line in the sand has already been drawn in 2001. Under the guise of security our legislation has been heavily modified to the disadvantage of individual citizens and through function creep the boundaries of the application of this legislation are continuously being stretched. Will loitering youth and football hooligans soon be seen as criminal or terrorist organisations under our judicial system? And what about everyone who thinks or acts differently? Where can we draw the line? And who makes the decisions over this? And who will scrutinize the decision maker and the executor?

At the moment, it is under the big heading of ‘profiling’ that ever more privacy violations take place. The aim of profiling is tracking entire populations or target groups in order to identify so-called 'outliers' through criteria and norms that are to be imposed. Outliers are deviations from the norm: people who behave differently than the ‘normal group’, or a specific group the government has set its eyes upon, whoever it may concern. People who have unpaid bills, who drive too fast, who gather in groups, attorneys, journalists, activists, airplane passengers, those entitled to public aid, sect members, etc. Just identify and track them, you never know if there’s someone amongst them who hasn’t abided by the rules or who fits a certain profile you’re looking for.

Profiling is characterised by four aspects that in our perception are in conflict with the Dutch Constitution as the basis for our constitutional State:

  • The reversion of a fundamental principle of law: citizens are tracked en masse without a concrete, reasonable suspicion of a crime. Through profiling everyone becomes a potential suspect and everyone’s privacy can be violated unpunished.
  • With the current state of technology, profiling is aimed at continuous, real-time identification instead of passive registration and analysis of data of a citizen under reasonable suspicion. So we move from registration to identification, without the authorization and awareness of the trustful citizen. In this way, out of its own distrust the government abuses the good faith of citizens and in so doing imposes its own standard criteria. Without any democratic evaluation or strict legal guarantees.
  • The application of the technology used for profiling is based on the principle that ‘everything’s allowed if it’s technically possible’. For the greater part this development is invisible for citizens. Subway stations, trains, busses, trams, inner cities, police helmets and even parking machines (!) in Amsterdam are incessantly being equipped with cameras. These are linked to central control rooms and, where possible, fitted with identification and pattern recognition software in order to be able to directly perceive ‘suspicious matters’. The mantra of our government: ‘ill doers are ill deemers’.
  • Increasing restrictions to internet freedom of companies and individuals. Since 2010 all our personal telephone and email correspondence are being stored. All this is being done to prepare for profiling. At the moment the US Congress is working on a legislative proposal (Cyber Intelligence Sharing and Protection Act, CISPA) which grants private businesses and the US government the right to spy on citizens at any given moment and for as long as they want and to report them in case there are ‘outliers’. All of this without the need for a warrant. WikiLeaks, child porn, copying illegal content and the like are all too readily used to introduce new legislation to further restrict our internet freedom and which is to be applied in other areas the government wants to have control over. Preferably on a worldwide scale, without any democratic scrutiny. The government obliges citizens to increasingly use online services: the Citizen ‘Service’ (Control that is) Number (in Dutch: Burger Service Nummer, BSN), the Electronic Child File (Elektronisch Kind Dossier, EKD/DDJGZ), the Electronic Student File (Elektronisch Leerlingen Dossier, ELD), Diagnosis Treatment Combinations in healthcare (Diagnose Behandel Combinaties, DBC’s), etc. Of every citizen an ‘electronic life file’ comes into existence which in conjunction with electronic traces are to become able to predict suspect or deviant behaviour. Preferably in real-time and online. All of this, naturally, to protect our freedom...

In case fingerprints in passports will be replaced by new biometric features, the road will be cleared for a much worse form of profiling. Through the use of facial scans in databases, citizens will be able to be identified and tracked in public spaces in real-time and to be singled out through profiling on the basis of criteria predetermined by ‘someone’. In this process the government deliberately focuses on modifying the technology. As a result, there is 'fortunately' no need to talk about whether or not biometrics are actually desirable in our society, and if so, under which conditions and guarantees. Privacy First advocates for 'privacy by design' and privacy enhanced technologies as well as strict legislation with regard to biometrics and profiling. Because we don’t want to leave our children behind in an electronic concentration camp...

For a free, open and vivid 2012!

Bas Filippini,
Chairman of the Privacy First Foundation

Postscript: in the context of the National Privacy Debate, this column has also been published (in Dutch) as an Opinion by Dutch web-magazine Webwereld: http://webwereld.nl/opinie/110383/profiling-het-grootste-gevaar-voor-privacy--opinie-.html and http://nationaalprivacydebat.nl/article/ww/110383/profiling-het-grootste-gevaar-voor-privacy-opinie

Published in Columns

This week an excellent article about biometrics by internet journalist Jean-Marc Manach appeared in French web-magazine 'OWNI'. Many current issues and uncertainties around biometrics are discussed in this article, including the Dutch situation: 

"20% d'empreintes inutilisables

Les eurodéputés rappellent également qu'aux Pays-Bas, une étude menée sur plus de 400 passeports a révélé que les empreintes digitales étaient inutilisables dans plus de 20% des cas...

Sophia in 't Veld, de l'Alliance des démocrates et libéraux pour l'Europe (ADLE) révéla par ailleurs qu'au Pays-Bas, les passeports biométriques avaient été justifiés au motif de la lutte contre la fraude et l'usurpation d'identité, mais que le ministère de l'Intérieur avait toujours refusé de rendre public le nombre de cas recensés, au motif que le chiffre serait «inconnu», «pas public», «confidentiel» ou «secret».

Or, des documents obtenus par l'ONG Privacy First révèlent que les autorités n'ont dénombré que 46 cas d'usurpation en 2008, 33 en 2009 et 21 en 2010, sur une population de 17 millions d'habitants..."

Read the entire article HERE, or click HERE for an 'English version' in Google Translate.

Friday, 13 April 2012 16:11

Save the internet from the U.S.

The following (translated) call reached us this week from Avaaz (in Dutch) and is fully supported by Privacy First:

‘‘At this very moment, the American Congress wants to secretly adopt a legislative proposal which enables them to spy on internet users everywhere in the world, hoping the world won’t notice it. Last time around we contributed to the fight against the attack on the internet, now let’s do it again.

Over a 100 Congress members support the legislative proposal (CISPA) which grants private businesses and the American government the right to spy on every one of us, at any given moment and for as long as they want without the need for a warrant. This is the third time the American Congress tries to attack our internet freedom. We helped defeat the Stop Online Privacy Act (SOPA) and the Protect IP Act (PIPA) – now we can defeat this new ‘Big Brother law’.

Our global indignation has previously played a leading role in protecting the internet against governments that want to track and control us online. Let’s once more stand united and thwart this law for good. Sign the petition and forward it to anyone who uses the internet: http://www.avaaz.org/en/stop_cispa

The Cyber Intelligence Sharing and Protection Act (CISPA) determines that in a mere case of suspicion of a cyber threat, companies that allow us internet access have the right to collect information about our online activities, to share this information with the government and to refuse notifying us about this. Afterwards they enjoy immunity from prosecution for privacy violations or whichever other illegal activity it may concern. This implies an insane dismantling of the privacy we all have faith in during our daily habits of sending emails, having Skype chats, performing search actions, etc.

But we know the American Congress is afraid of the world’s reaction. It is the third time that they put the attack on our internet freedom in a new jacket in order to push it through after all. The name of the law is repeatedly being changed in the hope that citizens won’t notice it. NGOs that deal with internet rights, like the Electronic Frontier Foundation, have already condemned the legislative proposal on account of violation of privacy protection. It’s time for us to speak out.

Sign the petition for Congress against CISPA. As soon as we have 250.00 signatures we will hand over our petition to every one of the 100 American representatives who support this law: http://www.avaaz.org/en/stop_cispa

Every day internet freedom has to endure the threats from governments from all over the world, but the US can cause the greatest damage since most of the internet’s infrastructure is situated there. Time and again our movement has proved that global public opinion contributes to stopping the US from threatening our internet. Let’s do this again.’’

Published in Online Privacy
Thursday, 29 March 2012 17:03

Privacy First endorses the Earth Charter

Declaration of endorsement of the Earth Charter by the Privacy First Foundation 

« Privacy is the new green »
 

The Privacy First Foundation hereby endorses the Earth Charter. We subscribe to the ideas and goals of this document and we support the common pursuit of a righteous, sustainable and peaceful world. To that end, the worldwide preservation and promotion of the universal right to privacy is of primary importance. In order to achieve this goal, Privacy First shall be guided by the values and principles of the Earth Charter.

Privacy is the basis of our democracy under the rule of law. Without privacy, there can be no free personal development and no free democratic dynamics. Of all human rights, the right to privacy today finds itself under the most pressure. Through the rise of modern information and communications technology (ICT) the physical and virtual world become ever more integrated and societies become increasingly transparent. The digital revolution offers sovereign peoples as well as individuals from all over the globe new chances and opportunities in terms of democratisation and socio-economic empowerment. However, it also provides governments with the technical resources to suppress these processes. Information technology ought to serve the free individual, not the other way around. Therefore, in a sustainable information society the privacy of every single individual is to be optimally safeguarded.

The same positive change in recent decades with regard to the environment has to be made in the coming years in the field of privacy. Indeed, the toxic leakages of the past have become the data leakages of today. As large groups of people are stricken by environmentally unfriendly practices, the same goes for practices which are privacy-unfriendly. In both these fields our habitat and the private sphere are inextricably linked as parts of a whole. In terms of human rights this is already evinced by the European development of a 'green interpretation' of Article 8 of the European Convention on Human Rights, through which the right to privacy has received an environmental dimension. Conversely, the values and principles of the Earth Charter are a relevant guideline with regard to the protection of our privacy. In the spirit of the Earth Charter, this translates into the following principles for Privacy First:

1. In every public and industrial policy, positive human freedom and the human dimension are to fulfil a central role.

2. Privacy is the most fundamental freedom and apart from private life and personal development, this comprises the protection of personal data, confidential communication and the integrity of the person and body.

3. Both companies and government authorities have a duty of care for appropriate privacy protection. This duty also extends across national borders.

4. Everyone has the right to informational self-determination: the right to personal control over one's own personal data.

5. The human body is inviolable. The right to physical integrity is absolute in the sense that any infringements thereupon are only permissible with the consent of the individual.

6. ICT companies are required to act in a socially responsible, ethical and transparent manner. In this respect they also have a chain responsibility over the customers and suppliers within their line of business.

7. Privacy Impact Assessments are required in every situation in which one's privacy could be interfered with. Measures which can lead to large-scale and irreversible privacy violations are prohibited a priori.

8. Government authorities and companies which violate people's privacy have a duty to repair the situation and to compensate for any damage.

9. In order to defend themselves against any (impending) privacy violations by government authorities or companies, citizens shall have at their disposal both individual as well as collective legal remedies. The government safeguards individual legal protection and a collective right of action.

10. Any complicity by companies in foreign privacy violations shall be prevented and punished. This can be realised through the installation of international sanctioning mechanisms.

11. Everyone has the right to free internet access. Governments and companies facilitate this right.

12. Everyone has the right to active administrative transparency. This comprises the right to timely, correct and integral government information.

13. Privacy-sensitive information technology needs to live up to the highest standards of 'privacy by design'. This can be achieved through the use of privacy enhancing technologies (PET).

14. Every generation of people is responsible for the privacy protection of future generations.

15. A privacy friendly future starts with our youth. Therefore privacy education is to become compulsory in primary, secondary and higher education.

Privacy First Foundation,
Amsterdam, March 29, 2012

The official declaration of endorsement by Privacy First can be downloaded HEREpdf.

Published in Meta-Privacy

Thanks to a FOIA-request by the Privacy First Foundation, the official figures about look-alike fraud with Dutch passports and ID-cards have today, for the first time, become public. From these figures it emerges that the Dutch biometric passport with fingerprints is an absolutely disproportionate measure, the introduction of which should never have been allowed.

The primary argument from the Dutch government for introducing fingerprints in passports and ID-cards has for years been the same: fighting look-alike fraud. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his appearance resembles. This kind of swindler is also called an impostor. Questions about the scale of this type of fraud have hardly ever been asked, not by members of Dutch Parliament, nor by scientists or journalists. Those who raised a question about it in the last ten years were usually provided with an answer that left them none the wiser: figures about look-alike fraud would be ‘unknown’, ‘not publicly available’, ‘confidential’, or ‘secret’. The answer to the most recent parliamentary question in this respect dates back to October 2010:

- Question: ‘‘Is it true that the figures of look-alike fraud with ID documents are known, but that you are unwilling to provide them to the House of Representatives? Are you actually prepared to provide these figures to the House of Representatives?’’
- Answer by Dutch State Secretary Ank Bijleveld (Ministry of the Interior): ‘‘No, this is not true. Since such figures are unknown to me, it’s obvious I cannot send them to you.’’ (Dutch source)

Those who have been asking supplementary questions in recent years were often told we would be facing a massive phenomenon. In this way the idea of a 'dark figure' of crime of almost mythical proportions came into existence. That is to say, without any trace of evidence. So recently the Privacy First Foundation filed a FOIA-request to the department of the Dutch government that has been keeping track of the figures on look-alike fraud for years: the Dutch Expertise Centre on Identity fraud and Documents (Expertisecentrum Identiteitsfraude & Documenten, ECID) based at Schiphol Airport. The ECID falls under the Royal Netherlands Marechaussee (KMar) and is thus part of the Dutch Ministry of Defence. Privacy First knew from a reliable source that those figures could be found in the clear annual reports of the ECID from 2008 onwards. So recently we have simply made a request for those reports by email. Subsequently Privacy First received the Statistic Annual Overviews on Document Fraud (Statistische Jaaroverzichten Documentfraude) from 2008 to 2010 from the Ministry of Defence. (Update: the statistics from 2011 followed on 29 May 2012.) The following figures result from these annual reports relating to look-alike fraud with Dutch passports and ID-cards on Dutch soil:   

2008: 46 cases (source: Statistisch Jaaroverzicht Documentfraude 2008, p. 45)

2009: 33 cases (source: Statistisch Jaaroverzicht Documentfraude 2009, pp. 42-43)

2010: 21 cases (source: Statistisch Jaaroverzicht Documentfraude 2010, pp. 52-53)

2011: 19 cases (source: Statistisch Jaaroverzicht Documentfraude 2011, pp. 52-53).

The Netherlands has 17 million inhabitants. By now almost 7.5 million of those had their fingerprints taken to combat a handful of cases of look-alike fraud. By any standard this is a completely disproportionate situation and thereby forms a collective violation of the right to privacy of all Dutch citizens. Privacy First regards these figures as a strong backing in its lawsuit against the Dutch government regarding the new Dutch Passport Act and hereby makes a call to the government to immediately stop the compulsory taking of fingerprints for passports and ID-cards. Regardless of whether or not that’s against European policy.

Update 22 March 2012: At first Privacy First showed the numbers 63 (2009) and 52 (2010). However, those figures were based on a calculating error (they were counted twice), for which we apologise.  

Update 30 March 2012: internal documents from the Dutch Ministry of the Interior from 2004 also imply a relatively low figure for fraud and, moreover, high costs for introducing biometric technology in travel documents. Privacy First recently obtained these documents through a large-scale FOIA investigation that has been ongoing since April 2011.

Update 29 May 2012: Today Privacy First finally received the long-awaited Statistisch Jaaroverzicht Documentfraude 2011 from the Dutch Ministry of Defence. The number of cases of look-alike fraud with Dutch passports and ID-cards on Dutch soil (as far as the KMar is aware) according to this report were respectively... 11 and 8, so just 19 in total. We have updated the list of cases from 2008 to 2010 above with the figures from 2011. So the idea of look-alike fraud as a very small-scale phenomenon is once more confirmed. To burden the entire Dutch population with biometric passports and ID-cards as a countermeasure is and will be completely disproportionate and therefore unlawful.

Published in FOIA Requests

Since a few days there is justified commotion over two new Dutch government plans that will grossly invade people's privacy. The first one is a plan by Dutch Minister for Immigration, Integration and Asylum Affairs Gerd Leers of the Christian-democratic party CDA to start creating automatic risk profiles of every airplane passenger. Before going on a business trip or on vacation, you will get a little green, yellow, orange or red flag behind your name. Without you knowing it. This is no hint at a surprise party, no, it’s because in the eyes of the Dutch government you may be a dangerous terrorist. At Schiphol Airport you are hopefully amongst those who can quickly go passed the security checks for people with green flags. In case you have a different flag you’ll be taken apart, thoroughly checked and interrogated and as a consequence you might miss your flight. The legislative proposal hasn’t yet been sent to the Dutch House of Representatives, but the government is already starting to build the corresponding central infrastructure (PARDEX). This is the state of democracy in the Netherlands in 2012.

The second plan has been concocted by Dutch State Secretary for Social Affairs and Employment Paul de Krom of the liberal party VVD. In terms of protection of privacy, De Krom happens to be just as uncompromising: his idea is to create comprehensive profiles of everyone entitled to social welfare from now on, on the basis of all the possible databases that can be linked to the municipal population register. In case an anomaly is found in your digital profile, you immediately appear on the radar of a central control room, a sort of Central Command for public benefits. Subsequently, it’s up to you to prove something’s not right with your profile, otherwise you may lose your benefit.  

Both proposals are all about profiling: creating and keeping up-to-date detailed risk profiles of ordinary citizens. In an ocean of information that for 99% derives from innocent people, Leers and De Krom are hoping to catch that 1% of (potential) troublemakers. (Do you remember 'The One Percent Doctrineby Dick Cheney?) In other words, it’s an inversion of the classic principle that the government is only allowed to intrude upon your privacy once there’s a reasonable suspicion of a crime. After all, through profiling everyone is treated as a (potential) suspect beforehand. This effectively turns the right to privacy into fiction.

Yesterday night this topic was discussed on Dutch radio programme Dichtbij Nederland (‘Close to the Netherlands’) on NTR, Radio 5. Apart from Vincent Böhre of Privacy First, two experts took part in the debate: criminologist Marianne van den Anker (former municipal councillor of the regional political party Leefbaar (‘Livable’) Rotterdam, dealing with security) and Marc Jacobs (writer and former police commissioner). The whole discussion can be listened to HERE (starting at 17m48s).

Published in Profiling

The Netherlands is a democratic constitutional State. This implies that every government action is to be 1) democratically legitimized and 2) subject to the rule of law. Therefore the law decides what the government has to adhere by. Whereas the prohibition on vigilante justice applies to every citizen, it also applies to the government itself. In that sense the government fulfils an important exemplary role. But what if the government ignores a judicial verdict? In that case citizens in a constitutional State are fortunately able to go to court again to call the government to order. This is what happened last year in a lawsuit against the Dutch Healthcare Authority (Nederlandse Zorgautoriteit, NZa) about medical privacy and professional confidentiality within the Mental Health Sector (Geestelijke Gezondheidszorg, GGZ). Last week the Dutch Trade and Industry Appeals Tribunal (College van Beroep voor het bedrijfsleven, CBb) judged that the NZa had not adhered by an earlier verdict of the CBb and still has to do so. Here below Privacy First briefly clarifies the CBb’s verdict.  

In 2008, so-called Diagnosis Treatment Combinations (Diagnose Behandel Combinaties, DBCs) were introduced in the Netherlands. This means that every medical treatment has a special code. This code is printed on your invoice and on that of your health insurance company so it can verify your expense claim. Furthermore, a short description (‘layman’s description’) is indicated on the expense claim. Every DBC registration is also entered (pseudonymously) in a central government database: the DBC Information System (DIS). This database can be consulted among others by the Dutch Central Agency for Statistics (Centraal Bureau voor de Statistiek, CBS). Through linkage these DBC data can easily be tracked back to private individuals. All of this constitutes a violation of the medical privacy (of patients) and the professional confidentiality (of medical specialists) in medical healthcare, including curative mental healthcare. A few years ago a number of independent psychiatrists & psychotherapists (being represented among others by the KDVP Foundation and the DeVrijePsych) rightly alarmed the NZa about this. However, their objections against the DBC system were declared unfounded by the NZa, after which legal action with the CBb followed. In August 2010 the CBb decided in favour of the psychiatrists & psychotherapists: the NZa was summoned to henceforth exclude them from the DBC system. However, the NZa happened to be reluctant to live up to the verdict, after which new proceedings with the CBb followed to reconfirm the earlier verdict. In its verdict of 8 March 2012 the CBb judged that the NZa has not lived up to the earlier verdict:

‘‘Based on what was stated earlier, the question whether or not [the NZa], in its new decision on appeal, has in the right way implemented the earlier verdict of the CBb, has to be answered in the negative.’’ (para. 5.33)

The guiding consideration in the earlier verdict of the CBb reads as follows:‘‘Providing diagnosis data about individual patients to health insurance companies violates the medical privacy of these very patients. Appellants have extensively elucidated which objections - from the perspective of the patient, the treatment and that of the professional confidentiality - are linked to the passing on of this sort of information to third parties that are not involved with the treatment. In the view of the CBb these objections are substantial: it concerns diagnoses that affect the core area of private life of the individuals involved, which makes information about this very privacy-sensitive. In addition, when it comes to the treatment of mental disorders confidentiality and secrecy are of great importance, as appellants have maintained.’’ (para. 2.4.4.3)

In the new verdict the CBb obliges the NZa to design an opt-out privacy regulation for the provision of diagnosis data for the treatment of mental disorders within the Mental Health Sector:

‘‘The outcome of the modification to the expense claim-system will in any case need to be that the obligation to indicate the diagnosis-classification code, as well as the obligation to indicate other data on the expense claim with which a diagnosis can be deduced, will be discontinued as such.’’ (para. 5.42)

In this context the CBb concludes on the one hand that the NZa (and the Dutch Ministry of Health) has the competence to realize this, and on the other hand that an exemption regulation (opt-out) is very well achievable. As the brand-new winner of a Dutch 'Big Brother Award', this is an excellent opportunity for Minister of Health Edith Schippers to restore her reputation with regard to privacy by closely monitoring the NZa’s implementation of the verdict. Privacy First is keen on keeping an eye on this.

Update 10 June 2012: Meanwhile the NZa has lived up to the verdict of the CBb by adjusting its rules. As of 7 June 2012, new NZa-policy rules within the Mental Health Sector apply according to the ‘letter and the spirit’ of the CBb:

1. In order to protect their privacy, patients who undergo psychiatric or psychotherapy treatment can reject indicating the diagnosis on the expense claim. In case patients want to make use of their health insurance, they must compose a ‘privacy statement’ together with the practitioner and send it to their insurance company. In that case it’s no longer compulsory to indicate the diagnosis. However, the medical advisor of the health insurance company may make inquiries respecting patient confidentiality.

2. For patients who pay for themselves, indicating the diagnosis is no longer compulsory. There is no need for a privacy statement.

3. In these two cases sending DBC registrations to the DBC Information System (DIS) is no longer compulsory either.

You can find more about this HERE on the weblog of the DeVrijePsych (in Dutch). Click HERE to read the entire decision (in Dutch) by the NZa dated 7 June 2012.

Update 7 July 2012: Privacy First appears to have been celebrating too soon: The KDVP Foundation appeals to the new policy rules of the NZa. ‘‘The opt-out regulation designed by the NZa is incomplete, ineffective and in practice it is hence useless with regard to insured healthcare within the Mental Health Sector’’, KDVP states on its website. Among other things, the NZa appears to have ‘‘failed to provide the necessary information about the introduction of a privacy opt-out regulation for the Mental Health Sector’’ and has insufficiently defined the regulation in order to prevent that diagnosis data can (still) be exchanged. With the current opt-out regulation it can in fact not be prevented ‘‘that diagnosis data can still be deduced from codifications and declared amounts of money.’’ You can read the entire point of view of the KDVP Foundation HERE (in Dutch). It would be to the credit of the NZa if it were to mend the flaws in the opt-out regulation that were ascertained by the KDVP Foundation as soon as possible.
Published in Medical Privacy
Page 15 of 20

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
privacy coalitie deelnemer

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon