Welcome to the new talk, the new European surveillance landscape, to those of you who are not at the lake. Yeah, so those of you who are still here, not at the lake, are really serious about this topic. This talk is about the investigation agencies in the EU coming up with new political measures and new laws that increase surveillance and decrease our rights as citizens. Our speaker is Matthias Monroy, who's an activist and journalist, and he will talk about this very topic. So a round of applause, please.

Thank you very much. I want to give you an overview of what we can expect in the coming years, because after the election of the European Parliament there are new plans, but also plans that continue working on some old plans. I want to show you the most important aspects, and I will talk about decrees and guidelines that matter here.

An important topic is the decree on the prevention of distribution of terrorist internet content. You guys probably know it under the name upload filter, which tries to prevent bad content. A proposal exists. The European Commission usually has the task to make a proposal, and then the Parliament and the Council of the European Union negotiate the laws. And when the European Parliament creates certain these are then with these in team. And then the committee has so far not processed the upload filter plans, but the Council still has to acknowledge and accept it, and this whole procedure takes several years until the final laws will have been created. So what's really interesting is that the parliament
has said that in principle they agree with the decree, especially the removal of internet contents. But they still negotiate if this should be across borders, if the instruction of removal should function across borders. If the LKA in Germany wants something to be removed, then this would only function in Germany. Now this is an ongoing negotiation, and most likely it will be loosened in the future, because there are already people working on this on the political level. For instance, the Europol police unit already runs a reporting office for illegal internet contents, and then this police agency passes on these reports to the internet providers as removal requests. But these are still only referrals, so they are not legally binding, and the providers do not have to follow the orders of Interpol. But still the fraction of deletions is very high, so it's about 85 percent. And we can see that basically only the laws are, so even though everything works already in practice, there still have to be laws in place that make everything official. But even now there are websites being targeted which are illegal, and of course they also want to extend the whole framework to cyber crimes. So still this is all voluntary, but it's still being made official.

After the Christchurch attack there were. The presentation will also be online. So I've also collected these things here, and I've also put the links in here. I think the most important thing right now is this Christchurch Call. Tomorrow at the G7,
I'm pretty sure they're definitely going to remind people of the Christchurch Call again, and will tell you, well, after Christchurch it is especially important, and there's some kind of routine based on which states essentially remove particular types of content from the internet.

Another thing that's going to be really important here, which has been prepared in the background, is something in the EU which is the so-called EU Internet Forum. It was initially a voluntary event with big internet companies such as Facebook, which participated in it voluntarily. So they met voluntarily with the EU Commission to discuss the system of voluntary content removal and how to improve the system. But the EU used this forum to put pressure on these companies and to essentially force them more and more to implement what are essentially simply requests for takedowns rather than actual binding forces to take them down. So there have already been trips to California. Usually they meet at Facebook or Google and they think about. So that's also something that happened after Christchurch, and so they discuss together how you can take care of a case like this where you need to do something very quickly, right? So the question is how can you do this as quickly as possible, which is not necessarily a legal way, right? So the question is how do you remove content as quickly as possible?
So I've described all of this in a more roundabout way this time because I want you to know that this initiative, in terms of the legislative initiative, is very much still at the beginning, but de facto these states have already pushed this very far. So I think the question is how much the EU Parliament and also national parliaments still have to say as part of this process.

The next topic is electronic evidence. This is about data that cross borders or are on servers cross-nationally, so for example the cloud, and how that data can be confiscated. That's also already possible now. For example, if someone is being investigated by the police, you can request a provider to provide the information that they have about this individual. That's something that happens based on international law right now, and that's something that can take a while. And so police and other investigative agencies essentially want to speed up this process and want to be able to directly request this information from providers. So there's also a suggested decree.

One thing that I need to say here: the difference between a decree and a guideline is that a decree is something that is much more comprehensive, so it has to essentially be implemented from A to Z very specifically. But if it's just a guideline, the member states of the EU can come up with their own laws and essentially have these laws in different ways that vary on the national level, and they can also adjust them nationally and, for example, weaken them on the national level as well. But in this case they specifically went for the format of a decree because it is a pretty far-reaching demand. Way less has happened here than with regards to the upload filters. So there is no official point of view of the EU Parliament yet. That is something supposed to be published in the fall. So one question is what does the EU want with a decree like this?
Especially if most of the important providers are not even in the EU. So that's why there are now negotiations with the United States, who have a similar system called the CLOUD Act, to essentially make the CLOUD Act and this EU e-evidence decree compatible and to allow mutual requests for information between these two legal systems. What's important here is that the European Council can essentially have these negotiations happen without the EU Parliament being involved. So they essentially have no say in this. These negotiations have actually already happened. The Trump administration says, well, generally we're open to something like this and for these mutual requests. So you can ask for information in the US, and the FBI can also directly send in requests for information in Europe. And the US government essentially wants to expand this to telecommunications. It's unclear what exactly they're talking about in that case. That's something that's being negotiated right now. But basically what they're asking for is that they want to be able to listen in on telephone conversations in Europe, so it's not just supposed to be about internet, but also the telephone data. And so we need to keep an eye on this to see where that goes.

Another similar story is also happening on the level of the European, not the European Council, but the. So it's not an EU institution, but it's something that also includes, for example, Turkey and the US. And they already have some kind of agreements, and that's something that's supposed to be expanded to access to data and internet data as well. And so yeah, I think these are the two really extremely important things: one is the upload filter and one is the other thing on electronic evidence.

So now we're talking about another big topic, which is interoperability. So Mr.
de Maizière, the previous minister of the interior in Germany, talked about this. So there are several decrees that are being changed right now. So this is about two police databases, and I'm going to present the six most important to you. So I'm just going to kill you all with this very, very easy to understand graphic first. I also have a link for this, but if you want to understand this you cannot avoid this. This is something that the European Commission published two years ago. That's all databases that the EU is essentially running and that the EU is planning to run in the future. This gray area is something that we're not interested in; that's basically all the national systems. But we're interested in everything that's in this blue circle, in this blue bubble. And of these databases I want to talk about six. They're supposed to be essentially fused, and these are databases that include biometric information such as fingerprints and pictures of your face. So that's six different databases that were created for six different purposes. These are done in silos, and this data is supposed to be concentrated and essentially centralized in one single database where they can be searched. So I'm just going to present these one by one. This is all six of them. What also didn't pass here, another thing that's supposed to happen, is that once the central database exists where you have the picture of everyone's face and everyone's fingerprint.
So that also includes third states. So not just people who are asylum seekers or asking for a visa, but for example someone who enters the EU for tourism purposes or for business purposes. Those people all have to provide their biometric data, and all of that would be in this database. And so in the background these are going to be compared for whether there's something that looks suspicious, for example if someone has a fingerprint that is linked to two different identities. It's supposed to be easier to search these things. So they're supposed to be in one interface that essentially accesses all six databases at the same time, so you don't have to look at them separately, to essentially lower latency and require less time for the searches. And so this decree already exists, so the decision exists. Another question is how to implement this technologically. The European Commission is going to publish further decisions on the technical implementation, but basically this is already being prepared right now. And so I just want to present these six databases that are going to be centralized here. The most important one is the Schengen Information System.
That is the big European Union police database that currently includes 85 million bits of data, but that's really bits of data. So it's something about, for example, stolen vehicles, stolen cars. And there's maybe one million people that are also included in this database, and for many of these they actually have pictures of their faces and they have fingerprint data. And so this one also will have certain kinds of innovations, and there are going to be updates. So once all of these will be centralized, of course the decrees are to be changed for each database as well. That's good. And that's also something that's going to make these databases stronger. So for example, one thing is that they're going to create a new fingerprinting system. So for example, it's something that's supposed to be, once you're somewhere where a crime was committed, you should be able to essentially search the entire database right away from on the ground.

Another big important database is the Visa Information System, where everyone who applies for a visa in the EU has to provide their fingerprint and a picture of their face. And this decree is also something that hasn't been passed yet, and so these changes have not been passed yet. Potential changes here are related to whether children also have to provide fingerprints. Right now.
It's mandatory from the age of 14 years onwards, and the European Council essentially wants to lower this minimum age to six, so that children from the age of six onwards would have to provide fingerprints.

Another important database is the fingerprint database for asylum seekers, which is pretty big. And I think that's something where you can also tell how this works on the EU level. It was initially created to be able to identify people who requested asylum in different places, maybe under different names, and then they realized, oh my god, it's so useful if we have hundreds of thousands of fingerprints in this database and the police can use this, and so they can use it to look for criminals. And so in hindsight they essentially changed the decree and expanded the purpose of this database. So wow, all of a sudden police can also just access this data of asylum seekers. And this database is also the first one that's going to be expanded to faces and pictures of faces as well, so you would be able to search for faces as well in this database.

And then there's a database that lots of people don't know, which is a database of people who have already been sentenced. It's also an EU-wide database where everyone who's been sentenced to anything by a court, which I know which condition, you also need to provide biometric data. So those people are essentially included in this ECRIS database, the European Criminal Records Information System.

Then there are two more databases that have been decided upon but that don't exist yet. The first one is an entry and exit system.
So there's a decision that this entry-exit system should be created. So regardless for what purpose you enter the country, you essentially end up in this system. If you're from a country that is not an EU member, so if you don't have a passport from an EU member, you have to provide your biometric data, and it's going to be saved in this database. And this is something that's supposed to be implemented in 2020/21. And so there are several security research projects that are looking into this right now, and that's extremely interesting because people are saying, well, if people have to provide their biometric data and that's not contained in the passport, so we're taking biometric data from these people, that essentially slows down border controls by maybe two minutes, and that also means border controls are going to take more time. And so they're trying to optimize this by using security applications that essentially automate this, so that people can for example provide their fingerprints without touch, or like that's some kind of kiosk. These are my children. So some airports already have these self-service kiosks. And so in the future you might be able to use these to essentially save your fingerprints and your face and then get kind of a token, and you go to the border, and so then at the border they only have to put that data into the database. So there are several research projects into this right now.

And then there's another system for registering your travel. So if you've ever been to the US, you've probably heard of ESTA. Before you go you need to tell them, well, I'm coming on this day, I'm going for this particular purpose.
Maybe as a tourist, going to stay for such a time frame, and I'll probably be staying here. So you need to provide that information before you travel. And this picture is from an EU security research project, and this is the avatar that they're using as a lie detector. So basically you have to talk to this avatar, which will ask you 15 questions. These are pretty simple, something that someone at the border would also ask you. But this avatar has the ability to essentially detect with your webcam, so you basically have to respond through a webcam. So this is something that you'd be doing from home. I mean, most of you probably not, because you probably have your passport. Someone who's coming from outside of the EU. And so this avatar is essentially supposed to recognize whether someone is nervous when responding to certain questions, and that would then mean that once that person actually comes to the border, they would actually be questioned more deeply. So there's also lots of security research going on in the background right now for these new information systems and to optimize these new information systems. And obviously that's also big business for all these companies that provide biometric data applications.

Now a different topic that I also consider important and that is not getting enough attention. You might know the term "follow the money": to use financial data to pursue suspicions. And this is of great value, because then we know who has sent money to which other person and who has switched bank accounts, for example, and it's like a data retention, or some form of data retention. And according to the money-laundering decree there is a new plan that the national registers are being combined, and I want to mention this. And when I say data retention, then I say this just shortly because you guys know a lot about it already. So I mean, the data retention is somewhat cancelled, but then again there are new plans to introduce
something very similar, despite the EU court saying that this is not possible. Politicians still plan to have something like a restricted data retention, even though it is actually not restricted, and they try to say it's just a regional data retention. For example, we define that countries in which there was a terrorist attack have regions of elevated risk. So for instance Belgium and France are therefore allowed to introduce data retention for six months. So these are the ideas that politicians are throwing around, while in practice I don't expect that it will be a restricted data retention. It will be a full data retention. And the people who work on this from our side are people from Digitalcourage, who try to work against these plans.

And there's also another system that manages DNA traces, and with this system it's possible to look up DNA traces for all of the EU's countries. And now this system will be extended for facial recognition, because politicians say, hey, it would be good to have this. And well, it still applies what I said before: it's being prepared, but there are no laws yet, and it will likely come, and we will have face recognition at the borders. And of course it's not like high tech. It's something that police agencies already do, but they only have access to national databases, and right now they only contain records of people who have been under criminal investigation, and now the plans are to extend this to the whole European Union.

And there is another project that is very much under the radar, even though I think it's very important. It's being tried on a technical level to develop software that makes it easier to request information. It was developed by the German federal police, and they want to make it easier to retrieve data, so that all the police records are being connected and made available across borders. And if you follow the politics or activism
then you see how loose the police is sometimes with their own guidelines. Even if the person is actually not sentenced to anything, there is still all of this data about the people who were investigated, and they are kept somewhat indefinitely. And it's getting the person in the other context, and if a person has been on an investigation in the past, then of course these records are still available for new research and new investigations. And that's why it's this lick the smear some of them, and yeah, I wanted to mention this. And also people who disrupt public peace are being recorded, or basically the German federal police wants to keep track of these people. And they want to share this across borders, and with this adept system this will be a lot easier, and it's political.

And then there's the EU passenger system, so that the airlines are required to send data about who has booked which flights. And there are plans to extend this to trains and ships as well, but this is still very much under dispute, because then you have to control the access to the trains, and this is an infrastructure that currently doesn't exist. There are some countries that say, yeah sure, we can arrange that, and there are other countries like Germany that say no, this would be very problematic for our high-speed rail network. And so for instance the German train agencies are against this.

So, two more slides on Europol, which will be extended. Europol is getting new competencies all the time. One of them is decryption. So there is a plan to create a decryption unit of Europol, and what should be highlighted is that
Europol is not responsible for decrypting themselves but for transferring knowledge and competence to national police agencies so that they are able to decrypt encrypted data. And so Europol will basically facilitate encryption and make it also much cheaper for police agencies to decrypt without being reliant on commercial companies. Documents, and yeah, also telecommunications: Europol should also help to decrypt telecommunication data, including end-to-end encryption. And most likely this will mean that they will deploy Trojan horses, and the establishment of this competence center in Europol is well underway at this moment.

And finally, there is something else about Europol: there is an agreement with other countries outside of the European Union. So there are some strategic agreements, which is by itself not something new. So for instance in the fight against drugs they cooperate a lot. I have the shot. So I've enumerated the countries for which they want to exchange data about individuals. And under dispute is the agreement between Israel and the EU, because the EU doesn't recognize Israel's occupation of particular areas, but after 1967, I think. But basically there are police stations in that area, so essentially by working with police that works in these occupied territories, that could be considered kind of like an informal recognition of these occupations. But the Commission already has a mandate to negotiate there, and so the European Commission is already negotiating with these states. That's it.

So I just want to say something about this picture. I put a few pictures in here, and this one, the first one in particular, is from one of the security research programs, which I love to read because it's one way of figuring out where we are going. But they're also full of kind of showing off, right?
So they just assume that everything is going to work out and going to be possible. This particular picture is part of the program Red Alert, which is essentially supposed to look at the dark web and uncover the identities of people who are using it and identify these people. So, yeah, that's that. Thank you.

Please, one round of applause. Well, yeah, thank you so much, Matthias. So we have roughly ten minutes for Q&A. This is your opportunity to ask follow-up questions to Matthias. We have two living microphone stands in here, so if you have a question, please walk up to one of these people and ask your question via the microphone. As far as I can tell, the internet seems to be at the lake as well, so they don't have any questions, but you can ask questions. Ask yourself, what do you want to know from Matthias? Ah, there's someone. First question.

Yeah, I think it's open. Yeah, I think it's open. Okay. So I have a question about the database that collects information from people, or is supposed to collect information from people, who use trains in Germany. Because you usually buy tickets online, and so that already ends up in a database. And I've also heard that they are considering whether they might just get rid of the regular ticket machines, but you can just use cash to buy tickets. So wouldn't that itself essentially make surveillance much easier, even without having a check-in at the airport?

Yeah, so I've heard style check-in.
Well, I'm actually skeptical whether Germany is going to participate in something like this or going to come around to participating in something like this, and if they do, with many, many restrictions. Because right now it's also possible in Germany to book a train ticket very spontaneously. So you just go to the train station, get a ticket at the ticket machine for a train that leaves in 10 minutes, and a system like that would be much more difficult under these circumstances. So I'm extremely skeptical. There's lots of disagreement amongst the states as well, and I have no idea whether this is actually going to happen. If yes, I think the entire German train system would have to be changed, turned on its head completely. And I'd rather imagine that maybe some individual states might say that they will do it. So the Netherlands, Belgium, France and the UK are negotiating this right now. These are the countries who already have these trains where you need to register beforehand, where it's also something that is checked in some of these cases. So I think what's going to happen is that these countries are essentially going to cooperate, and so there's going to be no EU expansion on this. So there's going to be an EU train passenger system, but a multilateral system that several countries just participate in on an ad hoc basis.

Thank you so much.
And so the second mic in the back, please.

Hello, I have a question about one of these graphics that you were showing us in the beginning. I think the picture showed requests for deletion. In the first part it primarily contained archive.org, and then towards the end there were other websites, but there were no absolute numbers. So I just wanted to check whether you had any more details on that or were able to provide any additional details, and where you got that graphic.

Oh, yeah, so this graphic is something that is. So I didn't even mention this, because there is already a deletion database where several big websites came together, and once content has been deleted they essentially put deleted content into a hash file, so once re-uploaded, they don't even get uploaded onto the internet but can be deleted right away. So that's what we call upload filters. This is something that's happening on a voluntary basis, and several companies essentially came together. In the beginning it was all the big ones. I don't quite remember; I think it was Google, Facebook, Microsoft. They're definitely part of these every single time. And then later on there were smaller ones that joined them as well. And this cooperation, this global hash database, is being run by the global counter-terrorism initiative, I think. And I'm also linking to those on this particular slide, and they're the ones who published this graphic, because they essentially looked at which websites are affected by deletion requests, or primarily affected by deletion requests. So I'll put that up on the Fablan website.

So one more question from the front.

Hello, thank you for the presentation. My name is Peter. I have two questions.
I'll just ask two of them at the same time. Yeah, okay, first one. You presented this database in the beginning, which was an entry-exit database, or like one was a migrant database about people who come from countries that are not part of the EU. Are there any plans to also connect these databases to biometric databases that are being created right now as part of, for example, creating and giving out new IDs in Germany? So are these national databases going to be connected with those? So that's the first question. The second question is much more direct. So these decrees and these decisions that you mentioned are in some cases still in the middle of the political decision-making process, so in some cases some nation states can still get involved with that. And so maybe we can talk about that afterwards, but.

Yeah, of course. As usual I will be available for questions after this talk. You might also notice that I feel a sense of urgency with this, because for me it's also important that there is movement against these things and there is pressure against these things, because I'm also very interested in how you can get people who are involved in certain policy interested in these topics. And the other question, so the first question, whether biometric data from national databases, for example from German citizens that are already in the German registration system, whether that data is going to end up in the database.
So for now there is no intention of doing that. So this essentially only includes databases that have data of people who either had to be registered somewhere for some reason or who essentially ended up in a criminal database system. For example, if you end up in the Schengen Information System, that's not only criminals, but that also includes people, for example, who have to be deported or who are told that they have to be deported from the EU. So that's actually the largest part and the majority of people in that database. So it's not actually a database of criminals, but it's primarily a database of foreigners. So anyone who had to provide their fingerprints to the state at some point, all of these people are being put together as part of the interoperability decree. And then add on to that the data of people from non-member states that have to cross one of the EU borders. But again, this is also something where the decree is already signed, essentially. So if you're a national of an EU member state, you will get checked more thoroughly, you may have noticed that, in the recent past. So they check a larger number of databases, but nothing is being saved in a database anywhere. So for example, if you were in Turkey or you come back from Latin America by plane from your holiday, then once you cross the outer EU border, no information about that is being saved anywhere. If you are from a different country, so if you're not an EU national, that information is being saved in a database. So after the attacks in 2015, France demanded the system that was kind of in the middle of being built and is now technologically still in the middle of being created.
So France demanded this to be expanded to EU citizens. That's something that didn't happen back then. But as usual, often you only need a single reason to say, oh well, now we have this great system, and we already have the fingerprinting system, it's really easy and nobody notices this, so it might be useful in the future to have a protocol of who crosses borders where and when. So usually these systems are expanded afterwards.

Great, so there's another question in the back.

Hi, I'm Chris, I'm from Switzerland. So there are rumors that Switzerland will actually take care of the database. Is that rumour true? Because observed from the outside it would make sense, because then no one is really doing the dirty work.

So yes, Switzerland is actually part of some information systems like the Schengen Information System, and therefore they are also involved in the interoperability of the databases, because the Schengen Information System is used and queried as part of border crossings. If Switzerland will participate in the whole system, I don't know, but I don't think so, because there are some databases involved that Switzerland does not use. Of course the system could be configured in such a way that Switzerland only had access to the databases that are shared anyway, but ultimately, yeah.

So thank you very much. If no one else wants to know something, neither physically nor from the internet, then I'd like to have a warm round of applause for our speaker. Thank you very much to all technicians and the translation angels. If you want to spend another applause, please.