Archive | EU
Prepare for the next crypto war
Last winter it looked as if there was going to be an international initiative against encryption. However, after some public attention, President Obama announced that there were no such plans – at present. Shortly after that, there was a brawl between Apple and the FBI, ending with the FBI withdrawing its subpoena for Apple to build software to give backdoor access to an iPhone. (The FBI cracked it by other methods.) Meanwhile, the UK is slowly moving towards some sort of ban on encryption.
Now, it seems this issue will get new attention. Last week the French called for a global initiative to “deal with” encryption. Apparently, they are trying to get Germany aboard on such an initiative. If so, we can expect the issue to become a hot topic in the EU shortly.
As most politicians are somewhat ignorant when it comes to IT and the Internet, we can expect some ill-conceived proposals.
It would be very difficult for politicians to ban user-managed end-to-end encryption like PGP. That should reasonably not be up for discussion. (But you never know when it comes to the EU.)
My guess is politicians (and law enforcement) will take aim at popular communication apps like WhatsApp and Telegram – and demand backdoors to smartphones and other encrypted hardware.
Cracking communication apps and installing backdoors is still a terrible idea. These techniques will – sooner or later – end up in the wrong hands. And government having access to citizens’ communications is still a very unpleasant concept.
However, this will not prevent terrorists and criminals from communicating securely and covertly – if they really want to.
/ HAX
France in global call to “deal with” messaging apps »
How the Government Is Waging Crypto War 2.0 »
Copyright wars, the next step
The UK has just changed its copyright-and-patent monopoly law to extend copyright to furniture and to extend the term of that copyright on furniture by about a century. This follows a decision in the European Union, where member states are required to adhere to such an order. This change means that people will be prohibited from using 3D printing and other maker technologies to manufacture such objects, and that for a full century.
Falkvinge: As 3D printers break through, EU expands copyright to furniture and extends term by a century »
European Data Protection Supervisor: Ban encryption backdoors
According to TechDirt, a report from European Data Protection Supervisor (EDPS) Giovanni Buttarelli argues for a ban on encryption backdoors.
Excellent.
But that is not all…
The new rules should also clearly allow users to use end-to-end encryption (without ‘backdoors’) to protect their electronic communications.
Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.
That is taking the issue far. Very far. Maybe so far as to kill the report altogether in the EU institutions.
I cannot imagine politicians prohibiting all forms of attempted decryption, under all circumstances. Europol would go bananas. The EPP and S&D groups in the European Parliament would never accept it. And I imagine the Commission would never put forward such a proposal.
Just focusing on banning backdoors, however, is a totally different issue – that might stand a fair chance to become EU policy.
Then we have this…
In this context the EDPS also recommends that the Commission consider measures to encourage development of technical standards on encryption…
This could be understood as the EU encouraging encryption in general. That would be a good thing. Or as if the EU should take some sort of control over the development of encryption. That would be really bad.
Frankly, I’m not sure what to make of parts of this report.
But, at least, this is a clear stand against backdoors – from an EU data protection bigwig.
/ HAX
TechDirt: EU Data Protection Official Says Revised Privacy Laws Should Ban Backdooring Encryption »
EDRi: Three steps to end freedom of expression
It is quite clear that removal of material online is a restriction on fundamental rights. It is quite clear that the safeguards in the Charter of Fundamental Rights of the EU are being willfully ignored:
EU Charter: Article 52.1:
Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
Government using private sector censorship for political objectives
Censorship is censorship. If you block someone from speaking freely or delete people’s content from the Internet you do censor them.
But there are different sorts of censorship.
One is when the government silences opposition, controversial voices or whatever. That is, in general terms, a violation of freedom of speech and our civil rights. That should not be accepted in a democratic society.
Another form of censorship is when Twitter censors Milo Yiannopoulos, when Google censors artist Dennis Cooper or when Facebook is accused of downgrading news depending on political affiliations.
These are private companies and they choose to whom they want to provide their services. This is clearly stated in these companies’ voluminous terms and conditions.
So, OK – social media giants can censor people (and ideas). But should they?
The fact that Google, YouTube, Facebook and Twitter can censor people in a legally »correct« way should in no way protect them from being criticized for doing so.
And they should be criticized! Especially as their dominance on the social media scene is almost total. Their actions have political consequences. And they might very well have a political agenda.
(As a libertarian I run into this issue a lot. Just because I dislike something, I do not have the desire or right to outlaw it. But still, as a consumer, user or concerned citizen I am free to criticize e.g. censorship – and to loudly point out its risks and problems.)
But recently the lines are getting blurred. As I have pointed out in previous blog posts, governments (most recently the EU) are teaming up with major social media players to use the latter’s legal framework to silence voices that politicians dislike. Thus circumventing the legal system and the rule of law – and moving government censorship out of democratic control.
This is a serious, mounting problem.
/ HAX
ECJ Advocate General on data retention: Strict conditions must apply
Data retention (collection of data about everybody’s phone calls, text messages, e-mails, internet connections and mobile positions) may only be used to combat serious crimes – and only if there are no other options (such as using surveillance only against people who are actually suspected of criminal activities).
This is the essence of the European Court of Justice Advocate General’s recommendation in some ongoing cases about data retention.
From the press release (PDF):
The Advocate General is of the opinion that a general obligation to retain data may be compatible with EU law. The action by Member States against the possibility of imposing such an obligation is, however, subject to satisfying strict requirements. It is for the national courts to determine, in the light of all the relevant characteristics of the national regimes, whether those requirements are satisfied.
First, the general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference.
Secondly, the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the Charter.
Thirdly, the Advocate General notes that EU law requires that any interference with the fundamental rights should be in the pursuit of an objective in the general interest. He considers that solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.
Fourthly, the general obligation to retain data must be strictly necessary to the fight against serious crime, which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights.
Furthermore, the Advocate General points out that that obligation must respect the conditions set out in the judgment in Digital Rights Ireland (5) as regards access to the data, the period of retention and the protection and security of the data, in order to limit the interference with the fundamental rights to what is strictly necessary.
Finally, the general obligation to retain data must be proportionate, within a democratic society, to the objective of the fight against serious crime, which means that the serious risks engendered by that obligation within a democratic society must not be disproportionate to the advantages it offers in the fight against serious crime.
Here it is important to remember that the ECJ revoked the EU Data Retention Directive – the document all member states’ data retention is built upon – in the spring of 2014. This was because it violates fundamental human rights, such as the right to privacy. So it is hardly possible to stick to any direct adaptations of the fallen directive.
One thing that seems to be clear is that data retention cannot be used to investigate minor crimes (e.g. illegal file sharing). And it cannot be used for non-criminal proceedings (e.g. by local councils and tax authorities). The infringement of privacy is massive with data retention. It must be in proportion to the seriousness of the suspected crime.
Point four (“which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights”) is also interesting. Of course, there are other measures – like only using surveillance against people suspected of criminal activities, instead of the entire population.
Later this fall the ECJ will give its final verdict. But it usually follows the Advocate General’s recommendations.
Links:
• ECJ press release (PDF) »
• The Advocate General’s recommendation, full text »
• EDRi – European Court confirms: Strict safeguards essential for data retention »
• Falkvinge – European Supreme Court says “Maybe” to mass surveillance of innocents »
And now… automated web censorship
Automated systems to identify child abuse material (and flag it for removal) on the Internet are now going to be used to combat “extremist” and “hateful” content on social media.
“However, the definition of “extremist content” is everything but clear; CEP’s algorithm does not (and logically cannot) contain this definition either. Even if it were to use a database of previously identified material, that still would create problems for legitimate quotation, research and illustration purposes, as well as problems regarding varying laws from one jurisdiction to another.”
“The Joint Referral Platform has the potential to automate Europol’s not-formal-censorship activities by an automatic detection of re-upload. However, it remains unclear whether any investigative measures will be taken apart from the referral – particularly as Europol’s activities, bizarrely, do not deal with illegal material. There is obviously no redress available for incorrectly identified and deleted content, as it is not the law but broad and unpredictable terms of service that are being used.”
What could possibly go wrong..?
FAQ: EU-US Privacy Shield
“There are a few improvements, the most obvious being on the purpose limitation and the duration of data retention by private companies. But even here, the EU standard that data can only be stored as long as this is “necessary” is watered down to “relevant”. Of course, any data can be relevant for the company, but that does not mean it meets the necessity test.”
“At the very least, it should get a sunset clause and expire in two years, when the new EU data protection rules have to be applied. The negotiations should in the meantime continue with the next US administration, which also should amend its laws in the next two years. I know this is difficult given the current situation on Capitol Hill in Washington, but we can’t give US companies such privileged access to EU data transfers market if they don’t follow our standards.”
“All I have seen is a funny attempt to define “bulk collection” as not being “mass surveillance”. The US government is still allowed to do bulk data collection in at least six cases, including gathering “foreign intelligence information”, which can be information on anything from illicit arms trade to legitimate trade agreement protests.”
German Green MEP Jan Philipp Albrecht on the EU-U.S. Privacy Shield.
Link: EU-US “Privacy Shield” – Background and Frequently Asked Questions (FAQ) »
EU-US Privacy Shield adopted by the EU despite privacy flaws
The much criticized EU-U.S. Privacy Shield agreement concerning data protection for personal data transferred from the EU to the U.S. has – as expected – been approved by EU member states.
• Privacy Shield data pact gets European approval »
• EU-U.S. commercial data transfer pact clears final hurdle »
• New Privacy Shield Could Face Legal Challenge in Europe, Experts Say »
• Official: Privacy Shield dragged across finish line »
Most likely this agreement will end up in the European Court of Justice – as it is suffering from many of the same shortcomings as its predecessor, the Safe Harbour agreement. The latter was invalidated by the court for violating citizens’ rights to privacy.