let's the next speaker coastal feelers the managing director of Adrian dater is the association of all net political NGOs in Europe so making sure this goes out to all member organizations custom is going to be speaking to us today about censoring the web and how that makes us less secure the mantle of anti-terror measures please give her a warm welcome in a round of applause good morning I have to sort out the slides I think I broke the adapter it's okay ok yep okay yeah good morning again my name is Koosman phila I work for Audrey in Brussels as Jared angel said where the umbrella organization for civil rights groups from across Europe and we defend human rights in the digital age so today I have the pleasure of talking to you about something rather depressing I'm afraid that is to say the most recent anti-terrorism measures how they are censoring the web and how they are making us less secure so this has really taken a lot of address time in the last month's and you will see why in the next 20 minutes so I think you could talk endlessly about anti-terrorism measures and states everywhere in Europe we're super busy passing one after the other so I will concentrate today rather on the what and the why rather than how and give you three main ingredients and this is populism opportunism and ideology I will speak only very quickly about how populism has driven the security agenda for the past 15 years then I'll explain how the latest attacks were a brilliant opportunity to pass even more without assessing the existing measures and lastly I'm going to explain a bit more in detail the ideology especially the ideology behind the new anti-terrorism directive and then at the end well we'll see what we can do now so how has populism driven the security agenda since nine eleven to understand this you just need to look at the wave of measures a study from december two thousand thirteen counted over 230 counterterrorism measures since nine eleven only adopted by the you so at the EU level not counting what happened in the member states and this year is really just the tiny tiny fraction of them so why did the EU passo many measures so I think it's a big question but the part of the answer is out of sheer populism because after each attack after 911 after Madrid of the London and so on every time there was a new wave of measures and never ever were the existing ones assessed for their efficiency and since there's no real evidence for the efficiency the only visible impact of this these measures seem to be to demonstrate to the public that politicians are doing something and then we had the attacks in France Belgium and Denmark in 2015 2016 and this was an incredible opportunity to pass even more surveillance measures so I was at this anti-terrorism event in the European Parliament last week where the Belgian Minister for interior yawn yawn bomb quoted Churchill and he really said never waste a good crisis i'm not i'm not kidding so at the U level this was the occasion to fast-track the surveillance of air passengers so the passenger name record directive we had the so-called EU internet forum this was an informal project where the Commission said together with Google Facebook and Twitter to see how these companies can censor the web on a voluntary basis then we had the Europol regulation with catastrophic oversight and there was even the creation of a new commissioner job so we now have sir Julian canning in charge of security and but most importantly most most importantly they pass and fast-track the anti-terrorism directive that I will explain in more detail now so for over 15 years now we have observed a big populist push to adopt even more surveillance measures with the attacks of the past years there was an opportunity to pass even more and now instead of evidence-based policymaking we have this proposal for a new directive whose contents are purely based on ideology and this ideology is to collect more and more data to find short-term measures instead of finding efficient long-term solutions and it is an ideology to control and monitor and to pass more repressive measures instead of considering the social problems that are underlying so before diving into the nasty bits of the anti-terrorism directive let's do a super short

excursion to remind you how the legislative process works in Brussels so in most cases lawmaking starts with a public debate or an event then the political discussions in the institution start and this can take the form of expert roundtables and the Commission hearings in the European Parliament or in most of the cases the European Commission also launches a public consultation then the Commission comes up with different policy options and starts writing a proposal internally

choosing one of the options and then it publishes publishes legislative proposal together with an impact assessment and this impact assessment usually explains why they chose that instrument it assesses the impact and the efficiency and it assesses what impact it has also on fundamental rights so the Commission proposes the texts and then parliamentarians and also the Council of the European Union suggests modifications then in most cases in the final stages of lawmaking in Brussels you have a process that's called tri logs and they are called tri logs because the three institutions start negotiating and agree then on a text and come to a decision this is very in transparent because during dry locks you can't get access to the negotiating documents you don't know who proposes what and sometimes there's completely new text on the table that has never been democratically approved by the Parliament and then at the very end you have the implementation phase in the Member States and sometimes this process can take years for example the data protection reform took more than five years the net neutrality regulation that Thomas learning I will talk about later today took around two years so let's have a look at the anti-terrorism directive so we had the Paris attacks on 13th of November followed by almost no political debates in the in the institutions there was no public consultation by the Commission and only two weeks later in beginning of december the commission published a proposal for this directive so either the commission wrote the text in two weeks or what I find more likely it had it already somewhere in a drawer and also there was no impact assessment while the excuse was because of the attacks because of terrorism something needed to be adopted quickly and what this means is that nobody has analyzed if the proposal if the measures would work first of all and nobody has checked if the measures undermine fundamental rights or not you could also say the proposal is based on zero evidence and apparently terrorism is taken so seriously by policymakers in the you that beliefs seem to be sufficient and evidence is not needed

going back to the timeline on these three months after the publication of the proposal by the Commission the 28 member states had come to an agreement of their common position it's also sometimes called the general approach if you compare this to the data protection reform it took the member-states three and a half years to come to a general approach so this means that on top of the complete lack of evidence to support the Commission proposal the other two institutions are now adding more elements when nobody has a clue if they would work or not so

apparently no political debate is needed to identify really effective measures and then on top of this the political

environment is super toxic in Brussels so this year is a press release by the conservative group in the parliament just after the year Paris attacks and it says that terrorists would happily vote left and this was really super successful in the parliament because it intimidated parliamentarians from the centre and from the left to vote in favor of the measures or at least abstain and some social democrats really do not ever wish to be in this position again and do not ever wish to be accused like this again so the result of this was there were some surprising votes in favor which meant that the proposed text was mostly modified to the worse by the European Parliament so this means instead of a fact-based approach the directive is being pushed through very quickly and emotions prevail over evidence and arguments so what's in this

directive the main goal is to regulate terrorist offences of course and the support for these activities and this includes provisions on the financing of terrorist groups travel training their radicalization and they're also quite a few words on what to do in the online world so what's on the table with regard

to cyber cyber the four most problematic areas are firstly vague definitions secondly blocking and censorship thirdly the weakening of encryption and the proposal to to intercept communications on a massive scale and attacks against information systems so for instance the text says that there is a growing misuse of the internet and this was simply assumed no figures are presented why they think that this is the case then

what the hell is in direct provocation I don't know what is the radicalization of citizens it again this is nowhere explained or defined and then lastly what is meant by by a glorification and justification of terrorism again there is no definition and the fact that this is not defined is definitely going to have a nasty impact on freedom of expression because this is already the case in France where similar laws are in place in France the undefined glorification is in law and this has recently led to the prosecution of a 16 year old who published an ironic drawing

on Facebook and he clearly didn't fit the terrorist profile at all and still he was taken into custody and only

recently a homeless guy was condemned to

nine months prison and what he did was he was taken into hospital for alcohol poisoning while he was clearly super drunk and then he started shouting around crazy stuff about going back to Syria and he got nine months prison for this and this is not the only case of where a homeless guy our person ended up in prison for for glorification of terrorism and even an eight year old was arrested by police on the basis of glorification and justification where nobody knows what this includes or not and clearly the kid didn't know what he was saying

so policymakers don't even try to write let the legislative text that make sense

there are contradictions everywhere in the anti-terrorism directive and a countless number of words are open to interpretation so the second problem is

the addition of web blocking the European Parliament reporter missu Amaya from the CSU introduced this in recital 7 and 14 and firstly it states that the suggested measures of the directive should be without prejudice to voluntary action by Internet industry so this sort of wedding we have already seen it an actor and it means that member states can encourage service provide providers to arbitrarily sensor and monitor the networks so basically states hand over the responsibility to private actors Facebook Google Twitter and go up put in

the position of police judge and jury over our freedom of expression online and according to a number of expert bodies from the OSCE to the Council of Europe this is clearly in breach of article 10 of the European Convention on Human Rights and then it states that member states should take all necessary measures to remove or block X access to web pages so you have to note that the text doesn't say they may do so so this is more towards an obligation to introduce web blocking and nobody ever explained why it should be necessary to

do so so this is again a purely ideological addition it lacks any kind of evidence that this measure might

actually work because we all know the problem with internet blocking is that you can have lots of collateral damage because legitimate speech is taken down then throughout the entire text there's no mention of a court order which is highly problematic from the rule of law point of view and then lastly of course the content will remain there it will remain available and it's no it doesn't take a lot of knowledge to circumvent blocking so the suggested text even goes against the

Commission's own evidence because in at least two papers the Commission itself called web blocking inefficient but the Commission doesn't seem to care that council and Parliament are adding that sort of text to the directive instead it's very likely that will soon get more online censorship across Europe and random restrictive actions by companies on this basis so the third part is super

wearing and it's on encryption and interception of communications and hear the text also remains super vague and I think the fact that it's vague is probably not a bug but it's a feature because member states can then implement the text as they wish on the national level in any case so the text by the

Parliament suggests that member states need to ensure the easy collection of undefined electronic evidence and it's not explained at all what this means there's no definition to be found in the entire text but you get the feeling that this text is trying to make sure that law enforcement will be able to get access to communications by any means that they wish and one way to do this is by pushing for encryption backdoors sure electronic evidence can mean anything but if you put this in the context of other proposals that were on the table in the parliament then it becomes pretty clear here the conservative parliamentarian in charge mr. Amaya also pointed out that anonymous communication tools like tor are a problem for law enforcement this part didn't get through the Lieber vote though

it also becomes clear what it means if you look at the recent German French initiative and it becomes clear that the

intention is has something to do with encryption if you look at this questionnaire that the council presidency has just distributed to the Member States so this means that in the

name of security governments are actively working on making their citizens less secure but there's also

good news about encryption back doors and that's that the resistance in Brussels has become pretty big also from other sectors like industry but the bad news is that they seem to move to alternatives so they want to allow the use of straight state Trojans and they want to allow the book interception of communications so here the text suggests that law enforcement should have the possibility to use effective investigative tools and again this is kept very broad to allow the member states to do what they want and then it goes on to say that law enforcement should include the interception of communications electronic surveillance and the taking of audio and audio recordings and visual images so this is again not very detailed and leaves the lower open to very very extensive surveillance measures so since the

ideology is to collect more and more data there's no need to care about the right of privacy no need to care about

the principles that are the foundation of our democracies the last problematic

part of the directive is attacks against information systems and article 3 here of the proposed directive lists all of the different offenses and this includes of course a text that cause death or injury to people the use of nuclear or biological weapons and so on but the Parliament of epidermis Wow Maya also added attacks against information systems and this means that interfering or even just accessing without prior authorization of an information system can be considered a terrorist offense so any sort of security research also becomes punishable and well threatening to do so also becomes punishable so if I say tonight on Twitter I am going to test the security of company X then I will have committed a crime under this directive so the text makes unauthorized access to information systems a

terrorist the fence and even if it is to test the security of a company or for research reasons and this then of course also penalizes the responsible disclosure of vulnerabilities so in sum

the council added surveillance and interception the Parliament added web blocking and I get a text against information systems and yes where are we now so unfortunately we have super late in the process now because this thing has been rushed through very quickly the third trilogue discussions have just taken place on 28th of September and we're getting closer and closer to a decision so it is possible that we are going to have a plenary vote in the parliament in December but this is only going to be a rubber stamping at that point and it's almost impossible to get any changes through now and once the directive is adopted member states will need to pass legislation to implement the directive within two years so the huge problem that we have is that the directive is being pushed super quickly too quickly to get proper attention of

media and it's possible that the press will only wake up once this thing has been adopted and as I said it's open to interpretation so we'll get lots of fun during the implementation phase at the national level especially with web blocking but there's

or some things that can be done firstly you can block and tweet about it you can phone mrs. so Maya since she is still negotiating in the try locks and then maybe more fruitful you could contact all snd people all the social democrats in the parliament especially from germany and tell them i will not vote for you in the bundestag swine if you are adopting this directive or you can also contact the representation of your member states and brussels and your ministry yeah so I think I ran over time sorry that's all i hope i haven't depressed you too much but yeah i guess we can talk about this later if you want