Archive | Data Retention

Turning friends into threats

Some weeks ago there was some attention and upset reactions about the Chinese concept of “Sesame Credits”. It’s all about what you say, read, buy and do on the Internet. Your credit status then might decide if you can get e.g. a bank loan or permission to travel abroad.

Nasty indeed. But what makes the whole thing really upsetting is that your credit status will also be affected by what your friends do online. This really is a diabolic tool for “social control”. (Video»)

It is easy to believe that it is only those communists in China and such anti-democratic regimes that could apply a system like this.

But, actually, most western democracies can easily do the same thing with data retention. This is a perfect tool for building sociograms. A sociogram is a map showing who is connected to whom when it comes to the internet and telecommunications. How the authorities look at you can be determined by the friends you have (and by what friends they have).

So, even if you have “nothing to hide” — you still certainly do have something to fear.

And it’s not just about data retention. The same (or even more detailed) information is collected by Facebook and Google. It most certainly can be obtained by the authorities — and is probably also for sale out there. It would be very strange if various intelligence agencies don’t already have access to this information.

In this way, Big Brotherism is breaking down trust between people in our societies. And that is a very bad thing.

/ HAX

The normalisation of mass surveillance

Once upon a time, there were rumors about a global surveillance network — Echelon. When the European Parliament decided to look into the matter, it turned out it did indeed exist. For years to follow there were rumors about US intelligence organisation NSA and its new capabilities to “collect it all”. And a few years ago, the Snowden documents exposed exactly that.

Then followed a state of resignation.

In 2013/14, it was brought to light that the NSA might have compromised the international clearing system for bank transfers, the European-run SWIFT. It’s a bit odd, as the US can have as much information about European bank transfers as they want, in accordance with the EU-US TFTP agreement. Nevertheless, there were strong indications of something going on. This time the European police agency, Europol, didn’t even bother to look into the matter. In a European Parliament hearing Europol director Bob Wainwright explicitly said so. (The hearing is quite surreal. It’s all on video here. »)

In Germany, politicians softened their tone against the US/NSA when threatened with limited access to US intelligence. It also turned out that under the level of political polemic, the BND had been working very closely with the NSA all the time. And in Sweden, according to the Snowden files, SIGINT organisation FRA has access to NSA superdatabase XKeyscore. Swedish politicians (including the Greens, who are now in government) will not even comment on the legality of this.

The European Court of Justice has invalidated the EU data retention directive, finding it in breach of fundamental human rights. Nevertheless, most EU member states are upholding (and in some cases implementing) data retention, leading national constitutional courts to object. But data retention fits well with US surveillance systems, so it seems to be less important if it is legal or not.

I could go on, but I had better get to my point.

Politicians and intelligence bureaucrats are sending some pretty clear signals these days. They do not care about what is legal or not legal. They do not care about being exposed. They do not even comment on issues that ought to be fundamental in a democracy. The message is: This is the way it is. Live with it.

If there was ever a need for a broad political movement against mass surveillance, it is now.

/ HAX

European Commission tries to evade Data Retention squabble

In April last year the European Court of Justice (ECJ) invalidated the EU Data Retention directive. The court found it to be in breach of human rights to collect and store data about all citizens’ telecommunications.

Since then some countries have backed down from the idea, some (like Germany) are trying to go forward with some form of Data Retention “light” and some EU states (like Sweden) try to ignore the ECJ ruling altogether, continuing the practice as if nothing happened.

In a rather unexpected statement today, the European Commission (EC) tries to duck out of this controversy.

As the European Commission has repeatedly said since the European Court of Justice annulled the EU Data Retention Directive: the decision of whether or not to introduce national data retention laws is a national decision. The European Commission has no intention to go back on this statement or reopen old discussions.

We are aware that data retention is often the subject of a very sensitive, ideological debate and that sometimes there can be a temptation to draw the European Commission into these debates. The European Commission is not ready to play this game.

We have been very clear that the Commission is not coming forward with any new initiatives on Data Retention. In the absence of EU rules, Member States are free to maintain their current data retention systems or set up new ones, providing of course they comply with basic principles under EU law, such as those contained in the ePrivacy Directive.

We are therefore neither opposing, nor advocating the introduction of national data retention laws.

Link: European Commission statement on national data retention laws »

It’s easy to understand that the Commission would like to keep away from this dispute. But what the EC says in the statement is not self-evident.

The ECJ invalidated the directive on the basis that it is in breach of human rights, such as they are defined in the EU Charter of Fundamental Rights and the European Convention on Human Rights.

And if Data Retention was unacceptable as an EU directive, it should also be unacceptable as national law in EU member states. The principal problem with Data Retention is the same, regardless.

Now, both the EU Charter of Fundamental Rights and the European Convention on Human Rights are parts of the EU treaties. And the EC is the Guardian of the Treaties. Hence, the EC should have an obligation to uphold the ECJ ruling on Data Retention — in all of the EU, at all levels.

But it won’t. As usual in the EU, rules and treaties only apply when in line with what the EU elite wants.

/ HAX

Update: The EU eService Directive mentioned in the statement | Wikipedia » | Eur-Lex »

EU: Parliament just came out in favour of Snowden, open-source, encryption, digital freedom and anonymity

Today, the European Parliament adopted a resolution called “Human rights and technology in third countries” (2014/2232(INI)).

This is just a resolution, not legislation, but very interesting nevertheless. The European Parliament…

3. Believes that the active complicity of certain EU Member States in the NSA’s mass surveillance of citizens and spying on political leaders, as revealed by Edward Snowden, has caused serious damage to the credibility of the EU’s human rights policy and has undermined global trust in the benefits of ICTs;

Shame on the Brits, French, Germans and Swedes. (And several others.)

6. Calls for the active development and dissemination of technologies that help protect human rights and facilitate people´s digital rights and freedoms as well as their security, and that promote best practices and appropriate legislative frameworks, while guaranteeing the security and integrity of personal data; urges, in particular, the EU and its Member States to promote the global use and development of open standards, and of free and open-source software and cryptographic technologies;

Nice. This is one we should remind the European Parliament about over and over again–when it tries to make decisions going in the other direction.

9. Urges the EU itself, and in particular the EEAS, to use encryption in its communications with human rights defenders, to avoid putting defenders at risk and to protect its own communications with outsiders from surveillance;

Welcome to the real world.

10. Calls on the EU to adopt free and open-source software, and to encourage other actors to do so, as such software provides for better security and for greater respect for human rights;

This is not the first time the EP has made such a statement. But real progress seems to be very slow.

14. Draws attention to the plight of whistleblowers and their supporters, including journalists, following their revelations of abusive surveillance practices in third countries; believes that such individuals should be considered human rights defenders and that, as such, they deserve the EU’s protection, as required under the EU Guidelines on Human Rights Defenders; reiterates its call on the Commission and the Member States to examine thoroughly the possibility of granting whistleblowers international protection from prosecution;

65. Calls for the scope for international protection of whistleblowers to be extended, and encourages the Member States to table laws to protect whistleblowers;

Very nice. But still, no EU member state is prepared to grant Edward Snowden refuge or asylum.

19. Calls for the inclusion of clauses in all agreements with third countries that refer explicitly to the need to promote, guarantee and respect digital freedoms, net neutrality, uncensored and unrestricted access to the internet, privacy rights and the protection of data;

So, if the EU-US Trade Agreement (TTIP) includes copyright enforcement threatening digital freedom and privacy–the EP will vote no?

We must be sure to make a note of that one. And the next…

20. Urges the EU to counter the criminalisation of human rights defenders’ use of encryption, censorship-bypassing and privacy tools, by refusing to limit the use of encryption within the EU, and to challenge third-country governments that level such charges against human rights defenders;

21. Urges the EU to counter the criminalisation of the use of encryption, anti-censorship and privacy tools by refusing to limit the use of encryption within the EU, and by challenging third-country governments that criminalise such tools;

61. Calls for each individual to be entitled to encryption, and for the conditions needed to allow encryption to be created; takes the view that controls should be a matter for the end user, who will need the skills required to carry out such controls properly;

62. Calls for the introduction of ‘end to end’ encryption standards as a matter of course for all communication services, so as to make it more difficult for governments, intelligence agencies and surveillance bodies to read content;

As far as I can understand, the European Parliament just came out strongly against a ban on encryption.

27. Considers mass surveillance that is not justified by a heightened risk of terrorist attacks and threats to be in violation of the principles of necessity and proportionality, and, therefore, a violation of human rights;

63. Emphasises the special responsibility of government intelligence services to build trust, and calls for an end to mass surveillance; considers that the monitoring of European citizens through domestic and foreign intelligence services must be addressed and stopped;

So, what about EU member states continuing data retention?

40. Calls for the development of policies to regulate the sales of zero-day exploits and vulnerabilities to avoid their being used for cyber-attacks, or for unauthorised access to devices leading to human rights violations, without such regulations having a meaningful impact on academic and otherwise bona fide security research;

In your face, NSA…

45. Condemns the weakening and undermining of encryption protocols and products, particularly by intelligence services seeking to intercept encrypted communications;

…and the GCHQ.

46. Warns against the privatisation of law enforcement through internet companies and ISPs;

This ought to be seen as a clear warning not to go down that road in the TTIP.

49. Calls explicitly for the promotion of tools enabling the anonymous and/or pseudonymous use of the internet, and challenges the one-sided view that such tools serve only to allow criminal activities, and not to empower human rights activists beyond and within the EU;

Actually, I’m overwhelmed. But then again, this is not legislation.

However, all of the above can be very useful as a reminder when the EU Commission and Council try to get the Parliament to do the opposite. Or when the Parliament suddenly goes bananas on its own. (It frequently does. It surely will happen again very soon.)

The text as PDF »

/ HAX

Is the NSA to shut down bulk surveillance programs? Maybe not.

The NSA bulk surveillance program is hanging by a thread — as the controversial Patriot Act expires and as the US Senate did not manage to adopt a replacement bill (the USA Freedom Act) before its week-long recess.

The Associated Press reports…

“In a chaotic scene during the wee hours of Saturday, Senate Republicans blocked a bill known as the USA Freedom Act, which would have ended the NSA’s bulk collection but preserved its ability to search the records held by the phone companies on a case-by-case basis. The bill was backed by President Barack Obama, House Republicans and the nation’s top law enforcement and intelligence officials.”

There will be an emergency session scheduled for Sunday, May 31st.

This is a cliffhanger. But even if the replacement bill is adopted, bulk mass surveillance will not end. It will only change form.

The USA Freedom Act requires telecoms metadata to be kept by the phone companies. This is the same model as in the EU Data Retention Directive. Even though this directive has been invalidated by the European Court of Justice for breaching human rights, it is already implemented in most EU member states.

In many EU countries authorities use data retention on a massive scale and in a rather indiscriminate way. In some countries there are even attempts to give the police direct online access to metadata held by the telecoms.

So even if the Freedom Act might be adopted it will not be the end of bulk collection of telecoms data in the US. It will not be as bad as the Patriot Act, but still it will be pretty bad.

However, it will be interesting to see what happens if the Freedom Act is not adopted before the Patriot Act expires. In that case the NSA might have to shut down parts of their operation. At least for some time. (For all the public is allowed to know…)

• NSA is getting ready to shut down bulk surveillance programs in response to failed Senate vote »
• NSA winds down once-secret phone-records collection program »

Update: Julian Assange: Despite Congressional Standoff, NSA Has Secret Authority to Continue Spying Unabated »

/ HAX

The war on truth about… truth

One common practice when it comes to surveillance is to prohibit ISPs, telecoms operators and tech companies from disclosing that there are or have been any warrants or other demands for information from the authorities. (In the US this is known as national security letters.)

Some companies have worked their way around this with so-called warrant canaries. In short this means that they state in e.g. their transparency or annual report that there have been no secret warrants. If they, the next year, leave that information out — they have communicated that there have been one or several secret warrants. But in an indirect, subtle way — without breaching the actual secret warrant in question.

This practice is now going to be illegal in Australia, when it comes to the government spying on journalists. BoingBoing explains…

Section 182A of the new law says that a person commits an offense if he or she discloses or uses information about “the existence or non-existence of such a [journalist information] warrant.” The penalty upon conviction is two years imprisonment.

This makes it illegal… to or not to indicate to the public that… you are or are or are not not… telling the truth. Or a lie.

Orwell would have been amazed.

Or, in plain words: The Australian government does not appreciate the truth.

/ HAX

US tech giants to Obama: End bulk collection mass surveillance

TechCrunch reports that US “technology companies, tech trade groups and privacy organizations sent a letter today to the President Barack Obama, various members of Congress, and governmental security officials, urging reform of the U.S. government’s surveillance practices.” From the letter…

“There must be a clear, strong, and effective end to bulk collection practices under the USA PATRIOT Act, including under the Section 215 records authority and the Section 214 authority regarding pen registers and trap & trace devices. Any collection that does occur under those authorities should have appropriate safeguards in place to protect privacy and users’ rights.”

TechCrunch: Tech Giants Call For “Clear, Strong And Effective End” To NSA’s Phone Metadata Surveillance »

EU: Data retention – an up-to-date summary

In a few weeks Swedish national data retention laws (based on the EU data retention directive) will be tested in an administrative mid-level court. This is only one of many court appeals in the EU on the subject. Former Pirate MEP Amelia Andersdotter has made a timeline (link, in Swedish »).

In the following countries data retention has been rejected by court: Lithuania, Bulgaria (several times), Romania (several times), Germany, Ireland (several times), Cyprus, Czech Republic, Austria, Finland (political decision), Slovakia, Slovenia and The Netherlands. Then there are some open court cases.

In April last year, the European Court of Justice (ECJ) invalidated the EU directive on data retention – for breach of human rights. And recently, the European Commission has declared that there will be no new directive.

It’s also worth noticing criticism against data retention from the EU Council lawyers, Germany’s minister of justice, the EU Data Protection group, the Human Rights Commissioner of the Council of Europe, the UN High Commissioner for Human Rights, the UN High Representative for Human Rights and Privacy in a Digital Age and others.

The Human Rights Commissioner of the Council of Europe has made this statement…

“Suspicionless mass retention of communications data is fundamentally contrary to the rule of law, incompatible with core data-protection principles and ineffective. Member states should not resort to it or impose compulsory retention of data by third parties. /…/ Member states should stop relying on private companies that control the Internet and the wider digital environment to impose restrictions that are in violation of the state’s human rights obligations.”

But some countries — like the UK, France and Sweden — try hard to ignore all criticism and all concerns about human rights. They have no plans of giving up this kind of mass surveillance.

/ HAX

Link (in Swedish, about the Swedish court case, but with some helpful quotes in English): Amelia Andersdotter »

EU: No new directive on data retention. But…

According to Reuters there will be no new EU directive on data retention — after the European Court of Justice (ECJ) last year declared the existing one to be in breach of human rights.

“On the data retention directive, the European Commission does not plan to present a new legislative initiative,” Dimitris Avramopoulos told a news conference in Brussels.

This is good news. No directive, no mandatory data retention in EU member states. But to fully understand the Commission statement you will need to know how the EU is working, under the hood.

Clearly, with the ECJ verdict a new directive would run into difficulties in the European Parliament. And it would, for sure, be challenged at the ECJ again.

But with no new directive, data retention will be a concern for member states. Meaning that countries that want to continue data retention can claim that their model is special and not in breach of the ECJ ruling and / or the human rights charter.

To sum it up: No new directive will not result in a ban on data retention. It will only move the issue to the respective national level. So the matter of data retention is in no way settled.

Reuters: EU executive plans no new data retention law »

/ HAX