De laatste weken is een serieus probleem in TLS (SSL) uitgebreid in het nieuws geweest. In eerste instantie leek het probleem slechts in uitzonderingsgevallen een veiligheidsrisico op te leveren. Maar varianten kwamen snel en binnen dagen was er een exploit waarmee wachtwoorden van Twitter accounts bemachtigd konden worden.

OpenSSL bracht direct na de bekendmaking met spoed een nieuwe release uit (0.9.8l) met een workaround. Maar ook alle andere libraries die TLS implementeren (GnuTLS, Microsoft's cryptokit, Mozilla's NSS, Opera etc.) zijn in principe kwetsbaar. Het probleem zat 'm namelijk niet in de implementatie, maar in de specificatie van het TLS protocol zelf.

( Wat is het probleem en hoe wordt het misbruikt... )

Het nieuwe systeem voor pinnen dat de Nederlandse banken vanaf volgend jaar invoeren, is nu al gekraakt, zo luidde de kop van de Telegraaf afgelopen woensdag - en een hele serie nieuwssites en kranten nam dit over. De aanleiding was een VPRO-uitzending over de risico's van de nieuwe EMV-pinpas. De aanvallen zijn echter niet nieuw, en de pinpas ook niet. De nieuwsartikelen bevatten bovendien bar weinig achtergrondinformatie, waardoor vooral op het gevoel wordt gespeeld.

Deze EMV-bankpas gebruikt een chip in plaats van een magneetstrip. In principe is dat veiliger, omdat de chip een processor bevat die zelf berekeningen kan uitvoeren en bijvoorbeeld bepaalde data uit het (encrypted) geheugen op de chip pas na authenticatie doorgeeft. Bij een magneetstrip zit alle logica in de betaalautomaat en bevat de kaart zelf alleen data (zoals een rekeningnummer en geldigheidstermijn) die iedereen uit kan lezen.

Het is ook niet zo dat de kaart pas volgend jaar ingevoerd wordt: banken zijn al een aantal jaren bezig met het vervangen. Op dit moment zijn alle bankautomaten al geschikt voor de nieuwe passen. En iedereen die nu een nieuwe bankpas krijgt, zal daarop ook en EMV-capable chip meekrijgen. Ook nieuwe betaalautomaten voor winkels die op dit moment geleverd worden, kunnen overweg met deze chips. Veel winkeliers staan echter nog niet te springen om hun automaten te vervangen, omdat de kosten hiervan veelal voor hun eigen rekening zijn. Maar wanneer de publiciteitscampagne volgend jaar begint, is een groot deel van de infrastructuur al lang uitgerold.

EMV is een internationale standaard (oorspronkelijk van Europay, Mastercard en Visa) voor transacties van betaalautomaten en -passen. In diverse andere landen, zoals het Verenigd Koninkrijk sinds 2005, worden de EMV-passen al een tijdje gebruikt. Hoewel iedereen een transactiesysteem kan bouwen op basis van deze standaard, zijn er op dit moment slechts twee beschikbaar: Maestro (van Mastercard) en V-Pay (van Visa).Ondanks de internationale ondersteuning, is op dit moment het Nederlands systeem van Currence echt beduidend goedkoper in het gebruik; vooral voor winkeliers - en dus voor de klanten. Toch zal het oude transactiesysteem binnenkort echt uitgefaseerd worden.

Bij het chipsysteem is het kopieren van een kaart door deze door een kaartlezer te halen ('skimmen') niet meer mogelijk. De fraude door een bezorger die aan de deur een pakketje komt bezorgen waarvoor men een klein bedrag moet pinnen (waarbij het apparaat vervolgens niet blijkt te werken, maar wel je kaart en pincode gekopieerd zijn), zal dan ook niet meer werken. Maar diverse andere aanvallen blijven mogelijk.

Het onderzoek waar deze week in de media naar werd verwezen, komt uit een rapport dat in 2006 werd gepubliceerd. Het meest opvallende is een 'man-in-the-middle' aanval. Hierbij plaatst een aanvaller een eigen kaartlezer voor de winkelterminal. Deze leest de data van een bankpas en stuurt aangepaste data naar een echte betaalautomaat. Hierdoor kan bijvoorbeeld een heel ander bedrag afgeschreven worden dan de klant te zien krijgt. Dit is bijvoorbeeld mogelijk met een opzetstuk voor de automaat, zoals dat ook bij 'skimmen' gebruikt wordt.

Iets geavanceerder is een 'fake' betaalautomaat die data wireless overstuurt naar een 'fake' betaalpas. Op het moment dat een nietsvermoedende klant wil betalen bij deze automaat, kan de 'fake' betaalpas bij een andere automaat (bijvoorbeeld de juwelier in het aangrenzende pand) een transactie beginnen met de data van de originele bankpas.

Het grote nadeel van deze aanvallen is dat de transactie alleen 'live' (online) uitgevoerd kan worden. Het is niet mogelijk om data te kopieren en die later te misbruiken. Dat maakt het niet alleen moeilijker om een succesvolle aanval uit te voeren, maar ook gemakkelijker om deze op te sporen. Een aanvaller kan de apparatuur niet meer dagenlang onopgemerkt laten hangen. En ook kan er niet meer anoniem geld gepind worden bij een bank met kaarten die op een NS station zijn gekopieerd: alleen de aangesloten automaat kan misbruikt worden. Met een wireless verbinding naar de buren, kom je wel iets verder, maar daarbij is het risico dat je betrapt wordt ook groter.

Een ander groot probleem is dat de EMV-betaalpassen en -automaten voorlopig zowel het oude als het nieuwe systeem zullen ondersteunen. De magneetstrip op de pas is nog steeds nodig om in het buitenland te kunnen pinnen - en de lezer op de betaalautomaat is net zo goed nodig om buitenlanders hier te laten betalen. Zolang het oude systeem nog in gebruik is, kan het uiteraard nog steeds misbruikt worden door skimmers. En dat zal nog zeker een aantal jaren het geval zijn.

Update: Er zijn nog wel enkele belangrijke verschillen tussen de Engelse en de Nederlandse EMV-passen. De Nederlandse implementatie gebruikt extra extensies die bijdragen aan de veiligheid. Zo wordt Dynamic Data Authentication (DDA) gebruikt in plaats van Static (SDA), wat het clonen van een chip en offline gebruik onmogelijk maakt. Bovendien wordt de PIN-code bij een transactie niet onversleuteld naar de kaart gestuurd. Daarnaast bevatte de Engelse chip oorspronkelijk alle informatie die ook op de magneetstrip staat, wat het maken van een geclonede kaart met magneetstrip eenvoudig maakt na het onderscheppen van een transactie. De Nederlandse chip bevat slechts een gedeelte van de benodigde info.

Meer informatie over het Engelse onderzoek staat online op de site van de University of Cambridge.

I have created a new PGP key and ask people to use and sign this new key. There are several reasons for the creation of this new key,

• Use SHA-2 instead of SHA-1 for message digests.
  The use of SHA-1 is deprecated by 2010¹.
  Recent attacks show that SHA-1 is even less secure than assumed.
  
• Use at least 2048 bits keys for RSA/DSA (4096 bits for the primary key).
  1024 bits keys for RSA and DSA are deprecated by 2010¹.
  
• Link the key to my new OpenPGP v2.0 card, replacing the old card.
  The new card can handle key sizes larger than 1024 bits.
  
• The old key has been around for nearly 9 years. Even though none of the systems it was on were compromised, a clean start seems appropriate.
  

My old PGP key has not been compromised and will remain valid for some time yet, but I prefer all future correspondence to use the new one. The new key has been signed by the old one, so if you trust that one already, you can verify that the new key is indeed approved (signed) by me. I would like all people who previously signed my old PGP key, to sign the new key as well.

( Key usage and details )

Edit: I recommend this interesting article,
How to prepare for migration off of SHA-1 in OpenPGP

Just a short reminder that the T-DOSE Call for Papers is now open. T­-DOSE is a free annual event held in The Netherlands to promote use and development of open source software. The deadline for submitting abstracts is 31. August.

The conference itself will be 3+4. October 2009. Once again this is in Eindhoven on the Fontys University of Applied Sciences. My colleague is one of the main event organisers. Did I mention it's free?

Let's see, what have the politicians and other organisations been up to in the last few weeks in order to upset the Dutch internet users...
All the links refer to articles in Dutch, mostly from Tweakers as I didn't feel like chasing down translations. No elaborate comments this time either.

National politics

• The Dutch Senate has finally agreed with the data retention legislation for internet and telephone traffic. This is the Dutch implementation of the 2006 European Directive on this topic. This means ISPs and telcos are forced to keep all your communications traffic information for 6 months. The companies won't receive any compensation for the investments this requires. Nobody quite knows yet how this information will be used.
  
• A new taxation for internet users was suggested, to rescue newspapers. An influential committee asked for suggestions on how to rescue the old media wrote a rather unimpressive report about this. The government minister quickly discarded the internet tax recommendation from it.
  
• Parlementary committee suggests criminalising downloads of copyrighted content. Downloading movies from the internet (for personal use) is actually legal in NL now - but sharing them or uploading these elsewhere isn't. The full report on the future of copyright in the Netherlands, actually has some very interesting other remarks and I'd recommend reading it.
  

European politics

• Just yesterday, the European Commission gave high priority to getting adolescents to pay for content rather then download it for free from the internet. It remains to be seen how this translates into actions.
  
• France just keeps trying to clear their three-strikes law. The latest legislation that passed the Assemblé at least includes legal judgement before disconnecting internet users.
  

Legal

• Brein (the legal muscle of the Dutch entertainment industry) has sued the Pirate Bay, but failed to even get a subpoena delivered. That's no problem as their real plan is to get a judge to force Dutch ISPs to block internet access to the Pirate Bay. This was just before the Pirate Bay sold out.
  
• Brein has also stepped up actions against Usenet providers, getting UseNetBase offline with threats and suing FTD for lots of money after FTD started legal proceedings against Brein to stop their harassments. In the US, RIAA was successful in a similar case against Usenet.com.
  

The PGP Web of Trust is a familiar phrase for PGP users. It refers to the distributed trust model of PGP keys. ( PGP Web of Trust )

However PGP keysinging parties aren't the only way to check identities of other (internet) users. First of all there are already several other signature-based identity trust schemes; such as CAcert (for server and client SSL keys) and the Thawte web of trust (for SSL client keys). They use techniques similar to PGP, and also build a trust model through face-to-face meetings and ID checks. However here signatures can only be made by people whose identity has previously been confirmed by other users.

The Gossamer Spider Web of Trust uses these other schemes to further increase the PGP Web of Trust. If people have been 'assured' via CAcert, Thawte (or similar ID-verification schemes), they may receive PGP signatures as well - without going through the full procedure again. The PGP signatures granted, based on these other schemes will generally include an additional OpenPGP flag to indicate that 'casual checking' has been done, rather than 'extensive verification' with the usual face-to-face meeting. This makes it easier to get new PGP keys confirmed by a range of users, without losing credibility.

The GSWoT procedure is that your credentials from another Web of Trust are checked by a small group of volunteers, and if they are happy, your PGP key will be signed by the GSWoT root signing key. Other Gossamer users will then likely follow suit and sign your key as well, after 'casually checking' your identity. At the moment the Gossamer Spider Web of Trust has members from all over the world, but it's still a relatively small group of about 70 people.

There are many other ways to obtain a reasonable trust in somebody's identity without personally checking their passport. Another common method is to transfer a small amount of money (e.g. 1 euro) to somebody with your PGP public key ID or fingerprint as comment. If the name on the bank statement matches the name on the public key, this is also a good indication of identity. When exchanging ID information with somebody in this way, I would also sign their PGP key with a 'casually checked' trust signature.

The largest Dutch Usenet access provider FTD has filed a lawsuit against Brein, a Dutch organisation that claims to protect the copyrights of the entertainment industry. This is a response to the continuous allegations by Brein calling FTD's activities obviously illegal.

FTD (Fight to Defeat) has had several previous run-ins with Brein after Brein shifted its focus towards Usenet from peer-to-peer traffic (in particular torrent sites) earlier this year. The services of FTD had already been modified to remove easy accessible links to illegal content (nzb- lists).

For Brein this was not enough, and a legal action by Brein in the form of a kort geding (preliminary injunction) was anticipated. This has been cut short by the start of a more in-depth court case by FTD: a bodemprocedure (proceeding on the merits). The complaint not only calls for a rectification from Brein, but also calls for a court ruling on the legality of downloading illegally-offered content from the internet - and the facilitation of this. This is generally considered legal by the Dutch fair-use exception on copyright, but Brein has been challenging this law (in public relations; legally and politically) for a long time. This court case might set a clear legal precedent on this issue.

Because this case will actually be handled thoroughly, it might take years before it comes to a conclusion. In response, Brein has called this a delaying tactic only and announced that it will still seek a preliminary injunction anyway, forcing FTD to stop its business pending this case. If Brein wins that, it could theoretically force FTD out of business before a ruling is issued on the other case. If that happens, the full legal issues of this subject will remain cloudy for a while longer - something that Brein will restrict the options for internet downloaders even further.

However I hope that this case will be played out in full (and the appeals that are likely to follow it as well). It would be good to have clear legal distinction of what is legal and what is not, concerning internet downloads in the Netherlands. And it would be better it this confirms that there is no such thing as illegal downloads of films - and that providers merely act as neutral conduits of information and are not responsible for the possibly illegal actions of their users.

I will be following this case with interest, even more because one of FTD's legal consultants is a friend of mine.

What is SHA-1 then?

( the Secure Hash Algorithm )

Is SHA-1 really broken?

( no, but it is weakened )

So what happened then?

( mathematicians found flaws )

This means that attacks may now be practical to compute on existing computer clusters - owned by large, well-funded organisations (WFO).

Should I continue to use SHA-1?

( no, but there is no rush )

What are the alternatives?

( SHA-2 and soon SHA-3 )

Where's the catch?

( you're not alone, but communicate with others )

What about public-key crypto?

( GnuPG is moving )

What can I do?

Well, that's up to you really. There is no cause for panic, so there is plenty of time to evaluate your options. And unless you are a developer of security applications or handling top secret data, there's nothing to disturb your slumber.

For developers it is probably a good idea to take a close look at the deployment of SHA-256. Even though there are some small cracks appearing, this is probably the most interesting hash function until SHA-3 will come along in 2012.

For public key cryptography, the conservative choice would be to switch to DSA-2048 or RSA-2048 keys. NIST gives these algorithms another 20 years (through 2030) and they combine well with the mentioned SHA-256 hash.

After years of difficult discussions, the Dutch Department of Justice and most major ISPs and hosting providers have presented an agreement today on how to deal with illegal content on the internet. Participation to this agreement is voluntarily and it does not include any new law or judicial changes. However it does clearly outline the roles of all parties and the (legal) responsibilities of users and providers when dealing with disputed content. Also sites such as Ebay/Marktplaats and rights-group Brein (the Dutch RIAA) have signed this agreement.

The core of the notice-and-take-down code of conduct is the procedure for getting content removed. The complainant should first attempt to contact the user who published the document directly. Only if he cannot be found, or won't respond can the provider be contacted with a takedown notice. If the content is obviously illegal, the provider must then take it offline directly.

If the legal status of the content is not completely obvious, the provider will contact the publisher instead. Only if the publisher still won't remove the contant, nor contact the complaintant, then the provider can remove the content or hand over contact details of the publisher to the complainant. The complainant can then start legal actions against the publisher.

Note that this procedure was already common practice with many companies and the NTD code doesn't bring any real changes. Still, providers have responded with relief, as it is finally clear what their responsibilities are regarding accountability of content, of content removal and of when they should (may) hand over personal details of their customers. Brein reacted more cautiously: they still want personal details in every case, so that they can keep on sueing everybody for copyright offenses.

It is expected that most internet access, hosting and content providers who didn't sign the agreement, will still use it as a guideline for their operations.

Read more about it on Webwereld (in Dutch).

The Dutch internet firewall which is to be enforced by national police has been much in the news lately, however so far there has been little information about the technical background. Everybody assumed it would be simple enough to circumvent by terrorists and others with some technical knowledge who prefer to stay out of reach of the Big Brother.

However some digging by Dutch technews site Webwereld sheds some new light on this in their 13. October article. Apparently all the KLPD 'child pornography does' is offer a proxy for the DNS server of the ISP concerned. That is: all DNS queries for a hostname on the 'black list' will receive the IP address of a general police-maintained website in response.

"A spokesman admits that the filter can be bypassed easily by configuring your computer to use another nameserver - or by typing the IP address rather than a hostname while surfing websites." The spokesman continues to proclaim that it is unlikely that the adverage user will bother changing their nameserver.

Although I will agree with the adverage user, this might be different for child abusers who wish to stay out of the reach of law enforcement. Changing your nameserver or even setting up a hosts file for a few specific sites isn't quite rocket science.

Hell, even I've been running my own nameserver on my gateway for many years, competely ignoring the nameservers of my ISP. The operating system I'm using even offers this option by default. Granted, I'm more internet savvy than the adverage user, but I'm still a bit disappointed by the sheer simplicity of the 'great Dutch internet firewall'. Would have expected the KLPD to come up with something a bit more creative...

Ofcourse it wouldn't take long for Parliament to raise its voice when child pornography is concerned. On 4. October a majority of the parties called on the Justice Minister to force all ISPs to implement the proposed filter by the end of this year. The Minister however was reluctant to pass a law on this yet, and said he would use the next three months for constructive talks with the main ISPs. The message was clear however: if there is no movement in positions soon, then the government will (be forced to) pass a law that likely will please neither the public prosecution (as the law might be at odds with the constitution and EU directives) nor any of the ISPs. A voluntarily agreement by the ISPs would be much more desirable (well, not for the ISPs as it might leave them open to civil lawsuits if this agreement lacks a proper legal basis).

KPN (the major Dutch ISP) was quick to respond to the outcry and repeat that they would be happy to comply with a filter. And although they stress this point, they still include the same 'but's. They will comply if only this list would be supervised by a judge (or "public commissioner") rather than a police (KLPD) officer. Also guarantees must be in place that the list remain limited to child pornography (no terrorism, hate-sites, animal-rights, etc.). And KPN sets even more prerequisites: since the filter is introduced specifically for sites in uncooperative countries, KPN has stipulated it won't have sites in EU member states on the list. An additional demand is that providers cannot be hold responsible and that they won't have to hand over customer contact details just because the customer visits one of blocked sites.

The demands by KPN are not unreasonable and the Justice Dept. will probably give in to most of these. The main problem remains the legal basis and the demand for a judicial approval. These are also issues that UPC (the only provider so far to have signed an agreement with the police) has completely ignored. Since the legal context for a new law is complicated, the Justice Dept. prefers a voluntarily settlement or a simple law only needed to clear up loose ends.

All the other Dutch ISPs have remained unusually quiet. However it is generally assumed that the other Dutch providers (there are quite a few) will follow KPN's lead in this issue. At least for the moment. It becomes a completely different ballgame if KPN fails to reach an agreement and Parliament decides to push new legislation disregading international legal issues. Most Dutch ISPs won't bother fighting a legal (EU) battle against the government. It's not only expensive, it is likely bad PR as well, since the ISPs will be portrayed as promoting child pornography.

Note that although parties are getting closer to an agreement, it is likely that both sides won't shift much in position for the remainder of the year. The period until the deadline set by the Justice Minister (and the looming legislative threat by Parliament) will likely be used optimally for discussion and trying to get the other side to move first. Especially within the government some shifting is likely, since there are many internal forces with conflicting interests. But personally I fully expect an agreement will be reached just before (or after) the deadline.

Note that both the police (KLPD) and KPN have been (and will continue to) actively discuss the issue with other ISPs as well. But the others are probably smart to keep schtumm for as long as possible. And when KPN and especially KPN subsidiary ISP xs4all -which has always be on the forefront for civil/digital rights- will reach an agreement, both sides can be pretty sure that all other providers follow suit... Probably voluntarily -as xs4all is expected to get out of it what it can get- but there is little doubt that any bystanders shall be forced to comply with any deal between the KLPD and KPN as well.

This posting contains personal opions

Early September the Dutch national police (KLPD) will start blacklisting certain websites - primarily to block access for Dutch websurfers to child pornography. However although this plan was announced over a year ago, so far only a single provider (UPC), offering cable-internet access through the Chello internet service in some parts of the country, has actually agreed to implement and enforce the filter for all their customers from the start.

The major player in the broadband market, KPN (with subsidiaries xs4all, Tiscali and others) is still negotiating with the police, but so far refusing to implement the filter as it is. Their main argument is that it lacks any judicial foundation and there is absolutely no legal background on what exactly will be blocked in the future. Since it is a voluntarily agreement to ban certain sites now, the ISP is likely be responsible (accountable) when the 'wrong' content might be blocked: a content provider could sue the ISP for compensation if it denies its customers from accessing their site. Also there is no guarantee whatsoever that this list will remain limited to child pornography sites. KPN is willing to implement the filter when a proper legal background is established (e.g. let a judge decide about the entries this blacklist rather than just any police officer): trias politica and all that.

XS4all takes a more principal stand that internet access should be free and they will not be blocking any content unless forced to do so by law. All other ISPs appear to be watching what happens and not agreeing with anybody too soon. The Dutch government is now considering enforcing strict internet content blocking laws (which imho would be a very bad idea to decide on too fast).

UPC did already agree to this deal with the police in back February and was expecting all other players to follow suit quickly. However now they find themselves alone on a tricky legal slope, not being sure where it will take them. And with the risk of actually losing customers for blocking 'freedom of speech', rather than winning more by actively 'working against child pornography'.

Since child pornography is one of those keywords that triggers hasty and erratic responses by politicians (just like terrorism), proposals for new bills enforcing ISPs to implement the great Dutch firewall without delay will probably show up soon in parliament. Luckily it takes more than a few loud MPs for something to become a real law in this country. But it will be interesting to see how the government will respond to the reluctant attitude of the Dutch internet providers. And there will definately be some providers (and civil right movements) who may be willing to fight this up to the highest courts.

Background story from other media in Dutch and a summary in English.

Two daring people have started the organisation of an open source conference in Eindhoven later this year. T-DOSE will take place on 2/3 December 2006 at the Eindhoven University of Technology (TUE). Although it is not especially targetted at students, it aims for a technical conference with some prominent speakers and no admission fee.

The main part of this event will be talks about anything open source related. But since there are plenty rooms available, community meetings and developer rooms will be very welcome as well.

At the moment the main organisers are busy looking for any volunteers (in the greater Eindhoven region) willing to assist with the organisation. Think about PR, contacting speakers, practical organisation etc. Ofcourse there will be a lot of work to do on the event itself as well - any volunteers are welcome. The call for papers and the booking of rooms has not yet started. See the website for more information - as it comes available. I also know a bit more than written here, so feel free to ask me for details.

This summer, during two weekends (18/19 July, 16/17 August) so called "Open Source Summercamps" will be held in the MediaPlaza in Utrecht (NL). These events are sponsored by several Dutch open source communities and participation is completely free for anybody who's interested.

There will be lots of opportunities to talk about your own projects: 7 parrallel tracks are available each day in rooms ranging from 20 to 250 seats. At the moment the organisers are pusing hard for more volunteers to book a room. So if you have a project you want to talk about, please let them (or me) know. It is no problem to book a room for an entire day (if you can fill it with up). There is also no requirement for papers: everything is welcome. The targetted audience is rather technical, but tracks will probably cover lots of topics at different depths.

If you want to talk about your own (open source) program, promote an open initiative (like CAcert or Wikipedia) or discuss the impact of new developments in hardware or legislature with others, then this is your chance to do so before a really interested audience.

The summercamps are organised by NLUUG, NLLGG, OSOSS (and maybe HollandOpen).

Yes, this is spam. I'm not involved in organising this, but can offer more information if you're interested and can put you in contact with the organisers. At the moment the project doesn't yet have a website. If anybody reading this is willing to do a talk, I may even be persuaded to assist.

This afternoon the EU Justice ministers have approved the new data retention legislation. This requires European telco's and ISP's to store usage data of their users to help fighting terrorism.

Only yesterday the Dutch parliament passed a motion (with support from coalition partners) to keep the minister Donner from supporting this legislation - which he promptly decided to ignore. Donner also repeated his previous statement that Dutch telephone communication data will be stored for one year, and internet traffic data for 6 months.

During today's discussion, Donner called for the establishment of an independent organisation -not related to the justice department- that would safeguard this data. This should prevent police and justice detectives from browsing through this information without a court order. ISP's and civil rights organisations have called for this since the discussion was started. The topic of restitution for providers was once again carefully avoided.

European countries now have 18 months to implement the EU directive in national legislation. This means discussion in the Netherlands is not over yet. During the discussion in the European Parliament all Dutch political parties voted to reject this legislation, with the exception of Donner's CDA party. Since yesterday, the concerns seem to be shared by the Dutch parliament.

Due to pressure from the UK presidency, the EU data retention proposal has been rushed through parliament much faster than the usual EU bureaucracy pace. As expected the proposal was accepted by the major parties with little change.

( Consequences in the Netherlands )

This is not a good day for internet providers or civil liberties organisations. The Dutch government today announce a new legislation (that still requires parliament and senate approval) that gives the law enforcement services the right to customer information from ISPs (and banks, and airline companies, and ...)

At the moment privacy laws require a legal need (public attorney request) before this kind of information may be handed out. But new rules would make it easier to trace people and connections without any incriminiating evidence or concrete suspicions. It is yet another step in the direction of the "if you aren't guilty you don't have anything to hide" dogma.

Combined with the recent ruling that obliges internet providers to give out personal details on customers who may infringe other's rights or reputation (think film sharing and online slander) - also now without any legal testing - this puts ISPs in a position where they'll be handing out lots of information. And still the ISPs will remain liable for civil privacy-infringement lawsuits from customers for handing out their details to the intelligence service or third-parties, when it later turns out that the party demanding the information did not have a strong enough case. This really puts ISPs between a rock and a hard place: damned if they do, damned if they don't.


Note that the proposed legislation does not affect data-taps. And it does in fact already apply to the telephone companies: for historical reasons the intelligence service may trace (traffic) details of any telephone conversation... I wonder how long it will take them to ban the popular sale of mobiles without registering personal details.

This evening the EU ministers have reached a deal on data-retention for telecom and internet providers. Despite strong language from the UK presidency, France and a few others, the period for which records must be kept, has been limited to a "mere" 6-24 months. Countries may choose how long exactly - and may even opt for longer periods (Ireland already has a 3-year limit; Poland may want 15 years).

Since this is quite a step down from periods mentioned earlier, it is unfortunately very likely that the Commission and Parliament will throw in the towel and data-retention for email and web-traffic is becoming a fact real soon. It was decided that countries may, but need not, give providers any compensation to implement this - the NL was a big opponent of giving any compensation.

The European Parliament is expected to vote on the issue within two weeks. Despite strong opposition from some groups, the major parties are expected to back the proposal. Update: Ireland and some other countries reject the proposal because they feel this is an internal matter, ranther than an EU-matter.

The Dutch Justice Minister responded enthousiastically and already suggested the retention period for Dutch telcos would be a year, but six months for internet providers. Earlier a few Dutch ISPs claimed they won't be able to support and/or afford this directive and will go out of business. However I think it is unlikely that any of the major providers will actually stick by this claim.

The ICANN-Verisign proposed settlement agreement was one of the top stories today. It isn't very interesting imho: ICANN gets editing capabilities for the root DNS zone (which most people'd assumed they had already; and Verisign retains full control of the .com zone for a while longer (which won't surprise people either).

So it's business as usuall, and the mighty still get mightier. It seems that ICANN is more likely to survive the near future now, even if the UN (read EU) gets any kind of say in the root DNS management. It seems very unlikely that that will happen though: the US opposes this move vehemently and the techies who actually maintain the root nameservers (IETF, ISC, RIPE, etc) seem to agree that UN involvement will only lead to more political suffering and less stability. And although nobody really likes ICANN, most alternatives on the table sound even worse. So for now this money-wasting, tld-proliferating, clueless committee will get the benifit of the doubt and the current status-quo remains. Surprisingly, stability of root DNS service isn't really mentioned in this agreement - thank $diety for cluefull techies.

Dutch Justice Minister Donner manages to pick a fight with internet providers and the civil rights movement almost every week these days. If it isn't about the
bewaarplicht (obligation to keep internet traffic of all customers on record for three years) or the notice-and-takedown policy (obligation to take a site offline immediately when somebody complains) then it is about his wire-tapping plans.

( All providers now sue the state )