Workplace (2012)

Bofrost

The BigBrotherAward 2012 in the “Workplace” category goes to Bofrost (a German-based manufacturer and home delivery service for frozen foods), for unlawfully prying into data on a computer belonging to the staff council. Bofrost have evaluated an electronic file belonging to the staff council, and they have used a staff council paper that they discovered as grounds to make a staff council member redundant. Industrial courts have confirmed the illegality of these actions in several cases. On another staff council member’s computer, the remote control software Ultra VNC was installed without the staff council’s consent. A court settlement was required to make Bofrost ensure that they would no longer do this in the future.
Laudator:
Prof. Dr. Peter Wedde, Frankfurt University of Applied Science

The BigBrotherAward 2012 in the “Workplace” category goes to Bofrost Dienstleistungs GmbH & Co. KG, Bofrost Services.

Bofrost receive this award for unabashedly accessing a legally protected electronic file belonging to the staff council. Bofrost seem to have no sense of guilt despite having been found to be in violation of the law; they continued to pursue industrial law court proceedings in higher courts, after losing in the first instance.

[Note to international readers: a staff council, or works council, is a ‘shop-floor’ organization representing employees at the company level in labour negotiations. Staff councils are a major element of the co-determination provisions in German industrial law. Companies above a certain size must establish a staff council, consisting of regular employees and elected by the whole workforce. Staff council members carry out their duties using some of their regular working hours. They must not be obstructed and can only be dismissed for “extraordinary” reasons.]

On their website, Bofrost declare their intention to act as a “pragmatic, cooperative, reliable and enterprising” business. A member of the company’s staff council got to experience that cooperative pragmatism. He was accused of having written a position paper in support of sacked employees during his working hours, which Bofrost regarded as inadmissible. This paper had been e-mailed from a staff council computer to their legal secretary.

Bofrost got to know of this e-mail during industrial law proceedings against these sacked employees. The company then wanted the staff council to reveal who had written the paper. When the staff council refused to answer, Bofrost accessed relevant data that belonged to the staff council secretly, without the staff council’s actual knowledge. Bofrost claimed that a company framework agreement would authorise this and that the staff council had been notified of the access and asked to consent to the data being examined. Interesting how easy data espionage can become in a constitutional democracy. Naturally, the staff council did not agree and objected to the request to access the data.

The information that was then obtained secretly and without actual knowledge of the staff council led to consequences. The staff council member received an extraordinary dismissal. The reason given by the employer was that writing such position papers was not among the tasks of the staff council, therefore the paper’s author had defrauded the company by misusing his work time.

Bofrost’s actions led to a number of industrial law cases, which were all lost by the company. The local industrial court of the city of Wesel declared the dismissal invalid. In another case, the same court ruled that Bofrost was generally not permitted to access the staff council’s electronic data.

Although the industrial court’s decisions were an all-round slap in the face for Bofrost, the company was not deterred from appealing the decision in the dismissal case. The higher industrial court went ahead and slapped Bofrost again: accessing staff council data was declared unlawful on the 7th of March, and no appeal was allowed.

Another case shows that the company is not willing to listen to plausible and judicially confirmed arguments. Staff council members at another Bofrost site noticed that remote control software had suddenly appeared on their computers. This had been secretly installed by Bofrost and enabled clandestine access to staff council data. The company hadn’t even bothered to go through the legally required processes of prior information and co-determination. The software installation was therefore illegal. There was one consolation though: after this was found out, the software was uninstalled.

This kind of behaviour highlights that employee representatives’ rights are not regarded as a desirable quality feature by Bofrost. Numerous privacy scandals of the last few years – we will cite just two examples, Lidl and Daimler – and the debate about protecting employees’ personal rights seem to have completely passed the company by. Could it be that the responsible people were locked into a cold store at the time?

Bofrost, Lidl and the others are not alone. The BigBrotherAwards jury have had several reports of similar cases this year. Again and again, staff council members experience inadmissible inquisition and snooping, during which employers access stored data. And the employers don’t seem to fear making headlines with such privacy scandals at all.

But it could be worse – if the governing coalition in Berlin adopt their draft of an “employee data protection law”, that is. In contrast to what the name suggests, the law will not improve workers’ protection against computer files being spied upon. Instead, it creates new opportunities for companies to collect and analyse data, far beyond what is legally permissible today. The law would legalise many past privacy violations in retrospect. In cases where breaches of duty or criminal behaviour are suspected, monitoring abilities would even be extended. This new law would not protect employees (despite what its name suggests), but company interests. A more appropriate name for this “employee data protection law” would therefore be “employee surveillance authorisation law”.

One law would remain unaffected by this change, however: the works constitution act (Betriebsverfassungsgesetz, the main German co-determination law). Bofrost still won’t be able to clandestinely inspect staff council data; such actions are and continue to be forbidden.

We can only advise Bofrost to brush up on their legal knowledge and swiftly put that into practice – before another industrial court pours cold water on them again. With actions like these, Bofrost will clearly miss the aim displayed on their own website: to become one of the best employers in Europe.

Congratulations on the BigBrotherAward, Bofrost.

Technology (2012)

Gamma International

The BigBrotherAward in the category “Technology” goes to Gamma Group, represented in Germany by Gamma International in Munich, personally by its general manager Stephan Oelkers, for their software “FinFisher”. Gamma advertises the ability of its product to exploit security vulnerabilities in iTunes and Skype to plant spyware on the target system, for example by using fake software updates. It also markets the ability of its software “FinSpy Mobile” to remotely access Blackberry personal mobile devices. Gamma software products are being sold to domestic and foreign state agencies. Among other locations, it was found during the storming of the headquarters of the Egyptian secret service in Cairo by civil rights activists.
Laudator:
Frank Rosengart, Chaos Computer Club (CCC)

The BigBrotherAward in the “Technology” category goes to Gamma Group, represented in Germany by Gamma International in Munich, personally by its general manager Stephan Oelkers, for their software FinFisher. FinFisher is used by authorities to penetrate computer systems in order to install surveillance software.

An excerpt from their sales brochure reads as follows: “Remote surveillance and software-installation products enable access to the target systems (computers and telephones), allowing remote control, data analysis, eavesdropping on encrypted communications and data collection. …”

With frightening frankness, Gamma offer their services on their German website – despite the fact that development and distribution of this kind of spyware is prohibited by German criminal law (Par. 282c StGB). However, this only applies to dealing with private customers, not to sales to domestic official agencies, or the secret police of a foreign dictatorship. At least that was the reason why the Munich prosecution refused to open a case against Gamma.

The so-called “Federal Trojan” (Bundestrojaner) is one of the most controversial investigation tools for the German police and secret services. Once installed on somebody’s personal computer, it enables government agencies to search the machine’s contents remotely and covertly, snoop through e-mails, or record passwords. Even the computer’s microphone and web cam can be activated for surveillance. Although the Federal Constitutional Court has strictly regulated the use of such programs in Germany, other countries are much less squeamish: in Syria, Turkmenistan or Oman the secret police will routinely spy on computers of opposition members, and persecute them for advocating a more democratic state.

Pro-democracy movements are increasingly using the Internet for their activities. Consequently, government agencies would like to be able to observe the “electronic life” of a targeted person. Large-scale control of the Internet as well as targeted examination of private computers, e-mails and Facebook accounts are methods of choice.

Documents found during the storming of the headquarters of the Egyptian state security agency prove that the secret police was going to hunt down members of the opposition using a Trojan made by Gamma Group. The agency ran extensive tests on a Gamma laptop and rated the FinFisher software very positively.

In cooperation with Swiss company Dreamlabs, Gamma have offered a so‑called “Infiltration Proxy” from the FinFisher product family to countries such as Oman or Turkmenistan. With this software, thousands of computers can be equipped with snooping software en masse.

There has been a lot of discussion in Germany about how spyware is planted onto a suspect’s computer. We know from recent cases that the usual method is for agencies to choose direct physical access: a faked break-in to bug the PC at night, or a security check at an airport, where officers would be able to get their hands on a laptop for a few minutes under a false pretence. But there are more elegant solutions: Security holes in applications or in the operating systems can be exploited by agencies using so-called “man-in-the-middle” attacks to install spyware on the computer. The spyware vendor in this case obtains knowledge about software security vulnerabilities on the black market and offers wire-tapping services for the user’s internet connection, in most cases with assistance from the service provider. Whenever affected users run a piece of software with a vulnerability, for instance the iTunes music shop, they will unwittingly install the spy trojan on their machine. A presentation by Gamma explicitly names Apple’s iTunes as an intrusion path for their software.

Gamma Group offer their services in this specific market segment, known as remote intrusion. Their FinFisher product provides agencies with a comfortable tool to intrude into their target person’s computer and place the spy software on it.

Gamma are one of the main sponsors of international security shows such as the ISS in Dubai, and there they also offer their FinFisher software to government agencies of countries where human rights are respected to a far lesser degree than here in Germany.

The German Federal Criminal Police Office (Bundeskriminalamt, BKA) has shown interest in Gamma’s FinFisher software and has purchased a test license, as confirmed by the federal government in response to a parliamentary inquiry.

Structures behind the internationally operating Gamma Group are less than transparent; their exports are handled via other companies. We do therefore not know if we have picked the correct recipient for our award: we do not know who really is behind Gamma in Germany. We have chosen Mr. Stephan Oelkers because he repeatedly appears in presentations and the trade register contains his name with general commercial power of representation.

Congratulations Mr. Oelkers, of Gamma Group.

Consumer Protection (2012)

Blizzard Entertainment

The BigBrotherAward 2012 in the “Consumer Protection” category goes to Blizzard Entertainment, for various violations of privacy in their online games, such as World of Warcraft. Using recorded data such as time spent playing, hardware characteristics, synchronisation of friend lists, data on gaming behaviour that is publicly available in part (such as: who solved a certain task), personality profiles and character studies can be created. A patent for such an analysis has already been issued in 2007, to a Google employee. Piece by piece, opportunities for data hoarding are expanded in overly long terms and conditions. But an attempt to compel users to use their real names in public was averted by protesting players – at least for the time being.
Laudator:
Frans Valenta, Deutsche Vereinigung für Datenschutz e. V. (DVD)

The BigBrotherAward 2012 in the “Consumer Protection” category goes to Blizzard Entertainment, Inc., a division of Activision Blizzard, for turning a playful spare time activity at the computer into a battle for privacy with a seven-headed dragon. A first victory has now gone to the online role-players; but the dragon has only been lightly wounded, and it is rearming.

If you are familiar with fantasy literature and mythological figures, you will know: dragons, especially the multi-headed varieties, are often used to symbolise evil. Such as Hydra, the serpent-like beast Heracles had to slay as the second of his twelve labours. Now online role-players are getting to feel the might of the dragon, too – and not just while they are completing their tasks or “quests”.

There is a dragon that follows the players all the time, and whose presence they cannot notice, because it is invisible. It hides away in the terms and conditions, successfully camouflaged under pages and pages of text, which (as we all know from experience) are swiftly clicked away so that one can finally get on with the game.

Just this once, we would like to examine closely what such a dragon looks like, and how it affects the players. A Hydra, for example, possesses nine heads, eight of which are mortal and one immortal. As soon as one head is cut off, two new heads grow in its place. The dragon deployed by Blizzard Entertainment and other online role-play providers, such as second market leader Electronic Arts, has rather similar features.

Once upon a time, around the year 2004 or 2005, online role-players would simply create a cool fantasy name and an enchanted password to open the gates to the dungeons of the virtual worlds. Today’s laureate, the Blizzard dragon, decided in 2009 that this was no longer good enough. It wanted to register all users in its universal account system, encompassing several games at once. Since that time, all users are forced to register with an existing email address. Other game providers followed the example. The weapon which the dragon deployed for this assault on privacy was the first of its seven heads: a change of terms.

The Terms

In effect, terms are the immortal “chief” of the games. They force the user to accept all conditions, without exception. Without clicking the “accept” button, users are not granted entry to the “World of Warcraft” and other virtual game environments. By accepting, the users relinquish “all rights and title in and to the service (including without limitation any user accounts, titles, […] characters, character names, stories, dialogue, […] moral rights, […] transcripts of the chat rooms, character profile information, recordings of games)” – this is quoted from Blizzard’s “terms of service”, through which the provider is given wide-ranging influence over the users’ private data.

For example, users must consent to a permanent

Memory Scan

of the computer’s working memory while the game is running, carried out by the provider’s software (the software used by Blizzard is called “Warden”, Electronic Arts has “Origin”). The scan will register all processor activity. These programs were developed because many players were using so-called “bot” programs to collect “gold” or increase their character’s strength. This upset most other users, and there were calls on the providers to respond. The memory scan is meant to detect “bot” programs and prevent cheating. What the providers will do with the information they collect – not all related to gaming – is completely unclear. This led the Electronic Frontier Foundation and other civil rights groups to rate the scanning programs as “spyware”.

The next dragon head with a license to spy is the permission for

Chat Recording.

This affects all the text communication that is typed into small chat windows during the game. At least Blizzard is not storing audio chat recordings, as an automatic analysis is technically unfeasible due to the variety of languages and dialects. At least for now.

A very rich source of spy fodder for our dragon, though, is

Game Recording.

This registers all of a player’s actions chronologically. To prevent users from realising that a data retention and movement profiling scheme is established here,

Player Rankings

were introduced. Honourable mentions will appear for fights, “player versus player” action, for completing “dungeons” and “raids”, for professional skills acquired by one’s character, its reputation, and its participation in so-called “world events”. Reading information about a character is not restricted to the owning player. Everyone who knows the name of a character in a gaming “world” can use the so-called “armory” to access the information on the Internet. This will reveal how often and how long players have been playing.

By observing the way a player has played over time, a

Personality Profile

can be obtained for every player. US patent 20070072676 – filed in 2005 and published in 2007 in the name of a Google researcher – describes in detail how recorded gaming characteristics, time spent in chats, behaviour in trading, territory exploration, decision-making in conflicts, a calm or aggressive style of playing or a player’s readiness to take risks can all be analysed for the purpose of targeted advertising.

Psychologists could well derive from this whether someone might join the military, who should have his credit rating downgraded, who possesses leadership qualities, who should be avoided because of rowdy behaviour, who is a potential game addict or probably unemployed. Some game tasks seem like they were written as a direct recruitment tool for special forces – players may have to carry out targeted killings of civilians, or force confessions by torturing with electric shocks. Tasks like this have a strong resemblance to the Milgram experiment of 1961, which tested ordinary people’s readiness to follow authoritarian orders even if these were clear violations of their conscience.

In the field trial labs of our “dragon creator” Blizzard, everything is recorded. It doesn’t take a lot of imagination to come up with organisations that might show great interest in these player profiles.

“This will not harm me as long as I operate my avatar anonymously”, many players may have thought – that is, until

Friend Lists

were going to be introduced. The friendship scheme would have compelled forum users to use their real name online, instead of a pseudonym. Again, this was prompted by players calling on the provider to act against trolling co-players. “Fine, we will personalise our service then”, was Blizzard’s response, “and while we’re at it, why don’t we include Facebook accounts and their friend lists as well.” In the words of the company, this would “enhance the social-entertainment experience for our players”. At least this feature is optional: Players must actively allow Blizzard’s game “Starcraft II” to access friend lists on Facebook.

A co-founder of the company praised the change with the claim that “removing the veil of anonymity typical to online dialogue will contribute to a more positive forum environment, promote constructive conversations, and connect the Blizzard community in ways they haven't been connected before.” But the players were not at all pleased that their employers or neighbours might suddenly be able to identify them as regular online players. Very soon, there were more than 12,000 complaints filling the German forums alone. A “shitstorm” broke loose on the dragon, on Blizzard and its “battle.net”.

The community manager in the US wanted to lead by example and blithely published his real name. Soon, this led to action: at lightning speed, his address, phone number, age, name and age of family members, personal preferences and more details were posted in the Internet forums. Capitulation was achieved within two days. It was announced that “at this time […] real names will not be required for posting on official Blizzard forums”. This was at least a partial victory won by players with their growing desire for protection of their personal rights and data.

Blizzard had already won an Austrian Big Brother Award in 2005, in the “communications and marketing” category, for spying on computers’ working memory and data.

Our reason to give today’s BigBrotherAward is the full interaction between numerous components, under the label “Real ID”. When players log on to, say, “World of Warcraft” and “Starcraft II”, using the same e-mail address, they find themselves on Blizzard’s battle.net server and they can see if their friends are online in other Blizzard games. And of course they can be seen themselves, too. If players just want to have a good time in a colourful gaming world and not leave a character fingerprint on the network, they must be very well informed, use separate e-mail addresses and take meticulous care to separate their game identities.

The dragon may have lost one head in the failed attempt to introduce real names via Real ID. But soon, two heads will grow back – what will they be? Blizzard’s partial withdrawal was not caused by insight, neither was it for the sake of players’ convenience: it was due to massive protests against a naive mistake in marketing. With comprehensive recording of players’ actions and behavioural patterns, Blizzard and other game providers are paving the way towards personalised in-game advertising and character profiles that could easily be shared with third parties after a clandestine change of terms.

To make one thing clear: we do not think that online gaming is evil as such. Blizzard in particular offer some very creative games. We would wish that this BigBrotherAward – and the publicity that comes with it – will make Blizzard rethink its privacy settings, and that players will take the trouble of actually reading the terms. Our hope is to set a signal for the whole gaming industry, for the benefit of consumers.

In that spirit – congratulations, Blizzard Entertainment, on the 2012 BigBrotherAward.

Politics (2012)

Hans-Peter Friedrich

The BigBrotherAward 2012 in the “Politics” category goes to the Federal Minister of the Interior, Dr. Hans-Peter Friedrich (CSU, the Christian democrats of Bavaria) for establishing a cyber defence centre without authorisation from the German parliament, for establishing a joint defence centre against right-wing extremism also without consulting parliament, and for the plan to soon create a centralised, joint database on “violent right-wing extremism”. The plans for the joint database and the new defence centres cause police, secret services and the military to be networked and integrated in a troublesome way. This is a violation of the German constitution’s historically rooted imperative that these security authorities must work independently and in strict separation.
Laudator:
Dr. Rolf Gössner, Internationale Liga für Menschenrechte (ILFM)

The BigBrotherAward 2012 in the “Politics” category goes to the Federal Minister of the Interior Dr. Hans-Peter Friedrich (CSU, the Christian democrats of Bavaria) for establishing a cyber defence centre without authorisation from the German parliament, for establishing a joint defence centre against right-wing extremism also without consulting parliament, and for the plan to soon create a centralised, joint database on “violent right-wing extremism”.

The plans for the joint database and the new defence centres cause police, secret services and the military to be networked and integrated in a troublesome way. This is a violation of the German constitution’s historically rooted imperative that these security authorities must work independently and in strict separation.

The full text is not yet available in English, sorry.

Government & Administration (2012)

Saxon Minister of the Interior

The BigBrotherAward 2012 in the category “Government and Administration” goes to the Saxon Minister of the Interior, Mr. Markus Ulbig, for mobile phone cell queries in the region of Dresden. After about 20,000 people demonstrated against a Nazi parade on 19 February 2011 in Dresden, Saxony’s Criminal Police Office (Landeskriminalamt) and Dresden police requested telecommunications connection data for 28 mobile phone cells, most of them in the vicinity of the demonstration. Data from these requests soon surfaced as evidence in criminal cases, for which a mobile phone cell query would certainly have been denied. The laureate insists to this day that the data tsunami thus created, more than one million records for more than 55,000 identified subscribers, was legal.
Laudator:
Sönke Hilbrans, Deutsche Vereinigung für Datenschutz (DVD)

The BigBrotherAward 2012 in the category “Government and Administration” goes to the Saxon Minister of the Interior, Mr. Markus Ulbig, for 28 mobile phone cell queries in the area of Dresden.

The original events leading to this prize date back more than a year, and had we known at the time, the beautiful little statue would have been in Dresden for a year now. But the scandal from February 2011 started trickling through to the public only last summer.

But let us start at the beginning: On 19 February 2011, 20,000 people demonstrated in Dresden against the annual Nazi parade. Our laureate’s police started investigating some of these demonstrators for 23 criminal offences within a known timeframe in 14 exactly known locations.

Encouraged by the police and Saxony’s Criminal Police Office (Landeskriminalamt), the prosecution authority in Dresden submitted a request for cell phone connection data to the local court. What followed was a veritable data landslide. On behalf of the Criminal Police Office, cell data for three locations in the Dresden area was requested for a timeframe of several hours. Additionally, connection data for a 12-hour timeframe was requested for the entire southern city centre, where the demonstration had taken place, and for the vicinity of a building housing a youth convention centre, party offices and lawyers’ offices for a full 48 hours. Shortly afterwards the mobile phone service providers transferred a staggering 1,000,702 records for 323,503 subscribers to the investigating authorities.

This wasn’t kept under cover for long: as early as summer 2011, data from these requests surfaced in inappropriate places – investigations for which a phone cell query would certainly have been denied. The investigated persons were surprised to read that they had made a phone call during the demonstration, at a given place and time. This raised some questions.

Scrambling for answers, the state government initially only admitted to having obtained 460 records, but by July 2011 40,732 subscribers had been identified, and by the end of the year that number had risen to 55,000. At the same time the acknowledged number of connection records rose steadily and on 23 November 2011 reached 1,067,433.

The large majority of these records were collected on 19 February 2011 between 7 a.m. and 7 p.m., in an area with several hundred thousands of residents, some 20,000 protesters according to police estimates, and 6,642 police officers. This is what people call a data tsunami, and it has later been called a “Saxon Fukushima”.

So what was it all for? Only a tiny fraction of the records had been requested to assist in criminal investigations. The major part was intended to be used for investigations against suspected members of what was probably a small suspected criminal organisation. What is the point of attempting to find a group of maybe one or two dozen people in a database of more than a million records? Apparently the Saxon police, headed by the laureate, Interior Minister Markus Ulbig, had the ambition to search for the proverbial needle in the haystack. Unfortunately, Mr. Ulbig, this is not a haystack which your officers are searching, but private communications of tens of thousands of citizens, which enjoy special legal protections. Most of these citizens were not in the city centre of Dresden just for fun, but because they live and work there. What makes this matter particularly juicy is that there were also tens of thousands exercising their constitutional right to freedom of assembly, in order to give publicity to an important social matter and voice their disgust over Nazis running wild.

In passing, the laureate’s Saxon police obtained mobile phone connection data for an entire large demonstration, with which they can now determine: who was there? For how long? Who called whom? What were the movements of individual groups?

What the Saxon police achieved with these phone cell queries amounts to an “impromptu data retention”. Didn’t the Federal Constitutional Court reject Germany’s data retention law just one year earlier?

The Saxon data protection commissioner – the state’s voice of reason, in a way – had to assert, rather shocked, that nobody seemed to have asked questions about the measure’s proportionality.

Our laureate is no security apparatchik, but an administrative civil servant. On the Ministry’s website he prides himself on his local origins, and on having been mayor of a district town: “His ear close to the local people’s hearts”. But unfortunately he has shown a lack of sound footing, or sense of proportion, in his tenacious defence of his subordinates’ actions. His behaviour exposed Saxony to an undignified debate, which further revealed that there are accomplices in this data madness. The laureate absolved his officials of all culpability on the grounds that the phone cell queries had been initiated by prosecutors and ordered by judges. The prosecutors and judges to whom the blame had been shifted declared that they saw no need to answer to some data protection activists’ criticisms. The buck kept being passed around – the data records are still not deleted.

We must also hold against our laureate that he and his accomplices have not shown any sign of regret in the past 14 months. Phone owners are still being identified, while the intention is that most affected people will never know that they were devoured by the big investigator’s suction device.

Congratulations, Minister Markus Ulbig!

Laudator:

Sönke Hilbrans, Deutsche Vereinigung für Datenschutz (DVD)
Technology (2011)

Peuterey

The BigBrotherAward 2011 in the category Technology goes to the fashion brand Peuterey, represented by the Düsseldorf fashion agency Torsten Müller. This negative prize is awarded to Peuterey for covertly deploying RFID tags in clothes. These tags are remotely readable, unnoticed by the customer. The tab containing this “spy chip” is imprinted “Don't remove this label”, without any information about the hidden chip. This is a massive violation of the customers' rights to informational self-determination.
Laudator:
padeluun, Digitalcourage

The full English text is not yet available, sorry.


Government & Administration: Census

The BigBrotherAward 2011 in the category Government and Administration goes to the chairman of the Census Commission, Prof. Dr. Gert G. Wagner for the all-encompassing population survey in Germany called “Zensus 2011”. He is awarded this negative prize representatively for all those involved. The current census will create profiles from more than 80 million people’s sensitive data, which will be stored in person-related form for up to four years after the deadline of 9 May 2011. Data from population registers, the Federal Employment Agency (Bundesagentur für Arbeit), and federal employers are misused for the purpose without adequately informing citizens, and without any means for appeal.

The full English text is not yet available, sorry.

 
Workplace (2011)

German Federal Customs Administration

The BigBrotherAward 2011 in the “Workplace” category goes to the German Federal Customs Administration. They allow themselves to be exploited by the Russian state as they require German companies to cross-check their employees against Russian anti-terror lists. These lists are compiled by the Russian secret service FSB (formerly KGB) pursuant to a confidential Russian law. In consequence, energy companies, for example, that comply with the obligations of the Federal Customs Administration will subsequently be favoured by GASPROM for energy supplies. There are now several hundred German companies participating in the process. – Attention: April Fool's Day! – It is not GASPROM that is favouring customers, but European and American companies. To participate in trade facilitation agreements, companies are asked to agree to voluntary security checks. These involve cross-checking employee data against European and sometimes US anti-terror lists, even though this practice is prohibited by German data protection legislation.
Laudator:
Prof. Dr. Peter Wedde, Frankfurt University of Applied Science

The full English text is not yet available, sorry.


Politics: Uwe Schünemann

The BigBrotherAward 2011 in the “Politics” Category goes to the Interior Minister of the federal state of Lower Saxony, Uwe Schünemann (CDU, Germany’s conservative party), for the first proven instance of German police using a miniature surveillance drone at a political gathering. During demonstrations and protest events against the transport of nuclear waste in the Wendland region in November 2010, there have been four instances of “flying eyes” covertly spying on and controlling demonstrators from the air. Such airborne surveillance is highly disputed in legal circles – it can violate personality rights of the affected persons, and it can have highly intimidating and deterring effects on participants of a public gathering.

Laudation: Rolf Gössner

The BigBrotherAward in the “Politics” category goes to

The Interior Minister of Lower Saxony

Uwe Schünemann

(CDU, Germany’s conservative party)

for the first proven instance of German police using a miniature surveillance drone to secretly spy on demonstrations and protest events against the transport of nuclear waste in the Wendland region (in eastern Lower Saxony, this region contains Germany’s main nuclear waste disposal facilities at Gorleben, including explorations for a deep final repository). Affected were countless demonstration participants who in November 2010 protested in their thousands against radioactive waste and the irresponsible nuclear policy of the German government.

1. They are small, silent and unobtrusive – and they’re not just used for military purposes. Not just for the deadly hunt for Taliban and terrorists far away in the Hindu Kush, but also in “civilian” missions including police surveillance at home in the Wendland. Almost unnoticed, not much louder than a swarm of houseflies, the unmanned and remote-controlled flying object hovered above demonstrators’ heads in November 2010, and unnoticed, the remote-controllable cameras filmed what went on before their lenses. The pin-sharp images of the protests were radioed to and recorded by police on the ground, who were then able to evaluate the footage.

The intention of Schünemann’s “flying eye” was to spy on the mass protests in secret. Such use of police drones at demonstrations is highly disputed in legal circles, not least because of the intimidating and deterring effects this can have on people taking part in public gatherings. With his “Big Brother of the air”, the minister has covertly added to the many restrictions to the freedom of assembly, and further undermined an elementary basic right that is under serious threat already.

The citizens’ initiative Lüchow-Dannenberg (the district of L.-D. is roughly identical to the Wendland region) objected against the use of this new surveillance technology, on the grounds that it violated personality rights of the affected people and also the constitutional principle of proportionality. It seems that the drone operations in the Wendland were so secret that a legal review by the state’s Data Protection Commissioner had not taken place and even the police officer in charge had not been informed in time.

The Interior Minister at first said that what had been made were harmless panoramic images of the protest scene. But this claim contradicts police statements that the footage was also used to secure evidence and investigate criminal acts after the event. For this purpose, image details must have been enlarged so that faces could be identified – technologically, this is easily possible. However, personality rights of the people concerned are violated in this way.

2. Although the use of police drones can thus lead to violations of personality rights and of the freedom of assembly, there are no explicit or specific legal regulations for it up to now. Conventional video surveillance of public gatherings on a large scale has been regular police practice for a long time. But the Federal Constitutional Court has now decided that an overall recording of such events without specific cause is an illegitimate intrusion on the basic right of freedom of assembly (case reference 1 R 2492/08). And the Administrative Court of Berlin ruled in 2010 that monitoring a demonstration by video is unlawful even with the existence of a concrete case (reference VG 1 K 905.09). Capturing just panoramic views for planning police action was deemed inadmissible as well, because targeting and zooming in on individual people would always be possible. The video monitoring could lead to participants being “intimidated by the feeling of being observed”, or even deterred from participating. “This would damage not only the free development of the individual, but also the public interest.” The Higher Administrative Court of the state of North Rhine-Westphalia came to the same conclusion in a similar case (ruling of 23 Nov 2010, reference OVG Münster 5 A 228/09).

These rulings must of course apply to the monitoring of public gatherings through police drones as well – but they were ignored in the Wendland. If people know of such airborne espionage, they can be severely deterred from exercising their right to freedom of assembly.

3. The type of police drone used in the Wendland was the MD4 200 by Microdrones, a company based in Kreuztal. The Interior Ministry of Lower Saxony had procured this flying device in late 2008 at a cost of about 50,000 €. It can take off vertically, is just over 600g in weight and about 90cm in length, and it features four electrically driven low-noise rotors. Also called quadrocopter or gyroplane, it can carry cameras for daylight, dusk, or infrared imaging up to a 200g load. It can be controlled remotely or fly pre-programmed or autonomously using GPS.

Unmanned aviation devices have become much more important in the last few years, after a “drones” project group between police forces at the federal and the state level started work in 2007. Federal Police and police forces in the states of Hesse, North Rhine-Westphalia and Saxony are increasingly using police drones in “live” operations as well – for example to identify hooligans and violent criminals at football games. Also, at least one police drone was sighted at demonstrations and blockades against a neo-Nazi march in Dresden (in Saxony) in February 2011.

Interior Minister Schünemann and police forces across Germany see wide potentials for the use of mini-drones: at large rallies, for traffic control, kidnappings and hostage takings, to pursue robbers, search for missing persons, to secure evidence and to direct police operations, investigate environmental or drug offences, monitor railway facilities or borders, respond to catastrophic events, etc. It would also be possible to equip the drones with smoke-balls, pepper spray, tear gas or tasers; and one could imagine entire drone squadrons that control public events or urban districts automatically, guided by intelligent software, and follow suspect groups or persons. There is intense work on such projects, anyway.

According to the EU surveillance and research project INDECT, for example, police on the beat could take hand-held drones along – to find suspect persons and pursue them. These drones would feature high-resolution cameras that could observe the suspects automatically, using face-recognition software, and supply all information required for a seizure or arrest; at the same time, evidence for a subsequent trial could be secured. Such mobile surveillance systems are also being developed to combat uprisings in urban areas. [1] During the European football championships in Poland and Ukraine in 2012, some INDECT systems will be tested under “real-life” conditions for the task of monitoring sports arenas. Among the goals are identification of hooligans and early recognition of conspicuous behaviour – e.g. by recording football chants and scanning them for threatening voice patterns. [2] In a research project by Frontex, the EU agency for external border security, drones are being developed specifically to monitor borders and “combat terrorism”. [3]

4. Interior Minister Schünemann is a “repeat offender”. He was already “penalised” with a BigBrotherAward in 2003 – for enabling preventive telecommunications monitoring in Lower Saxony’s police law, among other issues. He had to share that award, unlike this one today, with his colleague Interior Ministers in Bavaria, Rhineland-Palatinate, and Thuringia. As he played truant at the awards ceremony and shunned the artistic prize trophy, I used an opportunity three years later to re-stage the procedure in front of a larger audience. It happened during a TV appointment in the morning show at Sat.1 (one of Germany’s larger private TV channels). Invited as breakfast studio guests were Schünemann, the head of the Federal Criminal Police Office (Bundeskriminalamt, BKA) Jörg Ziercke, and myself. I had secretly planned the raid on Schünemann with the studio directors. Just before the end of the show, I conjured up a framed photo of the award and gave a short award speech to castigate Schünemann’s preventive surveillance, which by then had been ruled to be unconstitutional by the Federal Constitutional Court. Instinctively, almost ceremoniously, Schünemann stood up, accepted the photo, politely said “thank you” as the cameras were running, and left the studio, red-faced.

Uwe Schünemann has not heeded the warning he received with that negative award, or with the Constitutional Court ruling that declared preventive telecommunications surveillance to be unconstitutional (reference 1 BvR 668/04) – instead, he has continued to commit further civil rights and data violations. The “conviction offender in security politics”, as former Data Protection Commissioner of Lower Saxony Burckhard Nedden has labelled him, is merciless in deporting illegal migrants, pushes for expanded CCTV surveillance, calls for electronic tagging of “dangerous foreigners” and “violence-prone islamists” without prior judicial approval, as well as secret searches of homes, Internet censorship against child and youth pornography and a renewal of the overall retention of all telecommunications data independent of suspicion.

That is why the unrepentant Interior Minister deserves to feel the full and undivided impact of the BigBrotherAward for his debut of police drones in the Wendland. Congratulations, Mr Schünemann.

Sources (all in German):

[1] Among others: www.spiegel.de/panorama/0,1518,701310,00.html

[2] www.heute.de/ZDFheute/inhalt/20/0,3672,8144084,00.html [Link not available]

[3] www.ag-friedensforschung.de/themen/Waffen/drohnen4.html

 

Communication (2011)

Apple

Another BigBrotherAward 2011 in the category “Communication” goes to Apple GmbH in Munich for taking their customers hostage by way of expensive hardware and subsequently blackmailing them into accepting a questionable privacy policy. If you buy a fancy new iPhone for a few hundred Euros, you also want to actually use it. Customers have virtually no choice but to consent to about 117 iPhone display pages of conditions and privacy policies – or else they can only use their nifty gadget for telephone calls, at most. In particular, users’ localisation or positioning data is highly coveted by “apps” providers and advertisers for the purpose of personalised advertising.
Laudator:
Frank Rosengart, Chaos Computer Club (CCC)
Andreas Bogk, Chaos Computer Club (CCC)

The BigBrotherAward 2011 in the “Communication” category goes to Apple GmbH in Munich for taking their customers hostage by way of expensive hardware and subsequently blackmailing them into accepting a questionable privacy policy.

An iPhone is a fancy piece of hardware and costs a few hundred Euros. And once you bought it, of course you will want to actually use it for a wide variety of tasks. After switching it on for the first time, the device welcomes you with the request to enter your “Apple ID”, or at least to give your user account details for iTunes (Apple's online shop for music, films and software). Without entering these data, you can only use the gadget for telephony. For nothing else. You won't be able to use any of the functions for which you actually chose to buy the iPhone. Eager to fully use the device, hardly any customer will be prepared to delve into the small print – as much as 117 pages on the small screen. But you'd better read it all – in particular the chapter called “Privacy Policy”.

In this chapter, the company reserves the right to “share this personal information with [Apple's affiliates] and use it consistent with this Privacy Policy.” This is not restricted to credit card numbers to process music purchases, but includes “occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used”. Apple wants to “better understand customer behavior and improve (its) products, services, and advertising”. Additionally, Apple and its “partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device.”

Whenever a company wants to collect such data, the German Federal Data Protection Law requires the user's explicit consent. A simple checkbox “I agree” during the phone's update procedure will probably not suffice here. Also, it is completely unclear how one might declare one's dissent to the sharing of data. The Federal Data Protection Law explicitly requires the consent to be voluntary in §4a. But imagine you just bought a device for several hundred Euros and might not be able to use it unless you declare your consent to the “Privacy Policy” – it is questionable, to say the least, that your consent will be voluntary.

More generally, you might wonder what you actually bought into when you acquired such a gadget. Which customer rights apply? Could you claim for a “defect” when the terms and conditions are modified, possibly even at a later date, to the customer's disadvantage? Apple seems to be very confident – and most customers will reluctantly bite the bullet.

Other manufacturers prove that it is possible to offer such a product without compulsory assimilation of customer data. With Apple, though, the customer has no choice. To add software, he is forced to use iTunes or the AppStore, and therefore consent to Apple's conditions. It's a matter of sink or swim.

Apple's corporate strategy seems to be focused on gathering as much user data as possible, similar to social networks. In particular, users’ localisation or positioning data is highly coveted by Apple's advertising partners for the purpose of personalised, location-based advertising.

Since evidently not enough customers are complaining against Apple's use of customer data, we hereby raise this complaint by presenting a BigBrotherAward in the category “Communication” to Apple GmbH in Munich.


About BigBrotherAwards

In a compelling, entertaining and accessible format, we present these negative awards to companies, organisations, and politicians. The BigBrotherAwards highlight privacy and data protection offenders in business and politics, or as the French paper Le Monde once put it, they are the “Oscars for data leeches”.

BigBrotherAwards International

The BigBrotherAwards are an international project: Questionable practices have been decorated with these awards in 19 countries so far.