This coming week the European Justice and Home Affairs Council (ie, national ministers from the individual national governments) will meet in Brussels. There are several items on the agenda.
Top of the list in a memo released by Viviane Redding is reform of the data protection laws. She says,
I am confident we will be able to build on the momentum injected into the negotiations by the Greek Presidency at the last informal Council meeting in January. Seeing the latest progress, I will continue working with Ministers for an adoption of the data protection reform before the end of this year.
Bottom of the list in a ministerial statement from Theresa May is reform of the data protection laws. She says,
There will be a state of play/orientation debate on the Proposal for a General Data Protection Regulation. The UK continues to believe that this proposal is far from ready for a general agreement, and that no such agreement can occur until the text as a whole has been approved. The proposal remains burdensome on both public and private sector organisations and the Government would not want to see inflexible rules on transfers outside the European Economic Area which do not reflect the realities of the modern, interconnected world.
And yes, they really are talking about the same thing. Most of Europe has already agreed the data protection reform proposals; but the UK doesn’t like it and won’t play.
The problem is, providing more protection for our personal information is difficult for the UK. It would upset the three most powerful organizations in the country: GCHQ, Google and Facebook. GCHQ would have its ability to collect our private messages, photos, home videos and internet browsing habits severely curtailed — and of course nobody would want to see that.
Google and Facebook would no longer be able to ship our personal information to servers outside of the UK; that is, the US, from where the NSA/FBI could demand access while declining to allow us to be told (assuming they need to since GCHQ will probably have already intercepted the data via its taps on the fibre cables that run between the two continents and simply handed it en masse to the NSA for storage and safe keeping).
Since these negative arguments would not prove popular to the British public, they are being hidden in spurious and frankly false claims that data protection will cost business. Yes there will be some cost in protecting our data (not nearly as much as the government would like us to believe); but that will be more than compensated by the lower cost of doing business with dozens of different data protection regimes. The net effect of reforming data protection will be greater data protection at a lower overall cost.
But Theresa May doesn’t want us to understand that. She and David Cameron would like us to believe that they are protecting us when they are really just protecting vested interests and actually selling us down the river. They are willing to trade our privacy to keep GCHQ and big American business happy.
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.
Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.
To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.
But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention to safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.
Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.
FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?
Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion, because the FTC has just taken enforcement action against 12 US companies for that very infringement.
Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations
So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self-certification.
This is not the behaviour of a country that is taking Europe seriously.
Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.
Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)
Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.
Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)
Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.
So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.
I had to speak to my GP today. It was a telephone consultation with what is, generally speaking, a pretty good surgery.
When we finished, I said, “While I’ve got you, I’d like to state my objection to inclusion in care.data.”
“In what?” he replied. “Care…?”
I explained. “I want to stress that I must not personally be identifiable with any health data that leaves your premises, nor any data that leaves HSCIC.”
“Oh,” he said. “You’ll have to write to the practice manager about that.” (Well, I have already done that; but the advantage of repeating it here is that I now have a recording of the event. Letters can be lost or denied; a recording in my possession cannot. It’s good, this VoIP thing.)
“No,” I said. “According to the official NHS documentation, all I have to do is tell you.”
“Oh, all right. I’ll pass it on to the practice manager. She’s probably got a form for you to fill in.”
“While we’re at it,” I added, “I’d like a comment added to my notes, please. I object to any of my personal records leaving your care at all. It is my opinion that if that happens, it will be in contravention of the European Union’s Data Protection Directive.”
I’m not a lawyer, obviously — but then neither is he.
But actually I do believe it would contravene the data protection principles for two basic reasons. Despite all the publicity about an explanatory leaflet from the NHS, I have never received one. That means that I have not been informed that my personal data is going to be passed to a third-party, nor have I had the process explained to me; and that while I should have to opt in to this process, I haven’t even been given the opportunity to opt out.
It all just goes to show that the whole thing is a deceitful farce.
The brilliant Hawktalk blog has demonstrated how the UK government has airbrushed the Data Protection Act out of ‘national security’ issues. This leaves GCHQ free to conduct mass surveillance of British citizens (and who cares about foreigners anyway?) without any effective legal oversight — merely a nod and a wink from the government of the day.
The conclusion comes from an analysis of a data protection exemption certificate obtained under freedom of information laws and dating back to 2005 — now probably out of date but equally probably indicative of what is happening today (borne out by similarities between an old TfL exemption certificate and a recent one issued by Theresa May).
There are eight data protection principles underpinning the Data Protection Act. Summarized by the Information Commissioner’s Office (the UK’s data protection regulator), these are that personal data should be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
In the certificate analysed by Hawktalk, principles 1, 2, and 8 are exempted. Furthermore, principles 3 and 5 are effectively nullified by the exemption to principle 8 — the data can simply be transferred to NSA databases outside of the ICO’s jurisdiction.
Hawktalk’s argument is that these principles are automatically suspended for any statutory body pursuing its statutory purposes. The implication of a certificate specifically issued to completely exempt that body (GCHQ) from any of the principles is that it (GCHQ) wishes to pursue the processing of personal data beyond its (GCHQ’s) statutory purpose — it simply does not need an additional exemption if it sticks to what it was designed to do (ie, national security). In other words, GCHQ wishes to collect and process personal data to an extent that is both beyond its legal remit and the strictures of national law.
GCHQ has become, quite literally, a law unto itself.
On Thursday, on Prism and Verizon, I warned, “We’ll just have to look very closely at the weasel words that will come from both sides of the Atlantic…” But I didn’t expect them to start so soon.
The EC’s Justice Commissioner Viviane Reding met the US Attorney General Eric Holder in Dublin on Thursday and Friday. Reding had some questions ‘on the collection of data from Verizon and about the PRISM programme’:
How do these affect EU citizens’ rights? Are they aimed at EU citizens? What is the volume of the data collected? Do the programmes involve bulk collection of data or is the collection targeted? Do the programmes operate under proper oversight of the judiciary? Is the collection of EU citizens’ data authorised by a court?
And these were the answers:
First, on the Verizon question, the information I received today is that it is a U.S. project, directed mainly towards U.S. citizens. It is about metadata, not about content. It is about bulk, not about individuals. And it is based on court orders and congressional oversight.
So, she says, that’s all right then: “I consider that this is mainly an American question…” Let’s not forget that the EU’s own data protection office, the European Data Protection Supervisor Peter Hustinx has said that telephone metadata is personal information that should, presumably, be protected by European laws. Nor let us forget that this program does include Europeans when they are talking to an American – and since it is bulk, every time they are talking to an American.
Considering PRISM, she says:
It is about foreign intelligence threats.
PRISM is targeted at non-U.S. citizens under investigation on suspicion of terrorism and cybercrimes. So it is not about bulk data mining, but specific individuals or targeted groups. It is on the basis of a court order, of an American court, and of congressional oversight.
She doesn’t quite say ‘that’s alright then,’ but she is clearly reassured.
Should EU citizens – and anyone, anywhere – be reassured? Absolutely not. The words are ambiguous. I cannot see that specific mining from bulk data is any less worrying overall than ‘bulk data mining’.
But the real joke is that it is based, in both cases, on court orders and congressional oversight. That court is a secret court using a secret interpretation of a draconian law. It is almost certainly unconstitutional, but it cannot be challenged because no-one knows what it is. But it would seem that provided it can be described as a ‘court’, that’s alright as far as Viviane Reding is concerned.
Once again, the people of the USA and Europe will need to take action themselves. This dragnet surveillance by the NSA under the aegis of a secret court is most decidedly not OK – and it is people power that will have to force our respective governments to do the right thing. First, of course, we need to see past the weasel words of weasel governments.
If fully applied, the ruling could effectively shut down deployments of Google Apps by European governments, schools and enterprises, at least until Google makes the changes the EU regulators are seeking.
This raises a number of other questions – for example, is the European Commission’s love affair with the cloud heading for an impasse with its own regulators? Back in September the EC issued a ‘communication’, Unleashing the Potential of Cloud Computing in Europe. It concluded with a call
upon Member States to embrace the potential of cloud computing. Member States should develop public sector cloud use based on common approaches that raise performance and trust, while driving down costs. Active participation in the European Cloud Partnership and deployment of its results will be crucial.
Last week, ENISA published an excellent overview of the Privacy considerations of online behavioural tracking, which I thoroughly recommend. It tries to draw a distinction between behavioural tracking and behavioural advertising; but the reality is that this is probably a technical rather than practical separation. This is likely to become the crux of Europe’s problem: it wants to maximise the cloud, accepts that it must allow commercialisation, but politically needs to ensure privacy – and the two things might simply be incompatible. As Peter Hustinx, the European Data Protection Supervisor said in his Opinion on Friday,
the use of cloud computing services cannot justify a lowering of data protection standards as compared to those applicable to conventional data processing operations.
In other words, as of right now, the EC’s desire to unleash the potential of cloud computing is incompatible with the need to maintain existing data protection standards. But we needn’t worry too much: it will all, as King John might have said, come out in the wash. Big business will give a little, the regulators will give a little, and the EC will twist and squirm a lot – and we’ll all be able to use the cloud happily.
The question is, will it be with Google? That’s the second issue coming from the Article 29 working party: has Europe got it in for Google? In October, Ars Technica commented:
The French seem to have an appetite for regulating the Internet, and for going after Google in particular. A new proposed law would force Google to make payments when French media show up in news searches; but Google has responded, in a letter to French ministers, that it “cannot accept” such a solution and would simply remove French media sites from its searches.
Two weeks later, Le Canard Enchaîné reported that France had made a €1 billion tax claim against Google and was using this as a bargaining chip in the newspaper content dispute. France, of course, with its current socialist government, likes to tax everything that moves – but as one of the key movers and shakers within the EU, you have to wonder if it is merely spearheading a wider European antipathy; and if so, where does this come from?
Well, again back in October, Henrik Alexandersson [a ‘Swedish libertarian, working for the Pirate Party in the European Parliament’] attended a luncheon seminar organized by ICOMP, the Initiative for a Competitive Online Marketplace (funded, it would seem, by Microsoft).
However, already when we received the seminar documents at the entrance – we realized that this really was something else: A Microsoft-funded Google Bashing lunch.
Google Bashing is a very popular sport in the EU, these days.
Alexandersson was so annoyed by the initial talk by “one of Microsoft’s lawyers, Pamela Jones Harbour… speaking about everything that Google does wrong,” that he and his party got up and left. But privacy, he says,
is not what Google Bashing in Brussels is about. Here it is rather a question of a number of Google’s competitors trying to whip up political criticism, for business reasons. They simply don’t like that Google more or less own the search market.
So here’s a thought. Is that anti-Google sentiment in Europe ‘politics exploited by business’, or ‘business exploited by politics’? It’s a moot point. Either way, Google should be in no doubt that it has powerful adversaries in Europe.
My news stories on Infosecurity Magazine from Tuesday 10 April until Friday 13 April, and Monday 16 April until Wednesday 18 April
NHS needs a security czar to prevent continuous data walkabout
While the South London Healthcare NHS Trust signs a Data Protection Undertaking, the security industry wonders why we have learnt nothing in the last two years – and calls for a new NHS data protection czar.
18 April 2012
PwC 2012 Information Security Breaches Survey: Preliminary findings report continued mobile insecurity
New statistics show that while many companies appear to understand the business threat from BYOD, many others are taking no precautions whatsoever.
18 April 2012
(ISC)² launches its new EMEA advisory board
In a move designed to offer genuine hands-on security experience to EMEA’s different security initiatives, professional body (ISC)² has launched a new Advisory Board for Europe, the Middle East and Africa (EAB).
18 April 2012
Google co-founder worries about the future of the internet
In an interview with the Guardian, the co-founder of Google lists the threats facing the future vitality of the internet.
17 April 2012
Shadowserver uncovers campaign against Vietnam in Hardcore Charlie’s file dump
An analysis of the hacked files dumped by hacker Hardcore Charlie fails to prove Chinese culpability, but finds evidence of ‘yet another cyber espionage campaign against Vietnam.’
17 April 2012
Iranian software manager hacks and dumps card details of 3m Iranians
Khosrow Zarefarid found a flaw in the Iranian POS system and reported it, but was ignored – so he used it and hacked 3 million Iranian debit card details.
17 April 2012
Dutch Pirate Party forced to take its Pirate Bay proxy off-line
In a move that will be monitored by the UK’s music industry association (BPI), its Dutch equivalent BREIN (translates as ‘Brain’) has obtained a court injunction forcing the political party, the Pirate Party, to take down the proxy site that was allowing users to continue using the blocked Pirate Bay (TPB).
16 April 2012
Is ACTA dead in the water, or is it resurfacing via the G8?
David Martin, European Parliament’s rapporteur on the ACTA treaty, is expected to recommend that parliament should reject ACTA. Does this mean the end for the Anti-Counterfeiting Trade Agreement?
16 April 2012
Commotion Wireless: an open source censorship buster
The great contradiction in modern techno-politics is the need for democracies to promulgate free speech in other countries while controlling it in their own.
16 April 2012
Boston police release unredacted Facebook data of ‘Craigslist killer’
The complete Facebook account of Philip Markoff, in hard copy and including friend IDs, was given by the Boston Police to the Boston Phoenix newspaper.
13 April 2012
EC asks how we would want the internet of things to be controlled
The European Commission (EC) has issued an online ‘consultation’ document: How would you envisage ‘governance’ of the ‘Internet of Things’?
13 April 2012
City trader fined £450,000 by the FSA
“For the reasons given in this Notice…”, says an FSA Decision Notice, “…the FSA has decided to impose on Mr Ian Charles Hannam a financial penalty of £450,000.”
13 April 2012
MPAA’s attempted takedown of Hotfile gets more and more difficult
Don’t throw the baby out with the bathwater says Google; and there’s more baby than bathwater suggests Prof. James Boyle.
12 April 2012
UK private members bill designed to censor pornography on the internet
Baroness Howe of Ildicote has introduced the Online Safety Act 2012, designed to force ISPs to install and operate pornography filters.
12 April 2012
Financial services the target in massive DDoS increase
A new analysis from Prolexic shows a huge increase in DDoS attacks, largely sourced in Asia and primarily attacking financial institutions.
12 April 2012
Smartphones are still firmly ‘enterprise-unready’
Research by Altimeter Group, Bloor Research and Trend Micro shows that the ‘consumer marketing’ legacy of many smartphones makes them ill-equipped to meet enterprise security demands.
11 April 2012
EU trade committee’s draft opinion on ACTA: Don’t ratify
The European Parliament’s Industry, Research and Energy Committee has published its draft opinion on ACTA for the Committee on International Trade. Don’t ratify, it tells parliament.
11 April 2012
DHS gets California company to hack game consoles
In a project that started from law enforcement agencies’ request to the US Department of Homeland Security (DHS), which was then farmed out to the US Navy, Obscure Technologies of California has been awarded a contract to find ways of hacking game consoles.
11 April 2012
Real-time data mining comes to Twitter
Twitter is usually described as a micro-blogging social network. To many who monitor its ‘trending topics’ it is also an early warning news service, frequently pointing users to breaking news before the traditional news media reports it.
10 April 2012
Iran bids farewell to the internet; welcomes its own halal intranet
Iran’s answer to ‘criminality’ on the internet is not to fight criminality, but to block the internet. In the future, Iranians will have access to only the official national intranet and a whitelist of acceptable foreign sites.
10 April 2012
What an Englishman does in bed
Companies that monitor the end point behavior of their remote workers will have to start monitoring their (internet) behavior in bed. That at least is the inference to be drawn from a new street survey conducted by Infosecurity Europe.
10 April 2012
Vietnam is reportedly due to issue a new decree in June entitled “Decree on the Management, Provision, Use of Internet Services and Information Content Online”. It will among other things,
Force foreign companies that provide online services such as social networking, blogging, discussion forums and chat to cooperate with the Vietnamese government and provide it with the information it needs to crack down on activities banned by the decree.
(Reporters Without Borders)
It’s what we have come to expect from authoritarian undemocratic communist regimes. Thank god we have the Free West to protect our freedom, free speech and privacy. All that’s happening in the US is the Internet Rogering Act (otherwise known as Representative Michael Rogers’ Cyber Intelligence Sharing and Protection Act – CISPA). And of course all CISPA does is allow companies like Facebook and Microsoft and Google and ISPs to share our personal data freely, without just cause or due process or legal redress, among themselves and with the government, because they feel like it.
Well at least we’ve got the UK, with its mother of parliaments, habeas corpus, proud history of tolerance, freedom, justice and other detriments to effective government. All the UK government (you remember, that one that condemned Labour’s authoritarian attitudes when it was in opposition) is doing is the preparation of an unnamed bill to be presented at the earliest opportunity and designed to force all ISPs to provide total traffic information on demand, in real-time, without just cause or due process or legal redress, on all UK citizens to the government’s spy agency (GCHQ). That’s everyone you speak to and every website you visit.
So they’ll know if you speak to a criminal (or terrorist) even if you don’t know it’s a criminal (or terrorist), and you will forever be associated with that criminal (or terrorist) even though you don’t know it. And they will know which websites you visit, whether it’s politically subversive (ie, not in line with government thinking), or pornography (eg, Sun Page 3), or whatever. They’ll know you’re going there probably before you even get there.
But don’t worry. All of us real criminals and terrorists will easily get round both the US and UK laws with encryption and foreign proxies and the onion web – so it’s only the innocent citizens that will actually be affected. Thank god we don’t live in Vietnam or China or Iran.
Last week’s news stories (Feb 6 to Feb 10):
UK attitudes to online safety and personal safety are different
The UK public are likely to trade privacy for security on the streets, but not on the wire.
UK security skills are ‘wholly inadequate’
Baroness Neville-Jones claims UK security skills are ‘wholly inadequate’.
Google Wallet vulnerable to brute forcing the PIN
Joshua Rubin discloses a Google Wallet PIN vulnerability.
Cybercrime – another business in the Malspace
Trusteer gives information on cybercrime ‘Factory Outlets’.
Intrusion upon seclusion protected by Canadian court
The Ontario Appeal Court decides that there is an action for tort on privacy breaches.
Service providers lack confidence in LEAs
Arbor Network’s review shows rise in hacktivist DDoS, and ISPs still distrust LEAs.
Copyrighting pornography; are unsecured WiFi owners to blame?
Two US court cases: can you copyright porn; and are WiFi owners automatically responsible for all downloads.
2011 review: CNI targeted, spam down, botnets up
M86’s review gives a good account of the rise and rise of the Blackhole exploit kit.
Disaster Recovery is health industry’s biggest headache
New survey from BridgeHead Software shows that disaster recovery is the health industry’s main concern for 2012.
Adobe Flash sandbox comes to Firefox on Windows
Adobe has announced that it is bringing its Flash sandbox to the Firefox browser.
EU hints on planned Strategy for Internet Security – HP comments
Neelie Kroes has given three hints on what the EU’s future Strategy for Internet Security might contain; and HP’s Dr Prescott Winter gives his thoughts.
Teampoison hacktivists deface Daily Mail recipe page
The Daily Mail, the UK’s love-to-hate right wing ragpaper, was hacked by Teampoison in a pure example of hacktivist defacement.
EU Regulation decouples privacy from data protection
Amberhawk data protection legal training company discusses aspects of the new EU Data Protection Regulation.
More breaches caused by staff than hackers
An Irish Computer Society survey highlights that more breaches are caused by staff than by external hackers.
Adobe addresses PDF security problem
A new paper from Adobe discusses the problems and solutions in PDF security.
You have to look long and hard, but eventually you find it. There, on page 51 of ‘Building on our inheritance – Genomic technology in healthcare’ is the one and only mention of the national whole genome sequence database. From the beginning you know it must exist. The report talks throughout about the benefits that will accrue to mankind from the widespread use of whole genome sequence research; but it only makes sense if the data is complete and freely available. But not until page 51, and only on page 51, is the national genome database mentioned.
This would not necessarily require data stored locally: patient sequence data could be stored securely in a national database, making it accessible to the centres but also to the patient’s physician or GP.
Let’s be clear: this is a national DNA database. But it’s OK, because this is for health rather than law enforcement. And it will, yeah right, only be available to health officials, and health researchers, and pharmaceutical companies and academics and probably anyone who pays for it – internationally. The report makes very clear that if national research is good, international research is very much better.
It is, in effect, a national DNA database writ large. It has all the worst elements of the police DNA database combined with the NHS central records database and will undoubtedly cost a great deal more than both and be more dangerous and insecure than either.
And for what? “Government should not be duped by hype about genomics: some useful applications will exist but most diseases in most people and many adverse drug reactions are not predictable from people’s genes,” said Dr Helen Wallace, Director of GeneWatch UK. “Storing personal genomes for no reason would lead to a massive marketing scam, based on selling drugs to healthy people who are told they are at risk of getting diseases in the future.”
My concern is that government is quite relaxed about a new national DNA database from which it will gain all the benefits with none of the blame; that, in effect, a national genome database is already a conspiracy between government and the pharmaceutical companies in just the way that ACTA and DEA and SOPA and PIPA and others are a conspiracy between governments and the entertainment industry.