Should the US Patriot Act have precedence over EU data protection?

Today the European Parliament voted on a resolution concerning the “EU-US Privacy Shield”. This is a mess.

Transfer of personal data from the EU to the US used to be regulated under the so-called Safe Harbour Agreement, aiming at protecting our data when transferred to the US. But actually, this agreement was too vague, rather pointless and possible to circumvent. Finally, the European Court of Justice (ECJ) invalidated it, finding that it violated citizens’ right to privacy.

So work started to replace Safe Harbour with the EU-US Privacy Shield. In the process, the EU has stated that there is a new agreement, even though we are nowhere close to a final document. The EU and the US are very eager to push for this new agreement, to benefit Big Data in the US. But the concern is that this new agreement will not treat EU citizens’ personal data in a responsible way, that it will disregard our right to privacy, and that it might be Safe Harbour all over again.

One core question is whether the US Patriot Act and the new USA Freedom Act should have precedence over EU data protection.

Today the European Parliament had a say, in a non-binding resolution. The press release:

In the resolution, passed by 501 votes to 119 with 31 abstentions, MEPs welcome the efforts of the Commission and the US administration to achieve “substantial improvements” in the Privacy Shield compared to the Safe Harbour decision which it is to replace.

However, they also voice concern about “deficiencies” in the proposed new arrangement negotiated by the Commission, notably:

• the US authorities’ access to data transferred under the Privacy Shield,

• the possibility of collecting bulk data, in some cases, which does not meet the criteria of “necessity” and “proportionality” laid down in the EU Charter of Fundamental Rights,

• the proposed US ombudsperson, a new institution that MEPs accept is a step forward, but believe to be neither “sufficiently independent”, nor “vested with adequate powers to effectively exercise and enforce its duty”, and

• the complexity of the redress mechanism, which the Commission and US administration need to make more “user-friendly and effective”, MEPs say.

Parliament stresses that the Privacy Shield framework gives EU member states’ data protection agencies a prominent role in examining data protection claims and notes their power to suspend data transfers. It also notes the obligation placed upon the US Department of Commerce to resolve such complaints.

Finally, MEPs call on the Commission to conduct periodic “robust reviews” of its decision that Privacy Shield protection is adequate, particularly in the light of experience with the new EU data protection rules which are to take effect in two years.

In other words, the EU and the US are far from a complete and acceptable agreement.

Green home affairs and data protection spokesperson Jan Philipp Albrecht said:

The proposed ‘Privacy Shield’ framework does not seem like a viable long-term solution. It seems highly questionable that this new framework addresses the concerns outlined by the European Court of Justice in ruling the Safe Harbour decision illegal. The European Commission cannot issue a blank check for the transfer of European citizens’ data to the US. Instead, it has to continue to insist on improvements to the level of data protection.

At the same time the centre-right group, EPP, is impatient to have a new agreement in place – seemingly without having the same concerns over privacy and data protection.

The EPP Group’s Spokesman on the issue, Axel Voss MEP, warned against any attempt to torpedo the finalisation of the Privacy Shield, listing benefits to European consumers and SMEs alike: “Free cross-border data flows between the EU and the US are of paramount importance for our economies, trade and investment. Data flows are a key element for the competitiveness of business. Therefore the EPP Group welcomes the conclusion of the negotiations between the EU and the US on this topic.”

Now, we will have to wait to see what the European Commission makes of this.

/ HAX

Links:
• European Parliament: EU-US “Privacy Shield” for data transfers: further improvements needed, MEPs say »
• Greens-EFA: EU-US ‘Privacy Shield’ data exchange »
• EPP: EU-US data flows: urgent implementation of Privacy Shield needed »
• Ars Technica: EU data protection chief: We have serious concerns about Privacy Shield »

See an interview with Max Schrems, who took Safe Harbour to the European Court of Justice »

Europol, Facebook & Twitter

Will the European Police Office’s (Europol’s) database soon include innocent people reported by Facebook or Twitter? The Europol Regulation, which was approved on 11 May 2016, not only provides a comprehensive new framework for the police agency, but it also allows Europol to share data with private companies like Facebook and Twitter.

EDRi – Europol: Non-transparent cooperation with IT companies »

Today’s TTIP leak and the Internet

Today a batch of documents concerning the Transatlantic Trade and Investment Partnership (TTIP) has been leaked by Greenpeace.

As suspected there are worrying indications when it comes to the future of a free and open Internet.

• TTIP might result in the EU and US being able to ignore fundamental human rights (such as the right to privacy) when it comes to telecommunications. This is serious, as such issues have been central in previous legislative acts concerning the Internet.

• With the EU-US Privacy Shield still being a pretty open issue, TTIP seems to move the issue of data transfers in favour of Big Data. It is doubtful whether there will be any meaningful protection of personal data being transferred from the EU to the US.

• When it comes to Intellectual Property (IP), there are signs that TTIP will move to make Internet Service Providers “voluntarily” police the net. In other words, TTIP seems to be another attempt to re-introduce IP provisions that the European Parliament has already rejected in ACTA.

IP issues in TTIP seem to be open for negotiations and last-minute amendments. EDRi explains…

Concerning so-called “Intellectual Property” (IP), the negotiators seem to take lobbyists’ wish list very seriously. According to the leaked report, “[w]hen confronted with EU warning that bringing sensitive proposals that would require changes in EU law to the table – and doing it at a late stage of the negotiation – may have a negative impact on stakeholders” (which would apparently not include citizens) “and has very limited chances of being accepted”, the US seemed to be prepared to depart from the model of the TPP. Among the proposals the US is thinking of tabling, it includes privatised enforcement measures, that EDRi has been criticising since its inception because they bypass the rule of law and lead to arbitrary corporate decision-making without accountability (cf. “voluntary stakeholder initiatives”). As with ACTA, the US is strongly supportive of “voluntary initiatives” as US-based global giants already impose US copyright law on a global level. The EU (as shown by the recent leak of the Communication on Platforms) supports this approach.

It’s still early days. And there is no lack of warning signals.

So, I guess there will be yet another battle over a free and open Internet. (Frustratingly, in part it seems to be the same battle over IP issues being fought over and over again.)

/ HAX

• Greenpeace: TTIP Leaks »
• EDRi: TTIP leaks confirm dangers for digital rights »
• The Guardian: Leaked TTIP documents cast doubt on EU-US trade deal »
• European Commission: EU negotiating texts in TTIP »
• EU Commissioner Cecilia Malmström: Negotiating TTIP »

A closer look at Hacking Team

Here is an interesting piece in Foreign Policy: Fear this man »

It’s about the Italian firm Hacking Team and its founder and CEO, David Vincenzetti. The article gives an interesting and chilling glimpse into the commercial side of providing governments with IT tools for surveillance – tools that are also being used by authoritarian regimes for oppression and disinformation.

“Privacy is very important,” Vincenzetti says on a recent February morning in Milan, pausing to sip his espresso. “But national security is much more important.”

Data protection: EU-US standoff

The EU-US Privacy Shield is to replace the so-called Safe Harbour agreement about the transfer of personal data between the EU and the US — after the European Court of Justice (ECJ) invalidated the latter.

As reported earlier, the Privacy Shield is an agreement in principle that has yet to be filled with substance. Even though the European Commission and Washington claim to have struck a deal, it is far from being finalised.

Actually, things are moving the opposite way. Reuters:

Last week, the EU’s 28 data protection authorities – known as the Article 29 Working Party – published a non-binding opinion on the framework which called for more reassurances over U.S. surveillance practices and the independence of a new U.S. privacy ombudsman.

Leaving some of the regulators’ concerns unaddressed could increase the chances of the Privacy Shield being challenged in court by privacy advocates, much as its predecessor was.

This is a mess. Obviously, the EU is not strong enough to stand up to the US on data protection. And the US is not interested in respecting a strong European legal framework in this field.

Some links:
• EU data enforcers demand privacy shield fixes »
• Privacy panel trips up transatlantic data deal »
• US businesses: Start preparing for the EU’s new privacy regulation »
• U.S. reluctant to change data pact after EU watchdogs’ concerns »

Earlier posts:
• “EU-US Privacy Shield must be sent back to negotiators” »
• The EU-US Privacy Shield: EU presents a pointless proposal »
• The EU-US Privacy Shield Illusion »
• An EU-US Privacy Shield? »

/ HAX

European Parliament to approve PNR next Thursday

The European Parliament will have what is believed to be its final vote on EU Passenger Name Record (PNR) in Strasbourg next Thursday, April 14.

For years, the Parliament has tried to stop registration of sensitive personal information related to air travel. But after the latest terrorist attacks, pressure has mounted, and everything suggests that the dossier will be approved during next week’s session.

From the European Parliament’s webpage:

Passenger Name Record (PNR) data is information provided by passengers and collected by air carriers during reservation and check-in procedures. Non-carrier economic operators, such as travel agencies and tour operators, sell package tours making use of charter flights for which they also collect and process PNR data from their customers.

PNR data include several different types of information, such as travel dates, travel itinerary, ticket information, contact details, baggage information and payment information.

Parliamentarians have had serious concerns about the impact of PNR on fundamental rights and data protection.

Now the PNR dossier is said to be voted on together with the EU Data Protection package – at least allowing some coordinated approach.

Formally, EU PNR is about information regarding passengers arriving on flights from non-EU countries. But there is no doubt this will also apply to intra-EU flights.

So, governments will store information about all of people’s air travel, in detail. This is to be added to information about e.g. all of our telecommunications and our bank transactions. The grip tightens.

(It could have been even worse. Earlier on in the process, the U.K. put forward the idea that all our train travel, car rentals, and hotel stays should also be registered. But I guess they decided to take this one step at a time.)

If nothing short of a miracle occurs, next Thursday the EU will take its next step towards Big Brotherism.

/ HAX

Links:
• EP: Final votes on PNR and data protection package »
• News on PNR from the EP (16 July 2015) »
• EP: Much Ado About PNR (19 Jan. 2015) »
• EP: EU Passenger Name Record (PNR) proposal: an overview (14 Dec. 2015) »
• MEPs refuse to vote on PNR before Council strengthens data protection (9 March 2016) »

Apple vs. the FBI — who won?

From the Associated Press Washington desk:

The FBI said Monday it successfully used a mysterious technique without Apple Inc.’s help to hack into the iPhone used by a gunman in a mass shooting in California, effectively ending a pitched court battle between the Obama administration and one of the world’s leading technology companies.

The government asked a federal judge to vacate a disputed order forcing Apple to help the FBI break into the iPhone, saying it was no longer necessary. The court filing in U.S. District Court for the Central District of California provided no details about how the FBI did it or who showed it how.

Justice Department cracks iPhone; withdraws legal action »

But is this really a mystery? I wrote about this some three weeks ago. That was when the ACLU demonstrated that breaking locked iPhones is almost common knowledge in the tech community:

One of the FBI’s Major Claims in the iPhone Case Is Fraudulent »

Nevertheless, many questions remain unanswered. And the FBI is not about to open up. Ars Technica:

Apple likely can’t force FBI to disclose how it got data from seized iPhone »

Here, it is important to understand what this really has been all about:

[The FBI] is not as interested in solving the problem as they are in getting a legal precedent, [Richard] Clarke said. “Every expert I know believes the NSA could crack this phone. They want the precedent that government could compel a device manufacturer to let the government in.”

The Register: Former US anti-terror chief tears into FBI over iPhone unlocking case — They’d just send it to the NSA if they really wanted access, says Clarke »

Now, what about Apple? Has all of this bruised the iPhone’s reputation when it comes to security?

Well, it shouldn’t. As mentioned, there already are known ways to break into a locked iPhone.

But facts are not the same as public perception. The general notion is that this is something entirely new.

And, as a matter of fact, the authorities can open up a locked iPhone. Apple does have a very real public relations problem on its hands.

Inevitably, Apple will have to beef up the iPhone’s security shortly. That may, in turn, lead to new conflicts with the FBI & Co.

/ HAX

“EU-US Privacy Shield must be sent back to negotiators”

A group of leading digital rights organisations on both sides of the Atlantic has called for the Privacy Shield arrangement between the EU and US to be sent back to the negotiators. In a letter to senior EU officials, the group says that without “substantial reforms” to ensure protection for fundamental rights of individuals, the Privacy Shield will “put users at risk, undermine trust in the digital economy, and perpetuate the human rights violations that are already occurring as a result of surveillance programs and other activities.”

ArsTechnica: Privacy Shield deal must be sent back to negotiators, say digital rights warriors »