Flying from Berlin to Brussels without showing any ID
It was really surprising to see that there was absolutely zero control of any
ID on the flight between Berlin and Brussels. I'm well aware of the marvels
(and data protection nightmares) associated with the Schengen agreement. However,
zero form of identification on air travel was really a big surprise to me. Not
even my flights inside Germany had this 'feature'.
How did this work? First of all, I booked the tickets through a travel agent
quite some time in advance. No form of ID required (though he has my banking
details). Next, I did a Lufthansa online check-in from my home, printed the
boarding pass. At the airport, I used the self-service luggage drop-off counter.
Then I went directly to the security check, and then to the gate. During the
entire time, nobody asked for any form of ID.
So if I had bought the tickets with cash rather than by bank transfer, it would
actually still be possible to travel under a false name and thus anonymously.
Amazing. Am I missing something?
[ /politics |
permanent link ]
Disrespect for election observers in Hessen
My fellow friends from the CCC have tried their
best to observe the elections in Hessen (Germany) yesterday. The amount of
resistance they've met is more than shocking. If you want to read more about
this (in German), I'd suggest reading Frank's blog entry, Holger's
blog entry and the official CCC release on this subject.
In fact, in some of the municipalities the election supervisors have received
official statements warning them about the CCC's intention to disturb the
elections. What nonsense is this ?!?
Having been part of a CCC election observer team in the past, I can only state
that this is beyond anything that we've seen before. Why would there be any
resistance against quiet and peaceful observation of the elections?
The CCC election observers have absolutely zero history of ever having
disturbed an election in any possible way. I'm sure you can ask about any
municipality that has had first-hand contact about this. We know the laws and
regulations very well, and want to do nothing else but to _observe_ the
[ /politics |
permanent link ]
Securitization
A friend of mine (who has studied political science) recently told me about
the process of securitization.
Finally I know a word for the process that seems so commonplace in today's politics: Framing something
that is actually a minor problem with some criminals into a question of
essential survival, thus eliminating any rational debate about it.
[ /politics |
permanent link ]
Overwhelming participation at Demonstration against Germany's new surveillance laws
On Saturday, I attended the Freiheit statt Angst demonstration
in Berlin, which aimed at protesting against the various new laws and
regulations increasing the surveillance of the German government on its
citizens. I assumed it would be again one of those niche events like the
demonstrations against software patents, with some 200 people. To the
contrary! The organizers counted 15,000 demonstrators, and even the police's
initial estimate at the beginning of the demonstration was 8,000.
This really is a big step forward. Apparently it's not only the "generation
Internet" that is sick of the ever-increasing cut down on civil liberties, data
protection and privacy. That being said, 15,000 is still too small a number
for a topic that affects everyone in this country. But even a demonstration of
that size doesn't happen every day in Berlin, so it's not that easy to
completely ignore either...
Don't miss the photos of the
demonstration
[ /politics |
permanent link ]
becoming a self-proclaimed election observer
Today I will leave for the German state of Sachsen-Anhalt, as part of a CCC group that will observe the use of electronic
voting machines (rather: voting computers) at the elections there.
Our main focus is to witness and collect evidence of the many shortcomings in
even the current (by no means sufficient) rules and laws on the security of
those devices.
As a Dutch hacker group in cooperation with the Berlin CCC has demonstrated
before, the voting computers in question are by no means safe against
manipulations - neither are the corresponding safety procedures and measures.
[ /politics |
permanent link ]
Voting Machines: Complaint against last German Bundestag elections turned down
As several sources have reported, the German Bundestag just decided that the
formal complaints of voters against the use of insecure voting machines in the
last Bundestag elections are void.
The Bundestag decided to reject those complaints by using pre-worded statements
from the Ministry of Interior, some of which can be technically proven to be wrong.
It is a real pity - but what do you expect if you ask those people who got elected,
whether they accept that election ;) It's also quite embarrassing to see such
complaints being dragged on for more than one year. We're talking about
complaints about the elections on September 18, 2005. I think this
says a lot about the state of democracy in this country, and the carelessness
of those in power towards a fair and equal election process.
This is why the original plaintiffs now are preparing a lawsuit in front of the
federal constitutional court. In order to be filed, some 100 signatures of
German voters in support of this lawsuit are required. This shouldn't be a
problem, since a petition against the use of voting machines has drawn some
48,000 supporters without any trouble. You can find more information about how to
support this complaint of unconstitutionality on the homepage of Dr. Ulrich
Wiesner.
[ /politics |
permanent link ]
Nedap voting machines in Europe
The regular reader of this weblog might have noticed that for
more than a year I've had an interest in the use of voting machines in
elections, specifically in Germany.
While my many other interests and projects have not allowed me to look into this subject
as much as I wanted, some of my friends of the Berlin CCC have collected a lot of
information on voting machines (German) and also actually had a chance to do some hands-on security research together with our Dutch hacker friends.
Yesterday, their joint activities became public. First in a TV show that has
been aired in the Netherlands. German media reports are
catching up today. Expect some more coverage following up the CCC press release, such as this one.
Now what was actually discovered?
In short:
- That there are many possibilities for manipulation
- That a proof-of-concept firmware for election manipulation on a Nedap
machine has been developed
- That the Nedap machine can be re-programmed just like any other computer, e.g. to
turn it into a chess computer
- That the Nedap machines actually have spurious emissions that can be used to detect
which party / candidate is currently being voted for from a distance of at least a
couple of meters by using a small radio receiver with earphones.
- That any contemporary cell phone or Digital TV set-top-box has employed more security
mechanisms than those voting machines. Cryptographically signed boot
process? Signed applications? Trusted Computing? Such technologies are only employed
for the protection of important data, such as commercial audio and video recordings.
Unimportant matters such as democratic and free elections do not require any such
secure technology, but use 1980s home computer technology.
- That the legal requirements on the technology of voting machines in the
Netherlands and in Germany do apparently not even come close to identifying
(and preventing) the most basic IT security threats.
Therefore, the use of such voting machines must be halted immediately, at least until
an independent board of renowned international IT security experts has been drawn to specify
new technical requirements on their security, and until all old machines have been upgraded or replaced by such machines that follow those requirements.
Because any reasonable set of security requirements will inevitably lead to
machines that are by far more expensive than those currently in use, it becomes
even more questionable to build and use them in the first place. Why should a
few hours quicker election results ever be worth even only the slightest
increase in risk of election manipulations?
[ /politics |
permanent link ]
Experiencing China's Internet censorship
I've always wondered how China actually implements their Internet censorship,
and how effective it is. I could have probably found out by doing some online
research, but as with many things it just never happened.
Since I'm now using it every day here in Shanghai, I think I have a pretty
clear picture of what is going on. Apparently all they do is some URL based
HTTP filtering, and black-holing those requests. I'm not sure whether they
actually filter all traffic to the black-holed IP address (which could shadow
thousands of other virtual hosts on the same address), or actually only filter
individual requests.
So apparently they're just blocking the technically unsophisticated regular user.
Anyone with some basic network knowledge could easily work around those
restrictions - though it probably would be highly illegal.
So basically all the websites I want to access - including those that
definitely contain content that the Chinese government would dislike.
The only thing that is lacking from the web for me is Wikipedia. But well, if
you google for the term that you're searching in Wikipedia, then Google will
happily give you the Google cache of that page ;)
But there's definitely no filtering on ports such as SSH or IMAPS. I can
transparently access my IMAPS-secured mail server, I can ssh to my machines in
Germany, everything working quite fine. Obviously any kind of tunnelling would
give me access to the free world.
So all in all, (luckily!) not very effective, from my point of view.
Now I hope that the Chinese authorities don't see that posting before I leave
the country, interpreting it as a 'censorship protection circumvention
technology', or actually put my blog into their filters ;) This page is
uploaded via HTTPS, so at least they won't see this message _leave_ the
country.
[ /politics |
permanent link ]
Data retention is no solution
One year after Germany decided not to have a national law on data retention,
the European Union moves towards data retention legislation.
Apparently now the European Commission and the European Council are both
competing with proposals for a directive on mandatory data retention of all
telecommunication meta-data for up to three years. Meta-data includes MAC
addresses, IP addresses, Email addresses, phone numbers, IMEI numbers, location
of the base station from which a mobile system initiated the call, and many
more (it's a two page listing!).
If you are an EU citizen and think that data retention is invasive,
disproportionate and violates the European Constitution on Human Rights, please sign this petition at dataretentionisnosolution.com.
[ /politics |
permanent link ]
No legal basis for voting machines in Germany?
According to press
coverage, in today's parliamentary elections (Bundestagswahl) some 5% of German
voters will be forced to cast their vote on electronic voting machines.
However, those voting machines have no paper audit trail, and in fact seem to
have no audit trail at all. The ministry of interior does not want to disclose
the certification procedures or certification reports of those machines, allegedly to accommodate the trade secrets of the vendors.
Since when has a trade secret (if there is any involved, I doubt it) become
more important than the citizens' right to a transparent election process?
After a quick read through the respective laws such as the Election Verification Act
(Wahlprüfungsgesetz) and the Federal
Election Act (Bundeswahlordnung), there is not a single mention of any kind
of electronic voting machines. On the contrary, they go into every tiny detail
of how the ballots have to be formatted, what color of paper they are printed
on, etc.
Apparently there is already at least one person who wants to challenge the
election results in those counties where electronic voting machines are used.
I'm more than motivated to join such action and/or start an initiative for
transparency of electronic voting. Stay tuned.
[ /politics |
permanent link ]
Increasing nuclear security by jamming GPS ?
It's quite amazing what kind of bogus ideas government agencies and operators
of nuclear power plants have. According to this
article, the German federal environmental agency has negotiated with
the operators of nuclear power plants that are not airplane-crash-safe to install GPS
jammers.
The idea is to make it harder to automatically guide a passenger airplane into
such a power plant (as part of a terrorist attack). It follows the same
awkward logic as the already-proposed "artificial disguise in fog".
It's incredible to see to what extent they're willing to compromise the
security. Either you think an attack on such plants is a danger that needs to
be avoided, then you have to shut down those (three, I think) plants. Or you
think all that terrorist panicking isn't worth such a measure.
But I don't think that anyone honestly believes that a bit of fog and some GPS
jamming will prevent any such attack. At aircraft speeds, it doesn't really
matter whether you have GPS 1 or 2 kilometers in front of the power plant. And
in a country with a population density like Germany you cannot jam the signal
for 100 or even 50km - especially since the highway toll system for trucks
operates on the basis of GPS ;)
Apart from that, according to the Bundesnetzagentur (formerly RegTP, similar to
the FCC), it is at this point not legal to operate any such jamming devices.
[ /politics |
permanent link ]
Data Retention is No Solution
EDRi and XS4ALL have started an online petition against
the recent European Commission proposal on mandatory 12-month data retention of
all telecommunications meta-data.
Much like the software patent issue, we again have a situation where the
European Parliament (those who are directly elected by the public) is against
the proposal, while the commission and some national governments are pushing
it.
With your support (and at least your signature), there are chances that this
data retention directive - like the proposed software patent directive - can be
turned down. Please take your time and sign, thanks.
Please also consider supporting the EDRi.
They recently announced that they're short of funding.
[ /politics |
permanent link ]
Demonstration against Software Patents at the German Ministry of Justice
Yesterday, I was attending the demonstration against software patents at the ministry of justice in Berlin.
This demonstration had to be called in on very short notice, because the
European Council has yet again tried to quietly pass the legislation on
software patents (2002/0047 COM (COD)) as so-called 'B-item' on the agenda of
the council (to be more precise: the agriculture and fishing council). A
B-item is one that requires no further discussion - which is absolutely wrong.
The European Union has new member states that didn't participate in the
previous discussion, and several member countries' parliaments have made decisions against patentability of software meanwhile...
[ /politics/swpat |
permanent link ]
Chaosradio about Biometric Information in Travel Documents
Yesterday I participated in a Chaosradio show about the recent
international push towards biometrics in travel documents such as passports.
Our focus has been on the flaws of biometric systems, the current plans of the
ICAO about MRTDs (Machine Readable Travel
Documents), the risks involved and why they are not an applicable tool to prevent
terrorist attacks.
If you're interested in listening to a recording of the show, it is available
at the usual location, ftp.ccc.de.
[ /politics |
permanent link ]
Upcoming Chaosradio episode on software patents
The next Chaosradio radio show will be
about the ongoing debate on software patents, especially the recent development within the European Union.
Being part of the anti software patent movement for about 4-5 years now, I am
more than happy to help with the radio show on this subject.
The radio show will be on air on Sept 01, 10pm GMT+2. If you understand
German, there's an MP3 live stream available on the homepage.
[ /politics/swpat |
permanent link ]
Initiative for Freedom of Information Act in Germany
As I became aware today, there is a new initiative for something like a Freedom
of Information Act in Germany at pro-information.de.
Surprisingly, this apparently has not been communicated a lot, considering the
small number of about 2000 signatures so far.
If you feel like Germany should enact a FOIA in order to give citizens,
journalists and historians access to all kinds of files of the administration,
please support the pro-information campaign by signing it.
[ /politics |
permanent link ]
Lecture on "Data protection and Security on the Internet"
I'll be presenting the CCC's point of view on that subject at this event.
It's going to be a non-technical introductory talk about the various methods
of data collection and data processing of person-related data on the
Internet.
[ /politics |
permanent link ]
Discussion on "How much Security can Freedom tolerate"
Yesterday evening I spent listening to a discussion on that subject (organized by
a member of parliament of the green party). Unfortunately the spokesperson for
the conservative party didn't show up, and there was not too much discussion
but consensus between the panel and the audience.
[ /politics |
permanent link ]
A black day in the history of EU legislation
In an undemocratic manner and without public discussion, the European
Parliament has passed an "IP rights enforcement directive" to "counter
intellectual property piracy".
How can it happen that the wife of the head of one of Europe's biggest Media
Companies (Vivendi International) can propose a Directive in January, that
passes the Parliament in early March, when usually this process takes half a
year to years?
This makes me sick and angry. I start to completely lose faith in European
lawmakers. While fighting another EU directive on the patentability of software for years, another
directive gets proposed and passes so quickly, that no public reaction can take
place, nobody can even contact their representative MEPs.
For more information, see
[ /politics |
permanent link ]
German Constitutional Court rules in favour of privacy
According to this article
(in German) the German constitutional court ruled in favour of privacy and
declared some recent changes in law as illegal. The respective changes made it
much easier for law enforcement agencies to wiretap.
[ /politics |
permanent link ]
"Parliamentary Evening" about software patents
Yesterday I was invited to a parliamentary evening organized by
FFII e.V., a not-for-profit organization lobbying against the introduction of software patents in the European Union.
As you may know, they've been quite successful during the last year, since the
European Parliament passed a directive that prevents any patent on computer
software. However, due to the strange way the EU works, this directive has to
be approved by the EU council before it gets enacted. The council is composed
of representatives of the executive government, not by directly elected members
of parliament.
The purpose of this event was to raise awareness about the dangers of software
(and pure algorithmic/logic) patents. Among the invited guests were members of
Bundestag (the German parliament), and various officials of BMWA, BMBF and BMJ
(economy, research and justice ministries).
I perceived the event as going quite well. We were able to make our point and make
them understand why a piece of software is different from somebody making an
invention in the field of mechanics.
[ /politics/swpat |
permanent link ]