FSFE asks to include software into the list of re-usable public sector information

The Directive on the re-use of public sector information (Directive 2003/98/EC, revised in 2013 by Directive 2013/37/EU – ‘PSI Directive’) establishes a common legal framework for a European market for government-held data (public sector information). It is built around two key pillars of the internal market: transparency and fair competition.

The PSI Directive focuses on economic aspects of re-use of information gathered by governments, and while it does mention some societal impact of such re-use, its main focus is on contributing to a cross-borer European data economy by making re-usable data held by governments accessible both for commercial and non-commercial purposes (i.e. “open data”). The objective of PSI Directive is not to establish truly “open government” as such, although it does contribute to such goal by demanding the re-usability of government-held data based on open and machine-readable formats.

For Free Software the PSI Directive is important because it affects re-use of documents as in texts, databases, audio files and film fragments, but explicitly excludes “computer programmes” from its scope for no apparent reason in the recital 9 of Directive 2003/98/EC.

However, despite this explicit exclusion of software in the PSI Directive recital, EU member states are not precluded from creating their own rules for opening up data held by public bodies and including “software” into the list of re-usable government-held information. First, the PSI Directive establishes “minimum” requirements for member states to follow when opening up their data, and second, the exclusion of computer programmes from the scope of the Directive is enshrined in its non-legislative part: recitals, acting solely as a guidance to the interpretation of the legislative part: the articles.

The recent case in France is a good example why there are no evident reason why the EU member states should exclude software from the list or re-usable and open data held by governments. In particular, France’s “Digital Republic” law, adopted in 2016, (LOI n° 2016-1321 du 7 octobre 2016 pour une République numérique) considers source code as a possible administrative document that must be made available in an open standard format that can be easily reused and processed.

Therefore, our response to the PSI Directive public consultation can be summarised to:

  • Consider source code owned by a public administration as a ‘document’ within the scope of the Directive.
  • Algorithmic accountability in government decision-making process is a must for truly transparent government, therefore, the software developed for public sector that is used in delivering tasks of public interest either by a publicly owned company or a private company, should be made available as Free Software.
  • Free Software is crucial for scientific verification of research results, and it is absolutely necessary to make sure that Open Science policies include the requirement to publish software tools and applications produced during publicly funded research under Free Software licences.
  • No special agreements with private services for delivering tasks of public interest shall ever preclude the re-usability of government-held data by both commercial and non-commercial Free Software. Public bodies shall focus on making data available in open and accessible formats.
  • Sui generis database rights cannot be invoked in order to preclude the re-usability of government-held data.
  • Minimum level of harmonisation for the relationship between Freedom of Information (FoI) laws and the PSI Directive is needed in order to bring the EU closer to the cross-border market for public sector information.

Please find our submission to the public consultation in full here.

Image: CC0

EU Ministers call for more Free Software in governmental infrastructure

On 6 October, 32 European Ministers in charge of eGovernment policy signed Tallinn Declaration on eGovernment that calls for more collaboration, interoperable solutions and sharing of good practices throughout public administrations and across borders. Amongst many other things, the EU ministers recognised the need to make more use of Free Software solutions and Open Standards when (re)building governmental digital systems.

Tallinn Declaration, lead by the Estonian presidency in the EU, has been adopted on 6 October 2017. It is a ministerial declaration that marks a new political commitment at EU and EFTA (European Free Trade Area) level on priorities to ensure user-centric digital public services for both citizens and businesses cross-border. While having no legislative power, ministerial declaration marks a political commitment to ensure the digital transformation of public administrations through a set of commonly agreed principles and actions.

The FSFE has previously submitted its input for the aforementioned declaration during the public consultation round, asking for greater inclusion of Free Software in delivering truly inclusive, trustworthy and interoperable digital services to all citizens and businesses across the EU.

The adopted Tallinn Declaration proves to be a forward-looking document that acknowledges the importance of Free Software in order to ensure the principle of ‘interoperability by default’, and expresses the will of all signed EU countries to:

make more use of open source solutions and/or open standards when (re)building ICT systems and solutions (among else, to avoid vendor lock-ins)[…]

Additionally, the signatories call upon the European Commission to:

consider strengthening the requirements for use of open source solutions and standards when (re)building of ICT systems and solutions takes place with EU funding, including by an appropriate open licence policy – by 2020

The last point is especially noteworthy, as it explicitly calls for the European Commission to make use of Free Software and Open Standards in building their ICT infrastructure with EU funds, making the point in line with our “Public Money, Public Code” campaign that is targeted at the demand for all publicly financed software developed for the public sector to be publicly made available under Free Software licence.

What’s next?

Tallinn Declaration sets several deadlines for its implementation in the next few years: with the annual presentation on the progress of implementation of the declaration in the respective countries across the EU and EFTA through the eGovernment Action Plan Steering Board. The signatories also called upon the Austrian Presidency of the Council of the EU to take stock of the implementation of Tallinn Declaration in autumn 2018.

While reinstating the fact that ministerial declaration has no legislative power inflicted on the signed countries, it nevertheless expresses the political will of the EU and EFTA countries to digitise their governments in the most user-friendly and efficient way. The fact that it explicitly recognises the role of Free Software and Open Standards for a trustworthy, transparent and open eGovernment on a high level, along with a demand for strengthened reuse of ICT solutions based on Free Software in the EU public sector, is a valuable step forward establishing a real “Public Money, Public Code” reality across Europe.

Hence, it is always worthy to have a ‘good’ declaration, than no declaration at all. Now it all depends on a proper implementation.

Myths and Legends of Copyright Reform: A New Hope


Copyright reform is in its full force. After the European Commission (EC) revealed its notorious plans to modernise copyright to address new dying businesses age back in September 2016, the proposal has slowly moved to the hands of the European Parliament (EP).

With Malta being currently in charge of the EU council and copyright reform being its top priority, Maltese MEP Therese Comodini Cachia is leading EP efforts in copyright on behalf of the Committee of Legal Affairs (JURI). Her efforts are being noteworthy: from the task to bring the difficult over-lobbied copyright reform to a more balanced form, to the attempt to do it in a fully transparent way (her Draft Report includes an annex of numerous lobby and advocacy groups who advised Comodini Cachia on the way). A 58-page long report is a lot to handle, especially for the weak-nerved. However, not less noteworthy, and I would say, even more remarkable is the Draft Opinion of the Scottish MEP Catherine Stihler of the Committee on the Internal Market and Consumer Protection (IMCO). Only slightly shorter from Comodini Cachia’s draft report (in length, but not on the content), a 43-pager includes several points and proposals, that JURI report is unfortunately falling short on.

Text and data mining

One of the slightly more progressive points in the EC proposal is the proposed new mandatory exception for text and data mining (TDM) (Article 3). Well, at least the EC tried to give TDM a mandatory exception, but the efforts were completely neutralised in the same article by granting the rightholders an extremely broad right to apply any necessary technical protection measure (TPM) in order to “secure” their works. In addition to that, the scope of the new exception is extremely limited: the mandatory exception concerns only research organisations with the lawful access to the copyrighted works, and excludes everyone else with the same lawful access to copyrighted material.

The Draft Opinion rightfully states that “a more challenging approach” in regards to TDM exception should have been taken by the European Commission:

“[…]the Rapporteur believes that limiting the proposed EU exception to a narrow definition of research organisations is counterproductive”

Furthermore, the rapporteur goes even further by attempting to limit the scope of dangerously far-reaching technical protection measures and proposes:

“a simple rule, which does not discriminate between users or purposes and ensures a strictly limited and transparent usage of technological protection measures where appropriate[emphasis added]”

As such, the suggested amendments to the EC proposal by the rapporteur Stihler expand the notion of TDM exception beneficiaries to include everybody, as in “any individual or entity, public or private, with lawful access to mine content”.

Concerning TPM, the rapporteur strictly limits their far-reaching scope in the amendment 32 by stating that:

“any contractual provision or technical protection contrary to the exception[…] shall be unenforceable.”

This is a significant improvement to the existing TPM and other digital ‘restrictions’ management (DRM) system established by the InfoSoc Directive (2001/29/EC); and to the currently proposed text in the EC copyright proposal.

The limited scope of TPM is slightly watered down in the Amendment 33 where the rapporteur proposes to strictly allow rightholders to apply TPM but only in the cases when these are to ensure security and integrity of the networks and databases where the works are hosted. The proposed amendment shifts the focus of the EC suggested paragraph to a more favourable situation when first, TPM cannot be used to interfere with legitimate exercise of TDM. Second, when TPM are to be used, then only in exceptional circumstances for network and database security.

The Draft Report by Comodini Cachia proposes to delete the mentioning of TPM in TDM exception. This is a semi-favourable approach, as essentially avoiding TPM does not address its shortcomings in existing framework established by Info Soc directive that does not protect any exceptions from far-reaching TPM. Hence, the explicit restriction on digital restriction as proposed by the draft opinion is a much more stronger stance in the right direction.

Publishers’ neighbouring right

EC initially proposed a completely arbitrary quasi-copyright for press publishers (“neighbouring right”) for the digital uses of works authored by journalists, justifying it with the need to “ensure the sustainability of the press publishing sector” at the expense of online services (Article 11). This is a clear indication of copyright gone too far, when being an author is not enough in order to reap benefits of one’s intellectual creation. In fact, authors are not even once mentioned in the EC proposal. The focus of copyright in the digital age, according to the EC, has shifted to industries and ‘intermediaries’ in a broader sense.

The rapporteur Stihler is, however, not convinced by the EC reasoning, and believes that “introduction of a press publishers right under Article 11 lacks sufficient justification.”

The Rapporteur believes that there is no need to create a new right as publishers have the full right to opt-out of the ecosystem any time using simple technical means.[…] There are potentially more effective ways of promoting high-quality journalism and publishing via tax incentives instead of adding an additional layer of copyright legislation.

The proposed changes to the EC text are, thus, deletion of Article 11 that introduces new ancillary right to press publishers.

The Draft Report, unfortunately, is less ambitious in this regard. The rapporteur Comodini Cachia proposes to replace neighbouring rights for press publishers with the right to bring proceedings in their own name before tribunals against infringers of the rights held by the authors of the works contained in their press publication and to be presumed to have representation over the works contributed. This essentially gives publishers the right to use other people’s copyright to go after everybody they consider to be an ‘infringer’.

ISP liability

Current framework for Internet Service Providers’ (ISP) liability for the actions of third parties who use their services to infringe copyright is set in e-Commerce Directive (2000/31/EC). According to e-Commerce rules, the ISPs enjoy certain amount of ‘safe harbour’ when it comes to the actions performed by their users. In addition to the ‘safe harbour’ there is no general monitoring obligation to actively seek for copyright infringements on their services, inter alia prohibited by the European Court of Justice. However, the IPS need to act accordingly as soon as they obtain knowledge (or should have obtained such knowledge) of potential copyright infringement on their services (so-called notice-and-take-down procedure).

With the copyright reform, the EC promised not to touch e-Commerce and the rule of intermediary liability, however, the proposal indicated the opposite. The EC imposed on *any* ISP that *stores and provides to the public access to large amounts of works or other subject matter uploaded by their users* an obligation to take [technical] measures to ensure “functioning of agreements concluded with rightholders for the use of their works”. The EC is even going further by explicitly mentioning the technology that might be compliant with that article: content ID, mostly used by YouTube (aka Google). It is noteworthy, that Google itself has stated that technology is not the answer when it comes to such sensitive matter as copyright exceptions and users’ rights. Furthermore, technology cannot be built to do lawyers’ job and verify whether the claimed content actually belongs to rightholder.

The aforementioned provision has received much of a backlash, mostly due to the fact that it goes against and beyond e-Commerce Directive, and all existing jurisprudence concerning prohibited monitoring obligation, making the proposal, hence, highly questionable in legal sense.

The rapporteur Stihler has duly recognised the imbalance and the inherent incompatibility of Article 13 and existing legal framework:

The Rapporteur firmly supports the notion that the value gap has to be addressed and emphasises that creators and rights holders are to receive a fair and balanced compensation for the exploitation of their works from online service providers. However, this should be achieved without negative impacts on the digital economy or internet freedoms of consumers. The current wording of Article 13 fails to achieve this.

The proposed measures are also very technologically specific, according to the rapporteur Stihler:

The use of filtering potentially harms the interests of users, as there are many legitimate uses of copyright content that filtering technologies are often not advanced enough to accommodate.

The proposed Article 13 is, hence, modified by the Amendment 63 that recognises the ‘safe harbour’ provisions and the prohibition of monitoring obligation under the e-Commerce Directive.

The Draft Report also addresses the Article 13 in a slightly similar manner, however, it does not address the technical neutrality in the same way as the Draft Opinion. The ‘measures’ the amended Article 13 is referring to are not balanced with prohibition of monitoring obligation as in Draft Opinion. In addition, the focus of the article in IMCO Draft Opinion is completely shifted to the balanced agreements between service providers and rightholders, while the JURI Draft Report follows the rationale of the EC proposal: appropriate and proportionate measures to ensure the functioning of agreements concluded with rightholders for the use of their works. While the difference seems to be minimal, it is actually crucial to shift the discourse in a more technologically neutral way by emphasising the conclusion of ‘balanced agreements’, rather than an obligation to impose merely technical ‘measure’.

User generated content

In addition, the Rapporteur Stihler proposes a completely new exception in the Article 13 specifically designed for ‘user generated content’ (UCG; amendment 66) that is completely missing from the EC proposal, nor the JURI Draft Report:

“[…]in order to allow natural persons to use an existing work or other subject matter in the creation of a new work or other subject- matter, and use the new work or other subject matter, provided that:
(a) the work or other subject-matter has already been lawfully made available to the public;
(b) the use of the new work is done solely for non-commercial purposes;
(c) the source -including, if available, the name of the author, performer, producer, or broadcaster -is indicated;
(d) there is a certain level of creativity in the new work which substantially differentiates it from the original work”

UCG is a pure creation of online environment and its recognition is one step towards a reasonable modernised copyright framework that adapts to the changing digital environment and realities, instead of frantically trying to punish us for moving forward in our creative thinking online.

Conclusion

IMCO Draft Opinion has addressed several shortcomings of the EC copyright proposal, however, it is only one of the voices within the Parliament. Consequently, it is still up for vote in the committee after another round of amendments from its members. On the other hand, the aforementioned Comodini Cachia’s darft report – the main Parliamentary effort – is less ambitious in its wording, although it does attempt to address the main shortcomings of the EC proposal. The copyright saga is, hence, far from over.


Image: original “Copyright hacking” by entapir (2012), available here (CC BY 2.0)

EIF v.3. – citizens demand for more Free Software, while businesses seek to promote true Open Standards

As reported earlier, the European Commission (EC) is currently revising the European Interoperability Framework, a set of guidelines, recommendations and standards for the EU e-governmental services. In the end of June 2016, the EC closed its 12 weeks long open public consultation. The FSFE provided its answers to the EC where we highlighted the need for promotion of Open Standards and Free Software – key enablers of interoperability.

According to the recently published Factual Summary of the contributions received by the EC, we were not the only ones to see the plausible effect of Free Software and Open Standards to the interoperability in the EU public sector. The majority of the respondents identified “the use of proprietary IT solutions by public administrations, often creating a situation of vendor lock-in” to be a problem for interoperability in the EU.

According to the analysis, the majority of the comments raised by citizens on the draft EIF were related to:

“the need for openness (i.e. open data, open standards, open file formats, open source projects) and transparency.”

The additional action that was suggested to be included in the revised strategy by business/private organisations was to:

“promote the use of (true) open standards and support of standards in new technologies”.

We hope the European Commission will include the wishes of EU citizens and businesses and will follow them when revising the EIF.


Image Open by opensource.com, CC BY-SA 2.0.

Copyright reform: Mo money to publishers, mo problems for everyone else

In the last week of August 2016, two major leaks of the EU copyright reform became public: draft Impact Assessment, and draft Proposal for a Directive on copyright in the digital single market. FSFE has previously followed the reform on several occasions and provided the comments on Parliamentary own-initiative report, and within the general comments on Digital Single Market strategy.

In our assessments we asked for making clear that no exception to copyright should be ever limited by Digital Restrictions Management (DRM), to provide for a fully harmonised set of exceptions, including for currently uncertain situation with Text and Data Mining (TDM), and to strengthen the principle of technological neutrality.

The draft Proposal together with the draft Impact Assessment, however, is far from actually tackling the existing problems with outdated copyright protection. Furthermore, they seem like a cry out of threatened businesses to secure their place under the sun at the expense of others. Instead of dealing with the problems that are actually hampering the EU from achieving the desired digital single market, the proposed reform conveniently “backed up” with contradictory Impact Assessment, ignores the existing problems, disregards fundamental rights and leans towards reinforcing the same issues in a larger and more “harmonised” way.

Text and Data Mining – new field for DRM and beyond?

The purpose of ongoing copyright reform is inter alia addressing existing disparities between different member states and to bring more legal clarity on copyright into the digital sphere. FSFE also supported that reasoning and asked the EC to uphold these plans for uniform rules across the EU for the interpretation of exceptions and limitations. This inter alia is most likely achievable by introducing legislative requirements of mandatory exceptions, as this will not leave any space to manuoeuvre within the member states, allowing the necessary level of harmonisation across the EU.

In particular, we argued for an explicit right to extract data from lawfully accessed protected work. The Proposal includes a mandatory exception for uses of text and data mining technologies in the field of scientific research, illustration for teaching, and for preservation of cultural heritage. The draft Proposal does include a reference to the fact that licensing, including open licences do not address the question of text and data mining with the necessary clarity, as they often just do not have any reference to TDM.

The mandatory exception for TDM is therefore a welcomed approach. The downside with the exception as proposed by the EC is however the fact that it is only granted to ‘research organisations’ – university, a research institute or any other non-profit organisation of a public interest with the primary goal of conducting scientific research and to provide educational services. The scope of such mandatory exception is hence limited, excluding everyone else with lawful access to protected works (citizens, SMEs etc).
The exception of TDM directed to everyone who has lawfully accessed the work, according to the Commission, is unfavourable simply because “this option would have a strong negative effect on publisher’s TDM licensing market”. Ignoring the benefits to innovation, and the fact that such exception would open opportunities for more businesses, the EC is evidently in favour of securing existing situation of publishers’ taking advantage of current legal unclarity.

Technical safeguards

In addition, TDM exception has a reference to the right of rightholders to apply technical safeguards to their works, as according to the Draft Proposal, new TDM exceptions has a potential to inflict “high number of access requests to an downloads of their works”. This is a reference to so-called Digital Restrictions Management (DRM) that is widely used by the rightholders to arbitrarily restrict users’ freedom to access and use the lawfully acquired works and devices within the limits of copyright law. A slight hope to restrict this arbitrary practice at least in TDM exception is contained in the second part of the proposed provision which requires that “such measures shall not go beyond what is necessary” to achieve the objective to ensure security and integrity of the networks and databases where the works are hosted. In addition, these measures should not undermine the effective application of the exception.

Whilst it is definitely a better approach to address the lawfulness of DRM and include a safeguard for an effective application of the exception, it is however, a worrisome direction to see such requirement in a copyright regulation. It is evident that the rightholders would need to ensure the technical security and integrity of their databases and networks in any case, irrespective whether the users’ access their works under a legitimate TDM exception or any other use. This vague provision sounds like rightholders can receive a wide-reaching right in name of copyright to apply any technical measure that is “necessary” to safeguard their right. The provision lacks the requirement of proportionality in addition to necessity: when the measure is not only necessary to stop the unlawful access to the database but is also proportionate with the alleged aim and purpose of such measure.

Link Tax – EC says ‘no’ but means ‘yes’

The tensions between hyperlinks and copyright have been on agenda of European Court of Justice on several occasions: when can a link to copyrighted material constitute a copyright infringement and why? The reform of existing European copyright rules can be seen as an opportunity to bring some clarity to the question and secure the fundamental principle of internet: linking, i.e. as in mere referencing to or quoting *existing* content online shall be considered a lawful use of protected work per se.

However, the EC decided to go after hyperlinks from a different direction: in the name of *holy* news publishers who are losing their revenues because of online uses to “ensure the sustainability of the publishing industry”. In a nutshell, news publishers are granted with so-called “neighbouring rights” for the reproduction and and making available to the public of publications in respect of online uses. This means that news publishers get exclusive rights to prohibit any reproduction or “the communication to the public” of their stories: including the snippets of the text or hyperlinks. According to the EU case-law, the text as long as 11 words is considered to be “literary work” protected by copyright laws. Publishers enjoying such broad and widespread right without any counterbalance from the other side is a serious threat to the existing online environment and to the internet we know, not mentioning the implications of freedom of expression and the diversity of media.

According to the Impact Assessment, publishers are currently in the most disadvantageous situation, as they “rely on authors’ copyright that is transferred to them”. When did copyright become the right to maximise the revenues of struggling business models making their money off creativity of other people? Furthermore, the Impact Assessment acknowledges the fact that so-called “ancillary rights” for publishers, already introduced in Spain (i.e. compensation to publishers from online service providers) and Germany (i.e. exclusive right covering specifically the making available of press products to the public) , have not proven effective to address publishers’ problems so far, in particular as they have not resulted in increased revenues for publishers from the major online service providers. Yet, the EC is convinced that the best solution would be to just combine two failed solutions and impose it on the rest of the member states.

Conclusion

The leaked documents indicate the worrisome direction taken by the EC in order to bring the EU to digital single market. Unfortunately, the EC is disregarding everything that can help the EU to enhance its digital environment. Instead of acknowledging the change internet has brought to the use and distribution of copyrighted material, the EC is frantically trying to secure the interests of fading businesses and their revenues first, rather than authors.

UPDATE: The official published documents on the reform confirm the plans of the European Commission as indicated by the leaks in unchanged form.


Image: Tom Morris, CC-BY-SA-3.0.

On carrots and sticks: 5G Manifesto


In the beginning of May 2016, FSFE together with 72 organisations supported strong net neutrality rules in the joint letter addressed to the EU telecom regulators. The Body of European Regulators of Electronic Communication (BEREC) is currently negotiating the creation of guidelines to implement the recently adopted EU Regulation 2015/2120 on open internet access.

In the joint letter, we together with other civil society organisations urged BEREC and the national agencies to respect the Regulation’s goal to “ensure the continued functioning of the internet ecosystem as an engine of innovation”, respecting the Charter of Fundamental Rights of the EU.

However, on 7 July the European Commission endorsed and welcomed another point of view, presented by the 17 biggest EU Internet Service Providers (ISP) who oppose the idea of strong net neutrality rules. In the so-called “5G Manifesto”, the coalition of ISP states the following:

“we must highlight the danger of restrictive Net Neutrality rules, in the context of 5G technologies, business applications and beyond”

“The EU and Member States must reconcile the need for Open Internet with pragmatic rules that foster innovation. The current Net Neutrality guidelines, as put forward by BEREC, create significant uncertainties around 5G return on investment”

Stick

According to the coalition, the Net Neutrality guidelines are “too prescriptive” and as such do not meet the demand of the market and rapid developments within. The coalition is calling the Commission to “take a positive stance on innovation and stick to it”, by allowing network discrimination under the term “network slicing”.

EDRi, one of the leading campaigners for Net Neutrality and a co-signer of the aforementioned letter to BEREC, has strongly criticised the “5G Manifesto”, stating that it includes “absurd threat not to invest in profitable new technologies”.

The Commission is clearly not seeing the real implications of endorsing such policies on the innovation, especially in the digital sector. Furthermore, the Manifesto is indeed imposing threats on the EC: net neutrality vs fast connection – no middle ground. The Manifesto is arguing for “network slicing” justifying the discrimination for public safety services.

Existing rules on neutrality do allow traffic management in ‘special cases’: Article 3(3) of the EU Regulation 2015/2120 does not preclude internet access services from implementing reasonable traffic management measures that are transparent, non-discriminatory and proportionate, and based on objectively different technical quality of service requirements of specific categories of traffic. While Article 3(5) governs so-called specialised services (i.e. “other than internet access services”) that ISP are free to offer. It is difficult to see how these provisions might exclude public safety considerations if they’re “objectively” different from the technical quality perspective or need to be offered outside of open internet. At the same time it is easy to see why ISP would want to achieve that special status by trying to get this exception as broad as possible.

What BEREC is expected to do is to fill the gaps in the legislation by clarifying the implementation of the law, and to not create new rules. What the Commission is expected to do is to “stick” to its existing primary law, including the one on open internet access, and the protection of fundamental rights and freedoms. The latter includes the freedom to conduct business, but it does not include the right to maximise its profits at expense of others.

Carrot

What do telcos promise in return? Telcos promise to invest into 5G. Such promise might be luring for the Commission, as the Commission calls it [“the most critical building block of the digital society”. The argument of net neutrality slowing down the internet is not a new one, and the 5G Manifesto might have hit the Commission’s tender spot. What is necessary to acknowledge, is that internet has been operating based on openness since its nascence and all the legislators need to do is to safeguard that openness in order to inter alia finally achieve the desired 5G. Internet won’t stop evolving because a part of service providers want to slice the cake according to their needs.

Net neutrality and open internet is not a new formula created by legislators in Brussels: it’s the basic, fundamental quality of internet that needs to be preserved to secure further development and future innovations. In conclusion, the EU will only need one “stick” to deliver carrots to everyone: to stick to support open internet for everyone.

The image is licensed under CC BY 3.0 US, Attribution: Luis Prado, from The Noun Project

EC: Free Software to enhance cybersecurity

On 5 July, the European Commission signed a contractual arrangement on a public-private partnership (PPP) for cybersecurity industrial research and innovation between the European Union, and a newly-established European Cyber Security Organisation (ECSO). The latter is supposed to represent a wide variety of stakeholders such as large companies, start-ups, research centres, universities, clusters and association as well as European Member State’s local, regional and national administrations. The partnership is supposed to trigger €1.8 billion of investment by 2020 under Horizon2020 initiative, in which the EU allocates he total budget up to EUR 450 million.

In the accompanying communication, the Commission identifies the importance of collaborative efforts in the area of cybersecurity, the transparency and information sharing. In regard to information sharing, the Commission acknowledged the difficulties amongst the businesses to share information about cyberthreats with their peers or authorities in the fear of possible liability for the breach of confidentiality. In this regard the Commission intends to set up anonymous information exchange in order to facilitate such intelligence exchange.

In addition, the Commission stressed “the lack of interoperable solutions (technical standards), practices (process standards) and EU-wide mechanisms of certification” that are affecting the single market in cybersecurity. There is no doubt that such concerns can be significantly decreased by using Free Software as much as possible. The security advantages of Free Software have also amongst the others been previously recognised by the European Parliament in its own-initiative report on Digital Single Market. Therefore, within the anticipated establishment of the PPP for cybersecurity (cPPP), the Commission highlights that:

In this context, the development of open source software and open standards can help foster trust, transparency and disruptive innovation, and should therefore also be a part of the investment made in this cPPP.

The newly established ECSO, whose role is to support the cPPP, is currently calling out for members in different groups. It is currently unclear how the membership will be divided between these groups, however the stakeholders’ platform is intended to be mostly industry-led.

We hope that the Commission will in practice uphold its plans to include Free Software communities into standardisation processes as has been indicated in several documents throughout the whole Digital Single Market initiative, including but not limited to the area of cybersecurity.

EIF v.3: makes you miss noughties

CC0

European Interoperability Framework (EIF) – an EU initiative that aims to support the establishment of European public services, is designed to ensure interoperability of such services across all member states. Since 2004, when the first non-official document was published, the EIF is currently undergoing its third revision.

History lesson

The first EIF dates back to 2004 when Free Software was entering the debate on the EU level. The first version was a non-official document but by that time had a remarkable impact on the member states and their national eGovernment policies. Furthermore, its Open Standard definition (!) still serves a strong example for national policies. Most notable was its approach towards standard-essential patents (SEPs) that had to be made “irrevocably available on a royalty-free basis”, and that the availability of the standard specification “must be permissible to all to copy, distribute and use it for no fee or at a nominal fee”.

In 2010, the European Commission (EC) decided to update the EIF in order to change its status to a more official document. With the revision it became clear that with the EIF v.2 the EC did not want to follow the examples of several member states which continued to base their policies on the former EIF and its definition of Open Standards.

The definition of Open Standards in the EIF v.2 transformed to a weaker term “open specifications” that are only available for everyone to study, instead of all four freedoms guaranteed by the former version. The approach towards patents did also “slightly” change: the EC introduced FRAND (so-called “fair, reasonable, and non-discriminatory”) licensing terms that were supposed to allow the implementation of specification in both proprietary and Free Software, in addition to the royalty-free terms. FSFE followed extensively the process of EIF v.2, and identified the possible “inspiration” for the EC to water down the strong favour towards Open Standards and Free Software.

Today, in the light of the Digital Single Market initiatives, the EIF is yet again going through another revision. Digitisation of European industries cannot overlook public sector, and the EC is currently asking for the public opinion in its public consultation on this matter. As a part of this consultation, the public is invited to comment on the draft revision (EIF v.3, dated to February 2016) until 29 June 2016.

UnFRAND me, please!

On the first glance, the revision includes a slightly better approach towards “IPR” as it now gives preference to the royalty-free licensing terms for open specifications but still includes FRAND as the basis for the balanced framework that “fosters competition since providers working under various business models may compete to deliver products, technologies and services based on such specifications”.

What it lacks in this particular approach is that FRAND is not simply a question of paying royalties or not. It has been proved and showed on numerous occasions that FRAND is incompatible with Free Software in a way that cannot be fixed by simply changing the Free Software licence. It’s an inherent compatibility that restricts standard’s implementation in Free Software because FRAND impedes the exercise of four freedoms granted by Free Software: to use, study, share and improve. FRAND doesn’t allow any of these by default, and interferes with the collaborative innovation space. It requires to negotiate an individual licence every time a standard implementer (let’s say Free Software project) wants to build the service based on the standardised technology used by the public administration, and to provide the same service back to that same public administration. FRAND requires to pay royalties, usually based on the number of distributed copies of that service that in the case of Free Software is almost impossible to track. Even if Free Software project finally agrees on the individual licence with the acceptable royalty for the patent holder, any other public administration who wishes to reuse such service, needs to re-enter the negotiation with the patent holder in order to obtain the same rights. In conclusion, the technology rests where it sits and is only called a standard on the paper, imposed on the users and service providers by the poor “interoperability” policies.

European Intraoperability Framework

So what about interoperability? Well, in theory it is possible to achieve so-called interoperability by imposing on everyone the same tools and solutions, preferably provided by the same service-providers. However, this scenario has a different name: intraoperability. According to Bob Sutor, intraoperability is a situation when “one product is somehow central and dominant, either by marketshare, attitude, or acquiescence. The connectivity is supported by protocols and data formats that favor the central software, and those are often prescribed by the provider.”

Interoperability, on the other hand, has to ultimately serve the values enshrined in the EU founding treaties, i.e. fair competition and protection of fundamental rights and freedoms. And it is about time the EU starts to promote real interoperability in order to, among many other things, get rid of its ICT lock-in.

Despite all its efforts to decrease its vendor lock-in, the EU stays in it steadily according to the recent “Study on the best practices for ICT procurement based on standards in order to promote efficiency and reduce lock-in” (PWC study for the EC, 2016). 52% of all respondents amongst public administrations have experienced vendor lock-in, the awareness of its negative implications is high (65%), but the situation leaves many respondents to “almost feel powerless to question any alternative”.

EIF could be a good chance to take a strong stance towards lock-in and leave no backdoors and compromises, however the EC seems to be cautious in affecting the existing lock-in situation, at least with its EIF revision.

Public consultation: have your say!

Important revisions for Open Standards and Free Software are not that common in the EU but if they happen, we should take that opportunity and have our voice heard.

Probably the most important aspect in the revised EIF that needs to be addressed, is the point on FRAND. Several recent Digital Single Market communications in particular on ICT standards follow the same faulty reasoning and are sprinkled with FRAND all over. We, Free Software community, should voice our concerns, and the revision of the EIF is one of the opportunities to do that.

Glyn Moody gives a useful overview of the situation and his response to the consultation. He asks the EC to uphold and reintroduce the “openness” principle present in the EIF v.2 to the revised version, and suggests to improve the point on FRAND:

In the section “Openness of formalised specifications,” the following is ambiguous: “Intellectual property rights related to the specification are licensed on FRAND terms or preferably on a royalty-free basis in a way that allows implementation in both proprietary and open source software.”

I believe it should be rewritten along the following lines: “Intellectual property rights related to the specification are licensed either on FRAND terms or preferably on a royalty-free basis, but in either case, in such a way that allows implementation in both proprietary software and by all open-source projects.” This makes clear that FRAND licensing must not only be compatible with open source, but that it must be compatible with all open source projects.”

As we can see, Moody’s approach towards FRAND is more flexible. He asks the EC to ensure that no Free Software project is excluded due to FRAND licensing. While it’s definitely a much more plausible approach (also because in the end there is no consensus on what constitutes FRAND), it is important to consider that FRAND is more than a question of licensing. It is a development and distribution system that goes against collaborative innovation – the core idea of Free Software.

Furthermore, FRAND is not suitable to software sector in general, as it emanated from the telecommunication sector and through traditional standard-setting organisations (SSOs). Software, internet and web, the way we know them today, have developed in a more collaborative way, thanks to Open Standards, and through fora and consortia. There is a strong trend in the SSOs working in these fields towards the absence of FRAND in their standardisation policies and practice. Hence, there is no pressing need to stiffle innovation and constrain competition by introducing harmful FRAND licensing.

Fair, reasonable and non-discriminatory licensing terms towards Free Software in standardisation can only be achieved by ‘restriction-free’ approach:

“free from legal or technical clauses that limit its utilisation by any party or in any business model”.

Therefore, I encourage everyone to provide their answers to the European Commission before 29 June and address FRAND issue in the section of “any further comments” in the end of the questionnaire, even if it’s just one sentence about the topic, e.g. “FRAND is harmful to Free Software, that is a strong basis for interoperability, and therefore should be discouraged in standards concerning software”.

As a community, we should show the Commission that we care about these issues and that we want to be included in the standardisation processes, as envisaged by the European Commission in another recent standardisation communication.

UPDATE: 27/06/2016 – Please find the FSFE’s response to the consultation here.

To encrypt, or not to encrypt – there is no question

Never ever has right to privacy been more threatened than now. The original idea of “interference with correspondence” has evolved around sneaky governments snooping in citizens private lives through intelligence agency workers steaming sealed letters. No one questions that secretly reading private letters is wrong. Digital has, however, blurred the lines of what is private or not, or what is intended to be private. Furthermore, users and consumers are being reassured that giving away their privacy and anonymity online is not a big deal. It is encouraged and claimed to be for our own good.

While our ways of communication and imparting information have changed, our basic human rights have not, despite the social media where it seems that we want to share the details of private lives, baby pictures and eating habits with the whole world. It might seem that due to this exhibitionist world we live in, no one should care about privacy any more. “D’oh silly, it’s internet!”.

Described as the greatest invention of humanity after the wheel, printing press, and light bulb, the internet brought us to a new era and transformed the way we live. It is unthinkable in the offline world to give up our privacy or any other fundamental right in order to receive better services or goods. That it is, for example, possible to circumvent the absolute prohibition of torture in order to get everyone’s life more convenient and fun. Sounds brutal but this is exactly what we are forced to do online by agreeing to endless terms of service in order to be able to communicate, impart information or express ourselves.

One might argue that neither right to privacy, nor freedom of expression are absolute, unlike the prohibition of torture. As we need to disclose our private information in certain cases, we cannot express ourselves the way we want: especially when our expression may harm others. However, there is a necessity to remind ourselves that human rights are inaliable, indivisible, and interdependent. And there is a reason why right to privacy and freedom of expression are often perceived together in courts. There is simply no one without the other.

“Anonymity” is closely linked to both of these rights, especially in the digital age, as it has contributed to a robust internet public sphere. The Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, called anonymity “one of the most important advances enabled by the internet, and allows individuals to express themselves freely without fear of retribution or condemnation“. What is helping to maintain the necessary anonymity is a strong end-to-end encryption. Demands to weaken this, either for the “national security” or “fight the terrorists” are weakening everyone’s security online, according to the Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kay’s, about the use of encryption and anonymity in digital communications (‘the Report’, 22 may 2015).

Even if one is okay to reveal such details to the commercial actors for allegedly better and targeted ads, this bulk of data is a honey pot to the snooping governments and criminals. It is technically impossible to ensure that the data in question can be only accessed by legitimate powers. Backdoors can and will be used by everyone.

What is however often overlooked in the debate of human rights online is the right to hold opinions. While freedom of expression is not absolute and can be limited (e.g. hate speech), right to hold opinions is not allowed to be restricted by law or other power, according to the International Covenant on Civil and Political Rights. The ability to hold an opinion freely was seen to be a fundamental element of human dignity and democratic self-governance during the negotiations of the Covenant. The Report emphasizes that the mechanics of holding opinions have evolved in the digital age and exposed individuals to significant vulnerabilities. Individuals regularly hold opinions online, saving their views and their search and browse histories, e.g. on hard drives, in the cloud, and in e-mail archives. Hence the balance between these three fundamental rights can be easily shaken, and the disturbance of one non-absolute right, even for allegedly legitimate reasons, will create the chain reaction that will lead to the more grave consequences. Strong encryption is necessary to preserve this balance.

Bruce Schneier has an excellent answer to everyone who claim they have nothing to hide or have no fear of surveillance. Encryption can save lives but only if we all do it. Using encryption only for sending sensitive data, indicates by its essence that the content is private or sensitive. This can be considered a basis per se for persecution or discrimination by authorities without even knowing what’s the content of that communication.

Everyone should care about privacy online because this is the only way to ensure that every individual, company, whistleblower, dissident, activist or not would feel safe to communicate, access and impart information, conduct business and express themselves in a safe way.

In light of last year’s Paris attacks, the debate over encryption has intensified. More voices are advocating for encryption with backdoors, or the ban of end-to-end encryption whatsoever. Achieving the goals of national security cannot be done without obeying to human rights law. Fortunately, not all governments are following this slippery slope, and do recognise the importance of strong encryption to society: for example in Netherlands, the government refused to take restrictive legal measures considering the development, availability and use of encryption within the country.

In the end of 2015, we wanted to remind policymakers how to secure their private communication online and distributed our ‘e-mail self-defense’ leaflets in the European Parliament.


Photo taken by Xander Bouwman, original can be found here.

What the “cloud” is going on in ETSI?


As a part of the route taken by the European Commission to “unleash the innovative potential in Europe” and investing in ICT solutions such as “cloud”, the European Telecommunications Standards Institute (ETSI) has been requested to identify a detailed map of the standards required to support EU policy in such areas as security, interoperability, data portability and reversibility. ETSI therefore launched the Cloud Standards Coordination (CSC) initiative in collaboration with numerous stakeholders: cloud industry players, public authorities, user associations and more than 20 standards setting organisations.

The CSC involves series of reports on various topics: needs of cloud computing users’, interoperability and security, standards maturity assessment, but one of those is particularly interesting: titled “Standards and Open Source”, it claims to “investigate the relationship and the interactions between standardisation and Open Source based software and solutions in Cloud Computing”. The rationale behind such document is, according to the Report, in following statement: “Open Source development plays a very important role and changes significantly the traditional approach to standardisation”. The start is rather promising as it instantly gives hope to the closer assessment of Open Standards, the prerequisite for Free Software.

Next the Report attempts to make a clear distinction between Standards and Free Software. No objections so far. Standards and Free Software are indeed different concepts, and according to the Report “are serving rather different purposes and have developed different ways to achieve their own goals”.

Then the Report identifies the purpose of the document, i.e. the “realisation that in more and more cases standards setting organisations have found it useful to address some of the ways of working of Open Source organisations [OSS], and vice-versa.” The hope for addressing Open Standards has slightly shrunk. “Some of the ways of working” is rather vague definition of the basis for analysis, but okay, it could still potentially include the evaluation of Open Standards.

Further digging into the definitions provided in the Report: standards are praised as “stable”, “focused on core functionality”, “widespread”, “interoperable” and “technology neutral”. No mention of Open Standards whatsoever throughout the whole Report. Furthermore it seems that in fear of “unclear definition” of “open”, the word ‘open’ in front of standards is avoided like the plague. A small disclaimer in the beginning states that the report is not addressing the debate on the many meanings of “open”. The disclaimer, nor the introduction is giving any further insight about which unclarity concerning the term “open” the authors of the Report are excluding from the scope of it.

If the Report was trying to stay neutral in this regard, then it failed to do so. The Report explicitly states that due to the characteristics of Free Software, the latter is incompatible with Standards by stating the following:

  • “OSS is not concerned with interoperability”, while “the major objective” of standards is “to guarantee interoperability”
  • “impossible to find similar ways of working and expected outcome”,
  • “OSS do not feel the pressing need for cooperation”.

 

The approach taken in the Report towards analysing the “ways of working” of OSS is somehow confusing and contradictory: it acknowledges the importance of Free Software in standardisation, and at the same time rejects it by stating that OSS is not willing to cooperate with standard setting organisations that per se are the cornerstone of interoperability according to the Report. This statement is rather surprising, because it slightly goes against the current policy aim to “cut through the jungle of standards” taken by the EU. Using jungle when describing standardisation does not sound as this is a particularly easy process and self-sufficient for interoperable solutions.

A little background check on ETSI and a simple internet search unveil its close cooperation with Trusted Computing Group (TCG), that according to ETSI allegedly “develops, defines and promotes open, vendor-neutral, global industry standards supportive of a hardware-based root of trust, for interoperable trusted computing platforms”. Notoriously, the group is not in favour of ‘openness’ and avoidance of customer lock-in, and especially is not the hardware-based root of trust. TCG is responsible for developing far-reaching restrictions on the use of hardware, in the form of Trusted Platform Module that restricts users from replacing proprietary hardware with Free equivalents. IBM, Microsoft, Hawlett-Packard, the members of TCG, are also one of the 700 members of ETSI.

In addition it is noteworthy, that considering the fact that CSC initiative is supposed to be a collaboration between numerous “prominent” players: cloud industry players, public authorities, user associations and standards setting organisations, only the list of collaborating standard setting organisations is public. Therefore, it is difficult to assess how much are the user interests actually represented in this collaboration, and whether ETSI collaborated with any of Free Software actors when drafting the Report.

What is clear is that ETSI participates in the European standard setting scene and is envisaged to produce results in order for Europe to finally have its ‘own’ push in the standardisation processes. As their work is supposed to be linked to the European policies, then it would have at least been logical to use EU’s own definition of Open Standards when preparing the Report.

According to the European Interoperability Framework, definition of ‘open’ in ‘standard’ has to fulfill following criteria:

 

  • The standard is adopted and maintained by a not-for-profit organisation, and its ongoing development is based on an open decision-making procedure available to all interested parties.
  • The standard has been published and its specification document is available either freely or at a nominal charge. It must be permissible to all to copy, distribute and use it.
  • The intellectual property of (parts of) the standard is made irrevocably available on a royalty-free basis. There are no constraints on the re-use of the standard

 

And what has this all to do with “cloud”? Based on the obvious lack of actually addressing cloud in the Report, the answer is left open. Perhaps the reason of avoiding cloud in the Report may derive from the fact that the concept may seem too fuzzy for the ETSI, as after all:

“There is no cloud – just other people’s computers”

Image: Creative Commons License
No Cloud is licensed under a Creative Commons Attribution 4.0 International License.