Cyber war capabilities and mass surveillance

We definitely need cyber defence capabilities. Foreign powers, terrorists, and criminal networks have the capability to harm key functions in our societies.

We also need capacity for offensive cyber operations. No doubt, this will be a part of tomorrow’s conflicts and there is an ongoing cyber war arms race. Several western countries affiliated with the NSA are adapting to this. (E.g. Sweden has recently made changes to legalise offensive operations which, according to the Snowden documents, are already in place.)

First of all, the threshold for cyber attacks is lower than for conventional military conflicts. At the same time, most countries have made it clear that they will consider cyber attacks as an actual act of war. So there are reasons to tread carefully.

This is a grey area. It is difficult to be sure if a cyber attack originates from another nation or a criminal or terrorist organisation. In the same way, it is difficult to know whom you are engaging in defensive or offensive cyber operations. Things might easily escalate.

Second, there is no clear line separating conventional mass surveillance and cyber warfare. One can easily spill over into the other. The lines are muddled. The rule of law can easily be circumvented by labelling surveillance that would be illegal in “civil” law enforcement as secret “military” operations.

Third, cyber warfare capabilities are frequently outsourced to private contractors. This will make it even harder to uphold democratic oversight and accountability.

I would argue that one major problem with cyber warfare capabilities is that they might be used to conceal domestic intelligence operations outside the realm of the law.

This calls for vigilance.

/ HAX

Statewatch » Council documents: responses to offensive cyber operations; “cyber capacity building” in non-EU countries; implementation report on Cyber Defence Policy Framework »


EU to adopt EU-US Privacy Shield shortly

Privacy Shield—the much maligned replacement to the Safe Harbour deal between the European Union and the US—looks set to be approved by national representatives on Friday, Ars understands.

The scheme, which will allow the transfer of personal data from the EU to the US despite privacy and data protection concerns, has faced an uphill battle. Brussels officials who negotiated the deal on behalf of the EU have been desperate to push it through in the face of criticism from the European Data Protection Supervisor, national data protection authorities, and the European Parliament, in order to give some legal certainty to companies that rely on transatlantic data flows. (…)

The agreement is expected to be formally adopted by the European Commission next Monday, followed by the deal being inked by justice commissioner Vera Jourová and US secretary of commerce Penny Pritzker on Tuesday.

Jennifer Baker in Ars Technica: Privacy Shield to be dragged across finish line—sources »


Next up: EU e-Privacy Directive

The EU General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP) have now been approved — after being watered down as the result of an unprecedented lobbying campaign.

Next up is the EU e-Privacy Directive. EDRi explains…

The e-Privacy Directive contains specific rules on data protection in the area of telecommunication in public electronic networks. It is hugely important, as it is the only EU legislation that regulates confidentiality of communications. (…)

Specifically, the ePrivacy Directive regulates aspects related to the right to confidentiality of communications and the right to freedom of expression.

Once again, we can expect a massive lobby campaign to weaken citizens’ rights.

To get up to date with what is at stake, read this blog post from EDRi:

• e-Privacy Directive revision: An analysis from the civil society »

/ HAX


Europol’s web censorship under fire

Europol’s Internet Referral Unit (IRU) celebrated its first birthday at the weekend, but civil liberties organisations are worried that it goes too far in its efforts to keep the Web free from extremist propaganda. (…)

However, AccessNow, a global digital rights organisation, said Europe’s approach to dealing with online extremism is “haphazard, alarming, tone-deaf, and entirely counter-productive.”

According to AccessNow, “the IRU is outside the rule of law on several grounds. First, illegal content is just that—illegal. If law enforcement encounters illegal activity, be it online or off, it is expected to proceed in dealing with that in a legal, rights-respecting manner.”

Ars Technica: Europol’s online censorship unit is haphazard and unaccountable says NGO »


EU to end Bitcoin anonymity

Today, the European Commission has released details on the new EU Anti-Money Laundering Directive – aiming at combating terrorist financing. Among the details, we find some disturbing news on digital currencies such as Bitcoin:

Tackling terrorist financing risks linked to virtual currencies: to prevent misuse of virtual currencies for money laundering and terrorist financing purposes, the Commission proposes to bring virtual currency exchange platforms and custodian wallet providers under the scope of the Anti-Money Laundering Directive. These entities will have to apply customer due diligence controls when exchanging virtual for real currencies, ending the anonymity associated with such exchanges;

Gah!

Anonymity is not a crime!

But then, again, this is not really about terrorism. It’s about giving the government control over your money.

Then we have this blow to all those terrorists shopping around for missiles…

Tackling risks linked to anonymous pre-paid instruments (e.g. pre-paid cards): the Commission also proposes to minimise the use of anonymous payments through pre-paid cards, by lowering thresholds for identification from €250 to €150 and widening customer verification requirements. Proportionality has been taken into account, with particular regard paid to the use of these cards by financially vulnerable citizens;

Again, this will only make life more complicated for ordinary, law-abiding citizens.

And there will be cross-border control of all bank accounts:

Give Financial Intelligence Units swift access to information on the holders of bank- and payment accounts, through centralised registers or electronic data retrieval systems.

“Centralised registers.” Like in total control.

This might come in handy for our governments when the next Euro crisis calls for a citizen haircut – like when Cyprus confiscated parts of people’s bank savings.

Your money is no longer yours. You are no longer free.

/ HAX

European Commission:
• Commission strengthens transparency rules to tackle terrorism financing, tax avoidance and money laundering »
• Questions and Answers: Anti-money Laundering Directive »

Related reading: Bargeld ist Freiheit »


EU rushing new directive on combating terrorism

Joe McNamee, Executive Director of European Digital Rights (EDRi) on the new EU Directive on “combating terrorism”:

Speed is being prioritised over quality. The calculation appears to be that it is better for the EU to be seen to be doing “something” rather than taking its time to adopt legislation that is actually fit for purpose.

EDRi: Rush to “fight terrorism” threatens our fundamental rights and security »


Make UN member states stand by their word on the Internet and privacy

“1. Affirms that the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice, in accordance with articles 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights;”

These are words from the United Nations Human Rights Council, in a declaration of the 27th of June. (PDF») It continues…

“8. Calls upon all States to address security concerns on the Internet in accordance with their international human rights obligations to ensure protection of freedom of expression, freedom of association, privacy and other human rights online, including through national democratic, transparent institutions, based on the rule of law, in a way that ensures freedom and security on the Internet so that it can continue to be a vibrant force that generates economic, social and cultural development;”

“9. Condemns unequivocally all human rights violations and abuses, such as torture, extrajudicial killings, enforced disappearances and arbitrary detention, expulsion, intimidation and harassment, as well as gender based violence, committed against persons for exercising their human rights and fundamental freedoms on the Internet, and calls on all States to ensure accountability in this regard;”

“10. Condemns unequivocally measures to intentionally prevent or disrupt access to or dissemination of information online in violation of international human rights law and calls on all States to refrain from and cease such measures;”

Great! Or… what?

I cannot help noticing that Turkey is one of the signing countries… And Poland, despite the country’s ever more dubious approach to free speech.

The United Kingdom (with the GCHQ) and the United States (home of the NSA) have signed the declaration. So have countries like Sweden (FRA) and Germany (BND), which are part of the global surveillance network.

Do they really mean what they say? Probably not.

This is a great UN declaration. But the fight for a free and open internet, free speech, privacy and civil rights still needs to be fought by an army of activists. You simply cannot trust governments with this, just because they say so.

It’s like 5 July 2012. The day that gave the 5 July-foundation (which, among other things, runs this blog) its name. (Read more») This was the date for an ambitious UN resolution “on the Promotion, Protection, and Enjoyment of Human Rights on the Internet”.

Then, like now, we believe that words are not enough and that the Internet community must engage in the battle to defend the values stated in the resolution.

Today the 5 July-foundation runs several projects for security, privacy and liberty. (Read more»)

Actually, today is also the second anniversary of this blog – trying to identify threats to digital liberty. I hope you enjoy it.

And let’s use this UN resolution as valuable support when our governments go back to Big Brother Business as usual. We have their words on paper. And we demand that they stand by them!

/ HAX

• The Declaration (PDF) »
• UN rights council condemns internet blocking »
• UN rights council condemns the disruption of internet access »
• UN Human Rights Body Condemns Nations Blocking Internet Access »
• UN Human Rights Council Passes Resolution ‘Unequivocally’ Condemning Internet Shutdowns »
• Disrupting Internet Access Is A Human Rights Violation, UN Says »


Belgian court: Facebook can keep tracking non-users

A Belgian court has overturned a ruling that would have forced Facebook to stop tracking non-users who had visited its pages, The Wall Street Journal reported yesterday. A Brussels appeals court found that the Belgian Privacy Commission, which brought a case against Facebook last year, does not have jurisdiction over the company’s Ireland-based European headquarters. As The Guardian reports, it also rejected a claim that the case was urgent and needed to be expedited.

This reverses a decision made last year, when a court ordered Facebook to stop using cookies to keep tabs on the web browsing of people who were not logged into accounts or had otherwise opted out of tracking.

The Verge: Facebook wins Belgian privacy case over tracking logged-out users »

Ars Technica: Facebook wins privacy case, can track any Belgian it wants »


Data Protection: Is the EU just incompetent or… evil?

According to usually well-informed sources, the Council of the European Union (the member states’ representatives) is ready to greenlight the so-called EU-US Privacy Shield.

The Privacy Shield is supposed to replace the previous Safe Harbour agreement on protection of personal data being transferred from the EU to the US. The latter was used in a sloppy way by US companies and it did not offer sufficient protection against US mass surveillance. The European Parliament has frequently called for the Safe Harbour agreement to be revoked – and finally the European Court of Justice (ECJ) invalidated it on grounds that it did not respect European citizens’ right to privacy.

Since then, the EU and US have been working hard to secure a new agreement – the Privacy Shield.

The problem is that the Privacy Shield, roughly speaking, has the same problems as the Safe Harbour agreement. So much so that the ECJ has found that it ought to look into the matter once again. (The Max Schrems case, part 2.)

So, why is the EU so eager to give the Privacy Shield its approval? First of all, both the EU and the US are under pressure from Big Data to get this stumbling block out of the way. Second, some US government agencies are getting quite frustrated. Third, the EU screwed up in the negotiations, but hopes that no one will notice (!) if they hurry to adopt the agreement.

In other words, protection of European citizens’ data and privacy has not been an EU priority. The Council (and the Commission) seem to be more interested in good relations with the NSA and Big Data.

Is the EU just incompetent or… evil?

/ HAX

Links:
• Previous blog post on the EU US Privacy Shield, with many useful links »
• The latest leaked EU documents (PDF) »
• Reuters: EU, United States agree on changes to strengthen data transfer pact »
• German IT Law: Data flows to the US: Why the EU Model Clauses may soon be no longer state of the art »
• The Irish Times: Data protection groups seek to join key High Court case »
• NSA Mass Surveillance: US Government wants to intervene in European Facebook-Case (PDF) »

Thanks to Amelia Andersdotter and Dataskydd.net for digging up relevant links and documents.
