Communication (2007)

Brigitte Zypries

The BigBrotherAward in the “Communication” category goes to the Federal Minister of Justice, Ms Brigitte Zypries, for a bill that will introduce the retention of all telecommunications connection data in Germany. With this bill, the Minister is deliberately ignoring jurisdiction by the Federal Constitutional Court, which had ruled in 1983 in its census verdict that the collection of non-anonymised data for undetermined or not-yet-determined purposes is unconstitutional.
Laudator:
Dr. Fredrik Roggan, Humanistische Union (HU)

The “Communication” BigBrotherAward goes to the Federal Minister of Justice, Ms Brigitte Zypries. Ms Zypries, you have been awarded for a bill that will introduce the retention of all telecommunications connection data in Germany, deliberately ignoring jurisdiction by the Federal Constitutional Court (Bundesverfassungsgericht, Germany’s highest court, whose tasks include ruling on the compatibility of individual laws with the constitution). The court had ruled in 1983 in its verdict on the census (Volkszählung, a census that was controversially designed to include the entire population) that the collection of non-anonymised data for undetermined or not-yet-determined purposes is unconstitutional.

The basis for your bill is an EU directive, officially named “2006/24/EG”. According to this directive, all member states have to oblige providers and operators of public communications networks to retain so-called traffic data. This registration of telecommunications users does not require a specific cause. The collected data are to enable unambiguous tracing and identification of both source and destination of a message by date, time, duration and type of message, as well as the determination of telecom equipment and location of mobile devices, such as mobile phones. The storage is to last from six months to two years. Germany will have to implement this directive – if it stays in its current form. But this is doubtful, as Ireland is already pursuing an Action of Annulment at the European Court of Justice. A date for a decision has not yet been set.

The BigBrotherAwards jury acknowledges that the directive is binding for the German legislator. A refusal to implement it would lead to infringement procedures by the EU against the Federal Republic of Germany. We have also taken into account that some traffic data are retained even today by telecommunications providers, albeit only for accounting purposes. We are also aware, Ms Zypries, that in your bill you adopted the shortest retention time facilitated by the directive, i.e. six months.

But these considerations, Ms Minister, cannot quite exonerate you as a laureate: retaining traffic data without suspicion is evidently incompatible with the aforementioned jurisdiction by the Federal Constitutional Court. National judicature and European legislation are obviously in conflict here. This could have prompted you to work towards Germany joining Ireland's court action. At the very least, this should have been reason to postpone the bill until there is a decision in the European Court of Justice. If Ireland succeeds in overturning the EU directive, Germany will not be bound to implement it either.

Ms Zypries, we would have expected you to refuse to implement the EU directive in German law, even when faced with infringement procedures, for the following reasons: Information about who communicated with whom, at what time, for how long, and from where, is far too important in a free communication society to allow it to be retained in every case and without a basis. After all, this would inevitably imply holding the entire population under suspicion as the data could be needed for future criminal investigations. Every one of us could break the law some time.

You also talk about “threat prevention” in connection with your bill. Does this mean you perceive every citizen as a potential threat? Additionally, you argue that the German secret services might find our data useful some time in the future. We could turn into public enemies (Verfassungsfeind, literally “enemy of the constitution”) within six months, and of course it would be, in your eyes, a pity if the spooks couldn't figure out our contacts of the last half year.

In 2005, the Bundestag (the Lower House in Germany’s federal parliament) already considered the question of data retention. After considerable controversy the idea was decisively rejected, not least because of its questionable compatibility with the constitution. The delegates were carried by the belief that the privacy of citizens' communication relationships is an elementary foundation of a democratic society based on unrestricted communication. They may also have heard the echo of the aforementioned census verdict: insecurity about the extent of data collection by the government may lead to a decline in the exercise of our basic rights.

It is our wish that the delegates of this election period, too, will not lose sight of how much our democratic, constitutional state depends on human dialogue being unrestricted and free of surveillance. We strongly appeal to every parliamentarian to reject your data retention bill!

Ms Minister, grant me one last word of warning. Three years ago you received a BigBrotherAward for holding on to the Major Eavesdropping Attack (Großer Lauschangriff, the German name for audio surveillance being used on private homes in the course of state investigations) as an instrument in criminal investigations. Should your track record concerning data protection not improve in coming years, the jury sooner or later will have to look into the possibility of nominating you for the unpopular Lifetime Award.

Until then – for a shameful second time – congratulations, Ms Zypries, Federal Minister of Justice.

Technology (2007)

PTV

The BigBrotherAward 2007 in the “Technology” category goes to PTV Planung Transport Verkehr AG, represented by Dr Hans Hubschneider, for their system for individual rating of car insurances with the so-called “pay-as-you-drive” technology, i.e. a device that records routes and driving behaviour in a car and transmits these data to the insurance company.
Laudator:
Frank Rosengart, Chaos Computer Club (CCC)

The BigBrotherAward 2007 in the “Technology” category goes to PTV Planung Transport Verkehr AG represented by Dr Hans Hubschneider for their system for individual rating of car insurances with the so-called “pay-as-you-drive” technology, i.e. a device that records routes and driving behaviour in a car and transmits these data to the insurance company.

The idea sounds alluring: You drive sensibly and carefully, and in return you pay less for your car insurance. But how does the insurance company know whether someone drives carefully, keeps to speed limits and spends less time on the Autobahn? The technology involved is called “pay-as-you-drive”. It is supposed to motivate drivers, especially beginners, to drive safely – via their wallets.

Similar to the toll data collecting devices built into most German lorries, pay-as-you-drive works through satellite navigation and data transmission via mobile networks. Additionally, a number of other data sources within the vehicle can be tapped: acceleration sensors, setting of indicators, electronic tyre pressure measurements – even an alcohol tester can be connected to the device. All data are then transmitted to the insurance company on a regular basis. In addition, speed limits can be stored on electronic street maps within the device. Theoretically, pay-as-you-drive systems could even write out electronic speeding or parking tickets. There is no limit to surveillance fantasies, as in modern cars just about all technical parameters can be obtained from their on-board computers.

The main concern lies with the centralised processing of the data. In order to always work with the most recent maps and to keep the complexity of the pay-as-you-drive black box manageable, travel data are transmitted via GSM to the insurance company’s headquarters. The data will thus not be stored directly in the black box, decentralised and secure against Nosey Parkers; instead, the box regularly transmits its knowledge about the driver to the insurance company. There, the data will be matched with recent maps, and it will be checked whether “voluntary restrictions” from the insurance policy and legal proscriptions have been adhered to. And at the same time official bodies and other needy people can help themselves to these data from the troughs of the insurance company or its technical contractor.

Ever since the introduction of road charges for freight vehicles in Germany, we know how lecherous some state authorities become when it comes to gaining access to the data of the control system and the on-board units in the lorries. It is therefore an illusion to believe that the data collected through the pay-as-you-drive black box will remain in the hands of the car owner and the insurance company. The law regulating the collection of road charges, which had been expanded specially in its final version to cover data protection issues, has come under pressure since the German government changed in 2005. Until now, the use of toll data is strictly limited to specific purposes. Use for criminal investigations, e.g., is prohibited. That could soon be over, if prosecutors and some politicians get their way.

In the United Kingdom, pay-as-you-drive systems are already being tested. A number of insurance companies in Germany have voiced their interest in introducing this technology here. PTV with their “Roadrunner” kit are offering a platform for individual travel data collection that can be used for route-based car insurance schemes.

We don’t want to hold off bestowing a Big Brother Award until an insurance company puts a policy based on total surveillance on the market. Although it will always be pointed out that pay-as-you-drive rates are, of course, voluntary, in some sense customers will indeed be pressured towards putting a black box in their cars: through money.

Young beginners especially will not think twice about the technology when monetary savings are on offer – and then they will get used to comprehensive surveillance of their driving behaviour and their daily habits from an early stage. The success of loyalty and bonus cards shows that many citizens are willing to trade in their private sphere for ever so small rewards.

Pay-as-you-drive systems are not a “neutral” technology. Their sole function is monitoring and surveillance of drivers’ behaviour. Big Brother is watching you in your car.

Our heartfelt congratulations, Dr Hans Hubschneider of PTV Planung Transport Verkehr AG in Karlsruhe.


Government Authorities & Administration: Monika Harms

The BigBrotherAward in the “Government and Administration” category goes to Germany’s Federal Prosecutor (Generalbundesanwältin), Monika Harms. She receives the BigBrotherAward for her anti-terror measures against opponents of the G8 summit in May this year, particularly for systematic postal surveillance in Hamburg and for her instructions to collect and preserve body scent samples from G8 opponents suspected of militancy.

Laudator: Dr. Rolf Gössner

The BigBrotherAward in the “Government Authorities and Administration” category goes to

Germany’s Federal Prosecutor (Generalbundesanwältin)

Monika Harms

She receives the BigBrotherAward for her measures against opponents of the G8 summit in May this year. The BBA jury finds two aspects particularly dubious and thus prizeworthy:

  • First, Ms Harms has sought approval from judges at the Federal Court of Justice (Bundesgerichtshof, Germany’s appeals court in cases of civil and criminal law) to carry out systematic postal surveillance in Hamburg, in search of letters from militant G8 opponents claiming responsibility for an arson attack. As a consequence, all letters in the affected districts of Hamburg were inspected for suspicious external features.
  • Second, Ms Harms has given instructions for body scent samples to be collected and preserved from G8 opponents suspected of militancy. This has caused investigators to intrude severely into the private sphere and individual rights of the people affected.

The application for postal surveillance as well as the order to gather scent samples were connected to searches of 40 private homes, offices, culture centres and internet servers, under § 129a of the German Criminal Code (StGB), which penalises joining terrorist groups. This has placed leftist groups and globalisation critics under suspicion of terrorism before the G8 summit even began. These investigations have not led to any charges so far, but to widespread investigative snooping, data registration and processing – and the information gathered can be used to chart social relations between potential G8 protesters and opponents.

1. Postal surveillance – a preventive strike against the privacy of correspondence

In response to an arson attack in Hamburg on 22 May 2007, judges at the Federal Court of Justice granted permission, on the same day, to the Federal Prosecutor for wide-ranging postal surveillance. All items posted between 22 and 24 May via the Processing and Distribution Centre “20” of Deutsche Post in Hamburg were inspected, in search of letters addressed to certain newspaper editors. This was part of a criminal investigation on grounds of “suspected formation of a terrorist organisation” as defined in § 129a of the German Criminal Code, against three suspects alleged to be part of a “militant campaign against the world economic summit (G8) 2007 in Heiligendamm”. The search was for letters that by their external appearance would seem to contain claims of responsibility for the attack – lacking a sender address, using adhesive address labels, etc. For letters matching these “suspicious criteria”, further forensic examination – fingerprints or scent traces – would be used to find who had sent these letters and might therefore be responsible for the attack.

As it turns out, according to the Federal Prosecutor, only one letter was opened (in the presence of a prosecutor). But all mail posted in the districts served by the Distribution Centre – numbering in their thousands – were looked at and checked for the suspicious criteria. In the words of Hamburg’s Data Protection Commissioner, whole districts were placed under “general suspicion”.

The postal inspections were carried out by investigators from two Criminal Police Offices, those on the Hamburg state and on the federal level – although the required legal powers are given exclusively to postal workers. Neither prosecutors nor their police aides have this authority, because an intrusion by investigative authorities into postal buildings would compromise the privacy of correspondence further than the law would allow. This view is unanimously held among legal experts (German source: Meyer-Gossner, StPO, 2007, § 100 Rdnr. 8 m.w.N). Otherwise civil servants would gain insights into postal operations and knowledge of other mail not covered by the particular confiscation order. In this way, prosecution authorities gained information about certain aspects of postal communication – also about correspondence protected by professional obligations of confidentiality, such as that between lawyers and their clients, or journalists and their sources. That is a violation of professional confidentiality, as protected by article 12 I of the German Constitution, and of the basic right of privacy of correspondence, which protects not only the contents of postal communication but the process of communication as a whole – including the information whether any communication has occurred between particular partners at all (German source: Gusy, in: Mangoldt/Klein/Starck, GG I, 1999, Art. 10 Rdnr. 30; BVerfGE 85, 386 ff, 396).

Even if, with one exception, no actual registration of data actually took place, the memory of communication processes as observed by humans in those inspections can not be erased without trace. Because, in contrast to machine-based inspection, traces will remain in the investigators’ memories from the cognitive process of assessment. This destroys the certainty of postal correspondence being an unmonitored form of communication. This surveillance action has not only damaged the secrecy of correspondence, it most likely violated the constitutional principle of proportionality as well. Responsibility for this lies with the Federal Prosecutor, who applied to the Federal Court of Justice to obtain legal permission for the operation.

2. Olfactory samples: scent of terror

In the course of the investigations, body scent samples were taken and preserved during raids on 9 May 2007 from at least five suspected G8 summit opponents, on the Federal Prosecutor’s initiative. This intimate kind of data is used for identification by specially trained police tracker dogs, whose task it is to find out whether a suspect person was present at a certain location, or whether he or she has been in physical contact with a crime tool or a letter claiming responsibility. The investigations focused on various paint and arson attacks, the crime therefore being damage to property. The Federal Prosecutor sees this seemingly archaic sniffing method as “perfectly normal” even in today’s digital and networked world of crime investigation – while admitting that it is very rarely used these days.

Even though the five scent samples were taken in a criminal investigation as part of identification procedures, they could also be used in threat prevention, given the right circumstances. They could also be made available to secret services – the recent developments in our so-called “security policy” have made the divisions between prevention and repression increasingly permeable. Germany’s Minister of the Interior has confirmed the preventive character of this measure when he connected it directly with the protection of the impending G8 summit.

In terms of forensic technology, the method of body scent sampling is quite doubtful: even according to the Federal Prosecutor, it could only serve as indicative evidence within a wider assessment of facts, but in no case could it reach the level of proof in the “classical” sense. Scent samples therefore are not progress in forensic technology; they are an odorous and inappropriate method tainted by high error rates, one that was in use even in the German Empire (then termed “conserved villain scent”). After the Nazi era, the method was no longer practised in West Germany, out of fundamental as well as legal reservations. In contrast, there was a surge of scent sampling in East Germany – which is why it reeks of perfidious Stasi tactics (Stasi: “State Security”, East Germany’s secret police) and reminds then-dissidents of a past thought to have been overcome. The preserving jars with scent samples secretly taken from dissidents can today be seen in the Stasi museum and in the “House of History” (Haus der Geschichte) in Bonn as daunting reminders of an overbearing state.

Today’s sniffing, however, is more advanced: The supposedly unmistakable body scents, or olfactory samples, are collected as so-called “aroma exhibits” and processed by standardised scientific methods. While in the times of the German Democratic Republic (GDR), samples were caught, often secretly, in unsophisticated yellow cotton cloths and kept in thousands of preserving jars diverted from their original use by the Stasi ministry, these days suspects are made to hold a sterile tube made of special steel, which is then kept in a gas-tight glass container. Finally, three specially trained police dogs with “marked predatory drive”, officially called “scent trace matching dogs”, get to sniff the small tube to let them compare it with a scent found at the scene of a crime. According to the Federal Prosecutor, no match was found in the cases mentioned above.

Although Federal Justice Minister Brigitte Zypries assures us that recorded scents are generally destroyed after use (which, we are told, has happened in these cases) and archives for olfactory fact-searching will not be created, we know what these assurances are worth – just remember how genetic or toll data have been used ever more widely. US scientists are already tracing the “scent of terror” in new ways – intensive work is underway on digital scent analysis, and this will surely be discussed in this country as well. Because the Federal Prosecutor intends to continue using scent samples in appropriate cases – even though the method severely intrudes into personal rights and the private sphere, and many constitutional law experts and politicians of almost all denominations express doubt that it is compatible with the principle of human dignity.

We reinforce this warning with the BigBrotherAward and leave the final word to the Social Democratic Party’s security expert, Dieter Wiefelspütz, who said about the Federal Prosecutor: “She’s gone to the dogs and should turn back as soon as possible.”

On this note, our congratulations, Ms Federal Prosecutor, Monika Harms.

Business (2007)

Deutsche Bahn

The BigBrotherAward 2007 in the “Business” category goes to Deutsche Bahn AG (German Railways PLC), represented by its CEO, Hartmut Mehdorn, for their systematic endeavours to make anonymous travelling practically impossible: abandoning ticket counters, ticket machines not accepting cash, personalised ticket selling on the internet, birth date and photo as mandatory items for buying the discount pass (BahnCard), ubiquitous video surveillance, an RFID chip in the all-inclusive one-year ticket (BahnCard 100) without customers being informed, and much more.
Laudator:
padeluun, Digitalcourage

The BigBrotherAward 2007 in the “Business” category goes to Deutsche Bahn AG (German Railways PLC) represented by their CEO, Hartmut Mehdorn, for their systematic endeavours to make anonymous travelling practically impossible.

“You can get your bread rolls from the vending machine.” I have not yet heard this sentence from my bakery assistant. And she has never added that for a mere five euro surcharge I could get the same goods from her over the counter. I would only have to join the 5-metre-long queue on the right. And neither has she told me that I could also place my order on the Internet and it would then be posted to me within two days – only then my address, taste preferences and credit card number would be stored in a centralised database.

If I want to travel with Deutsche Bahn, announcements like these are a painful reality.

But this is no consumer protection anti-award, it’s not about the everyday frustrations experienced when dealing with a large company with a service-averse culture – this award is about the data leech that is Deutsche Bahn AG. I would like to take you on a journey to my observations of the systematic erosion of anonymous travel. Get on board and let the following remarks drift by your ears.

Apparently, Deutsche Bahn want to know all, and they work the switches in a planned and effective way.

First stop. Deutsche Bahn AG are sidetracking travel agencies (traditionally a convenient alternative for buying railway tickets in Germany). Sales commissions have been reduced so much that travel agencies can no longer afford to sell tickets without a surcharge. For the agencies, this means: this is the end of the line – everyone leave, please. This has handed Deutsche Bahn immediate control on ticket sales. We will now continue to our second stop.

The ticket counter at the station: staff levels are kept so low that customers have to bring a good amount of time to buy a ticket. Buying at the counter is up to 5 euros more expensive, every seat reservation is 2 euros extra. Anyone with less money or time to spare will seek other ways to buy tickets. We have now reached a branch on our line.

You could travel via the Internet, for one thing. You can guess what that means. Deutsche Bahn, who have called themselves “enterprise future” (Unternehmen Zukunft) in the past, know you with your full address and account number.

So you’d rather take the detour via the ticket machine? Hardly any of these accept cash, so you’ll have to take your debit card. Are you using a BahnCard 25 or 50, the pass for a year’s 25 or 50 percent discount, in other words, the key to getting tickets for a somewhat reasonable price? Before giving the discount, the machine demands – unnecessarily, as your eligibility will only be checked for real when your ticket is checked on the train – that you insert the BahnCard: time to say goodbye to privacy. Only the very savvy will discover that you can just press “cancel” on the “insert your BahnCard” screen and still get a discount ticket.

While we’re on that detour, let’s take some time to give that BahnCard a good look. Did you state your date of birth on the application form? Why? There is no reason for Deutsche Bahn to know your date of birth. This is only useful for data leeching and, by German data protection laws, it is simply illegal to make it a mandatory item. It’s been a few years now that the Berlin Data Protection Commissioner informed us in writing that he had complained about this to Deutsche Bahn. The effect, up to now, has been nil.

A junior who ordered his BahnCard at a travel agency showed his ID and insisted that instead of his date of birth, only a remark would be stored that he was eligible to buy a BahnCard for the reduced price available to customers of his age – without recording his date of birth. His BahnCard, which he had paid for in advance, was never posted to him. Discussions were conducted over the phone with the data leech’s minions, to no avail. The travel agency that had accepted the case no longer exists. The money is lost.

The Berlin Data Protection Commissioner’s representative had fewer objections to the mandatory picture on every BahnCard. Personally, it makes me feel uneasy if a state enterprise that is about to go private and is practicing almost ubiquitous video surveillance across Germany – which can probably be monitored from the centre in Berlin – receives my picture as a digital file and stores it for years on end. Especially since the picture is not actually required as an identifying feature on the BahnCard. I can always prove my identity and eligibility to possess and use a BahnCard by showing a photo ID.

That is why my own BahnCard has neither a picture nor a date of birth. My age – watch out, ladies, this is printed on the BahnCard – is given as 95 years.

In another instance this issue became an unwanted emergency brake. On a stay in Berlin, I wanted to rent one of these beautiful bicycles that you can conveniently unlock with your mobile phone. After a lengthy conversation with the friendly service assistant, during which I stated my name and address, it came to the crunch: I was supposed to give my date of birth as an initial password. That was necessary, advised the lady on the phone. I just sighed and went on to walk.

The really anonymous and comfortable vehicle must be the BahnCard 100. The fast lane for rich people, even on the data collecting highway – so you would think. Make a one-off 3,400 euro payment, then just get on the train and go for a whole year, without clicking your way through the internet or fiddling with papers. But even here the data leech is waiting in its perfidious hideaway: an RFID spychip has been integrated into the card. This chip can be read clandestinely, without consent from or a warning to the card holder. Let us remind you: In 2004 the Metro corporation was forced to recall their “Payback” loyalty cards, which they had secretly bugged with spy chips, bringing the whole RFID industry into disrepute. The responsible CEO at Metro has meanwhile had to resign from his post.

We had already mentioned the BahnCard chip in a feature on our website in 2005. Three days after publication, the company’s Data Protection Commissioner called us and asked if Deutsche Bahn was now due for a BigBrotherAward. “Bis repetita non placent”, we reassured, educated Asterix readers that we are – “repetition is unpleasant”. RFID cards were so yesterday. We could hear him sigh with relief. He promised that Deutsche Bahn would inform customers clearly about the chip in the future.

Contacted by a customer who wanted his BahnCard 100 without the chip, the same man claimed – after our phone conversation – that the chip was not activated. But the chip responds to every reader that uses the appropriate standard. If readers were as widespread as the industry was imagining back in 2003, a BahnCard 100 would ultimately be a bug that would reveal its owner’s location through its unique number. Such data must not be released! At least the owners have a right to know what they are carrying with them. I have gone to the trouble of looking through all newsletters of Deutsche Bahn published after that phone conversation. Not a word since. Nothing at all.

Then there are these fellow travellers on our round-trip who collect points. Bahn Comfort Points. Okay, word has got around by now that collecting points and privacy don’t exactly go together in harmony. But, apparently, as many as half of all BahnCard owners have opted to enter their card into the point collection scheme. Deutsche Bahn AG guarantee in the privacy statement on their website that no data would leave the corporation, nothing would be shared with third parties. This is contradicted by a remark on Wikipedia that says something different, so I investigate.

On the website of the Loyalty Partner company, there is a result. The company has gathered a consortium around it that manages Bahn bonus points. BahnCards are manufactured by Bamberg-based GHP Holding. Incidentally, GHP also manage HappyDigits transactions (HappyDigits being a loyalty program by Deutsche Telekom and other companies in the retail, tourism and other sectors). And Loyalty Partner themselves, on whose website I read this, run the Payback loyalty scheme, winners of the BigBrotherAward in 2000. Payback, HappyDigits, and Bahn Comfort, all under the roof of the same consortium. What a muddle – no wonder Deutsche Bahn are not ready to admit this openly. And the train rolls on and on.

The data leech appears in many forms and places. It is therefore understandable, even though it might appear oversensitive, if people feel uneasy when the camera in the mobile device that conductors use to check online ticket barcodes is pointed straight at their face.

Where will the journey take us? Starting in early November 2007, a new billing system is going to enter a pilot trial. Test participants will receive specially prepared mobile phones that record every cell on the journey. At the start and end of a journey, they transmit their data to Deutsche Bahn AG. You could hardly generate a better movement profile.

As we move along, more and ever more data are being accumulated; in every new case, a sensibility for data economy must be insisted upon by Data Protection Commissioners before the leech withdraws its segments. With repayment coupons issued for delays or returned tickets, a legal penalty case had to be initiated before Deutsche Bahn refrained from demanding huge amounts of personal data.

It does seem in many cases that Deutsche Bahn has fairly elaborate procedures and processes in place to avoid data abuse. But a strange gut feeling remains. A state-owned company that collects such amounts of movement data is a high risk. A corporation that is given the goal of making a profit does not exactly guarantee confidentiality in handling person-relatable data.

There are 10,000 vending machines all over Germany, selling not bread rolls but railway tickets. 10,000 machines for which neither social security contributions nor income tax are paid. 10,000 machines that are all coordinated by being linked to the same large computing centre. 10,000 machines which, together with their stooges, the home PCs with an internet connection, suck data and deliver it to their masters. 10,000 machines that are monitored by video lest they run away … because even they cannot stand the cold social climate any more.

Mr Mehdorn, you’ve missed the train! Congratulations, Deutsche Bahn AG, for the BigBrotherAward 2007.

Laudator:
padeluun, Digitalcourage

Authorities & Administration (2006)

Conference for Education

And the winner is: the Federal Conference of Ministers for Education. For plans to introduce life-long student IDs, without binding the individual educational data to a defined purpose, nor guarding them against misuse and unauthorised access.
Laudator:
Karin Schuler, Deutsche Vereinigung für Datenschutz (DVD)

The BigBrotherAward 2006 in the category “Government Authorities” goes to the Conference of State Ministers for Education (Kultusministerkonferenz der Länder, KMK) for their entire ignorance (or in red-tape parlance: “a certain lack of observance”) of data protection requirements in the attempt to introduce life-long, nationally unified student IDs.

One could state as an excuse that “Law” is not usually taught as a school subject, so the Ladies and Gentlemen in the Conference may not necessarily have any knowledge of German law, having gone through the German educational system.

But shouldn’t one at least be able to show a basic knowledge of democratic principles if one wants to steer legislative processes? And shouldn’t this knowledge have been conveyed in “social studies” classes, so that one could have grasped and understood the meaning and requirements of data protection, informational self-determination and personality rights? This demand does not seem to have been fulfilled in the members of the KMK. Another German PISA disaster in the subject of data protection and democracy education!

But let’s start at the beginning:

Since the year 2000 the KMK has been attempting to design the collection of data for school statistics in a nationally unified way, to pool them centrally, and to gather them in relation to individuals (and that means related to pupils and teachers).

They justify this by pointing — on the whole perhaps understandably — to the necessity of reliable statistical data in order to make informed choices in educational policies. Not just since PISA and the newest OECD study is it obvious that “there’s something rotten” in our educational system, and fundamental changes are bitterly needed. But whether the supposedly deficient statistics are first and foremost responsible for this, and whether — as in traditional arguments of number-addicted controllers — it is personalised data, of all things, that might bring the much sought-after changes, seems to be somewhat questionable.

In May 2003, the 174th minister’s convention of the KMK decided, under the heading “core data items for school-statistical individual data in the federal states”, on a “soon to be initiated changeover in the school statistics towards individual data.” This means a requirement to the states that they build up a unified data collection system for public and private pre-schools, schools and institutions of further and adult education.

From the cradle to the grave — or at least to the first job or the release into unemployment, students from general or vocational schools, from health schools and, in the future, even from pre-schools and adult education institutions should receive a unique reference number, which relates to their life-long educational profile.

This requires that the software for school administration used in the individual states cover at least the core items defined by the KMK, and they need to be technically able to communicate these data to the central database. Core items include sex and date of birth as well as specifications about first language, nationality, religious affiliation, schools and tuition received there, remedial teaching (i.e. significant deficits in certain areas of learning), and whether one has any “migration background”. Incidentally, a lot of person-related data will be collected also about the teachers. As it seems, the KMK does not notice the requirement for involving teachers’ representatives in such decisions at all.

Who will be interested in the national education database, once it is installed? Didn’t we just learn through the TollCollect case that however heartfelt the promises made today about a strict legal limitation of intended usage may be, and however intricate the data protection concept, this does not prevent an arbitrary rededication once a particular political pressure is developed? So, is it really so unlikely that not only police and security authorities might be interested in such a beautiful collection, but also employers, banks and insurance companies? You want a loan from your bank? Having passed school only by the skin of your teeth? Then it might just be that your bank doubts whether your job is sufficiently secure and you will be able to pay it off. You had the pleasure of taking part in a remedial programme for “emotional and social skills development”? Sorry, fat chance of getting an apprenticeship in banking.

Do we have to fear in the future that at the age of 30 we will not get a loan, life insurance or job in Bremen, all because we had to repeat the odd year at school between the ages of 12 and 18 in Munich? — You think this is an exaggeration? You think that the KMK will quite certainly, and securely, have excluded such desires?

The really bad thing about it all is that the KMK hasn’t even reached the stage yet of thinking coherently and comprehensibly about the aims wished for, nor of formulating them. There is no documentation of concrete purposes and questions which the data should answer. A shortcoming in a project that has been pursued for six years now, which in any private enterprise would have justly earned the people responsible a severe reprimand from the supervisory authorities. In the same vein there is no satisfying definition of which institution is to run the centralised database, nor where, nor what the particular duties for that institution should be.

But in pursuit of the good old traditions of the hunter-gatherers one is eagerly working on definitions and demands of what data are to be collected. There is ample description of master data, definition of export interfaces, software re-programming, browbeating of schools, general exertion of pressure. But there is little thought devoted to personality rights of the students and the teachers affected, and just as little consideration is given to the determination of technical and organisational protection measures. “Who may do what, when, and with what?” does not seem to be a question to even once have crossed the minds of the ladies and gentlemen from the KMK. Concepts of access, authorisation, roles? Not found. Protection of communication and transfer channels? Not found. Minimum requirements for authorisation protocols in the school’s software? Not found. Concepts for anonymisation? Not found.

Has the KMK even realised that its project interferes considerably with the personality rights of the people affected? I fear that the answer to this is also: Not found.

The working group on “data acquisition strategy”, anyway, which is to “prioritise recommendations for action under professional and pragmatic aspects”, obviously understands data protection only as a possible cause of “restrictions”. With this it perpetuates the stance of the statistics commission: Their understanding of data protection in a report in 2005 about the state of implementation of the KMK’s project was restricted to reporting data protection concerns voiced by some federal states. They obviously regarded the facts that the state of Saxony (Sachsen) has now stopped the collection of individual data altogether and the state of Schleswig-Holstein demands to include data protection considerations only as annoying acts of grumbling.

So it seems that it is high time the KMK turn the operation “back on its feet again”, as the Schleswig-Holstein data protection commissioner demands, and heed the basic standards of project and data protection management.

Congratulations, Conference of State Ministers for Education! Director’s office! Now!

Reprimands & Commendation (2006)

A short retrospective ...

About Big Brother on German highways, a fee for computers with access to the internet, a radio or a TV card, RFID politics in Europe, and how that's related to the German BigBrotherAwards.

So now Big Brother is to be firmly placed on the autobahn, after all. And this is how: After a series of murders of women, each committed near the German motorways, suspicion fell upon a truck-driver. This also marks the birth of the idea to use data from the new toll system, which originally were meant to serve only toll fee collection, for criminal prosecution. But this is — with good reason, we think — not allowed by existing legislation. Now a draft bill from the offices of Federal Interior Minister, Dr Wolfgang Schäuble, is going around the ministries, aiming at the abolition of these tight restrictions. The promise made by legislators that the toll collection infrastructure would never turn into a surveillance infrastructure is about to be broken in the near future. Incidentally, when the 2002 BBA was given to the operators of the toll-system, TollCollect, we had warned of this already — and we really don't enjoy being right with sinister predictions.

In September 2006 it was decided to introduce a fee for computers with access to the internet, a radio or a TV card, applicable if the owner is not already paying a radio or TV licence fee. This will create a grand new field of work for the house-to-house investigators from the GEZ (Gebühreneinzugszentrale), the organisation that collects these fees and is always on the lookout for licence dodgers. And it will make the system of financing public broadcasting even more complicated than it is now. The GEZ received the Big Brother Award in 2003 for their lifetime achievement. Their sounding out of neighbours and buying of databases with household data was extensively criticised by us at the time. In our recently published book, Schwarzbuch Datenschutz (Data Protection Blackbook), which revisits the most noteworthy recipients of the past years, editors Rena Tangens and padeluun from the BBA jury propose and discuss various alternative ways of financing public radio and TV. These all aim at getting away from an equipment-based system and towards a citizen-financed one. For as long as the system is based on individual appliances having to be registered, the GEZ will go on snooping about in our living rooms and offices. A per capita fee from every citizen would be in accordance with the political aim: “Yes, we want a public radio and TV service as a cultural asset for Germany.” But this should then also be free of commercial advertising. More on this can be read in the book [available only in German, though].

On October 8, 2006, EU Commissioner Viviane Reding announced a groundbreaking vote: Only 15 percent of the participants in an online consultation set up by the EU Commission believe that the industry would protect the privacy of citizens sufficiently on the basis of voluntary self-commitment. More than half (55 percent) expressly wish for legal regulation of RFID users and producers. FoeBuD member Jan E. Hennig has been to several RFID conferences of the European Commission and has introduced FoeBuD's thoughts and opinions about RFID and privacy there personally and in writing.

The RFID lobby invests millions in PR ventures and influence on politicians. That the RFID industry can no longer bypass the idea of data protection is almost exclusively due to the — mostly voluntary — work of civil rights groups like the FoeBuD, for instance through giving the 2003 BigBrotherAward to the “Future Store” of the METRO Group, the beginning of FoeBuD’s StopRFID campaign.

Notes of Disapproval

Not all nominees for the Big Brother Award have made it. Several times, the jury had great difficulty not to sanction a violation of data protection with one of our unwanted prizes. But data leeches who think they might run off unharmed only because we hand out too few main prizes are harbouring a false sense of security. Because there still are our notes of disapproval.

Again this year, many nominations were concerned with unnecessary data collection. Of these we present only three that demonstrate thoughtless use of personal data:

The students of a business school of higher education in Bielefeld (Fachhochschule des Mittelstands) are demanding that visitors to one of their events supply a complete professional profile: name, address, position, company, fax, phone, e-mail — all required entries for the internet-based application form, with the reasoning that “we need to print proper name tags, don't we?”

In May 2006, the first league football club Energie Cottbus took all data from the ID cards of ticket buyers, who could buy a maximum of four tickets per person. But they didn’t even plan to link tickets to individual people — which makes the purpose of this data collection simply incomprehensible.

Downright impudent is the behaviour of the German association of yachtsmen (Deutscher Segler-Verband): Those who do not want their participation in a regatta published on the internet have to pay 10 Euros as a “service charge”. Informational self-determination has degenerated into a tradeable commodity.

The Interior Minister of the southwestern state of Baden-Wuerttemberg, Mr Heribert Rech, is also due for a reprimand. He had his ministry develop a questionnaire to be used in the naturalisation procedure, the so-called Muslim test, and some of the questions that presumed Muslims are given must be considered part of the inviolable core of private life choices. People wanting to be naturalised are questioned about family affairs or personal reactions to other people’s sexual orientation. This is not only discriminating but also a data protection problem. Answers to such questions are simply none of the state’s business — just like attitudes and lifestyles of its citizens are of no concern to it either, as long as no criminal acts are involved. So to assess adherence to the constitution, of all things, Mr Rech has installed a questionnaire and a procedure that contradict the very spirit of the constitution.

There are more violations of the legitimate right to be left to one’s private life to reprimand. The tabloid Bild-Zeitung, for one, with its “reader come reporter” campaign sounded the attack on the privacy of the famous, and the not so famous. Snapshots of socialites, spectacular accidents or people caught unaware in the nude are now distributed all over the country and remunerated with 500 Euros for the hobby paparazzi. The respect for privacy and thus human dignity of fellow citizens is severely put into question through this kind of gutter journalism. The jury strongly disapproves of this kind of instigation to voyeurism and together with society-critic Karl Kraus hopes “that a growing number will be gripped with horror that such things have a place in a cultured society.”

There is much talk of voluntariness in connection with mass DNA-surveys. They enjoy increasing popularity as a means of criminal prosecution. The last great DNA-manhunt took place in the town of Coswig, near Dresden, in July 2006. After two sexual assaults, at first 3,000 men were asked — on court order — to volunteer mouth swabs, but no match was found. Then about 100,000 men living in the Dresden area were to be asked to take part in saliva tests. The BBA jury says: a refusal to participate in such tests cannot justify suspicion. Therefore it is more than alarming that the refusers have to reckon with being criminally investigated, having their alibis checked or even investigators turning up at their workplace.

We further want to draw attention to the second largest prying campaign since the Football World Cup: not only professional but also hobby air pilots and everybody who has “more than sporadic” access to airport areas must have themselves explored since January 2005. With the revision of the law on air security, the Luftsicherheitsgesetz, (which originally also contained the possibility of firing at a hijacked passenger plane), a reliability test was introduced at the beginning of last year. To pass this is a prerequisite for earning or keeping a flying licence. The examination involves numerous inquiries with the police and intelligence agencies. Applicants do not only have to arrange for these annual inquiries themselves, they must also pay for them out of their own pockets. It is not known whether there is a definitive catalogue of rules, listing which facts would put someone’s reliability in doubt. Since the introduction of this test, pilots have to fear that e.g. certain foreign contacts might lead to a revocation of their licence.

And last but not least: As we know from their verdict on the so-called Major Eavesdropping Attack [1] from March 3, 2005, the Federal Constitutional Court (Bundesverfassungsgericht, Germany’s highest court) attaches great value to giving special protection to a core area of private life, such as phone conversations with one's spouse. On the same day, the judges also declared unconstitutional the authorisation for telecommunications tapping by the customs authority and called on the parliament to protect privacy in these areas as well. They set the Federal Parliament (Bundestag) a deadline of December 31, 2004. The parliamentarians adhered and removed the unconstitutional parts from the German foreign trade law, but, with minor changes, reintroduced them in the customs investigation service law. And the regulations stipulated by the Constitutional Court for the protection of core areas of privacy were still missing. So there was still legislation in force that was incompatible with the Constitutional Court’s requirements. At least the new law was again time-limited and due to expire on 31 December 2005 — but then the Bundestag extended this obviously unconstitutional law for another year. We take note: The German Federal Parliament refuses obedience to the Constitutional Court. A clear reason for a reprimand from the BBA jury!

You see: Even below the threshold of prize-worthiness in the Big Brother Awards, data leeches of official and private varieties are up to mischief. There continues to be a great demand for everyone to be alert and refuse to accept a surveillance society. We hope that this will continue to find a response in numerous nominations of data leeches.

[1] Großer Lauschangriff, the German name for audio surveillance being used on private homes in the course of state investigations

Technology (2006)

Philips

This year the Philips company receives the BigBrotherAward in “Technology” for the specification that CD burners write their unique serial number on the CD and thus facilitate tracking of the storage medium to the burner.
Laudator:
Frank Rosengart, Chaos Computer Club (CCC)

The BigBrotherAward 2006 in the category "Technology" goes to Philips GmbH Consumer Electronics Division, represented by CEO Mr Ronald de Jong, for the specification that CD burners write their unique serial number on CD‑Rs and thus facilitate traceability of storage media to the individual burner.

With the introduction of recordable CDs and the required burners, the so-called Orange Book Standard was created. This document describes the technical processes and design parameters that a recordable CD and the respective CD drive must follow. A major player in setting down these standards was Philips with its consumer electronics division. The division complied — thus the story goes — with demands from the entertainment industry and introduced unique markers of home-burned CDs into the specifications. From now on, all new burners were to leave their unique serial number on the CD during the burning process.

With this serial number the entertainment industry hopes to trace “bootlegged” copies of music and other copyrighted CDs, i.e. unlicensed duplications of storage media, in order to be able to prosecute the bootleggers. In actual fact, though, the burnt-in code leaves a data trace that might give all CD creators a difficult time of explaining themselves. The user of a burner is not warned of this fact, and burner producers are not forthcoming in declaring which devices write such a code on media. But the dangers are obvious: Anonymous sharing of data is no longer possible — copies can be traced back to the device with which they were made. A similar feat was already recognised by the Big Brother Awards jury in 2005, when they honoured secretly printed codes from colour photocopiers.

Regular visitors of German cinemas know the advertisement spots from ZKM Kinomarketing: “Bootleggers will go to jail for five years!” What is not said in these spots is that this is the maximum penalty for criminal breach of copyrights on a commercial scale. Those who ever went to a market place in Eastern Europe or Asia will know what is meant here: Professionally made bootleg copies of music, films and software are sold there in vast quantities. These CDs, though, are mass-produced in professional CD-pressing works. Without the serial number of the machine, naturally. Production with a home CD burner would be far too time-consuming. So the Philips technology doesn't help here. It only affects the private user.

Let us state it clearly: It is not a punishable offence in Germany to burn, i.e. copy music CDs for private use. Even if campaigns from the entertainment industry would like to paint a different picture. The law only says that technically effective copy protection measures must not be circumvented, and the music must not come from an “obviously illegal” source.

Through a fee on empty storage media, which is included in the retail price of recordable CDs and CD burners and goes to the German copyright collecting agency GEMA, originators of copyrighted material do even get compensation. There is, therefore, not the slightest reason to attach this quasi-secret mark to the CDs. Nevertheless, many devices continue to write the code on discs — because it is specified in the Orange Book Standard.

We heartily congratulate you, Mr Ronald de Jong from Philips, vicariously for all producers of CD burners that leave a serial number on CDs.


Footnote:
Technically speaking, the recorder identification (RID) is placed in the so-called “sub-code Q channel”, which also contains information about the running time of a piece and song titles. The RID consists of three characters to identify the producer, four characters for the model and (at least) five more for the serial number of the individual device.

Consumer Protection (2006)

GDV

The award in this category was well earned by the German Insurers’ Association for its “warnings and indications” database, which insurers use to exchange substantial amounts of data about millions of citizens — with undisclosed criteria, without sufficient legal foundation, and unknown to the people affected.
Laudator:
Rena Tangens, Digitalcourage

The BigBrotherAward 2006 in the “Consumer Protection” category goes to the Association of German Insurers (Gesamtverband der Deutschen Versicherungswirtschaft, GDV), represented by its president, Dr Bernhard Schareck, for the insurance industry’s “warnings and indications” databases, which insurers use to exchange substantial amounts of data about millions of citizens — with undisclosed criteria, without sufficient legal foundation, and unknown to the people affected.

The insurance companies organised in the Association [1] are maintaining a joint database called “Uniwagnis” (uni[versal?] peril), in which data about insurance customers, but other people as well, are stored without their knowledge. The database, according to the Association, is about uncovering insurance fraud, but it is really a “black list” — and any person regarded by any member company as a “bad risk”, or a not so lucrative customer, could be recorded in it.

“No, not everyone (is thrown into this code pool). As a prerequisite, one has to have somehow been involved in a loss, and the insured person must be under suspicion of fraud. But the fraud does not need to be proven.”

(From an Association statement in their magazine, “Positions”)

There are about 10 million entries in the “Uniwagnis” database. How is that possible? How does one appear in this list?

Sooner than you think, actually. Imagine you had a car accident on a country road at night. Fortunately, there was a witness whose statement to the police confirms what happened. Imagine further that you are a student and the car was not registered to yourself but to your mother or your flatmate. You may not see anything wrong here, but each of these details would seem suspicious to insurers, “earning” you negative points on a secret scale of the insurers’ scoring system. By the time you exceed 60 points — for whatever reason — your car insurer would rate you as a “suspicious customer” and enter you in the “warnings” database of the Insurers’ Association. And because you were deemed suspicious, the same label would apply to everyone else involved in your accident: the registered car owner, the friendly witness and the assessor who evaluated the damage.

The warnings database does not only get involved when you claim on your insurance, but as soon as somebody wants to take out a policy — such as legal, life or disability insurance. Whenever one of the associated insurers receives an insurance application, “Uniwagnis” is activated through an interface in the background. Entries into the system are automatically passed on to the Association, regardless of whether the customer only wanted to acquaint themselves with the terms and conditions and even if they expressly objected to their data being shared [2].

If “Uniwagnis” finds a hit, i.e. the newly entered personal data matches an existing record, that record is displayed. In theory, the employee of the querying insurance should now phone the insurance supplying the data and ask about the details. But in practice the mere existence of a matching record will suffice to give you special treatment. It is a stigmatisation with a consequence: being entered in the warnings database might for example lead to increased insurance premiums or prevent you from getting an insurance at all.

An example: legal expenses insurance will often take as little as two claims within one year as grounds for cancelling the contract. And you could even lose your legal insurance if three times in three years you had only asked about getting coverage — no matter if the insurance was then actually claimed or had to pay at all. So, if you suffer from a difficult neighbour or landlord who would keep sending you those worrying letters so that in the course of 36 months you had raised this three times with your legal insurer, just to be on the safe side (without ever actually using it!), you might still end up with a terminated contract and a notice in “Uniwagnis”. Which would mean that all legal insurers are aware of this and might not insure you, or only do so for a higher fee. By asking your insurance to do only the slightest beginnings of its actual purpose — which is to be potentially called upon in case of loss — you might end up stored in a “fraud aversion” database without even knowing it.

Every two to three weeks, every insurance receives the full amount of data reported about millions of people. This data is transferred whether the insurance has a justifiable interest in it or not. A clear case of data being transferred for nothing but “stockpiling” — which is plainly illegal under the German Data Protection Act.

The Insurers’ Association does not see anything illegal in its actions: after all, the customers had consented to their data being shared, a clause they signed in their insurance contract. But do customers actually know what they are signing? Explanations are not given in the contract itself, only in a separate leaflet. The “Merkblatt zur Datenverarbeitung” (leaflet on data processing) comprises four sheets of small print. Often the customers won’t even be shown the leaflet before signing — let alone have the individual items be explained to them — because they are only sent it later with their insurance certificate. The same insurers that usually reply to complaints about their business practices by saying that customers were simply not reading their contracts actually conceal vital information from them. Customers are deliberately led to believe that giving consent to data sharing was just a formality. And customers like to believe it, because their mind is focused on other issues at the time they enter into an insurance contract.

Everyone who is reported into the warnings database would actually have to be notified by the insurance and be given an opportunity to comment. This does not only apply to insurance customers but even more so to related persons such as car owners, witnesses and assessors, because these people never even signed a contract with the insurance to begin with. But the insurances are not notifying anyone, as this would lead to a negative image and many complaints. And complaints management is expensive. So the storing goes on, without any kind of transparency.

“If you want to find out if your name is stored in one of the ‘warnings databases’ of the insurance industry, you’d better take a few days off work ...”, writes Finanztest, a major German financial services consumer magazine [3]. This is because the only way for customers to find out is to ask each insurer individually what they have reported to the Association — it is the individual companies who are legally obliged to respond to such queries. The Association refuses to give this information to citizens and considers itself not obliged to do so. Firstly, the Association says it is acting as a subsidiary of the insurances (citing § 11 of the German Data Protection Act), and secondly, they claim that the data is stored in a coded way, making it no longer personal or person-relatable.

This is what the Insurers’ Association calls “coding”: if you search the database for, say, “Petra Meyer” and “Hamburg”, you are given all existing records of people in Hamburg whose names sound similar (Petra Mayer, Petra Meyer, Petra Meier etc.) with address, possibly date of birth, reason for being reported and contact number for the reporting insurer. Using the address or date of birth, a link to the individual person can be made without any external information. If necessary, further data can be obtained through a call to the reporting insurer without the knowledge of the affected person. The data are therefore neither anonymous nor “pseudonymous”, in spite of the Association’s claims. All participants can relate the data to the person, so the data is person-related. The system even lacks any effective means of preventing queries made out of mere curiosity or for advertising and marketing purposes.

There seems to be an abundance of lawyers who are happy to author (partly outrageous) justifications for the insurers’ practices. A law professor commissioned by the Association argues in a legal assessment [4] that a “justifiable interest” for sharing the data would not need to be demonstrated at all, because the insurers had an interest in the warnings database as a whole. And he seriously holds the view that it would be sufficient information for the customer if the “leaflet on data processing” were kept in insurance agents’ offices so that customers “could inspect it”.

Another expert opinion [5], commissioned by the consumer association VzBv [6], however makes it clear that the declaration of consent to data sharing that is commonly used at present is ineffective because of serious legal shortcomings [7]. The consent given by consumers to the sharing of data is neither “conscious” nor “informed”, as mandated by law. Customers are not informed about the contents or the possible consequences of their data being shared, and they are not given an alternative. If customers do not consent, they might “potentially” not be given insurance.

The “warnings and indications” database does not only serve the stated purpose of tracking down insurance fraud, it also facilitates a price cartel for the insurers. It is an obvious goal of the insurers to filter out so-called “bad risks” and insure these only for a higher premium or not at all. The insurers are thus using the warnings and indications database as a market information device to restrict competition, which is illegal and to the disadvantage of the consumer. That is a case to look at not only in terms of data protection, but also for the German monopolies commission.

How do the insurers succeed again and again in pushing through their positions in politics and new laws? “The Association of the German Insurers and the Association of Private Health Insurances are not very visible in public, but they are all the more active behind the scenes. Because insurance giants such as Allianz AG are among the economic heavyweights, the industry is finding open ears in every political party”, says the daily newspaper “Die Welt”. The insurance lobby has a huge influence. Some parliament speeches or draft laws come straight from the insurers’ writing desks [8].

Sometimes their links to TV editors are too short as well. Between 2000 and 2005, the Insurers’ Association clandestinely bought themselves product placements in Marienhof, a successful soap on Germany’s nationwide public broadcasting station, ARD. Commissioned dialogues and magazine features are probably far more effective than conventional advertising — on the other hand, they’re completely illegal.

It seems that transparency is the last thing the organised insurance industry would want for its own activities — but their customers just can’t be transparent enough for them.

As legal scholar Daniel J. Solove concludes: Databases fundamentally change the way decisions in the administration are made and judgements that influence our lives are worked out. Databases are not the basic cause, but they enforce an already existing imbalance of power and tend to leave the people powerless [9]. The “warnings and indications” database of the insurance industry is a prime example.

We want our politicians to develop more spine against powerful lobbying organisations. We wish consumer associations and data protection commissioners more effectiveness in confrontations with the insurance industry. Our advice to the insurers themselves is to change their data protection and business practices profoundly — before the word “insurance fraud” takes on a whole new meaning in the public arena.

Congratulations, dear Association of German Insurers, dear Dr Schareck — you, for one, have been notified in advance; now you are stored in the public “warnings and indications” file that is the Big Brother Awards.

Laudator:

Rena Tangens, Digitalcourage

Sources

1 There are further databases within private health insurance companies, where data about several millions of citizens are stored.

2 By now there are independent insurance brokers who offer the service of entering insurance applications anonymously, and only consent to data sharing when the contract is actually made. To be recommended.

3 Finanztest 7/99, p. 84

4 Prof. Thomas Hoeren, Münster: „Risikoprüfung in der Versicherungswirtschaft – Datenschutz und wettbewerbsrechtliche Fragen beim Aufbau zentraler Hinweissysteme“ VersR 2005, issue 22

5 Prof. Dr. Hans-Peter Schwintowski: Rechtliche Grenzen der Datenweitergabeklausel in Versicherungsverträgen. In: Verbraucher & Recht 7/2004, p. 242 ff

6 VzBv: Verbraucherzentrale Bundesverband e.V., Germany’s leading consumer association.

7 The clause about the “indications and warnings” system is not only too unspecific, it also violates fundamental considerations of the Data Protection Act and is therefore ineffective as a part of the insurers’ Terms and Conditions (following § 307 BGB, Germany’s civil code).

8 Thanks to Lilo Blunck, then member of parliament for the SPD (Social Democrats), one of these cases was uncovered. (Reported in Die Zeit, 28/1999: Kontakthof der Macht / contact backyard of the powerful). Blunck now works as executive of the association of the insured, an active consumers’ organisation. See https://www.bundderversicherten.de/

9 Daniel J. Solove: Privacy and Power. Computer Databases and Metaphors for Information Privacy. Stanford Law Review Vol. 53, 2001.
