EU ISP Filtering Decision

Court of Justice of the European Union
PRESS RELEASE No 126/11
Luxembourg, 24 November 2011
Press and Information

Judgment in Case C-70/10
Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM)

EU law precludes the imposition of an injunction by a national court which requires an internet service provider to install a filtering system with a view to preventing the illegal downloading of files

Such an injunction does not comply with the prohibition on imposing a general monitoring obligation on such a provider, or with the requirement to strike a fair balance between, on the one hand, the right to intellectual property, and, on the other, the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information

This case has its origin in a dispute between Scarlet Extended SA, an internet service provider, and SABAM, a Belgian management company which is responsible for authorising the use by third parties of the musical works of authors, composers and editors.

In 2004, SABAM established that users of Scarlet's services were downloading works in SABAM’s catalogue from the internet, without authorisation and without paying royalties, by means of peer-to-peer networks (a transparent method of file sharing which is independent, decentralised and features advanced search and download functions).

Upon application by SABAM, the President of the Tribunal de première instance de Bruxelles (Brussels Court of First Instance, Belgium) ordered Scarlet, in its capacity as an internet service provider, on pain of a periodic penalty, to bring those copyright infringements to an end by making it impossible for its customers to send or receive in any way electronic files containing a musical work in SABAM's repertoire by means of peer-to-peer software.

Scarlet appealed to the Cour d'appel de Bruxelles (Brussels Court of Appeal), claiming that the injunction failed to comply with EU law because it imposed on Scarlet, de facto, a general obligation to monitor communications on its network, something which was incompatible with the Directive on electronic commerce [1] and with fundamental rights. In that context, the Cour d'appel asks the Court of Justice whether EU law permits Member States to authorise a national court to order an internet service provider to install, on a general basis, as a preventive measure, exclusively at its expense and for an unlimited period, a system for filtering all electronic communications in order to identify illegal file downloads.

In its judgment delivered today, the Court points out, first of all, that holders of intellectual-property rights may apply for an injunction against intermediaries, such as internet service providers, whose services are being used by a third party to infringe their rights. The rules for the operation of injunctions are a matter for national law. However, those national rules must respect the limitations arising from European Union law, such as, in particular, the prohibition laid down in the E-Commerce Directive on electronic commerce under which national authorities must not adopt measures which would require an internet service provider to carry out general monitoring of the information that it transmits on its network.

In this regard, the Court finds that the injunction in question would require Scarlet to actively monitor all the data relating to each of its customers in order to prevent any infringement of intellectual-property rights. It follows that the injunction would impose general monitoring, something which is incompatible with the E-Commerce Directive. Moreover, such an injunction would not respect the applicable fundamental rights.

It is true that the protection of the right to intellectual property is enshrined in the Charter of Fundamental Rights of the EU. There is, however, nothing whatsoever in the wording of the Charter or in the Court's case-law to suggest that that right is inviolable and must for that reason be absolutely protected.

In the present case, the injunction requiring the installation of a filtering system involves monitoring, in the interests of copyright holders, all electronic communications made through the network of the internet service provider concerned. That monitoring, moreover, is not limited in time. Such an injunction would thus result in a serious infringement of Scarlet's freedom to conduct its business as it would require Scarlet to install a complicated, costly, permanent computer system at its own expense.

What is more, the effects of the injunction would not be limited to Scarlet, as the filtering system would also be liable to infringe the fundamental rights of its customers, namely their right to protection of their personal data and their right to receive or impart information, which are rights safeguarded by the Charter of Fundamental Rights of the EU. It is common ground, first, that the injunction would involve a systematic analysis of all content and the collection and identification of users' IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data. Secondly, the injunction could potentially undermine freedom of information since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications.

Consequently, the Court finds that, in adopting the injunction requiring Scarlet to install such a filtering system, the national court would not be respecting the requirement that a fair balance be struck between the right to intellectual property, on the one hand, and the freedom to conduct business, the right to protection of personal data and the right to receive or impart information, on the other.

Accordingly, the Court’s reply is that EU law precludes an injunction made against an internet service provider requiring it to install a system for filtering all electronic communications passing via its services which applies indiscriminately to all its customers, as a preventive measure, exclusively at its expense, and for an unlimited period.

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Unofficial document for media use, not binding on the Court of Justice.
The full text of the judgment is published on the CURIA website on the day of delivery.
Press contact: Christopher Fretwell, (+352) 4303 3355
Pictures of the delivery of the judgment are available from "Europe by Satellite", (+32) 2 2964106

[1] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (OJ 2000 L 178, p. 1).


Date: 11 October 2011
Venue: İstanbul Bilgi University, Dolapdere Campus, Courtroom

PROGRAMME

09:00-10:00 Registration

10:00-10:30 Opening Speeches
Prof. Dr. Turgut TARHANLI, Dean, İstanbul Bilgi University Faculty of Law
Prof. Dr. Remzi SANVER, Rector, İstanbul Bilgi University
Prof. Dr. Ünal TEKİNALP, Chair, Turkish Commercial Code Commission
Hayati YAZICI, Minister of Customs and Trade

10:30-13:30 DIGITAL COMPANY PANEL
Session Chair: Prof. Dr. Ünal TEKİNALP, Chair, Turkish Commercial Code Commission
İsmail YÜCEL, Director General for Domestic Trade, Ministry of Customs and Trade
“Electronic Trade Registry”
Prof. Dr. Vedat AKGİRAY, Chairman, Capital Markets Board
Prof. Dr. Tayfun ACARER, Chairman, Information and Communication Technologies Authority
“The Turkish Commercial Code and the Registered E-mail Application”
Assoc. Prof. Dr. Yakup ERGİNCAN, General Manager, Central Registry Agency
“Corporate Governance, Investor Relations and the Companies Information Portal”
Ümit YAYLA, Deputy General Manager, Central Registry Agency
“Participation in the General Assembly Meetings of Publicly Held Companies under the New Turkish Commercial Code”
Asst. Prof. Dr. Leyla KESER BERBER, Director, İstanbul Bilgi University Institute of Information and Technology Law; Chair, Turkish Commercial Code Sub-Commission on Secondary Legislation for IT-Related Provisions
“The Legal Framework for the Digital Company”

13:30-13:45 Questions/Discussion
13:45 Closing
14:00 Lunch

Principles and Procedures Concerning the Safe Internet Service

DECISION OF THE INFORMATION AND COMMUNICATION TECHNOLOGIES BOARD

Decision Date: 24.08.2011
Decision No: 2011/DK-14/461
Agenda Item: Principles and Procedures Concerning the Safe Internet Service.

DECISION: Within the scope of Articles 4, 6 and 50 of Law No. 5809, Article 10 of the Regulation on Consumer Rights in the Electronic Communications Sector, which entered into force upon publication in the Official Gazette dated 28.07.2010 and numbered 27655, and the provisions of other relevant legislation, it has been decided that:
• the “Draft Principles and Procedures Concerning the Safe Use of the Internet”, which entered into force upon approval by the Board Decision dated 22.02.2011 and numbered 2011/DK-10/91, be repealed,
• the “Principles and Procedures Concerning the Safe Internet Service” set out in the Annex be approved,
• this Board Decision enter into force as of 22.08.2011.

Annex

PRINCIPLES AND PROCEDURES CONCERNING THE SAFE INTERNET SERVICE

Purpose
ARTICLE 1 – (1) The purpose of these Principles and Procedures is to regulate the principles and procedures for the Safe Internet Service, which is based on the subscriber's choice.

Scope
ARTICLE 2 - (1) These Principles and Procedures cover Operators that provide Internet service and subscribers who request the Safe Internet Service.

Legal basis
ARTICLE 3 - (1) These Principles and Procedures have been prepared on the basis of Article 10 of the Regulation on Consumer Rights in the Electronic Communications Sector, published in the Official Gazette dated 28/07/2010 and numbered 27655.

Definitions and abbreviations
ARTICLE 4 - (1) In these Principles and Procedures:
a) Subscriber: means the natural person who is party to a contract concluded with an Operator for the provision of Internet service, including mobile Internet service,
b) Family profile: means the profile in which the subscriber is not given access to the domain names, sub-domain names, IP addresses and ports in the family profile list sent to Operators by the Authority,
c) Child profile: means the profile in which the subscriber is given access to the domain names, sub-domain names, IP addresses and ports in the child profile list sent to Operators by the Authority,
ç) File integrity value (Hash Code): means the value that represents the digest of a file, obtained by passing the data in a computer file through a mathematical operation and used to check whether the data in the file has been modified,
d) Safe Internet Service: means the service, consisting of the child and family profiles, that is provided free of charge at the request of subscribers,
e) Safe Internet Service profile: means either of the child and family profiles, which subscribers wishing to receive the Safe Internet Service may choose according to their needs,
f) Operator: means Operators that provide Internet access service, including Operators that provide mobile telephone service, and Türk Telekomünikasyon A.Ş.,
g) Board: means the Information and Communication Technologies Board,
ğ) Authority: means the Information and Communication Technologies Authority,
h) Profile Editing Web Page: means the web page, designed by Operators, on which individual subscribers can carry out their requests when they wish to change their profile or to stop receiving the Safe Internet Service,
ı) Cautionary and Informative Web Page: means the web page, designed by Operators, to which users are redirected when they cannot access websites because of their profile.
(2) For terms used in these Principles and Procedures but not defined in the first paragraph of this Article, the definitions in the relevant legislation apply.

Status of existing subscribers
ARTICLE 5 - (1) The existing Internet access service of subscribers who do not request the Safe Internet Service continues to be provided without any change.

Safe Internet Service profiles
ARTICLE 6 - (1) Operators provide the Safe Internet Service to subscribers who request it in two different profiles, the child profile and the family profile.

Selection of Safe Internet Service profiles
ARTICLE 7 - (1) Subscribers may submit their Safe Internet Service requests to the Operator from which they receive service when the subscription contract is signed. They may also notify these requests through the call centre, the dealer channel or the website.
(2) Operators provide the Safe Internet Service to subscribers free of charge.
(3) Operators include the two Safe Internet Service profiles, in the manner set out below, in subscription contracts or in forms prepared as annexes to subscription contracts and on the profile editing page, so that the subscriber can easily make a choice. Where subscribers choose the family profile, they are enabled to select one or more of the sub-options set out below, or to make no sub-selection. “If you request the Safe Internet Service, please choose one of the profiles below.
(4) In providing Internet access service, Operators continue to provide service according to the subscriber's most recent choice.
(5) Subscribers receiving the Safe Internet Service are provided by Operators with a username and password so that they can carry out operations on the Profile Editing Web Page.
(6) Operators give their subscribers the ability to switch between profiles and/or to stop receiving the Safe Internet Service at any time, securely, easily and free of charge.

Profile editing web page
ARTICLE 8 - (1) When subscribers wish to change their profile or to stop receiving the Safe Internet Service, they can carry out these requests through the Profile Editing Web Page designed by Operators.
(2) Operators may let their subscribers use their existing username and password on the Profile Editing Web Page free of charge, or may assign a new username and password.
(3) The Profile Editing Web Page contains at least the following information:
a) Items on the main page;
i. Current profile,
ii. Profile Selection Menu,
b) An application through which the user can change their username and password and
c) Cautionary and awareness-raising informative texts sent by the Authority.

Cautionary and informative web page
ARTICLE 9 - (1) When subscribers cannot access websites because of their profile, they are redirected to the Cautionary and Informative Web Page designed by Operators.
(2) Operators present at least the following information on the Cautionary and Informative Web Page:
a) Current profile and
b) Cautionary and awareness-raising informative texts sent by the Authority.

Structure and duties of the Child and Family Profile Criteria Working Board
ARTICLE 10 - (1) The criteria for compiling the Child and Family Profile lists are determined by the Child and Family Profile Criteria Working Board.
(2) The Child and Family Profile Criteria Working Board consists of 11 members under the coordination of the Authority.
(3) The Child and Family Profile Criteria Working Board consists of 3 members from the Authority, one of whom is the chair, 2 from the Ministry of Family and Social Policies, 2 from among the civil-society representative members of the Internet Board, 1 from the Turkish Digital Games Federation and 3 members selected by the Authority from among persons with expertise in related fields such as psychology, pedagogy, sociology and law.
(4) The Child and Family Profile lists are determined by the Authority within the framework of the principles set by the Child and Family Profile Criteria Working Board.

Evaluation of applications and objections
ARTICLE 11 - (1) Users and website owners may apply and object, via the web page prepared by the Authority, for the evaluation of websites.
(2) Users make their applications via the link on the Profile Editing Web Page and their objections via the link on the Cautionary and Informative Web Page. The Operator name, the user profile, and the domain name/IP address and port information relating to the application or objection are sent to the Authority by Operators so that applications and objections can be evaluated correctly.
(3) The Authority may seek the opinion of the Child and Family Profile Criteria Working Board for the evaluation of applications and objections.

Provision of the Safe Internet Service and establishment of the infrastructure
ARTICLE 12 - (1) Operators establish and operate the infrastructure necessary for the provision of the Safe Internet Service. Only the lists are sent to Operators by the Authority.
(2) Operators may not make changes to the Safe Internet Service profiles determined by the Authority or to the lists sent to Operators by the Authority.
(3) Operators may, in addition to the Safe Internet Service, offer different services under different names.
(4) Operators that provide Internet service at wholesale level by the resale method provide the Safe Internet Service to alternative Operators free of charge.

Access to the list database
ARTICLE 13 - (1) The lists belonging to the Safe Internet Service profiles are shared over the point-to-point secure data lines established between Operators and the Authority.
(2) The data held in the Authority's database is sent to Operators over the secure line. Operators transfer the data and updates sent by the Authority to their systems and apply them within 24 hours at the latest.
(3) The file integrity value (hash code) of each domain name and sub-domain name held in the database is computed separately by the Authority, and the file integrity values are shared with Operators. Operators compute the file integrity value of the domain names and sub-domain names that users wish to access, query it against the database sent to them, and establish the necessary control mechanisms for the use of this method.
(4) The list of IP addresses and ports held in the Authority's database is shared with Operators without file integrity values being computed. Operators carry out the queries relating to those IP addresses or ports.
(5) Operators install the software and hardware solutions they develop for the provision of the Safe Internet Service redundantly.

Informative text
ARTICLE 14 - (1) Operators send their subscribers awareness-raising informative texts, the content of which is approved by the Authority, to introduce the Safe Internet Service. Operators carry out the introduction of the Principles and Procedures to subscribers, before the service actually begins to be provided, through at least one of the following methods: short message, call centre, one-time redirected information page (captive portal), pop-up window and/or invoice.

Test process and actual start of service provision
ARTICLE 15 - (1) Operators make all infrastructure and application work necessary for the provision of the Safe Internet Service ready before the test process begins.
(2) The test process for the provision of the Safe Internet Service is carried out between Operators and the Authority between 22.08.2011 and 22.11.2011.
(3) If the Operator considers it appropriate, subscribers may be signed up for test purposes during this process.
(4) Operators end the test process and begin actually providing the service to subscribers with effect from 22.11.2011.

Entry into force
ARTICLE 16 - (1) These Principles and Procedures enter into force on 22.08.2011.
Enforcement
ARTICLE 17 - (1) The provisions of these Principles and Procedures are executed by the Chairman of the Information and Communication Technologies Board.

Unofficial translation prepared by ICTA.

By-Law on the Principles and Procedures Concerning the Safe Internet Service

Purpose
Article 1- (1) The purpose of this By-Law is to define the procedures and principles concerning the Safe Internet Service requested by subscribers.

Scope
Article 2- (1) This By-Law covers internet service providers and individual subscribers demanding Safe Internet Service.

Legal Basis
Article 3- (1) This By-Law is prepared on the basis of Article 10 of “Ordinance on the Consumer Rights In The Telecommunications Sector” published in the Official Gazette dated 28/07/2010 and numbered 27655.

Definitions
Article 4- (1) The terms used in this By-Law shall have the following meanings:
a. Subscriber: Any natural person who is party to a contract with an operator for the provision of internet service, including mobile internet services.
b. Family profile: The profile in that the users are not able to access the domain names, sub-domain names, IP addresses, and ports in the list which is sent to the operators by the Authority.
c. Child profile: The profile in that the users are only able to access the domain names, sub-domain names, IP addresses and ports in the list related to child profile which is sent to the operators by the Authority.
d. Hash code: A hash code is a value obtained by a mathematical function that determines the integrity of a file data.
e. Safe Internet Service: The service provided free of charge upon the request of the subscriber and which consists of family and child profiles.
f. Safe Internet Service profile: Either child profile or family profile which can be chosen by subscribers who request Safe Internet Service.
g. Operator: Any company, which provides internet services including mobile operators and the Turk Telekomunikasyon Inc.
h. Board: Information and Communication Technologies Board.
i. Authority: Information and Communication Technologies Authority.
j. Edit Profile Web Page: The web page, on which individual subscriber can change his/her profile or opt out from Safe Internet Service when he/she wants, designed by the operators.
k. Cautionary and informative web page: The web page that is designed by the operators and to which users will be redirected when they try to access a web site being inaccessible according to his/her Safe Internet Service profile.
(2) For the terms that have not been defined in the first sub-clause of this article, the definitions set out in other relevant legislations are applicable.

Status of existing subscribers
Article 5- (1) Existing internet access service of the subscribers, who do not request Safe Internet Service, will continue to be provided in its present form without any change.

Safe Internet Service profiles
Article 6 – (1) The operators shall provide Safe Internet Service to subscribers, who demand this service, as two separate profiles which are child profile and family profile.

Selection of the Safe Internet Service profiles
Article 7 – (1) Subscribers can inform the operator about their Safe Internet usage request by means of subscription agreement. Additionally they can inform the operator via dealer, call centre or website.
(2) The operators shall provide Safe Internet Service to subscribers free of charge.
(3) The operators shall provide Safe Internet Service profile options, which could be easily selected by the subscriber in the subscription agreements or additional subscription forms and in the edit profile web page, as shown below. In case subscribers choose the family profile, selecting one or more of the sub-options mentioned below or selecting none of these sub-options should be made possible for them. “If you want to opt in “Safe Internet Service” please select one of the profiles below.”
(4) The operators shall provide internet access services according to the last preference of the subscriber.
(5) A username and a password is provided to the subscribers using Safe Internet Service by the operators in order to enable them to use Edit Profile Web Page.
(6) Providing the safety of the system, the operators shall provide opportunity of switching between the profiles and/or of opting out from the Safe Internet Service to the subscribers using Safe Internet Service when they want, in an easy way and free of charge, via call centre or edit profile web page.

Edit profile web page
ARTICLE 8 – (1) The subscribers can change their profiles or opt out from the Safe Internet Service, when they want, through the Edit Profile Web Page that shall be designed by the operators.
(2) The operators can either provide a new username and password to their subscribers or make it possible for subscribers to use their current username and password in the Edit Profile Web Page free of charge.
(3) At least the information mentioned below should be provided in the Edit Profile Web Page:
a) Information that must take place in the main page;
i. Current profile,
ii. 'Edit Profile Module' at which username and password will be used,
b) An application through which the user can change his/her password and
c) Cautionary and informative text sent by the Authority.

Cautionary and informative web page
ARTICLE 9 – (1) Users are redirected to the Cautionary and Informative Web Page built by the operators, when they try to access to the web pages that are inaccessible according to their profiles.
(2) The operators shall provide at least the information listed below in the “Cautionary and Informative Web Page”:
a) Current user profile and
b) Cautionary and informative texts sent by the Authority.

Child and family profiles criteria working board’s structure and tasks
ARTICLE 10 – (1) The criteria of the lists that will be used within the concept of the Safe Internet Service is determined by the Child and Family Profiles Criteria Working Board.
(2) Child and Family Profiles Criteria Working Board consists of 11 members coordinated by the Authority.
(3) Child and Family Profiles Criteria Working Board is made up of 3 members, one of which is the President, from the Authority, 2 members from Ministry of Family and Social Policies, 2 members among non-governmental organization members of the Internet Committee, 1 member from the Digital Games Federation of Turkey, 3 members, who are experts in related branches such as psychology, pedagogy, sociology and law, selected by the Authority.
(4) The lists of child and family profiles are determined by the Authority, according to the principles constituted by the Child and Family Profiles Criteria Working Board.

Assessment of appeals and objections
ARTICLE 11 - (1) The users and owners of the internet sites can appeal and object, via the website provided by the Authority, to the Authority for the assessment of the internet sites.
(2) The users can make the appeals via the link on the Edit Profile Web Page and the objections via the link on the Cautionary and Informative Web Page. Operator name, user profile, domain name/IP address and port information, associated with the appeal and objection, are sent to the Authority by the operators for proper assessment of appeals and objections.
(3) The Authority can appeal to the opinion of Child and Family Profiles Criteria Working Board regarding the assessment of the objections and appeals.

Safe internet service provision and infrastructure building
ARTICLE 12 – (1) The operators shall build the infrastructure required for the Safe Internet Service and operate it. Role of the Authority is only to send the lists to the operators.
(2) The operators cannot make any change on the Safe Internet Service profiles determined by the Authority and the lists which will be sent by the Authority.
(3) In addition to the Safe Internet Service, operators can offer different service packages with different launch names.
(4) The operators, which offer internet service via resale, shall offer the Safe Internet Service to alternative operators free of charge.

Access to the list database
ARTICLE 13 – (1) The lists of Safe Internet Service profiles are shared with operators through point-to-point secure data lines established between the Authority and operators.
(2) The data stored in the Authority database will be sent through the secure data line to the operators. The operators shall apply the updates and data sent by the Authority to working systems used for provision of Safe Internet Service in 24 hours.
(3) The hash codes of domain and sub-domain names in the database are separately determined by the Authority and these hash codes are shared with the operators. Operators shall search the hash codes of the domain and sub-domain names, which the users want to access, through the database sent to them, and build necessary control mechanisms for the use of this method.
(4) The lists of IP addresses and ports in the database of the Authority are shared with the operators without taking the hash codes. The operators shall inquire the said IP addresses or ports.
(5) The operators shall set up the systems developed in accordance with the provision of the Safe Internet Service with backups.

Informative text
ARTICLE 14 – (1) The operators shall send an informative text, the content of which will be determined by the Authority, to the subscribers. Before the service is provided to the users, the operators shall inform the subscribers about introduction of this By-Law using at least one of the methods which are SMS, call centre, captive portal, pop-up and/or billing.

Test process and provision of the service
ARTICLE 15 – (1) The operators shall build the required infrastructure and applications for the provision of Safe Internet Service before the test process starts.
(2) The test process for the Safe Internet Service shall be carried out between the Authority and the operators from 22.08.2011 to 22.11.2011.
(3) If it is considered proper by the operators, the operators can allow subscriptions to the Safe Internet Service during the test process.
(4) The test process shall be terminated on 22.11.2011 and the Service shall be provided to the users by this date.

Entry into force
ARTICLE 16 – (1) This By-Law enters into force on 22.08.2011.

Enforcement
Article 17 – (1) The provisions of this By-Law shall be enforced by the President of the Information and Communication Technologies Board.

Important Notice: In case of divergent interpretation, the original Turkish text shall prevail.
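
The lookup that Article 13(3) and (4) describe, combined with the profile definitions in Article 4 and the redirect in Article 9, as an added example that is not code from the By-Law, the Authority or any operator. Assumptions: SHA-256 as the hash function (the By-Law names none), a listed domain also covering its sub-domains, and the list layout; all names and addresses are constructed.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field


def normalise(host: str) -> str:
    """Lower-case, drop the trailing dot and IDNA-encode a host name."""
    return host.strip().rstrip(".").lower().encode("idna").decode("ascii")


def domain_hash(name: str) -> str:
    """Hex digest of one name. SHA-256 is an assumption of this example."""
    return hashlib.sha256(normalise(name).encode("ascii")).hexdigest()


def candidate_names(host: str) -> list:
    """The requested host and each parent domain, most specific first.

    A hash lookup is exact-match only, so the operator has to hash every
    name that could be on the list. Treating a listed domain as covering
    its sub-domains is an assumption of this example.
    """
    labels = normalise(host).split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]


@dataclass
class ProfileList:
    """One profile's list as an operator might hold it (hypothetical layout)."""
    domain_hashes: set = field(default_factory=set)  # Art. 13(3): hashes only
    endpoints: list = field(default_factory=list)    # Art. 13(4): (network, port)

    def matches(self, host: str, ip: str, port: int) -> bool:
        if any(domain_hash(n) in self.domain_hashes for n in candidate_names(host)):
            return True
        addr = ipaddress.ip_address(ip)
        # A listed port of None means "any port on this address".
        return any(addr in net and listed in (None, port)
                   for net, listed in self.endpoints)


def build_list(domains, endpoints=()) -> ProfileList:
    """Authority side: hash each listed name separately; IPs and ports stay plain."""
    return ProfileList(
        domain_hashes={domain_hash(d) for d in domains},
        endpoints=[(ipaddress.ip_network(net), port) for net, port in endpoints],
    )


def decide(profile, lists, host: str, ip: str, port: int) -> str:
    """Return "allow" or "redirect" (to the Cautionary and Informative Web Page)."""
    if profile is None:            # Art. 5: no Safe Internet Service requested
        return "allow"
    hit = lists[profile].matches(host, ip, port)
    if profile == "family":        # listed entries are not accessible
        return "redirect" if hit else "allow"
    if profile == "child":         # only listed entries are accessible
        return "allow" if hit else "redirect"
    raise ValueError(f"unknown profile: {profile!r}")


# Constructed sample lists; none of these entries come from a real list.
LISTS = {
    "family": build_list(
        ["blocked.example", "games.mixed.example"],
        [("198.51.100.0/24", None), ("203.0.113.7", 8080)],
    ),
    "child": build_list(["kids.example"]),
}

if __name__ == "__main__":
    for profile, host, ip, port in [
        ("family", "www.blocked.example", "192.0.2.10", 443),
        ("family", "mixed.example", "192.0.2.11", 443),
        ("family", "ok.example", "203.0.113.7", 8080),
        ("child", "kids.example", "192.0.2.20", 80),
        ("child", "ok.example", "192.0.2.30", 80),
        (None, "www.blocked.example", "192.0.2.10", 443),
    ]:
        print(profile, host, ip, port, "->", decide(profile, LISTS, host, ip, port))
```

Because the operator holds only digests for domain names, a request can be checked only by hashing the exact names it might match; the IP and port list is compared directly.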

Principles and Procedures Concerning the Safe Internet Service

The Board decision on the Draft Principles and Procedures Concerning the Safe Internet Service, as revised by the Information and Communication Technologies Authority, has been published.

Deutsche Telekom Wants ‘German Cloud’ to Shield Data From U.S.

Deutsche Telekom AG’s T-Systems information technology unit is pushing regulators to introduce a certificate for German or European cloud operators to help companies guard data from the U.S. government. T-Systems plans to lure customers by emphasizing the security of its servers, over which it delivers its Internet- accessed computing services, Reinhard Clemens, the division’s chief executive officer, told reporters in Bonn on Sept. 12. This includes shielding clients from government access such as that allowed by the U.S. Patriot Act, he said. “The Americans say that no matter what happens I’ll release the data to the government if I’m forced to do so, from anywhere in the world,’” Clemens said. “Certain German companies don’t want others to access their systems. That’s why we’re well-positioned if we can say we’re a European provider in a European legal sphere and no American can get to them.” Deutsche Telekom and other telecommunications companies are promoting cloud-computing offerings as a safe way for businesses to outsource their data centers. A government seal may fence off the cloud offerings of T-Systems and European competitors such as Atos SA and Cap Gemini SA and give them an advantage over U.S. rivals such as Hewlett-Packard Co., Microsoft Corp. and International Business Machines Corp. Some of the surveillance powers of the U.S. Patriot Act, passed after the Sept. 11 attacks, have been opposed by some lawmakers and outside groups, including civil liberties activists. “A German cloud” would be a “safe cloud,” Clemens said. U.S. Exit Deutsche Telekom in March agreed to sell its T-Mobile USA unit for $39 billion to AT&T Inc. The German company is currently trying to salvage the deal after the Justice Department sued Dallas-based AT&T and T-Mobile on Aug. 31, saying a combination of the two companies would substantially reduce competition. 
The global market for cloud services may surge to $148.8 billion in 2014 from $68.3 billion in 2010, according to researcher Gartner Inc. T-Systems predicts it will generate 2 billion euros ($2.74 billion) more in revenue between 2009 and 2015, mostly from delivering software and data storage to customers via the Internet. A German certificate could be issued by the country’s Technical Inspection Association, based on guidelines developed by the Federal Office for Information Security, Clemens said. The office is in talks with European Union officials to develop common standards across the region, which may result in a European certificate, he said.

Reliability Issues

Telecommunications companies also need to convince clients about the reliability of cloud services. In May, SAP AG’s head of global solutions, Sanjay Poonen, said an outage on Inc.’s cloud-computing services earlier this year, and a controversy around Google Inc.’s delays in providing e-mail services to 30,000 city employees in Los Angeles could make it harder for the software industry to convince clients to use cloud computing services. In the U.S., a group led by and VCE, a cloud services provider founded by Cisco Systems Inc. and EMC Corp., sent a report to the government on July 26, urging it to accelerate government and commercial uptake of cloud technologies. Apple Inc., aiming to capitalize on a shift away from personal computers, this year introduced the iCloud service that stores music and other files online and keeps devices synchronized wirelessly. The product will let users move their “digital life” from PC hard drives to remote data centers in the “cloud,” the company said at the time.

Talks About Standards

In the European Union, Commissioner Neelie Kroes, responsible for the region’s Digital Agenda, has asked providers and users of cloud computing to participate in talks about data protection and privacy as well as technical and commercial standards.
“The cloud is critical to Europe’s growth,” Kroes said in March. She said the European Union needs to develop the right legal framework, encourage more technology research and push the public sector to use cloud computing. T-Systems’ sales from cloud products are increasing by 49 percent a year, Clemens said, without giving a total sales figure. Companies that operate their own servers tend to run their systems at only as much as 68 percent of capacity because they need to provision for spikes in use, Clemens said. Capacity use in T-Systems’ cloud is higher, he said, declining to provide a figure. Source:

FTC Seeks Comment on Proposed Revisions to Children’s Online Privacy Protection Rule

The Federal Trade Commission is seeking public comment on proposed amendments to the Children’s Online Privacy Protection Rule, which gives parents control over what personal information websites may collect from children under 13. The FTC proposes these amendments to ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve. The Commission proposes modifications to the Rule in five areas: definitions, including the definitions of “personal information” and “collection,” parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and the role of self-regulatory “safe harbor” programs. “In this era of rapid technological change, kids are often tech savvy but judgment poor. We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses,” said FTC Chairman Jon Leibowitz. “We look forward to the continuing thoughtful input from industry, children’s advocates, and other stakeholders as we work to update the Rule.” The Children’s Online Privacy Protection Act (COPPA) requires that operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using, or disclosing such information from children. The FTC’s Rule implementing the COPPA statute became effective in 2000. The FTC previously reviewed the COPPA Rule in 2005 and retained it without change. In light of rapidly evolving technology and changes in the way children use and access the Internet, in 2010 the FTC initiated another review of the Rule on an accelerated schedule. On April 5, 2010, the FTC sought public comment on every aspect of the COPPA Rule, posing numerous questions for the public’s consideration. 
In addition, the FTC held a public roundtable and reviewed 70 comments received from industry representatives, advocacy groups, academics, technologists, and individual members of the public. A brief summary of some of the major changes is below.

Definitions

The COPPA Rule requires covered operators to obtain parental consent before collecting personal information from children. The FTC proposes updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. In addition, the Commission proposes modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.

Parental Notice

The proposed amendments also seek to streamline and clarify the direct notice that operators must give parents prior to collecting children’s personal information. The proposed revisions are intended to ensure that key information will be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy.

Parental Consent Mechanisms

The FTC also proposes adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done. These supplement the nonexclusive list of methods already set forth in the Rule. The FTC proposes eliminating the less-reliable method of parental consent, known as “e-mail plus,” which is available to operators that collect personal information only for internal use.
This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent. To encourage the development of new consent methods, the Commission proposes establishing a voluntary 180-day notice and comment process whereby parties may seek Commission approval of a particular consent mechanism. In addition, the Commission proposes permitting operators participating in a Commission-approved safe-harbor program to use a method permitted by that program.

Confidentiality and Security Requirements

To better protect children’s personal information, the Commission proposes strengthening the Rule’s current confidentiality and security requirements. Specifically, the Commission proposes adding a requirement that operators ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it, that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.

Safe Harbor

Finally, the FTC proposes to strengthen its oversight of self-regulatory “safe harbor programs” by requiring them to audit their members at least annually and report periodically to the Commission the results of those audits. The Commission vote to issue the Federal Register notice was 5-0. Written comments must be received on or before November 28, 2011. Write “COPPA Rule Review, 16 CFR Part 312, Project No. P-104503” on comments, and file your comment online at by following the instructions on the web-based form. To file comments on paper, mail or deliver comments to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex E) 600 Pennsylvania Avenue, N.W., Washington, DC 20580.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook and follow us on Twitter. Source:

German Minister Urges Government to Quit Facebook

German Consumer Protection Minister Ilse Aigner has called on her cabinet colleagues to stop using Facebook, reflecting ongoing German concern that the social networking site threatens data privacy. "Following an extensive legal probe I think it is essential that we should no longer use the Facebook button on all official government Internet sites under our control," she wrote in a letter seen by SPIEGEL. She sent her request to all government ministries at the end of last week. She added that the ministries should avoid using fan pages, a tool which allows users to access information on an organization. She argued there were "justified legal doubts" about fan pages. She wrote that, "logically enough" her ministry did not have a fan page and did not use the social networking site's "Like" button. Aigner herself quit her Facebook account last year in a high-profile move sparked by her concerns for data privacy.

'Like' Button Complaints

She wrote that government departments and parliamentarians should "set a good example and show that they give a high priority to the protection of personal data." She added that Facebook had to respect German and European laws. Her comments follow moves by the state of Schleswig-Holstein, which last month said it aims to ban the site's "Like" button. Critics argue that the "Like" button could allow advertisers to track users' tastes and consumer choices. Web advocates and bloggers were outraged at the plan, calling it "data protection hysterical." Germany is notably vigilant regarding the Internet's threat to personal privacy. Global giants like Facebook and Google have repeatedly been in the firing line and the northern state of Schleswig-Holstein even managed to ban Google Street View from its region in 2008. Source:,1518,785712,00.html

New EU Agency to Manage Large IT Systems With Citizen Data

The European Union's General Affairs Council on Monday approved plans to establish a pan-European agency to manage its large-scale IT systems. The new agency will be responsible for the operational management of a vast amount of sensitive data including the second-generation Schengen Information System (a common database which facilitates the exchange of information on individuals between national law enforcement authorities), the Visa Information System (a database that will allow member states to enter, update and consult visa data, including biometric data, electronically) and EURODAC (an IT system for comparing the fingerprints of asylum seekers and illegal immigrants). Given the sensitivity of this information, experts have warned that effective security is essential immediately as large amounts of aggregated data can create a target for cybercriminals. Earlier this year, an attack on the European Commission disrupted email systems, while an attack on the E.U.'s Emissions Trading Scheme saw at least €30 million (US$41 million) of emissions allowances stolen from national registries. The new agency will also be responsible for the management of other IT systems that might be developed in the future. However, any integration of further systems will require a specific decision by the European Council and the European Parliament. The plan is for the agency to start working in summer 2012. The head office will be in Tallinn, Estonia, with development and operational management carried out in Strasbourg, France and a back-up site in Sankt Johann im Pongau, Austria. Source:

DigiNotar SSL certificate hack amounts to cyberwar, says expert

"Dutch government revokes certificates used for all its secure online transactions, while CIA, Google, Microsoft and others affected by hack called 'worse than Stuxnet'" The Dutch government says hackers who broke into a web security firm in the Netherlands last month issued hundreds of bogus security certificates that could be used on websites including the CIA and Israel's Mossad, as well as internet giants such as Google, Microsoft and Twitter. More than 500 fake certificates, including some which could be used to send fake Windows updates to computers, and others which could be used when connecting to the CIA's site, were fraudulently issued in the hack, which occurred in July. The Dutch government took the exceptional step of calling a press conference at 1.15am on Saturday morning to announce that it was revoking all trust in digital certificates issued by DigiNotar, which until then had been used for all online tax returns filed in the Netherlands. The government said that browser companies are now rejecting all security certificates issued by the hacked firm. Microsoft's Internet Explorer, Mozilla Firefox and Google's Chrome will all reject certificates from the company. Apple systems require a manual update. Apple has not made any statement on whether it will revoke DigiNotar certificates. The fake certificates could in theory be used to monitor users' communications with those sites without them noticing, but only by an organisation that also has the ability to reroute internet traffic to servers they control – most likely a government. Iran's government has been suspected of involvement in the hack, which led to the creation of hundreds of fake security certificates used to create cryptographically secure links between users and sites. 
A handful of Iranian users of Google's popular email service are known to have been affected by the faked certificates, which would allow a "man in the middle" attack, where an apparently secure link could in fact be tapped by an intermediary. Security experts noted that earlier this year, Iran announced that it was changing the setup for its domain name servers (DNS) used to make connections to sites – which would give it the ideal opportunity to insert faked certificates into the system. Roel Schouwenberg of the security company Kaspersky warned that the long-term effects of the DigiNotar hack could be more serious than Stuxnet, a computer "worm" that is believed to have been written by US and Israeli computer experts to attack Iran's nuclear facilities by destabilising computer-controlled systems in its uranium centrifuges. "The attack on DigiNotar will put cyberwar on or near the top of the political agenda of western governments," he noted on the Securelist blog. "I remain with my stance that a government operation is the most plausible scenario." He added: "The damage sustained to the Dutch (government) IT infrastructure is quite significant. A lot of services are no longer available. Effectively, communications have been disrupted. Because of this one could make an argument the attack is an act of cyberwar." Source:

IT and Technology Law Certificate Programme

The Institute of IT and Technology Law (Bilişim ve Teknoloji Hukuku Enstitüsü) has made it possible for interested individuals to select courses from its IT and Technology Law Master's Programme in order to obtain a "certificate". To obtain the IT and Technology Law Certificate, participants choose, from the Fall and/or Spring term courses of the master's programme, the fields and subjects they wish to concentrate on, and attend only those courses. Each course runs for 14 weeks. The fee for the Certificate Programme is determined by the number of courses the candidate selects. The programme starts on 26 September; interested candidates should send an e-mail to the address or call 0212 311 5101 for information.

Sweden argues that transposing data retention directive is unnecessary

On 5 September 2011, the Swedish government responded to the European Court of Justice after the Commission referred Sweden to the Court for failing to transpose the Directive on Data Retention (2006/24/EC). Sweden's main argument is that it is unnecessary to transpose the Data Retention Directive, considering the practical effects of existing Swedish legislation. This implicitly means that transposition would be contrary to the European Convention on Human Rights and the Charter of Fundamental Rights, both of which require restrictions on fundamental rights to be necessary and proportional. The Directive on Data Retention 2006/24/EC was adopted in 2006 and the Member States had until 15 September 2007 to transpose it into the national law, and until 15 March 2009 to implement the retention of communications data relating to Internet services. The Directive concerns the storage of traffic and location data resulting from electronic communications. Traffic and location data retained by Internet service providers and phone companies will be made available only to national law enforcement authorities in specific cases and in accordance with the national law. However, retention periods, purpose limitation and access requirements vary vastly across the EU. The European Court of Justice found that Sweden failed to fulfil its obligations to implement the Data Retention Directive in its national legislation on 4 February 2010. Despite this first ruling, Sweden still has not transposed the Directive 2006/24/EC. In the absence of a precise timetable for the transposition of the Directive, the Commission decided to send a letter of formal notice to Sweden in June last year. The Commission asked Sweden for details on the measures Sweden planned to implement the Directive and comply with the Court's decision. Sweden informed the Commission on 21 January 2011 that draft legislation had been submitted to its Parliament in order to transpose the Directive.
The legislation was to be adopted in mid-March. However, the Parliament deferred the vote on the draft legislation implementing the Directive on Data Retention for a year, due to the opposition from a minority of parliamentarians. They used a constitutional rule allowing one-sixth of the MPs to suspend the adoption of a proposed legislation. Following this suspension of the legislative process, the European Commission swiftly referred Sweden for a second time to the European Court of Justice, requesting it to impose financial penalties (Case C-270/11). The Commission asked the Court to impose a daily penalty of 40 947 Euros/day after the second ruling and a lump sum of 9 597 Euros/day for each day between the first and the second ruling. The ECJ will have to determine the level of sanctions and if it will take the form of a penalty and/or a lump sum. In its response to the ECJ, Sweden argues that the penalties are disproportionate considering firstly the fact that Sweden does not often fail to fulfil its implementation obligations regarding European directives and secondly that some other Member States likewise fail to implement the Directive without being penalised by any financial penalties. The Swedish government also indicated that since the first ruling, it has taken all procedurally possible measures to implement the Directive. The delay is due to political and legal matters with regards to the sensitive subjects the Directive is dealing with, such as the right to privacy and those debates are delaying the legislative process. It further points out that this controversy is not limited to Sweden. Moreover, according to Sweden, the failure to implement the Directive does not create any barriers for the Single Market. Bearing in mind the Commission's own assertion of the low costs of implementing the Directive (as described in the implementation report), this seems to be difficult for the Commission to deny. 
According to Sweden, the harmonisation realised by the Directive on Data Retention is only minimal and does not appear to be crucial in achieving competition on the Single Market. In addition, the Directive does not say who finances data retention. It finally appears that the Swedish Government believes that Directive 2002/58/EC on Privacy and Electronic Communications gives the Member States the ability to adopt legislation covering the field of the Data Retention Directive when necessary and that the 2006 Directive's implementation in Sweden is therefore meaningless. The Swedish government especially underlines that the Swedish crime prevention authorities already have sufficient access to data even without the full implementation of the Directive. Furthermore, the differences in the implementations across the EU show the limits of the Data Retention directive and create a lack of harmonisation. According to Sweden, further implementation of the Data Retention Directive is superfluous and unnecessary. The question remaining now is whether the European Court of Justice will follow the Swedish defence on the "necessity" of implementing the Data Retention Directive and the Directive's failure to achieve the task on which its legal base is built - harmonisation. The Commission now faces an unenviable task - it either forces a sovereign Member State to impose unnecessary (and therefore illegal) restrictions on fundamental rights or it accepts the challenge of finally acknowledging the failure of the Directive and the inevitable battle with the Council that will result from any serious effort to fix the broken legislation.

Data Retention Directive 2006/24/EC (15.03.2006)
Judgement of the Court Case C-185/09 (4.02.2010)
Commission refers Sweden back to Court to transpose EU legislation (6.04.2011)
European Commission Application (31.05.2011)
Sweden's response to the ECJ - Case C-270/11 - (5.09.2011) (available only in Swedish)

Source:

Ad industry's do-not-track plan blasted by consumer groups

Top consumer advocacy groups in the U.S. and Europe have just sent this letter to top regulators on both sides of the Atlantic urging them not to be wooed by the online advertising industry's call for law makers to keep their hands off online tracking. The letter was drafted by Trans Atlantic Consumer Dialogue, or TACD, a consortium of advocacy groups that champions consumer protection policies. It was sent to David Vladeck, Director of the Bureau of Consumer Protection at the FTC and Jacob Kohnstamm, Chairman of the Article 29 Working Party. The TACD's letter outlines concerns about a version of a do-not-track mechanism recently rolled out by the Interactive Advertising Bureau, a trade group whose top members include giant data aggregators and online trackers Google, Microsoft and Facebook. The IAB on Aug. 29 required its 500 members to embrace a brand new code of conduct that requires use of a turquoise-colored triangle icon with a lowercase letter 'i' at center; this is the IAB's preferred mechanism for enabling consumers to choose not to be tracked online. "The icon system was designed to quell the growing public uproar over behavioral targeting -- known as online behavioral advertising, or OBA," says Jeffrey Chester, executive director of the Center for Digital Democracy. TACD is asking "both governments to reject the current OBA self-regulatory regime as inadequate, and work with industry and consumer and privacy groups to ensure that significant revisions are made to protect consumer privacy." Chester says consumer advocates are particularly worried that the Obama administration is preparing a new privacy white paper that "likely will rely on this flimsy self-regulatory system as a way to protect consumer privacy." Mike Zaneis, IAB senior vice president and general counsel, counters that he's confident U.S.
regulators and law makers are fully versed on industry's arguments as to why it is vital to continue to let data aggregators and online trackers self-regulate themselves. "We are fortunate enough in the U.S. to have thoughtful regulators that take the time to understand our program and let it fully develop before preemptively deeming it inadequate," says Zaneis. "The FTC wants to read the whole book, whereas others read the first chapter and then write their own ending." Source:

The State of the e-Invoicing Sector in Europe as of 2011

Information on the e-invoice scheme in Turkey, which is run as a monopoly of the Revenue Administration (Gelir İdaresi Başkanlığı), is available at the link "". Our e-invoice scheme, which does not allow an e-invoice sector, a market, e-invoice service providers or companies producing e-invoice software to emerge, is, so to speak, one of the finest examples of a sector being killed before it is born. How far it is compatible with the principles of competition law for a public body whose only task regarding e-invoicing is regulation to both regulate and set itself up as the operator of that business is a separate matter for debate. Another problematic aspect of our e-invoice scheme concerns the Turkish law of evidence. Under both the Turkish Commercial Code and the Tax Procedure Law, an invoice must bear the signature of its issuer. This signature must be either a handwritten (wet) signature or a secure electronic signature within the meaning of Electronic Signature Law No. 5070 and the Turkish Code of Obligations to which it refers. Under our Code of Civil Procedure, in force as of 1 September 2011, documents bearing a secure electronic signature likewise constitute conclusive evidence before the courts, that is, they have the force of a deed (senet). In the Revenue Administration's e-invoice scheme, however, the signature that companies wishing to use the scheme are obliged to use is not a secure electronic signature but the "financial seal" (mali mühür), which has the character of an ordinary SSL certificate. The financial seal is an application developed, at the request of the Revenue Administration, by the Tübitak Public Certification Centre (Kamu Sertifikasyon Merkezi), whose actual task is to provide secure electronic signatures to the entire public sector. Tübitak operates as an Electronic Certificate Service Provider (ESHS) in the electronic signature sector, which is regulated by the BTK under Law No. 5070 and the related legislation; its role as Financial Seal Certificate Service Provider, which is incompatible both with its duties to spread and develop electronic signatures and with its ESHS status, needs to be questioned.
Under the Turkish law of evidence, e-invoices signed with a financial seal certificate have the evidentiary value of "discretionary evidence" (takdiri delil). That is, they fall into the category of weak evidence that does not, on its own, bind the court or the judge. The Revenue Administration needs to explain why, for e-invoicing, which is one of the important applications that would spread the use of the secure electronic signature (itself introduced by a law and related legislation and under the supervision of a regulatory authority), it preferred the financial seal to the secure electronic signature. The Electronic Certificate Service Providers operating in the sector should also pursue the issue through their regulator, the Information and Communication Technologies Authority. While this is the situation with e-invoicing in our country, Europe has a market that grows and develops with each passing year. You can learn where this market stood as of 2011, and where it is heading, from the report prepared by my esteemed friend Bruno Koch:

Europe Taking Much Stricter Stance on do-not-Track Rules

Europe's privacy regulators are advancing toward adopting much stricter do-not-track rules than what the U.S. online advertising industry prefers. A group called the European Union's Article 29 Data Protection Working Party wants to require data aggregators and advertising networks to obtain specific permission from each European consumer to use each and every tracking cookie -- stealthy programs that track where you go and with whom you associate on the Web. The Working Party has been circulating this document prior to a workshop scheduled later this month with advertising industry representatives. The group is insisting on the use of a form containing a detailed explanation about each tracking cookie, along with an acceptance box consumers must check. The check box must be provided by every entity proposing to place each tracking cookie. "Simply put, the Working Party has rejected every (self-regulation) proposal put forward by industry to avoid the necessity of consumers affirmatively consenting to every placement of cookies by every party proposing to place such cookies," says Chris Wolf, privacy expert at Washington D.C. law firm Hogan Lovells.

Why tech giants are worried

Europe's insistence on empowering consumers is worrisome for Google, Microsoft, Yahoo, Adobe, AOL, Coremetrics and Quantserve, the giant data aggregators that conduct the ecosystem of tracking cookies, web beacons and other Web tracking mechanisms. It's all part of interlaced tracking networks comprised of dozens more smaller, independent ad networks, data analytics firms and tracking services. "The Article 29 Working Party seemed to convey the message that it's our way or the highway," says Wolf. "That does not send a message to industry that genuine efforts at self-regulation will be recognized and rewarded. That approach could in fact impede business initiatives to advance privacy." It could also impede the tech giants' direct path to online advertising lucre.
Research firm eMarketer this week issued fresh projections that the U.S. online advertising market will grow 20.2% to $31.3 billion in 2011, up from $26 billion in 2010. A primary driver: improved targeting technology. The more intensely data aggregators can track you, the more they will be able to triangulate your online haunts and preferences. That intelligence, in turn, is expected to boost sales of pricey display advertising. The display ad market is expected to grow 24.5% to $12.3 billion in the U.S. this year, up from $9.9 billion in 2010, according to eMarketer. That assumes, of course, that the current set up of self-regulation of the data aggregation industry prevails. However, consensus appears to be gelling in the U.S. and Europe, among consumer and privacy advocates, as well as regulators and politicians, that self-regulation won't cut it. The concerns raised by the EU are being echoed by the Federal Trade Commission, the Federal Communication Commission, the research community, non-governmental organizations, and certain federal lawmakers, led by Sen. Jay Rockefeller, D-WV. "The online advertising industry has been attempting to persuade the FTC and EU regulators that its self-regulatory program is adequate," says Jonathan Mayer, a researcher at the Stanford University Center for Internet and Society. "It's now clear that EU regulators aren't buying it." Here in the U.S., privacy and consumer advocacy groups are rallying behind Sen. Rockefeller's proposed Do Not Track legislation. It would require use of a simple mechanism that empowers consumers to make a universal request not to be tailed around the Web. The ad networks and data aggregators would be required by federal law to honor such requests.

Co-mingled tracking data

Concern is rising about the advertising industry's widespread practice of co-mingling tracking data from Internet searches and surfing with the information Internet users disclose at websites for shopping, travel, health or jobs. And personal disclosures made on popular social networks, along with the preferences expressed via Web applications saturating cool smartphones and tablet PCs are getting tossed into the mix. Privacy advocates worry that health companies, insurers, lenders, employers, lawyers, regulators and law enforcement could begin to acquire detailed profiles derived from tracking data to use unfairly against people. Rockefeller's proposed Do Not Track law would give the FTC and state attorneys general power to enforce the law and impose penalties for violations. But Google, Facebook and data aggregators have been lobbying hard to maintain the self-regulated industry. Craig Spiezle, executive director of the Online Trust Alliance, says the tack Europe is taking "underscores the chasm between the EU's privacy perspectives versus that of the U.S." Earlier this week, the Interactive Advertising Bureau -- whose 500 members include Google, Facebook and Microsoft -- made it mandatory for all of its members to begin using a turquoise triangular icon to alert users to tracking cookies and give them a way to request a halt to tracking. While the turquoise icon alert is "a significant first step," Spiezle says what's lacking is a "road map" addressing the entire spectrum of privacy concerns. "We need to move beyond this discussion of interest-based advertising, which I believe is a good thing and provides consumer value, to the broader issues on how else is the data being used and who has access to it," says Spiezle. John Simpson, spokesman for the non-profit Consumer Watchdog advocacy group says "the Europeans have exactly the right approach.
They are asking that a consumer must be given the right to opt in before a cookie is placed." Simpson says the IAB's icon alert mechanism is "mostly window dressing." He says if European regulators do end up imposing a strict opt-in rule across Europe, Google, Facebook and the other data aggregators and ad networks will be forced to comply to do business in Europe. At that point, "there is no reason they cannot do the same thing in the United States," says Simpson. "Strict rules in Europe would show the U.S. self-regulatory program to be the sham that it is." Source:

Children Should be Taught Importance of Privacy in Mainstream Education, ICO Says

The Information Commissioner's Office (ICO) said that it was important for children to learn about data privacy and freedom of information (FOI) rights, and that both "should be embedded in the formal education process".

The ICO is responsible for ensuring organisations comply with UK data protection laws, FOI laws and regulations on privacy and electronic communications. It said that it was imperative that children learned about privacy after revealing the details of research into the use of social networks by students.

A survey of more than 4,000 young people showed that 88% of secondary school students and 39% of primary school pupils have a social networking site profile, the ICO said. Most respondents had not read the sites' privacy policies, almost a third did not know what one was, and nearly a quarter said they did not know where to find the information, it said.

"Young people today are growing up in an age where an ever increasing amount of information is held about them," Jonathan Bamford, head of strategic liaison at the ICO, said in a statement. "It is vital that they understand their privacy rights and how to exercise them."

The ICO also said children should be encouraged to "exploit" the growing availability of public data.

The Freedom of Information Act (FOIA) and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by Government departments and public bodies.

Under the FOI laws anyone of any nationality living anywhere in the world can make a written request for information and expect a response within 20 working days. The public authority will be obliged to meet that request unless exemptions apply or unless meeting it will be too costly or difficult.

“By being aware of their rights to access information, young people will feel more empowered to ask important questions about the things that matter to them – be it about their local leisure centre, or what the government is doing on university tuition fees or the environment," Bamford said in the ICO statement.

The ICO said it was aware of existing projects and subjects that teach some information rights, but said schools should adopt the teaching of "information rights issues as part of the mainstream education process – giving young people skills that will serve them well throughout their adult lives”.

The ICO said it was looking for a "research partner" to help develop a new project it hopes will eventually make recommendations on how privacy and information rights can be formally introduced to the education system.


US Government's First Chief Information Officer Slams Cloud Computing Reticence

SECURITY and privacy concerns are "unfounded and ridiculous" excuses used by federal agencies to avoid adopting cloud computing, says the US government's first chief information officer.
Vivek Kundra said the reasoning didn't gel because Washington was a large IT outsourcing customer, using a variety of external suppliers.

"Security and privacy ... in some ways are very unfounded and ridiculous (reasons) because the US government has outsourced over 4700 systems," Mr Kundra, who left his post earlier this month after more than two years in the role, said.

"This is in the hands of Lockheed, Raytheon, Boeing, Northrop Grumman and yet when it comes to cloud for some reason these fears are raised," he said during a panel discussion at the Dreamforce event in San Francisco.

"Government contracts are designed to ensure those provisions are taken care of."

He railed against the billions of dollars lost to "IT cartels", who he said had no innovative bones but were experts in navigating government procurement.

"In federal government alone we spent $US80 billion a year (on IT) and one of the most frustrating issues was to actually see project after project fail because it was based on the old IT model.

"That model was essentially vendors would bid for government contracts and their expertise wasn't superior technology or innovation; it was the fact that they had a PhD in understanding how to navigate the complicated procurement process," Mr Kundra said.

"We cannot continue on that path in this tough fiscal environment that we're in. That is why as part of the administration we instituted a "cloud first" policy, recognising that some of the most major innovation is not happening within the old model of what I call the 'IT cartel' where people continue to win this contract and their objective is essentially to put in as many people as possible and bill at exorbitant rates."

He advised governments, including foreign administrations, that current tough economic times meant they had to find innovative ways to serve citizens more effectively.

He admitted poor return-on-investment decisions were made at federal level.

"The government would award multi-million or billion dollar contracts and you fast forward and ask what value did you get two, three, five, 10 years (later) in some cases and there's negative value."

He cited the example of a US Department which spent 10 years and $US850 million trying to implement a personnel system and "there was nothing to show for it a decade later".

Mr Kundra predicts a major shift to cloud services in the public sector over the coming years as agencies grapple with tighter IT budgets.

"You're seeing across the board agencies, whether they are federal, state or local, having to zero out their capital expenditure.

"When you move away and take away all your capex, you're left with opex. How do you innovate in that space?

"What I would encourage is every government, internationally and domestically, better start thinking about how do you not just look at a model where you do more with more or less with less (but) how do we do much more with less," he said.

In 1998 the government had 432 data centres. Today the figure stands at 2094 facilities.

The US manages more than 12,000 major applications across the federal government, he said. It spends $US24bn on IT infrastructure per annum.

"Think about where all the money is going and think about how we actually serve our constituents because all that money's being spent on redundant infrastructure, redundant application that we're not able to optimize," he told conference delegates.

The cloud first policy that he championed had a few wins. The General Services Administration had shaved IT costs by 50 per cent moving to a cloud model.

In a cloud first policy we're already seeing agencies such as GSA, the Recovery Board and USDA actually adopt the cloud first policy.

Mr Kundra said if $US20bn worth of IT projects were transitioned to the cloud, it would deliver savings of $US5bn.

His views on the benefits of cloud were also echoed in an opinion piece published in The New York Times.


Court Says State Can’t Hold DNA

The state Appeals Court said yesterday that the government cannot unilaterally decide to keep DNA profiles of civilians who willingly provide genetic information to law enforcement as police try to solve crimes.

In a unanimous ruling, the court revived a lawsuit filed by Keith Amato against Cape and Islands District Attorney Michael O’Keefe and the State Police for keeping his DNA profile, which was collected to help authorities solve the slaying of Truro fashion writer Christa Worthington, an Amato acquaintance.

“DNA information is highly sensitive,’’ Judge David A. Mills wrote for the court. “Citizens have a reasonable expectation of privacy in such information. . . . We are not convinced [O’Keefe and State Police] have acted reasonably as a matter of law.’’

Amato voluntarily gave a biological sample in 2002, and has fought for years for the removal of his genetic profile from State Police files, particularly since Christopher McCowen was convicted of murdering Worthington and his conviction was upheld.

Amato has since recovered the biological sample. But his genetic profile, which is developed by processing the sample, is still in government hands, though he has not been convicted of a crime.

McCowen was linked to the killing based on his DNA profile. Like Amato, McCowen voluntarily provided a sample.

A Barnstable Superior Court judge rejected Amato’s lawsuit.

Yesterday’s ruling reinstates it while spelling out the new principle that an individual’s right to privacy can trump state rules on preservation of evidence in murder cases, Amato’s lawyer said.

“It’s a procedural victory for us [and] a ground-breaking opinion,’’ said Mark W. Batten, a Boston lawyer who represented Amato on behalf of the American Civil Liberties Union of Massachusetts.

“The court has said clearly for the first time that state government may not maintain information through some unilateral determination,’’ he added.

In a phone interview, O’Keefe emphasized that Amato was in a group of people who provided biological information during the early stages of the complex, high-profile investigation into Worthington’s murder.

O’Keefe said genetic profiles were never made for about 100 men, chosen at random in Cape communities, who volunteered to provide samples in 2005.

He said that under state rules, law enforcement must hold onto evidence in homicide cases for 50 years. Amato’s genetic profile, he said, falls into that category because he had some connection to Worthington before her death, in contrast to those who were randomly asked for samples.

He said civilian witnesses should back the idea of keeping information in homicide cases for decades.

“I would think they would want a record of the fact that they were excluded, so that no one could, in some subsequent [proceeding] point the finger at them,’’ O’Keefe said.

Source: John R. Ellement,

Registered Electronic Mail Regulation and Communiqué Published!

Registered Electronic Mail, which we have been working on with the Information and Communication Technologies Authority (BTK) since 2008 and striving to put into practice, has finally entered our lives with the Regulation and Communiqué published in the Official Gazette today (25 August 2011).

The Regulation and Communiqué can be accessed via the link.

Website Warning for Companies


The Information and Technology Law Master's Program of the Istanbul Bilgi University Institute of Information and Technology Law will be held in the 2011-2012 Fall Semester, between 26 September and 30 December 2011.

The announced schedule for candidates who wish to apply is as follows:

Monday, 20 June 2011 (Applications open)
Thursday, 8 September 2011 (Application deadline)
Saturday, 10 September 2011 (Interview)
Tuesday, 13 September 2011 (Admission announcement)
13 September - 24 September 2011 (Registration)

Opinion 15/2011 on the definition of consent

The opinion of the Article 29 Data Protection Working Party on the concept of "consent" is available at the link below:

Article 29 Working Party Opines on Consent Requirements

On July 13, 2011, the Article 29 Working Party (the “Working Party”), adopted an Opinion on the concept of consent as a legal basis for processing personal data, which includes recommendations for improving the concept in the context of the ongoing review of the EU data protection framework. The Opinion also analyzes the conditions for valid consent under EU data protection law (that consent must be “freely given,” “specific,” “unambiguous,” “explicit,” “informed,” etc.), and clarifies the obligations of data controllers seeking consent. In addition, the Opinion provides examples of valid and invalid consent with respect to company social media, medical research, body scanners, PNR data and online gaming.

Below are some of the Working Party’s key conclusions:
•Only statements or actions that indicate the data subject’s agreement constitute valid consent. Mere silence or inaction (opt-out) typically will not be viewed as valid consent, especially in an online context. For example, default privacy settings used by online social networks, default Internet browser settings or pre-ticked boxes do not qualify as valid consent.
•Consent must be given prior to the data processing, after providing notice to the data subject. The notice should be provided in clear and understandable language.
•In an employment context – where there may be an element of coercion – careful assessment is required to determine whether employees are free to consent.
•From an accountability perspective, data controllers should implement mechanisms to prove that they have obtained data subjects’ valid consent.
•Reliance on consent does not relieve data controllers of their obligation to comply with other EU data protection requirements for lawful processing of personal data, such as the principle of proportionality.
•If a data subject withdraws his or her consent, the data controller must delete any personal data pertaining to the data subject unless there is another legal basis that justifies continued storage of the data.
•A revised data protection framework should include specific provisions concerning the protection of minors, such as requiring online age verification mechanisms and information that is understandable to children. Consent should not provide a basis for targeting underage consumers in the context of online behavioral advertising.
•The Working Party believes that it is not necessary to include a general requirement for “explicit” consent in the revised EU data protection framework, and takes the position that, in most cases, data controllers should be able to obtain consent quickly and in a user-friendly manner. The Working Party does, however, favor the introduction of a specific provision regarding the right to withdraw consent.


Juror Privacy Issue Sparks Debate

RALEIGH - Two high-profile murder cases have given jurors and potential jurors in Wake County a lingering case of the jitters.

Donald Stephens, the senior chief resident superior court judge, responded by issuing a blanket administrative order sealing juror addresses, phone numbers and questionnaires containing private information.

That drew scorn from public records advocates and media lawyers, who say it violates the constitution and jeopardizes the openness of judicial proceedings.

In two recent murder cases that were broadcast live from the courtroom, jurors have voiced concerns about being dragged into the spotlight and about details of their private lives becoming public.

The judge said he worried that jurors would not give their full attention to a case if they were apprehensive about possible encounters with the media or family of victims or defendants after the trial.

"I'm just exercising the authority of the court to create an environment in which jurors can do their job," Stephens said.

He entered the order in early June, shortly after jury selection began in the murder trial of Jason Young, who was accused of killing his wife.

Prosecutors and defense lawyers had issued all jury pool members a questionnaire that delved into each person's experiences with infidelity, an important issue in the case. Some expressed concerns about their responses being used against them elsewhere.

That case ended in a mistrial, but as it neared conclusion, jurors told court officials they were worried about being rushed by TV camera crews and others after deliberations.

Jurors also had fears during the spring murder trial of Brad Cooper, also accused of killing his wife, in a page-turner case that attracted an opinionated group of bloggers, tweeters and curious spectators. Members of the jury complained that people in the courtroom gallery were staring at them and making disturbing eye contact.

Stephens said his order was prompted by more than the Cooper and Young trials. In recent years, jurors have been asking more and more about their rights in the judicial process, a national trend that has been posing thorny legal questions over the past decade.

Though Stephens typically lets cameras into his courtrooms so the public can witness legal proceedings and have a fuller understanding of a verdict when it comes, lawyers for media organizations have criticized his order as limiting public access to legal proceedings that should be open.

Identifying information about jurors is important, public records advocates say, to maintain open courts set up in the Constitution.

"The records of North Carolina's courts - including information about jurors - are public, both under the public records law and under a specific statute that governs court records," said Amanda Martin, general counsel for the N.C. Press Association.

Steven Zansberg, a lawyer in Denver who explores the effects of digital media on the courts with the New Media Project, has kept tabs on the issue for years.

In 2000, he wrote about the clash between the rights of the public and press to information about jurors and jurors' rights to privacy.

At that time, courts and legislatures in at least eight states had considered measures to limit the disclosure of jurors' names and addresses. Some increased the use of anonymous juries.

Zansberg supports taking up each concern on a case-by-case basis.

OECD Leaders Split on Web's Future

An OECD debate in Paris on internet governance has thrown up conflicting visions of the future, with politicians and consumer groups disputing key issues on web openness and freedoms.

The OECD meeting painted in sharp relief the diverse interest groups at stake, with officials clashing over web freedoms.

The EU and Civil Society Information Society Advisory Council (CSISAC) said they wanted to continue to promote freedom online, concepts that went against the ethos of the main document under discussion - OECD Communiqué on Internet Policy-making principles.

The EU underlined its commitment to an open internet, criticising corporate and governmental processes that could restrict internet development.
“There are pressures – regulatory, political, and economic – to fragment the internet, often along national borders," said Neelie Kroes, vice president of the European Commission responsible for the digital agenda.

"Sometimes this results from legitimate concerns, like personal data protection; sometimes it is just plain censorship.

“But the internet's most important characteristic is its universality, where, in principle, every node can communicate with every other. We must safeguard this.”

However, the OECD proposals, and Kroes, supported a multi-stakeholder approach that aimed to protect copyright holders from internet piracy.

The outlined methods for protecting rights holders came under criticism from CSISAC, which refused to endorse the OECD's proposals despite playing a role in drawing them up.

ISP responsibility

“CSISAC was not able to accept the final draft’s over-emphasis on intellectual property enforcement at the expense of fundamental freedoms," the group said before criticising plans to make ISPs more responsible for content.

“The final Communiqué advises OECD countries to adopt policy and legal frameworks that make internet intermediaries responsible for taking lawful steps to deter copyright infringement," CSISAC said.

"This approach could create incentives for internet intermediaries to delete or block contested content, and lead to network filtering."

CSISAC also railed against the idea of cutting off internet access, as outlined in the OECD's proposal and the Digital Economy Act in Britain.

“Internet intermediaries could voluntarily adopt “graduated response” policies under which internet users’ access could be terminated based solely on repeated allegations of infringement,” the council said.

“CSISAC believes that these measures contradict international and European human rights law.”

Read more: OECD leaders split on web's future | News | PC Pro


Former hacker Kevin Poulsen has, over the past decade, built a reputation as one of the top investigative reporters on the cybercrime beat. In Kingpin, he pours his unmatched access and expertise into book form for the first time, delivering a gripping cat-and-mouse narrative—and an unprecedented view into the twenty-first century’s signature form of organized crime.

The word spread through the hacking underground like some unstoppable new virus: Someone—some brilliant, audacious crook—had just staged a hostile takeover of an online criminal network that siphoned billions of dollars from the US economy.

The FBI rushed to launch an ambitious undercover operation aimed at tracking down this new kingpin; other agencies around the world deployed dozens of moles and double agents. Together, the cybercops lured numerous unsuspecting hackers into their clutches…yet at every turn, their main quarry displayed a seemingly uncanny ability to sniff out their snitches and see through their plots.

The culprit they sought was the most unlikely of criminals, a brilliant programmer with a hippie ethic and a supervillain’s double identity. As prominent ‘white hat’ hacker Max ‘Vision’ Butler, he was a celebrity throughout the programming world, even served as a consultant for the FBI. But as the black-hat ‘Iceman,’ he found in the world of data theft an irresistible opportunity to test his outsized abilities. He infiltrated thousands of computers around the country, sucking down millions of credit card numbers at will. He effortlessly hacked his fellow hackers, stealing their ill-gotten gains from under their noses. Together with a smooth-talking con artist, he ran a massive real-world crime ring.

And for years, he did it all with seeming impunity, even as countless rivals fell afoul of police.

Yet as he watched the fraudsters around him squabble, their ranks riddled with infiltrators, their methods inefficient…he began to see in their dysfunction the ultimate challenge. He would stage his coup and fix what was broken, run things as they should be run—even if it meant painting a bullseye on his forehead.

Through the story of this criminal’s remarkable rise, and of law enforcement’s quest to track him down, Kingpin lays bare the workings of a silent crime wave still affecting millions of Americans. In these pages, we watch as a new generation of for-profit hackers cobbles together a criminal network that today stretches from Seattle to St. Petersburg to Shanghai. We are ushered into vast online-fraud supermarkets stocked with credit card numbers, counterfeit checks, hacked bank accounts, dead drops, and fake passports. We learn the workings of the numerous hacks—browser exploits, phishing attacks, Trojan horses, and much more—these fraudsters use to ply their trade, and trace the complex routes by which they turn stolen data into millions of dollars. And, thanks to Poulsen’s remarkable access to both cops and criminals, we step inside the quiet, desperate arms-race law enforcement continues to fight with these scammers today.

Ultimately, Kingpin is a journey into an underworld of startling scope and power, one in which ordinary American teenagers work hand-in-hand with murderous Russian mobsters, in which a simple wi-fi connection can unleash a torrent of gold worth millions.


The Information Technology Law Master's Program of the Istanbul Bilgi University Institute of Information and Technology Law began accepting applications for the new term as of Monday, 20 June 2011.

Important dates for the program are as follows:

Monday, 20 June 2011 (Applications open)
Thursday, 8 September 2011 (Application deadline)
Saturday, 10 September 2011 (Interview)
Tuesday, 13 September 2011 (Admission announcement)
13 September - 24 September 2011 (Registration)

Digital Agenda: Scoreboard shows progress


Brussels, 31 May 2011 - A Scoreboard has been published by the European Commission showing the performance of the EU and Member States in delivering on the agreed targets of the Digital Agenda for Europe after the first year of its existence (see IP/10/581, MEMO/10/199 and MEMO/10/200). In line with its commitment to an open data strategy the European Commission has made its data sets and statistics in the Scoreboard publicly available online enabling anyone to carry out their own analysis and come to their own conclusions.

Overall progress over the first year of the Digital Agenda has been good, especially on the use of Internet (65% of EU population). But progress in some areas is disappointing, in particular roll-out of new super fast Broadband networks, which is one of the key Digital Agenda goals, even if there is some progress in upgrading existing cable and copper networks.

Neelie Kroes, Vice President of the European Commission for the Digital Agenda said: "A year after the launch of the Digital Agenda I note progress. However, Member States, industry, civil society and the Commission need to do more if we want to maximise the Agenda's potential for retaining Europe's competitiveness, stimulating innovation, and creating jobs and prosperity. I call on everybody to consider the massive long term benefit of acting decisively now, especially in high speed broadband."

The Digital Agenda committed the EU to carry out 101 specific actions (78 for the Commission, of which 31 are legal proposals, and 23 for Member States) which will together boost investment in, and use of, digital technologies. Overall, 11 DAE actions have been completed, 6 actions due in 2010 are delayed and the remaining actions are largely on track.

On the 13 key performance targets (see MEMO/10/200):

Good progress on regular Internet use, online shopping, eGovernment and low energy lighting

Mixed progress in broadband availability and take up

Insufficient progress in cross-border eCommerce, online presence of small and medium-sized enterprises (SMEs), roaming prices and public research.

The implications of the scoreboard will be discussed in Brussels on June 16-17 at the Digital Agenda Assembly.

The Scoreboard shows good progress in:

Regular Internet use. This has risen rapidly to 65% of the EU population (target 75% by 2015). Disadvantaged groups like the less well-educated and the elderly are also using the Internet more, up from 42% to 48%. This brings the 2015 goal of 60% within reach. Non-users have fallen from 30% to 26% of the population.

Online shopping. 40% of EU citizens now shop online, including 57% of all Internet users. More than half of the population in 8 EU countries buys online.

eGovernment: 41% of citizens use eGovernment services, half of whom have returned completed forms online. The eGovernment Action Plan (IP/10/1718) should help realise the 2015 target of use of eGovernment services by 50% of citizens and 80% of businesses.

Promotion of low energy lighting: Solid State Lighting increased its market share to 6.2% in 2010 (up from 1.7% in 2009), making good progress to reducing the energy use of lighting by 20% by 2020.

Mixed progress in:

Broadband availability and take up: Basic broadband is increasingly available even in remote areas. However, deployment and uptake of very high-speed broadband is currently concentrated in only a few (mostly urban) areas. The Commission is working with Member States to implement the strategy to give every European access to basic broadband by 2013 and fast and ultra fast broadband by 2020 (IP/10/1142).

Insufficient progress in:

Cross-border eCommerce: barely growing, from 8.1% to 8.8% in 2010. The Digital Agenda target is 20% of citizens shopping online across borders by 2015. The Commission intends to address this and other barriers to the development of the Digital Single Market in a forthcoming Communication on the eCommerce Directive.

Online presence of Small and Medium-sized enterprises (SMEs): 26% of SMEs purchase online, a rising share, but only 13% of SMEs sell online (up 2 points on last year).

Roaming prices: they fell by 1.5 € cents in 2010, but are still more than three times as expensive as domestic calls. The Digital Agenda's aim is for the difference between national and roamed calls within the EU to approach zero by 2015.

Public investment in ICT R&D: expenditure by public authorities did not exceed the € 5.7 billion baseline of the previous year. A 6% annual growth will be needed to reach the target of doubling to € 11 billion by 2020.

Is the Commission on target?

Overall, progress on implementing the 101 Digital Agenda actions has been quite good. Almost 10% of the actions have been completed, 80% are on track and the remaining 10% are delayed.


The Scoreboard covers the period May 2010 to May 2011. It is accompanied by a series of online reports on specific aspects of the Digital Agenda, such as eGovernment or online trust and security. The Scoreboard incorporates data and analysis previously found in the Commission's annual Progress Report on the Single European Electronic Communications (IP/10/602).

For more information



A profile of each EU Member State, with details of broadband, internet use, eGovernment and telecoms regulatory trends, is available on the Digital Agenda website:


Commission underlines commitment to ensure open internet principles applied in practice

Digital Agenda: Commission underlines commitment to ensure open internet principles applied in practice

The need to ensure that citizens and businesses are easily able to access an open and neutral internet has been underlined by the European Commission in a report adopted today. The Commission will be vigilant that new EU telecoms rules on transparency, quality of service and the ability to switch operator, due to enter into force on 25th May 2011, are applied in a way that ensures that these open and neutral internet principles are respected in practice. For example, the Commission will pay close attention to the existence of generalised restrictions of lawful services and applications and to EU citizens' and businesses' broadband connections being as fast as indicated by Internet Service Providers' advertising. The Commission has asked the Body of European Regulators for Electronic Communications (BEREC) to undertake a rigorous fact-finding exercise on issues crucial to ensuring an open and neutral internet, including barriers to changing operators, blocking or throttling internet traffic (e.g. voice over internet services), transparency and quality of service. The Commission will publish, by the end of the year, evidence from BEREC's investigation, including any instances of blocking or throttling certain types of traffic. If BEREC's findings and other feedback indicate outstanding problems, the Commission will assess the need for more stringent measures.

Neelie Kroes, Vice-President of the European Commission for the Digital Agenda, said: “I am determined to ensure that citizens and businesses in the EU can enjoy the benefits of an open and neutral internet, without hidden restrictions and at the speeds promised by their service providers. I am a firm believer in the principles of competition, which are at the core of the new enhanced telecom rules on transparency, quality of service and the ability to easily switch operators. Over the next few months, in close cooperation with Member States' regulatory authorities, I will be closely monitoring respect for new EU rules to make sure that they ensure an open internet. At the end of 2011, I will publish the results, including any instances of blocking or throttling certain types of traffic. If I am not satisfied, I will not hesitate to come up with more stringent measures, which may take the form of guidance or even general legislative measures to achieve the competition and choice consumers deserve. If this proves to be insufficient, I am ready to prohibit the blocking of lawful services or applications.”

There is no set definition of 'net neutrality' but it will be a legal requirement under EU law as from 25 May 2011 that Member States' telecoms regulatory authorities promote the ability of internet users "to access and distribute information or run applications and services of their choice" (Article 8(§4)g of the telecoms Framework Directive 2002/21/EC, as amended by Directive 2009/140/EC).

Other rules directly relevant to net neutrality that enter into force on 25 May as part of new EU telecoms rules include requirements concerning:

transparency (e.g. any restrictions limiting access to services or applications, connection speeds)

quality of service (regulators can set minimum quality levels) and

the ability to switch operator (within one working day).

Service transparency

Consumers are entitled to make informed choices about their internet provider on the basis of adequate information about possible restrictions on access to particular services, actual connection speeds and possible limits on internet speeds. There will be an obligation for telecoms providers under the new EU telecoms rules applicable from 25 May 2011 that consumers are informed – before signing a contract – about the precise nature of the service to which they are subscribing, including traffic management techniques and their impact on service quality, as well as any other limitations (such as bandwidth caps or available connection speed). BEREC has reported that the majority of Member States' national regulators received complaints about discrepancies between advertised and actual delivery speeds for an internet connection.

Blocking or throttling of lawful internet traffic

Blocking can take the form of either making it difficult to access or restricting certain services or websites on the internet. For example, some mobile internet operators block voice over internet protocol (VoIP) services. Throttling, which is employed to manage Internet traffic and minimise congestion, may be used to slow down certain types of traffic and so affect the quality of content, such as video streaming provided to consumers by a competitor. Today's report shows that there have been some instances of unequal treatment of data by certain operators. Although in many cases these were solved voluntarily, often after intervention by Member States' national regulatory authorities (NRAs), more accurate information is needed to distinguish cases of contractual or "de facto" blocking from those subjecting access to certain services to additional payment, and on the extent (isolated or generalised) of the blocking practices detected.

Internet traffic management

Most internet users can accept that an email takes a few seconds to reach its intended recipient, but a similar delay in online voice or video chats is disruptive. Today's report highlights the general consensus that traffic management is necessary to ensure the smooth flow of Internet traffic, particularly at times when networks become congested, and so guarantee a consistent good quality of service. There is broad agreement that operators should be allowed to determine their own business models and commercial arrangements. However, some parties are concerned about potential abusive traffic management, for example, for the purposes of granting preferential treatment to one service over another. The Commission and BEREC are monitoring the situation.

Switching internet service providers

The Commission's report confirmed it was crucial to ensure that consumers can change operators easily. The new telecoms rules on number portability, which will require that consumers be able to change their operators and keep their numbers within one working day, should help in this regard. The new rules also make sure that conditions for contract termination do not represent a disincentive to switching. The Commission and BEREC will examine how switching takes place in practice.


The net neutrality report follows a Commission commitment, at the time of adoption of the EU telecom reform package, to report to the Parliament and Council and reflects comments made during a public consultation (IP/10/860), which attracted over 300 responses (IP/10/1482), and wide discussions with interested parties including a summit organised with the European Parliament.

