Archive | surveillance

Big Brother in Switzerland

Swiss citizens have backed by a large margin a new law that will expand government surveillance powers, following a national referendum held in Switzerland on Sunday.

In total, 65.5 percent were in favour, and 34.5 percent against. Under the new law, Switzerland’s intelligence agency, the Service de renseignement de la Confédération (SRC), will be allowed to break into computers and install malware, spy on phone and Internet communications, and place microphones and video cameras in private locations.

Ars Technica: Switzerland votes for meatier surveillance law by large margin »

Open WiFi hotspots, city-WiFi and anonymity

Last week European Commission president Jean-Claude Juncker proposed open city WiFi networks. This left us with some unanswered questions, e.g. about the rules for liability when it comes to copyright infringements. (Link»)

The very next day a ruling in the European Court of Justice (ECJ) brought some clarity. And raised some new questions.

The court finds that a measure consisting in password-protecting an Internet connection may dissuade the users of that connection from infringing copyright or related rights, provided that those users are required to reveal their identity in order to obtain the required password and may not therefore act anonymously, a matter which it is for the referring court to ascertain.

Ars Technica wrote…

Businesses such as coffee shops that offer a wireless network free of charge to their customers aren’t liable for copyright infringements committed by users of that network, the ruling states—which, in part, chimes with an earlier advocate general’s opinion. But hotspot operators may be required, following a court injunction, to password-protect their Wi-Fi networks to stop or prevent such violations. (…)

The implications are obvious: no more free and anonymous Wi-Fi access in bars, cafes, or hotels in countries within the 28-member-state bloc that can now use existing law to demand that users hand over their ID first.

Pirate Party MEP Julia Reda commented…

Juncker’s free Wi-Fi plan is aimed at travellers, refugees, and other groups that could not possibly be expected to identify themselves before using a public Wi-Fi. The commission is even advertising its new initiative as password-free. This ruling means that copyright holders will be able to foil that plan and require free Wi-Fi providers to restrict access to their networks.

Let me add to the confusion.

First, let’s have a look at the situation for traditional hotspot operators such as cafés.

It is not reasonable to expect a café owner to keep a database of all local WiFi users. That would require an extensive and very privacy-sensitive register that cannot be tampered with and that can stand up to legal procedures. And still, it would do nothing to identify an individual user behind the café’s single IP address. At least not with the relatively cheap and simple WiFi equipment normally used in such places.

It all quickly gets complicated and expensive. This would effectively kill free WiFi with your coffee.

The same general questions can be raised when it comes to Juncker’s free city WiFi. But there is a difference. Public sector operated WiFi will have more money and can apply common technical standards. As the number of users in a city-WiFi can be expected to be substantially higher than at a single café – there would not only need to be some sort of password protection but also individual user names, linked to personal identity. At least if you want to meet the ECJ ambition of being able to identify single users.

In both cases, anonymity will be more or less impossible.

And when it comes to city-WiFi, we can expect various law enforcement and intelligence agencies to show a keen interest.

/ HAX

Ars Technica: Wi-Fi providers not liable for copyright infringements, rules top EU court »

EU: Junckers’ mixed signals on mobile networks

Today the president of the European Commission, Jean-Claude Juncker, gave his “State of the Union” speech in the European Parliament.

EU Observer reports…

Every city in the EU will offer free wireless internet access in its centre by 2020, EU commission president Juncker promised in his state of the EU speech on Wednesday. “We need to be connected. Our economy needs it. People need it,” said Juncker. He also said that a faster mobile network, known as 5G, should be “fully deployed” in the EU by 2025.

Two reflections:

First, it is becoming ever harder for cafés, restaurants, and others to provide free internet access for their customers. The reason is that they can become liable for any copyright infringements their customers may commit. (Mainly because of EU regulations.)

Doesn’t this apply for “cities” as well? Will there be separate rules for free WiFi provided by private and public entities?

Second, there is the matter of what you see and what you don’t see. Free WiFi sounds like a good idea for most people. But what will the effects be on commercial networks? As you cannot compete with free (or rather stuff paid for by the taxpayers) – will this hamper the deployment of e.g. “faster mobile networks”? It seems like Juncker is sending mixed and conflicting signals.

Finally, one must put free, public networks into the context of mass surveillance. Exactly who will operate them – and what law enforcement agencies will these operators collaborate with?

/ HAX

France, Germany and crypto backdoors

In a world where terrorists deliberately encrypt their connections, how big is the chance that a terrorist would (continue to) use a service that is known to be insecure? Our guess: as soon as the European Commission introduces legislation forcing services such as Telegram to decrypt secure communications, terrorists will turn to alternative tools. (…)

The idea that the way to gain access to terrorists’ communications is by backdooring services such as Telegram, is preposterous. Let’s be clear, the French and German proposal will undermine the security of every single person, under the populist guise of improving security. Or, in the words of cryptographer Phil Zimmermann: When crypto is outlawed, only outlaws will have crypto.

EDRi: When crypto is outlawed, only outlaws will have crypto »

German BND ordered to delete illegally collected data, including use of XKeyscore

The German Intelligence Service BND illegally collected and stored mass surveillance data and has to delete those data immediately, including XKeyscore. This is one of the results of a classified report of the German Federal Data Protection Commissioner that we are hereby publishing. In her report, she criticizes serious legal violations and a massive restriction of her supervision authority.

Netzpolitik: Secret Report: German Federal Intelligence Service BND Violates Laws And Constitution By The Dozen »

Ars Technica: German spies repeatedly broke law, must delete XKeyscore database—watchdog »

Prepare for the next crypto war

Last winter it looked as if there was going to be an international initiative against encryption. However, after some public attention, President Obama announced that there were no such plans – at present. Shortly after that, there was a brawl between Apple and the FBI, ending with the FBI withdrawing its subpoena for Apple to build software to give backdoor access to an iPhone. (The FBI cracked it by other methods.) Meanwhile, the UK is slowly moving towards some sort of ban on encryption.

Now, it seems this issue will get new attention. Last week the French called for a global initiative to “deal with” encryption. Apparently, they are trying to get Germany aboard on such an initiative. If so, we can expect the issue to become a hot topic in the EU shortly.

As most politicians are somewhat ignorant when it comes to IT and the Internet – we can expect some ill-conceived proposals.

It would be very difficult for politicians to ban user managed end-to-end encryption like PGP. That should reasonably not be up for discussion. (But you never know when it comes to the EU.)

My guess is politicians (and law enforcement) will take aim at popular communication apps like WhatsApp and Telegram – and demand backdoors to smartphones and other encrypted hardware.

Cracking communication apps and installing backdoors is still a terrible idea. These techniques will – sooner or later – end up in the wrong hands. And government having access to citizens’ communications is still a very unpleasant concept.

However, this will not prevent terrorists and criminals from communicating securely and covertly – if they really want to.

/ HAX

France in global call to “deal with” messaging apps »
How the Government Is Waging Crypto War 2.0 »

ECJ Advocate General on data retention: Strict conditions must apply

Data retention (collection of data about everybody’s phone calls, text messages, e-mails, internet connections and mobile positions) may only be used to combat serious crimes – and only if there are no other options (such as using surveillance only against people who are actually suspected of criminal activities).

This is the essence of the European Court of Justice’s Advocate General’s recommendation in some ongoing cases about data retention.

From the press release (PDF):

The Advocate General is of the opinion that a general obligation to retain data may be compatible with EU law. The action by Member States against the possibility of imposing such an obligation is, however, subject to satisfying strict requirements. It is for the national courts to determine, in the light of all the relevant characteristics of the national regimes, whether those requirements are satisfied.

First, the general obligation to retain data and the accompanying guarantees must be laid down by legislative or regulatory measures possessing the characteristics of accessibility, foreseeability and adequate protection against arbitrary interference.

Secondly, the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the Charter.

Thirdly, the Advocate General notes that EU law requires that any interference with the fundamental rights should be in the pursuit of an objective in the general interest. He considers that solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.

Fourthly, the general obligation to retain data must be strictly necessary to the fight against serious crime, which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights.

Furthermore, the Advocate General points out that that obligation must respect the conditions set out in the judgment in Digital Rights Ireland (5) as regards access to the data, the period of retention and the protection and security of the data, in order to limit the interference with the fundamental rights to what is strictly necessary.

Finally, the general obligation to retain data must be proportionate, within a democratic society, to the objective of the fight against serious crime, which means that the serious risks engendered by that obligation within a democratic society must not be disproportionate to the advantages it offers in the fight against serious crime.

Here it is important to remember that the ECJ revoked the EU Data Retention Directive – the document all member states’ data retention is built upon – in the spring of 2014. This is because it violates fundamental human rights, such as the right to privacy. So it is hardly possible to stick to any direct adaptations of the fallen directive.

One thing that seems to be clear is that data retention cannot be used to investigate minor crimes (e.g. illegal file sharing). And it cannot be used for non-criminal proceedings (e.g. by local councils and tax authorities). The infringement of privacy is massive with data retention. It must be in proportion to the seriousness of the suspected crime.

Point four (“which means that no other measure or combination of measures could be as effective while at the same time interfering to a lesser extent with fundamental rights”) is also interesting. Of course, there are other measures – like only using surveillance against people suspected of criminal activities, instead of the entire population.

Later this fall the ECJ will give its final verdict. But it usually follows the Advocate General’s recommendations.

Links:
• ECJ press release (PDF) »
• The Advocate General’s recommendation, full text »
• EDRi – European Court confirms: Strict safeguards essential for data retention »
• Falkvinge – European Supreme Court says “Maybe” to mass surveillance of innocents »

UK Brexit Minister in ECJ court case against UK government on privacy

This is unusual.

The new UK “Brexit minister” David Davis is involved in a court case in the European Court of Justice (ECJ) – suing the British government over personal data rights.

Furthermore, the law he is challenging was introduced by his new boss, Prime Minister Theresa May, during her time as Minister for Home Affairs.

“The choice of Mr Davis is a remarkable one in some ways. A sincere civil libertarian, as well as a pro-Brexit campaigner, he is one of a group of claimants suing the UK government at the European Court of Justice to enforce EU law on an allegedly non-compliant UK in respect of personal data rights. This case — which is reliant on the very charter of fundamental rights loathed by many in his own party — has already seen a decision of the high court saying an act of parliament was incompatible with EU law (though this was not upheld on appeal, it was referred to the ECJ instead).”

FT: David Davis, Brexit and the shapelessness of things to come »

EU-US Privacy Shield adopted by the EU despite privacy flaws

The much criticized EU-U.S. Privacy Shield agreement concerning data protection for personal data transferred from the EU to the U.S. has – as expected – been approved by EU member states.

• Statement by Vice-President Ansip and Commissioner Jourová on the occasion of the adoption by Member States of the EU-U.S. Privacy Shield »

• Privacy Shield data pact gets European approval »

• EU-U.S. commercial data transfer pact clears final hurdle »

• New Privacy Shield Could Face Legal Challenge in Europe, Experts Say »

• Official: Privacy Shield dragged across finish line »

Most likely this agreement will end up in the European Court of Justice – as it suffers from many of the same shortcomings as its predecessor, the Safe Harbour agreement. The latter was invalidated by the court for violating citizens’ rights to privacy.

Cyber war capabilities and mass surveillance

We definitely need cyber defence capabilities. Foreign powers, terrorists, and criminal networks have the capability to harm key functions in our societies.

We also need capacity for offensive cyber operations. No doubt, this will be a part of tomorrow’s conflicts, and there is an ongoing cyber war arms race. Several western countries affiliated with the NSA are adapting to this. (E.g. Sweden has recently made changes to legalise offensive operations which, according to the Snowden documents, are already in place.)

First of all, the threshold for cyber attacks is lower than for conventional military conflicts. At the same time, most countries have made it clear that they will consider cyber attacks as an actual act of war. So there are reasons to tread carefully.

This is a grey area. It is difficult to be sure if a cyber attack originates from another nation or a criminal or terrorist organisation. In the same way, it is difficult to know who you engage in defensive or offensive cyber operations. Things might easily escalate.

Second, there is no clear line separating conventional mass surveillance and cyber warfare. One can easily spill over into the other. The lines are muddled. The rule of law can easily be circumvented by labelling surveillance that would be illegal in “civil” law enforcement as secret “military” operations.

Third, cyber warfare capabilities are frequently outsourced to private contractors. This will make it even harder to uphold democratic oversight and accountability.

I would argue that one major problem with cyber warfare capabilities is that they might be used to conceal domestic intelligence operations outside the realm of the law.

This calls for vigilance.

/ HAX

Statewatch » Council documents: responses to offensive cyber operations; “cyber capacity building” in non-EU countries; implementation report on Cyber Defence Policy Framework »