Archive | surveillance

European court to consider legality of UK surveillance laws

“Blanket retention of communications data, without suspicion, creates a honeypot of information for criminals and hackers, and this case will have implications for personal privacy and the security of individual personal data.”

The Guardian: European court to consider legality of UK surveillance laws »

Update, also see:
The Guardian: MP calls for limit on UK surveillance powers as EU test case opens »


Fierce legal battle over data retention in Sweden

There is a rather interesting legal battle concerning data retention going on in Sweden. Parties are the ISP Bahnhof and the government oversight authority Post- & Telestyrelsen (PTS).

Two years ago, to the day, the European Court of Justice (ECJ) invalidated the EU data retention directive — stating that it is in violation of human rights, especially the right to privacy.

However, in Sweden data retention continues — under a cross-party political consensus. This is to be tried in the ECJ, but is still an open issue.

Meanwhile, Swedish police (and other authorities) are using data retention to demand information about Internet users and their activities from the ISPs.

Referring to the ECJ verdict, the ISP Bahnhof has refused to share information about minor crimes with the police. After all, data retention was supposed to be about terrorism and other serious criminal activities.

To share information from data retention, Bahnhof requires that the police confirm that it will only be used for investigating serious crimes according to relevant Swedish legal definitions. And Bahnhof demands this information from the police in writing.

The police are not happy about this. Not at all. So they have asked PTS to investigate what can be done. This has led to PTS slamming Bahnhof with a penalty of five million Swedish kronor (some 550,000 euros) if it does not comply.

Now, we shall remember that there still is an open case about Swedish data retention in the ECJ. Also, a Swedish administrative court has asked the ECJ for guidance when it comes to the Bahnhof case.

This has led Bahnhof to ask the Stockholm lower administrative court (Förvaltningsrätten) for inhibition of the PTS decision concerning the fines mentioned above.

Now, this court has granted Bahnhof inhibition — until it has reached a final verdict after careful investigation in the wider context of data retention. However, PTS still can appeal against the inhibition. If so, the case will move up the three-tier Swedish administrative court system.

The bottom line is that a relatively small ISP — backed up by the first ECJ ruling — is prepared to take a fight against the government on data retention. And that the Swedish government is trying to circumvent the ECJ verdict, to maintain mass surveillance.

This is a story to be continued.

/ HAX

Disclaimer: The 5:th of July-foundation, running this blog, is the VPN provider for Bahnhof (and others). Bahnhof's lawyer is also a member of the board of the 5:th of July foundation.


European Parliament to approve PNR next Thursday

The European Parliament will have what is believed to be its final vote on EU Passenger Name Record (PNR) in Strasbourg next Thursday, April 14.

For years, the Parliament has tried to stop registration of sensitive personal information related to air travel. But after the latest terrorist attacks, pressure has mounted, and everything suggests that the dossier will be approved during next week’s session.

From the European Parliament's webpage:

Passenger Name Record (PNR) data is information provided by passengers and collected by air carriers during reservation and check-in procedures. Non-carrier economic operators, such as travel agencies and tour operators, sell package tours making use of charter flights for which they also collect and process PNR data from their customers.

PNR data include several different types of information, such as travel dates, travel itinerary, ticket information, contact details, baggage information and payment information.

Parliamentarians have had serious concerns about the impact of PNR on fundamental rights and data protection.

Now the PNR dossier is said to be voted together with the EU Data Protection package – at least allowing some coordinated approach.

Formally, EU PNR is about information regarding passengers arriving on flights from non-EU countries. But there is no doubt this will also apply to intra-EU flights.

So, governments will store information about all of people’s air travel, in detail. This is to be added to information about e.g. all of our telecommunications and our bank transactions. The grip tightens.

(It could have been even worse. Earlier on in the process, the U.K. put forward the idea that all our train travel, car rentals, and hotel stays should also be registered. But I guess they decided to take this one step at a time.)

If nothing short of a miracle occurs, next Thursday the EU will take its next step towards Big Brotherism.

/ HAX

Links:
• EP: Final votes on PNR and data protection package »
• News on PNR from the EP (16 July 2015) »
• EP: Much Ado About PNR (19 Jan. 2015) »
• EP: EU Passenger Name Record (PNR) proposal: an overview (14 Dec. 2015) »
• MEPs refuse to vote on PNR before Council strengthens data protection (9 March 2016) »


The spiral of silence

A new study shows that knowledge of government surveillance causes people to self-censor their dissenting opinions online. The research offers a sobering look at the oft-touted “democratizing” effect of social media and Internet access that bolsters minority opinion.

The study, published in Journalism and Mass Communication Quarterly, studied the effects of subtle reminders of mass surveillance on its subjects. The majority of participants reacted by suppressing opinions that they perceived to be in the minority. This research illustrates the silencing effect of participants’ dissenting opinions in the wake of widespread knowledge of government surveillance, as revealed by whistleblower Edward Snowden in 2013.

• Washington Post: Mass surveillance silences minority opinions, according to study »
• Motherboard: ‘Chilling Effect’ of Mass Surveillance Is Silencing Dissent Online, Study Says »
• Journalism & Mass Communication Quarterly: Under Surveillance – Examining Facebook’s Spiral of Silence Effects in the Wake of NSA Internet Monitoring »


What to expect after the Brussels attacks. And why it will not work.

Once again terrorists have struck.

No doubt, this will be followed by new calls for mass surveillance.

But mass surveillance doesn’t really work. It’s rather draining the police and intelligence services of resources – making us all less safe.

Not even a system with 99% accuracy would be useful. It would give 10,000 false positives per million people’s communications scanned. That’s simply not workable. (And it would lead to dramatic consequences for totally innocent people.) Also, there are no systems even close to being 99% accurate.

After the Paris attacks Waldemar Ingdahl wrote in Spiked:

And yet, despite the vast array of new powers granted to security agencies over the past 15 years, they still find it difficult to connect the dots in the lead-up to a terrorist attack. In fact, the Madrid train bombings in 2004 and the London bombings in 2005 were undertaken despite the fact that some of the perpetrators were already under surveillance.

What we need is more traditional police and intelligence work — not security bureaucrats behind computer screens, trying to find suspicious patterns in ordinary people’s communications.

Human intelligence is hard, often dangerous and expensive. But that is what it takes. Everything else is part of a counter-productive security theatre.

But then again, fighting terrorism might just be a pretext for mass surveillance of the general public.

/ HAX

Spiked, November 2015: Why mass surveillance misses terrorists »


The Goovernment

You know the saying that Google will know if you are gay before you do?

Almost the same, but a little different, can be said about the government.

The government knows who you have been talking to on the phone and who your friends are – and who their friends are. The government knows where you have been and who else might have been in the same place at the same time. The government knows when you connected to the internet, who you sent an email to and the people that have emailed you. Data is stored about your every text message, and in some countries that goes for the content of the messages as well.

In the UK Big Brother will even keep an eye on your web searches, if the government gets its way.

The government knows who your friends are and what people you are trying to avoid. It can tell who you do business with and what people you sleep with. It can figure out your hobbies and your whereabouts. And it can flag you if a friend of your friend is someone the people in power do not approve of.

With Google – at least, it’s about selling you stuff, to expose you to “relevant” ads and to make a buck. (But World Domination, really?)

But with the Goovernment – it’s all about control. And power. Over you. For real.

Put one on top of the other, and it gets even more scary. (The government doesn’t need Google to cooperate in this. Much of the data is out on the market.)

All of this while government doings are getting more opaque, more secretive and more dubious.

This is not the way to do things in an open, democratic society.

/ HAX


EU and the crypto war

So, where does the EU stand on politicians', law enforcement's and intelligence organisations' war on encryption?

It is still an open question, to be decided in the e-Privacy Directive.

What is this — and didn’t the EU just set out the framework for data protection? Diego Naranjo at EDRi explains…

“Did you think the data protection reform was finished? Think again. Once the agreement on the texts of the General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP) was reached, the e-Privacy Directive took its place as the next piece of European Union (EU) law that will be reviewed. The e-Privacy Directive (Directive 2002/58/EC on privacy and electronic communications) contains specific rules on data protection in the area of telecommunication in public electronic networks.”

Here issues such as cookies, government trojans and encryption back doors should be addressed.

So far, this process has attracted very little attention from the public, the media, the industry and internet activists. Nevertheless, these issues are essential when it comes to citizens' right to privacy.

While the Apple vs. FBI case in the US is all over the media — what’s going on in the same field in the EU is more or less ignored.

While most EU politicians have held a low profile about encryption backdoors so far, the matter of government trojans already is an existing and very real cause for worry.

The French have long been suspected of using malware (e.g. Babar, Bunny, Casper, Dino, NBot and Tafacalou) and will most certainly move ahead in their new cyber-security strategy. In Germany the government just approved the usage of trojans by federal agencies. And countries like Sweden are fast-tracking legislation in this field.

It is important to remember that this is not “only” about phone calls, text messages and e-mails. With trojans on your phone, tablet or computer — the government can access everything you do. What you write. What you google. Your online banking. Your social media activities. Dating apps that you might use. Your contacts. Your private pictures. Your business plans. Your health apps. You name it…

So we better get busy while it’s still possible to influence the political process.

Don’t let the EU get away with keeping this dossier under the radar. Please.

/ HAX

EDRi: Data Protection Reform – Next stop: e-Privacy Directive »


This Is the Real Reason Apple Is Fighting the FBI

Julian Sanchez: This Is the Real Reason Apple Is Fighting the FBI »

1. This offers the government a way to make tech companies help with investigations.

2. This public fight could affect private orders from the government.

3. The consequences of a precedent permitting this sort of coding conscription are likely to be enormous in scope.

4. Most ominously, the effects of a win for the FBI in this case almost certainly won’t be limited to smartphones.


An EU-US Privacy Shield?

Last October the EU-US “Safe Harbour” agreement was canceled by the European Court of Justice. This agreement was created to ensure that European personal data was to be treated with care when handled by US companies. But the ECJ found that the agreement did not meet the requirements of the Data Protection Directive, because of NSA access.

ArsTechnica then reported…

“The most significant repercussion of this ruling is that American companies, such as Facebook, Google, and Twitter, may not be allowed to send user data from Europe back to the US.”

Link: Europe’s highest court strikes down Safe Harbour data sharing between EU and US »

Today the media has reported that a new agreement has been reached: The EU-US Privacy Shield.

Such an agreement has been a top political priority for the EU as well as the US — as the respective administrations have not wanted data protection to get in the way of business as usual.

But is there a real agreement? Not really. All there is, is a “framework agreement”, basically saying that the EU and the US agree to agree at some point.

Today ArsTechnica writes…

“What that means in practice is that the Commission has negotiated some breathing space to strike a deal with the US.”

“The US has clarified that they do not carry out indiscriminate mass surveillance of European citizens,” EU Commissioner Andrus Ansip has declared. No further details on this, though…

Link: Last gasp Safe Harbour “political deal” struck between Europe and US »

Apparently the EU and the US have no such thing as an actual deal to show. But there is a lot of hot air coming out of Brussels and Washington.

Earlier today, before the news about a “framework agreement” from Brussels, ArsTechnica had an interview with Max Schrems, the Austrian law student who took this case to court to begin with.

“On the subject of any potential new agreement, he argues it would be no better, and that a sector-specific approach to EU-US data transfers would be preferable. “If this case goes back to the ECJ [European Court of Justice]—which it very likely will do, if there is a new safe harbour that does not meet the test of the court—then it will fail again, and nobody wants that,” he says.”

Link: Why Safe Harbor 2.0 will lose again »

Apart from the EU and the US having agreed to agree — everyone seems to be just as much in the dark as before. (There is also the hidden agenda of mass surveillance and intelligence cooperation that led to the end of “safe harbour” in the first place, to be taken into consideration.)

I suppose the new agreement, when it is finalized, will end up in the European Parliament for final approval. Then, if not before, we should know. And it is encouraging that the Parliament has been very vigilant concerning EU-US data protection issues in the past.

/ HAX


Tools of oppression

Today is January the 27th, Holocaust Memorial Day. A day of remembrance. But also, a day to ask ourselves what we have learned from history.

One example is that records set up with the very best of intentions can be misused. From Wikipedia…

In the Netherlands, the Germans managed to exterminate a relatively large proportion of the Jews. The main reason they were found so easily was that before the war, the Dutch authorities had required citizens to register their religion so that church taxes could be distributed among the various religious organizations.

Unintended consequences, indeed. But this is exactly the kind of risk we must consider when handling personal data or rolling out mass surveillance. You never know why, how and by whom these tools will be used.

Can we trust that all future political leaders and bureaucrats will be decent people? Of course not. Can we be sure that we will live in a democracy 25, 50 or some 100 years from now? No, we can’t. Can we even take our national sovereignty for granted in the future? Sadly, no.

The only thing we can be certain of is that bad things will happen, sooner or later. So it is thoughtless to give the government tools that can be used to harm and oppress the people. And if we still do, we must make sure that we can disable them if there is a risk that they will be abused or fall into the wrong hands. Even when the change for the worse is gradual.

But that’s not what’s happening, is it? Evidently, today’s political leaders have learned nothing from history.

/ HAX
