On Monday this week Christopher Soghoian will hold a virtual conversation with Edward Snowden during SXSW 2014. Not everybody is pleased. Congressman Michael Richard Pompeo (Kansas) has written to the organizers requesting that the invitation to Snowden be withdrawn.
People of the world, I urge you to read Pompeo’s letter in full (click the image on the right), to witness authoritarian doublespeak claptrap at its best.
People of Kansas — just get rid of him.
Pompeo writes, “In case you did not have access to the full facts in making your initial decision to extend your invitation, I want to call a few undisputed facts about the actions taken by Mr Snowden to your attention…”
OK, let’s have a look at Pompeo’s ‘undisputed facts’.
Only a tiny sliver of the materials stolen by Mr Snowden had anything to do with United States telecommunications or the privacy rights of Americans.
That ‘tiny sliver’ shows that the NSA interprets the law to allow it to spy on all Americans at all times. A recent example of the extent of NSA legal contortions will suffice to demonstrate. The spy agency discussed the feasibility of classifying Wikileaks as a “malicious foreign actor” for surveillance purposes. “If the foreign IP is consistently associated with malicious cyber activity against the U.S., so, tied to a foreign individual or organization known to direct malicious activity our way, then there is no need to defeat any to, from, or about U.S. Persons. This is based on the description that one end of the communication would always be this suspect foreign IP, and so therefore any U.S. Person communicant would be incidental to the foreign intelligence task.”
This argument could be applied to any ‘dubious’ website that ever questions US foreign and domestic policy. The Pirate Bay was discussed. Others could easily be included. RT? Al Jazeera? If the argument were applied, then any American visitor to any such circumscribed website would become a legitimate target of surveillance; and the NSA document makes it clear that is the primary purpose – a method of circumventing US law. Americans should remember, this surveillance would not simply be metadata, but actual content.
So, Pompeo’s ‘tiny sliver’ clearly demonstrates that all Americans are to be considered targets at all times. But just in semantic terms, how can it be an ‘undisputed fact’ when the vast majority of the documents have not yet been disclosed?
I would here appeal to the American people. Just consider the utter contempt that the NSA shows towards all foreigners. I am a foreigner, a journalist and a blogger – and I am a legitimate target for the NSA. This cannot be right. You have a strong sense of ‘freedom’. Much of that stems from the Declaration of Independence, which most famously states:
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.
It says ‘all men’, not just ‘all Americans’. Should that not include me? Am I to be excluded from your view of freedom? (Lest you believe me a hypocrite, let me just say that I believe that the UK and GCHQ are far worse – you at least are discussing this; open discussion here has effectively been squashed by the UK government.)
Mr. Snowden cares more about personal fame than personal privacy
I would question that. He handed the documents to a journalist and has played no part in their publication. He does not seek out publicity or interviews, but grants them when requested and if possible.
Mr. Snowden gives real whistleblowers a bad name
Excuse me? If he had attempted the official routes he would rapidly have been silenced. I don’t know about the US, but I strongly believe it to be similar to the UK, where potential whistleblowers tend to get suicided (Dr David Kelly and Gareth Williams are two relatively recent examples). Official whistleblowing routes are simply not an option at this level. If he were in the UK, his best bet for survival would be to feign madness – consider David Icke (who espouses the Lizard conspiracy) and David Shayler (who told the world he was the Messiah).
When I served in the Army along the Iron Curtain we had a word for a person who absconds with information and provides it to another nation: traitor. We also had a name for a person who chooses to reveal secrets he had personally promised to protect: common criminal. Mr. Snowden is both a traitor and a common criminal.
This is the biggest lie of all put forward by NSA apologists from Obama downwards. Snowden is charged under the Espionage Act, which makes him a traitor. But the Espionage Act is a law subservient, as all laws are, to the US Constitution. There are some who say that NSA actions are constitutional; but there is a growing legal, ethical and moral view that they at least contravene the Fourth Amendment.
I suspect that all Americans consider themselves bound by the US Oath of Allegiance. I know that all who work in or for government – and that includes Obama, Pompeo and Edward Snowden – are so bound. That oath includes, “I will support and defend the Constitution and laws of the United States of America against all enemies, foreign and domestic.”
The Constitution is primary, and if Snowden believed (as many academics and legal minds also believe) that the NSA was acting in defiance of the Constitution, then he was duty bound to try to defend the Constitution. By that same token, those who support the NSA in breach of the Constitution are themselves in breach of their Oath of Allegiance – and that makes them, not Snowden, the traitors.
It is perfectly reasonable to question Snowden’s actions, and to have any view you like on them. But to twist reality to blacken his name and dampen open discussion is, frankly, pretty despicable.
They claim to be super-patriots, but they would destroy every liberty guaranteed by the Constitution. They demand free enterprise, but are the spokesmen for monopoly and vested interest. Their final objective toward which all their deceit is directed is to capture political power so that, using the power of the state and the power of the market simultaneously, they may keep the common man in eternal subjection.
Vice President Henry Wallace, speaking of American Fascists
Damn. I hadn’t realised that Republicans and Democrats and Tories and Labour were all just synonyms for American Fascists.
The days when the West could speak with any moral authority have long gone. Nobody listens any more.
“Vladimir Putin had a telephone conversation with President of the United States Barack Obama on the American side’s initiative,” announced Putin’s office this morning.
The Russian President spoke of a real threat to the lives and health of Russian citizens and the many compatriots who are currently on Ukrainian territory. Vladimir Putin stressed that in case of any further spread of violence to Eastern Ukraine and Crimea, Russia retains the right to protect its interests and the Russian-speaking population of those areas.
That’s as close as you can get to ‘mind your own business’ in diplomatic language.
This coming week the European Justice and Home Affairs Council (ie, national ministers from the individual national governments) will meet in Brussels. There are several items on the agenda.
Top of the list in a memo released by Viviane Reding is reform of the data protection laws. She says,
I am confident we will be able to build on the momentum injected into the negotiations by the Greek Presidency at the last informal Council meeting in January. Seeing the latest progress, I will continue working with Ministers for an adoption of the data protection reform before the end of this year.
Bottom of the list in a ministerial statement from Theresa May is reform of the data protection laws. She says,
There will be a state of play/orientation debate on the Proposal for a General Data Protection Regulation. The UK continues to believe that this proposal is far from ready for a general agreement, and that no such agreement can occur until the text as a whole has been approved. The proposal remains burdensome on both public and private sector organisations and the Government would not want to see inflexible rules on transfers outside the European Economic Area which do not reflect the realities of the modern, interconnected world.
And yes, they really are talking about the same thing. Most of Europe has already agreed the data protection reform proposals; but the UK doesn’t like it and won’t play.
The problem is, providing more protection for our personal information is difficult for the UK. It would upset the three most powerful organizations in the country: GCHQ, Google and Facebook. GCHQ would have its ability to collect our private messages, photos, home videos and internet browsing habits severely curtailed — and of course nobody would want to see that.
Google and Facebook would no longer be able to ship our personal information to servers outside of the UK; that is, the US, from where the NSA/FBI could demand access while declining to allow us to be told (assuming they need to since GCHQ will probably have already intercepted the data via its taps on the fibre cables that run between the two continents and simply handed it en masse to the NSA for storage and safe keeping).
Since these negative arguments would not prove popular with the British public, they are being hidden behind spurious and frankly false claims that data protection will cost business. Yes, there will be some cost in protecting our data (not nearly as much as the government would like us to believe); but that will be more than compensated by the lower cost of no longer having to do business with dozens of different data protection regimes. The net effect of reforming data protection will be greater data protection at a lower overall cost.
But Theresa May doesn’t want us to understand that. She and David Cameron would like us to believe that they are protecting us when they are really just protecting vested interests and actually selling us down the river. They are willing to trade our privacy to keep GCHQ and big American business happy.
When I wrote the piece, Is the AV industry in bed with the NSA, I concluded that on balance it probably is. I have no evidence. It’s just that I cannot believe that an organization complicit in developing and deploying its own malware, and able to ‘socially engineer’ RSA into doing its bidding, would leave AV untouched.
Obviously I spoke to people in the industry. In private conversation with one contact, while accepting his own protestations of innocence, I asked, “What about McAfee and Symantec?” He paused; but then said, “If I had to question anyone, those are the two names that would come to mind.”
I should say, again, that I have no evidence. It’s just doubts born out of the repetition of hyped-up statistics, frequently used by government to justify its actions, and what appears to be preferential treatment from government.
A couple of months later, the Dutch digital liberty group Bits of Freedom wrote to the leading AV companies for a formal position. One of the questions it asked was, “Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software?”
My understanding is that some, but not all, AV companies replied, in writing, that they do not collaborate with governments.
F-Secure’s Mikko Hyppönen spoke yesterday at the TrustyCon conference. I wasn’t there, so this is from The Register’s report:
A surprising number of governments are now deploying their own custom malware – and the end result could be chaos for the rest of us, F-Secure’s malware chief Mikko Hyppönen told the TrustyCon conference in San Francisco on Thursday…
While ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro replied to Bits of Information, Symantec and McAfee (among others) have not responded, Hyppönen claimed.
Same names. Coincidence? I wonder.
The American tech giants – Facebook in this instance – still don’t get it over the NSA spying programmes
The following is a transcription of a brief interview given by Mark Zuckerberg. The original can be found on TechCrunch here.
I’ve tidied it up a bit – removed the ‘ums’ and ‘rights’ and ‘you knows’ – just to make it more legible. I struggled over that because they clearly demonstrate where Zuckerberg is comfortable and where he is not comfortable with what he says; but I went ahead because what he says rather than his level of comfort is important to me. Anyway, here’s what is left:
We take our role really seriously. I think it’s my job and our job to protect everyone who uses Facebook and all the information that they share with us. It’s our government’s job to protect all of us and also to protect our freedoms and protect the economy, and companies; and I think they did a bad job of balancing those things. So frankly I think that the government blew it. I think that they blew it on communicating what they [were doing]; basically the balance of what they were going for.
The morning after the start of [the scandal] breaking, people asked [the government] what they thought; and the government’s comment was, “Oh don’t worry, basically we’re not spying on any Americans.”
Right. Wonderful. That’s really helpful to companies who are trying to serve people around the world, and [it's] really gonna inspire confidence in American internet companies. Thanks for going out there and being really clear about what you’re doing. I think that was really bad.
We’ve been pushing just to get more transparency on this, and I actually think we’ve made a big difference. The big question that you get from all the coverage is, what’s the volume of the total number of requests going on? Is it closer to a thousand requests that the government is making of us, or is it closer to 100 million? I mean, from the coverage and from what the government has said you would not know the difference. But we worked really hard with the government, behind the scenes, to get to the point where we could release the aggregate number of requests. It was around 9000 in the last half year.
Does that number tell us everything we want? No. And that’s why when the conversations get to the point where we weren’t going to make further progress, we decided to sue them so that we could reveal, is it 1000 or 2000 or 3000 or 4000 or 8000 of the 9000 requests. But the reality is, because of the transparency that we pushed for, now people can know and deserve to know that the number of requests that the government is making is closer to 1000 (it’s 9000 or less in the last six months), and definitely not, you know, 10 million or 100 million…
Really, Mark? Do you think that knowing the NSA made just over 1000 requests for your customers’ details rather than 9000 makes it all right – and that they can carry on, without judicial oversight, as they are? It’s the fact, not the volume, of NSA spying that is wrong, just plain wrong. Until the American tech giants stop hiding behind their really quite meaningless ‘transparency’ demands and empty successes over the NSA, then anger – and especially non-American anger – will remain at a high level.
Oh; and did I mention the word ‘hypocrite’? Facebook suggesting that the NSA isn’t taking sufficient care over users’ privacy? Really?
There was never any doubt that the detention of David Miranda at Heathrow under section 7 of the Terrorism Act was in fact legal. Now the arbiters of The Law have confirmed it in a judgment delivered earlier this week.
There is some good news, some bad news and a lot of not-unexpected news in this judgment. The not-unexpected news is that the Terrorism Act allows GCHQ to do just about whatever it pleases. The manufactured War against Terror has had the effect of turning the UK into a police state under the control of the security services and enforced by Her Majesty’s Constabulary. Anything can be defined, with a little imagination, as a potential act of terrorism; and therefore under the jurisdiction of the over-broad power of the Terrorism Act.
The good news is that the police did not immediately nor automatically accept GCHQ’s request for a port stop (ie, detention) on David Miranda as he passed through Heathrow. It was not until the police received a detailed request precisely applied to the Terrorism Act that they were effectively forced to respond. From the ruling:
“We assess that MIRANDA is knowingly carrying material, the release of which would endanger people’s lives. Additionally the disclosure, or threat of disclosure, is designed to influence a government, and is made for the purpose of promoting a political or ideological cause. This therefore falls within the definition of terrorism and as such we request that the subject is examined under Schedule 7.”
from the David Miranda judgment
Compare this to my assessment at the time:
So, three tests for terrorism. Applying these to David Miranda, and assuming that his laptop contained Snowden documents (which would be reasonable suspicion),
- the stated purpose of the leaks is to influence government
- the stated purpose could be described as both ‘political’ and ‘ideological’
- the effect, according to government, could result in increased terrorist attacks against the UK (that is, “a serious risk to the health or safety of the public”) and is also designed “to interfere with or seriously to disrupt an electronic system” (that is, GCHQ’s Tempora surveillance system).
I think it is quite clear that under the Terrorism Act, David Miranda is a terrorist.
Was David Miranda’s detention a legal and reasonable application of the Terrorism Act?
The bad news is that this is absurd. David Miranda is clearly not a terrorist. That means that what he was doing was an act of terrorism. That means that helping a journalist (in this case Glenn Greenwald) do his job, which most people would define as being in the public interest, can in itself be an act of terror — and that, frankly, is scary.
The Arbiters of The Law effectively confirm that the invocation of the Terrorism Act removes all other freedoms and rights:
In my judgment the Schedule 7 stop was a proportionate measure in the circumstances. Its objective was not only legitimate, but very pressing. The demands of journalistic free expression were qualified in the ways I have explained. In a press freedom case, the fourth requirement in the catalogue of proportionality involves as I have said the striking of a balance between two aspects of the public interest: press freedom itself on one hand, and on the other whatever is sought to justify the interference: here national security. On the facts of this case, the balance is plainly in favour of the latter.
This is a sad day for natural justice. But we cannot blame the judges. Their function is to interpret the law. Nor can we blame the police. Their function is to enforce the law. The blame rests solely on our weak politicians, under the sway of over-powerful intelligence services, who make the laws. It is the intelligence services, through threats and blackmail, who get their wishes translated into law. It is weak politicians who have sold out the people.
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.
Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.
To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.
But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention of safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.
Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.
FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?
Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion because the FTC has just taken enforcement action against 12 US companies for that very infringement.
Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations
So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self-certification.
This is not the behaviour of a country that is taking Europe seriously.
Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.
Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)
Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.
Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)
Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.
So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.
I had to speak to my GP today. It was a telephone consultation with what is, generally speaking, a pretty good surgery.
When we finished, I said, “While I’ve got you, I’d like to state my objection to inclusion in care.data.”
“In what?” he replied. “Care…?”
I explained. “I want to stress that I must not personally be identifiable with any health data that leaves your premises, nor any data that leaves HSCIC.”
“Oh,” he said. “You’ll have to write to the practice manager about that.” (Well, I have already done that; but the advantage of repeating it here is that I now have a recording of the event. Letters can be lost or denied; a recording in my possession cannot. It’s good, this VoIP thing.)
“No,” I said. “According to the official NHS documentation, all I have to do is tell you.”
“Oh, all right. I’ll pass it on to the practice manager. She’s probably got a form for you to fill in.”
“While we’re at it,” I added, “I’d like a comment added to my notes, please. I object to any of my personal records leaving your care at all. It is my opinion that if that happens, it will be in contravention of the European Union’s Data Protection Directive.”
I’m not a lawyer, obviously — but then neither is he.
But actually I do believe it would contravene the data protection principles for two basic reasons. Despite all the publicity about an explanatory leaflet from the NHS, I have never received one. That means that I have not been informed that my personal data is going to be passed to a third-party, nor have I had the process explained to me; and that while I should have to opt in to this process, I haven’t even been given the opportunity to opt out.
It all just goes to show that the whole thing is a deceitful farce.