Archive | Privacy

“You don’t have Freedom of Speech without Privacy”

Freedom of Speech is the idea that you can discuss ideas without fear of harassment. But the judicial protection is actually quite weak; it only protects you from repercussions from your government. In order to allow society to discuss forbidden ideas, ideas that may turn out to be in the right, a much wider Freedom of Speech is needed: one that requires Privacy.

Falkvinge: You don’t have Freedom of Speech without Privacy »


The two faces of Big Brotherism

There is a huge difference between government mass surveillance and commercial privacy infringements.

The government can use force to make you behave the way politicians and bureaucrats want you to behave. The government can limit your freedom and it tends to curtail your civil rights. In a state with total control, democracy will succumb. Living in a Big Brother society will be unbearable. Government mass surveillance is about control and power.

Commercial players tend to use the data they collect to try to sell you stuff – which basically is about influencing a voluntary relation. Or to evaluate partners (customers, suppliers etc.) that they conduct business with. Nevertheless, this can be very annoying, intrusive, damaging and even dangerous for the private individual.

We must keep in mind that these are two different issues. They are about totally different relations to the individual. They should be approached in different ways.

Sometimes I get the impression that certain parties in the public debate are deliberately trying to muddy the waters. Politicians regularly try to lead the discussion away from government mass surveillance to issues concerning commercial actors. And when asked what they do to protect people’s right to privacy, their answers are often about Facebook, Google, advertising and commercial data mining – when they ought to be about mass surveillance, data retention and the relations between citizens and the state.

They shouldn’t be allowed to get away with that.

/ HAX


European Data Protection Supervisor: Ban encryption backdoors

According to TechDirt, a report from European Data Protection Supervisor (EDPS) Giovanni Buttarelli argues for a ban on encryption backdoors.

Excellent.

But that is not all…

The new rules should also clearly allow users to use end-to-end encryption (without ‘backdoors’) to protect their electronic communications.

Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

That is taking the issue far. Very far. Maybe so far as to kill the report altogether in the EU institutions.

I cannot imagine politicians prohibiting all forms of attempted decryption, under all circumstances. Europol would go bananas. The EPP and S&D groups in the European Parliament would never accept it. And I imagine the Commission would never put forward such a proposal.

Just focusing on banning backdoors, however, is a totally different issue – one that might stand a fair chance of becoming EU policy.

Then we have this…

In this context the EDPS also recommends that the Commission consider measures to encourage development of technical standards on encryption…

This could be understood as the EU encouraging encryption in general. That would be a good thing. Or it could be understood as the EU taking some sort of control over the development of encryption. That would be really bad.

Frankly, I’m not sure what to make of parts of this report.

But, at least, this is a clear stand against backdoors – from an EU data protection bigwig.

/ HAX

TechDirt: EU Data Protection Official Says Revised Privacy Laws Should Ban Backdooring Encryption »


ECJ Advocate General on data retention: Strict conditions must apply

Data retention (collection of data about everybody’s phone calls, text messages, e-mails, internet connections and mobile positions) may only be used to combat serious crimes – and only if there are no other options (such as using surveillance only against people who are actually suspected of criminal activities).

This is the essence of the European Court of Justice’s Advocate General’s recommendation in some ongoing cases about data retention.

From the press release (PDF):

The Advocate General is of the opinion that a general obligation to retain data may be compatible with EU law. The action by Member States against the possibility of imposing such an obligation is, however, subject to satisfying strict requirements. It is for the national courts to determine, in the light of all the relevant characteristics of the national regimes, whether those requirements are satisfied.

First, the general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference.

Secondly, the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the Charter.

Thirdly, the Advocate General notes that EU law requires that any interference with the fundamental rights should be in the pursuit of an objective in the general interest. He considers that solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.

Fourthly, the general obligation to retain data must be strictly necessary to the fight against serious crime, which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights.

Furthermore, the Advocate General points out that that obligation must respect the conditions set out in the judgment in Digital Rights Ireland (5) as regards access to the data, the period of retention and the protection and security of the data, in order to limit the interference with the fundamental rights to what is strictly necessary.

Finally, the general obligation to retain data must be proportionate, within a democratic society, to the objective of the fight against serious crime, which means that the serious risks engendered by that obligation within a democratic society must not be disproportionate to the advantages it offers in the fight against serious crime.

Here it is important to remember that the ECJ revoked the EU Data Retention Directive – the document all member states’ data retention is built upon – in the spring of 2014. This was because it violates fundamental human rights, such as the right to privacy. So it is hardly possible to stick to any direct adaptations of the fallen directive.

One thing that seems to be clear is that data retention cannot be used to investigate minor crimes (e.g. illegal file sharing). And it cannot be used for non-criminal proceedings (e.g. by local councils and tax authorities). The infringement of privacy is massive with data retention. It must be in proportion to the seriousness of the suspected crime.

Point four (“which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights”) is also interesting. Of course, there are other measures – like only using surveillance against people suspected of criminal activities, instead of the entire population.

Later this fall the ECJ will give its final verdict. But it usually follows the Advocate General’s recommendations.

Links:
• ECJ press release (PDF) »
• The Advocate General’s recommendation, full text »
• EDRi – European Court confirms: Strict safeguards essential for data retention »
• Falkvinge – European Supreme Court says “Maybe” to mass surveillance of innocents »


UK Brexit Minister in ECJ court case against UK government on privacy

This is unusual.

The new UK “Brexit minister” David Davis is involved in a court case in the European Court of Justice (ECJ) – suing the British government over personal data rights.

Furthermore, the law he is challenging was introduced by his new boss, Prime Minister Theresa May, during her time as Minister for Home Affairs.

“The choice of Mr Davis is a remarkable one in some ways. A sincere civil libertarian, as well as a pro-Brexit campaigner, he is one of a group of claimants suing the UK government at the European Court of Justice to enforce EU law on an allegedly non-compliant UK in respect of personal data rights. This case — which is reliant on the very charter of fundamental rights loathed by many in his own party — has already seen a decision of the high court saying an act of parliament was incompatible with EU law (though this was not upheld on appeal, it was referred to the ECJ instead).”

FT: David Davis, Brexit and the shapelessness of things to come »


FAQ: EU-US Privacy Shield

“There are a few improvements, the most obvious being on the purpose limitation and the duration of data retention by private companies. But even here, the EU standard that data can only be stored as long as this is “necessary” is watered down to “relevant”. Of course, any data can be relevant for the company, but that does not mean it meets the necessity test.”

“At the very least, it should get a sunset clause and expire in two years, when the new EU data protection rules have to be applied. The negotiations should in the meantime continue with the next US administration, which also should amend its laws in the next two years. I know this is difficult given the current situation on Capitol Hill in Washington, but we can’t give US companies such privileged access to EU data transfers market if they don’t follow our standards.”

“All I have seen is a funny attempt to define “bulk collection” as not being “mass surveillance”. The US government is still allowed to do bulk data collection in at least six cases, including gathering “foreign intelligence information”, which can be information on anything from illicit arms trade to legitimate trade agreement protests.”

German Green MEP Jan Philipp Albrecht on the EU-U.S. Privacy Shield.

Link: EU-US “Privacy Shield” – Background and Frequently Asked Questions (FAQ) »


EU-US Privacy Shield adopted by the EU despite privacy flaws

The much criticized EU-U.S. Privacy Shield agreement concerning data protection for personal data transferred from the EU to the U.S. has – as expected – been approved by EU member states.

• Statement by Vice-President Ansip and Commissioner Jourová on the occasion of the adoption by Member States of the EU-U.S. Privacy Shield »

• Privacy Shield data pact gets European approval »

• EU-U.S. commercial data transfer pact clears final hurdle »

• New Privacy Shield Could Face Legal Challenge in Europe, Experts Say »

• Official: Privacy Shield dragged across finish line »

Most likely this agreement will end up in the European Court of Justice – as it is suffering from many of the same shortcomings as its predecessor, the Safe Harbour agreement. The latter was invalidated by the court for violating citizens’ rights to privacy.


Cyber war capabilities and mass surveillance

We definitely need cyber defence capabilities. Foreign powers, terrorists, and criminal networks have the capability to harm key functions in our societies.

We also need capacity for offensive cyber operations. No doubt, this will be a part of tomorrow’s conflicts and there is an ongoing cyber war arms race. Several western countries affiliated with the NSA are adapting to this. (E.g. Sweden has recently made changes to legalise offensive operations which, according to the Snowden documents, are already in place.)

First of all, the threshold for cyber attacks is lower than for conventional military conflicts. At the same time, most countries have made it clear that they will consider cyber attacks as an actual act of war. So there are reasons to tread carefully.

This is a grey area. It is difficult to be sure if a cyber attack originates from another nation or a criminal or terrorist organisation. In the same way, it is difficult to know who you are engaging with in defensive or offensive cyber operations. Things might easily escalate.

Second, there is no clear line separating conventional mass surveillance and cyber warfare. One can easily spill over into the other. The lines are muddled. The rule of law can easily be circumvented by labelling surveillance that would be illegal in “civil” law enforcement as secret “military” operations.

Third, cyber warfare capabilities are frequently outsourced to private contractors. This will make it even harder to uphold democratic oversight and accountability.

I would argue that one major problem with cyber warfare capabilities is that they might be used to conceal domestic intelligence operations outside the realm of the law.

This calls for vigilance.

/ HAX

Statewatch » Council documents: responses to offensive cyber operations; “cyber capacity building” in non-EU countries; implementation report on Cyber Defence Policy Framework »


EU to adopt EU-US Privacy Shield shortly

Privacy Shield—the much maligned replacement to the Safe Harbour deal between the European Union and the US—looks set to be approved by national representatives on Friday, Ars understands.

The scheme, which will allow the transfer of personal data from the EU to the US despite privacy and data protection concerns, has faced an uphill battle. Brussels officials who negotiated the deal on behalf of the EU have been desperate to push it through in the face of criticism from the European Data Protection Supervisor, national data protection authorities, and the European Parliament, in order to give some legal certainty to companies that rely on transatlantic data flows. (…)

The agreement is expected to be formally adopted by the European Commission next Monday, followed by the deal being inked by justice commissioner Vera Jourová and US secretary of commerce Penny Pritzker on Tuesday.

Jennifer Baker in Ars Technica: Privacy Shield to be dragged across finish line—sources »


Next up: EU e-Privacy Directive

The EU General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP) have now been approved — after being watered down as the result of an unprecedented lobbying campaign.

Next up is the EU e-Privacy Directive. EDRi explains…

The e-Privacy Directive contains specific rules on data protection in the area of telecommunication in public electronic networks. It is hugely important, as it is the only EU legislation that regulates confidentiality of communications. (…)

Specifically, the ePrivacy Directive regulates aspects related to the right to confidentiality of communications and the right to freedom of expression.

Once again, we can expect a massive lobby campaign to weaken citizens’ rights.

To get up to date with what is at stake, read this blog post from EDRi:

• e-Privacy Directive revision: An analysis from the civil society »

/ HAX
