Updated: Mozilla, Deutsche Telekom won’t release “privacy phone”

Update: Mozilla has told TechCrunch that the WSJ’s framing of this as a partnership around an actual phone was inaccurate. In other words, there’s absolutely no news here beyond the more general Firefox OS collaboration that we reported on one year ago to the day. For the record, I did contact Mozilla’s representatives to seek comment before publishing my original piece, but received no reply.

That original story follows thusly:

A year back, Deutsche Telekom and Mozilla said they were working together on privacy-centric features for Firefox OS, including “location blurring” (fine-grained control of how much location information to give to each app), guest mode, and a registration-free “find my phone” tool. It looks like that collaboration is about to bear fruit: According to a Wall Street Journal piece on Tuesday, the companies will unveil a “privacy phone” at the upcoming Mobile World Congress that will include such features. The article also notes how the T-Mobile parent and other German carriers are lobbying against the last-minute watering-down of strict new EU data protection rules that will cover web service providers such as Google and Facebook.

Wirecard targets summer launch for its wrist-worn digital wallet

Last month, Wirecard unveiled a wristband device that functioned like a digital wallet, storing credit cards, ID cards and even tickets on the end of your arm. The Smart Band was only a prototype, but if all goes as planned, the German payments company will start selling a commercial version of the device this summer in Europe, Wirecard told me in a recent interview.

Given that the Apple Watch will go on sale in April, Wirecard shortly afterwards could have an alternate wearable on the market that works with a digital wallet technology other than [company]Apple[/company] Pay. And given Apple Pay won’t be available in Europe until sometime later year, a wrist-worn contactless payments technology might actually be available to Android devices before they’re available to iOS users.

Wirecard Smart Band

Wirecard’s Smart Band uses a Google-backed technology called Host Card Emulation (HCE) to securely store and transfer credit card credentials to and from a smartphone. A near field communications chip in the band then communicates with a point-of-sale terminal, working at the same places that accept Apple Pay and [company]Google[/company] Wallet.

While Smart Band technically could be a way of putting Google Wallet in a wristband, Wirecard EVP of Mobile Services Joern Leogrand said that the company isn’t in any talks with Google and doesn’t have plans to do so. Rather it wants to use Smart Band to fuel transactions on its own digital billfold, he said, as well as the mobile wallets of its partners.

Wirecard dons many hats when it comes it finance. It builds white-label technology for other companies — for instance, it’s the brains behind the mobile payments services for [company]Telefónica[/company], [company]Vodafone[/company] and [company]Deutsche Telekom[/company] — while it also runs a consumer-facing bank that issues its own prepaid cards and a peer-to-peer payments network similar to PayPal’s.

Wirecard plans to make the make Smart Band available to its own customers and partners first. The first commercial Smart Band is under development and could be available to its own cardholders in Europe by this summer, Leogrand said. Wirecard will next offering it to its white label partners, Leogrand said. Carriers like Telefónica could use the wearable breathe life into their suffering mobile payment services.

But because of HCE, which virtualizes the secure smart card used in any mobile payments service, the gadget wouldn’t necessarily be tied to a specific carrier or device. Anyone who works with Wirecard for payment processing could use the band as an extension of their mobile apps.

“It’s not set in stone how we launch the Smart Band,” Leogrand said. “We’re in the very early stages of this, and we’re open to ideas.”

The end goal is to license its technology and sell its payments processing services to other hardware makers, Leogrand said. While the Smart Band prototype included some basic fitness tracking features, that kind of technology is well outside of Wirecard’s core area of expertise. Smart Band’s payments tech would be most useful if it were integrated into other multi-purpose wearables. That could mean high-end smart watches, but also cheaper sub-$100 fitness bands, Leogrand said.

[youtube https://www.youtube.com/watch?v=EydIoYdbS4A]

If you were hoping to test out the Smart Band in the U.S., then you’ll likely be disappointed. Until Wirecard signs some big hardware deal, the device will only be available in Europe (though European cardholders should be able to make payments on U.S. NFC terminals). Wirecard doesn’t have a banking license in the U.S.

The curious case of Angela Merkel and her EU data retention ideas

In the wake of last week’s terrorist attacks in Paris, German Chancellor Angela Merkel has called on the European Commission to deliver on its “promise” of a new EU-wide data retention directive to replace the one struck down by the EU’s highest court last year.

Merkel wants to implement this new directive into German law. There’s only one problem: the Commission doesn’t seem to have promised any such thing, at least not in public.

The Court of Justice of the European Union struck down the Data Retention Directive 2006 in April of last year because it was disproportionate and had insufficient safeguards. The directive had mandated that EU countries had to force telecommunications firms to retain metadata about their customers’ communications for between six and 24 months. Even before the CJEU scrapped it, Germany had already stopped implementing it on constitutional grounds.

On Thursday, according to a DPA report, Merkel told German parliamentarians:

Given the cross-party conviction among all interior ministers, both state-level and federal, that we need such minimum retention periods, we should insist that the revision of the directive promised by the EU Commission is quickly completed and then implemented into German law.

That DPA report claims “Brussels is drafting a follow-up that meets the judges’ standards,” but that’s not what the Commission says.

Last month, Netzpolitik reported that new Home Affairs Commissioner Dimitris Avramopoulos was planning to make such an announcement, and that his department was “now reflecting on the how, rather than the if.” However, after that report came out, the department backtracked, with a spokeswoman saying: “I meant that we are now reflecting on the how to take things forward, rather than if we need a new directive or not.”

Avramopoulos’s predecessor, Cecilia Malmström, had previously said she wouldn’t propose any new data retention directive until the EU’s new data protection rules had been finalized – something that now may not happen before 2016.

An EU source confirmed to me today that the Commission is taking its time evaluating the issues raised by the CJEU ruling, and intends to have an open dialog with the European Parliament, member states, civil society, law enforcement and data protection authorities. Only then will it be able to decide whether there is a need for a new proposal, the source said.

Technically, Merkel could try setting up a new German data protection law without a broader EU directive. However, her own justice minister has firmly rejected the mass surveillance idea, telling German television a few days ago: “With data retention, we also store all data from journalists and restrict freedom of the press. That does not fit together.”

She would also need to somehow make sure that her data retention law didn’t fall foul of the arguments the CJEU used to strike down the EU Data Retention Directive, advice from the EU Legal Service division suggests.

German government website attack may be Ukraine-related

Two German government websites were knocked offline by a distributed denial of service (DDoS) attack around 10am local time on Wednesday. Chancellor Angela Merkel’s site is still down five and a half hours later, but that of the Bundestag came back minutes ago. The pro-Russian CyberBerkut hacker group has claimed responsibility, claiming the attack was carried out as an appeal to Germany to “stop financial and political support of criminal regime in Kiev, which unleashed a bloody civil war” in Ukraine. Although the attribution of today’s attack remains unconfirmed, the group has been highly active since the ouster of Ukrainian president Viktor Yanukovych in February 2014.

Sophisticated cyberattack damaged German steel plant, report says

Skilled hackers caused serious damage at a German steel mill sometime during this year, according an annual security roundup issued Wednesday by the country’s Federal Office for Information Security (BSI).

According to the report, the previously undisclosed attack caused “massive damage” to a blast furnace by targeting internal systems and industrial components, making it impossible to shut down the furnace in a regulated way.

The BSI said the attackers displayed “very advanced” capabilities, and that they used a “sophisticated spear phishing” technique to gain access to the core networks of the plant.

Spear phishing involves targeting specific individuals within an organization, by investigating them in order to figure out how best to dupe them into clicking some link they shouldn’t – British spy agency GCHQ reportedly did it in order to hack into Belgacom’s systems, for example. This is fairly textbook stuff, but once the attackers were in, they also knew their way around industrial control systems, the BSI indicated.

The most famous attack on industrial control systems remains Stuxnet, the nasty worm that the U.S. and Israel created to attack various Iranian facilities, most notably the Natanz uranium enrichment plant. Stuxnet destroyed hundreds of the Iranians’ centrifuges by making them spin out of control.

The BSI’s report didn’t say which steelworks were targeted this year, nor precisely when the attack took place.

German court denies Snowden visit bid

The German high court has denied an attempt by two of the country’s opposition parties to have NSA whistleblower Edward Snowden visit Berlin to testify before the Bundestag, Germany’s parliament.

The Karlsruhe court reportedly said that the suit was an administrative issue that had to go before the Federal Court of Justice instead. The suit had been filed by the Greens and the Left, seeking to force the government to allow Snowden into Germany – he is currently still stuck in Russia, and Chancellor Angela Merkel’s administration has not been keen to let him in, lest the visit further impair relations with the U.S.

The German government has previously asked whether Snowden would be willing to testify before the parliamentary inquiry into the NSA allegations if the committee members went to visit him, but his lawyer has said he would only be willing to testify in Berlin.

Meanwhile, a formal probe into the alleged bugging of Merkel’s phone by the NSA has so far come up short. The investigation launched in June, more than half a year after those allegations were published by Der Spiegel, leading to a great deal of public frostiness from Germany towards the U.S.

Germany’s chief federal prosecutor, Harald Range, told a press conference on Wednesday that there wasn’t enough evidence to bring charges in the case. He said: “The document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.”

The original Spiegel article in question (PDF) did not actually depict the document in question, which included Merkel’s phone number as a “selector”, though it did show others that apparently came from the NSA. Range, whose investigation continues, said the Spiegel reporter who produced the document had not provided further details to aid the investigation, and neither had the BND spy agency.

Perhaps importantly, the original article did not claim that the document came from the Snowden cache, but rather said more ambiguously that Spiegel‘s wider investigation had taken in “internal documents of the U.S. National Security Agency and other information, most of which comes from the archive of former NSA contractor Edward Snowden.”

UPDATE (December 13): Der Spiegel has hit back over allegations in some reportage that the Merkelphone document was a fake. The publication said on Saturday that Range had categorically denied during the press conference that the document was a fake. It also reiterated that what it had published and passed onto Merkel’s office was “a transcription and not the original document”, and accused Range of trying to “publicly undermine the credibility” of Der Spiegel.

Google axes News in Spain in response to royalty law

Google has decided to shut down Google News in Spain. The decision follows the passage of a law in July that obliges any news aggregator quoting snippets of text or using thumbnails of images from a copyrighted publication to pay royalties for doing so.

In a blog post late Wednesday, [company]Google[/company] News chief Richard Gingras said the service makes no money because Google doesn’t advertise on it, so it would be unsustainable to continue operations in Spain. With the law set to come into effect in January, Google News will shut there on 16 December.

Spain is not the first European country to pass a so-called ancillary copyright law – Germany did so in March 2013 – but its version is much more heavy-handed.

In the German law, publishers can choose whether or not they want to grant a news aggregator such as Google News the right to use snippets of their copyrighted text in its search results without compensation. This is how the German publishers ultimately caved in: Google refused to pay royalties, so it stopped listing the articles of publishers who belonged to the relevant rights collection group. The publishers in that group ended up granting Google the right to use their text without having to pay up, but did so grumbling that the case demonstrated Google abusing its market power (never mind that other German aggregators had done precisely the same thing.)

Under the Spanish “Google tax” law, that simply wouldn’t be an option. There, the levy is an “inalienable right”, meaning publishers couldn’t give Google News a free pass even if they wanted to. As Weblogs CEO Julio Alonso recently wrote, that applies even to those who publish their content under a free-use copyleft license, such as Creative Commons.

Slippery slope

Google’s struggles with European publishers predate these ancillary copyright laws of the last couple years, and on two occasions it was able to stave off anything as drastic as legislative changes. In late 2012, the company struck a deal with Belgian publishers through which it appeared to buy millions of dollars’ worth of advertising in the relevant publications. And in early 2013 it established a fund for French publishers, to “support digital publishing initiatives.”

Now, following the German and Spanish examples, the idea of the “Google tax” may spread, as the European Commission’s recently-installed digital economy chief, Günther Oettinger, has been making noises about applying it across the EU. The German commissioner, who has the copyright reform file, recently said: “When Google takes intellectual works from within the EU and works with them, then the EU may protect those works and demand a levy from Google for them.”

The issue is also a major strand in the Google search antitrust case although, as I have previously argued, it is a copyright issue that bears little relation to the other elements of the case, and it should be considered separately. The other elements of the case are about harm to consumers and Google’s direct rivals, while this element is only about giving the publishers money for nothing.

The Spanish publishers will no doubt now see their traffic drop off a cliff, just as their German counterparts did, and this will almost certainly hammer their advertising revenues. But, because of the severity of the law they themselves forced, they will be able to do nothing about it. It’s not even a move that could see local rivals to Google flourish, as the law is not specific to the U.S. firm. I have asked AEDE, the relevant collection society, for comment.

In the overall theme of Europe pushing back against U.S. firms – a narrative that I find overplayed sometimes, as there isn’t nearly enough coordination in Europe to make this some kind of plot – Spain is fast emerging as the most heavy-handed player. The authorities there seem more overtly protectionist than elsewhere in Europe, and they’re not afraid to cause severe consequences for internet users and businesses.

When Spain banned Uber earlier this week, for example, the injunction also ordered Spanish ISPs and payment processors to block Uber’s customers from being able to use the service. And, as the EFF has pointed out, the same copyright law that introduced the “Google tax” will also introduce criminal liability for websites that refuse to remove links to copyright-infringing material.

Google’s cars return to German roads, but not for Street View

Yesterday, when I was walking down to my local Berlin food market at lunchtime, I saw a child pointing at a strange but familiar vehicle rolling down the road. It looked like a Google Street View car – which was a surprise, as Google hasn’t been collecting Street View imagery in Germany since 2011.

As I subsequently learned, [company]Google[/company] did indeed put its cars back on German roads this week. However, it’s only using them to keep Google Maps up to date, ensuring that the service is showing the correct street names and routing information. Street View remains off the menu.

Germans can be a tad touchy about privacy, and many objected to the rollout of Street View in the country. Even after Google started automatically blurring faces and number plates, it was forced to give Germans the option of having their houses blurred out as well – something hundreds of thousands of people took the firm up on.

However, this was a costly business, with Google needing to hire temporary workers to manually blur out selected buildings. It also didn’t stop people trying to sue the U.S. company over alleged privacy infringement. So, in 2011, Google said it was giving up on Street View in Germany – the pre-existing images remain online, but they haven’t been updated in three years.

In a recent post, Google said its cars would be back on the road from the start of December in the following cities: Berlin, Hamburg, Munich, Cologne, Frankfurt, Stuttgart, Dusseldorf, Dortmund, Essen, Bremen, Leipzig, Dresden, Hanover, Nürnberg, Duisburg, Bochum, Wuppertal and Bielefeld.

The idea is to expand coverage to other regions of Germany in 2015. However, the post stressed:

We know there is great interest in our camera cars. They are the same cars that we used in the past to take images for Street View. In the coming journeys, we will only use the images to improve Google Maps, and we have no plans to release them.

As much of a privacy fan as I am, I’ve always found the German reaction to Street View to be somewhat over-the-top. If you can see a building façade from the street, I see no reason why it shouldn’t be shown online too, in what is frequently a very useful service.

With the images being so out of date now, they’re frequently useless if you’re trying to remember which restaurant it was you liked so much on that one street. The house-blurring technique that Google tried would also have annoying knock-on effects: If one person in an apartment block wanted the frontage obscured on Street View, everyone else would have to live with that too, like it or not.

Still, Google’s not the only one to find pain in trying to provide useful street imagery. Its Russian rival, [company]Yandex[/company], encountered an amusing conundrum when creating its version of Street View in Turkey. Yandex’s system also automatically blurs out faces, but Turkey is full of images of the statesman Kemal Ataturk, whose visage it is illegal to desecrate. That meant the Russian firm had to go through all of its street imagery to manually un-blur Ataturk’s face wherever they could find it.

Ex-Skypers unveil Wire app, offering voice, messaging and more

The free service is currently available on iOS, Android and OS X, though an in-browser version will arrive soon. It’s been under development for two years and has a very credible team behind it. However, its security mechanisms remain a mystery.