Last week the Council of the EU published the EU Human Rights Guidelines on Freedom of Expression Online and Offline. It is really aimed at non-EU states that show little regard for human rights — but the reality is the EU should look closely at its own behaviour.
Consider just three extracts:
1. Free, diverse and independent media are essential in any society to promote and protect freedom of opinion and expression and other human rights. By facilitating the free flow of information and ideas on matters of general interest, and by ensuring transparency and accountability, independent media constitute one of the cornerstones of a democratic society. Without freedom of expression and freedom of the media, an informed, active and engaged citizenry is impossible… Efforts to protect journalists should not be limited to those formally recognised as such, but should also cover support staff and others, such as ”citizen journalists”, bloggers, social media activists and human rights defenders, who use new media to reach a mass audience…
2. Support the adoption of legislation that provides adequate protection for whistleblowers and support reforms to give legal protection to journalists’ right of non-disclosure of sources…
3. The right to seek and receive information
The right to freedom of expression includes freedom to seek and receive information. It is a key component of democratic governance as the promotion of participatory decision-making processes is unattainable without adequate access to information. For example the exposure of human rights violations may, in some circumstances, be assisted by the disclosure of information held by State entities. Ensuring access to information can serve to promote justice and reparation, in particular after periods of grave violations of human rights. The UN Human Rights Council has emphasized that the public and individuals are entitled to have access, to the fullest extent practicable, to information regarding the actions and decision-making processes of their Government…
These are, put simply, ‘a free and independent press, including bloggers’; ‘protection for whistleblowers’; and ‘freedom of information’ — all of which are necessary to, and in, a democratic society.
The UK seeks to curtail an independent press. It does this through threats (such as using the Leveson proposals against journalists and editors), abuse of the Terrorism Act (just as Obama abuses the Espionage Act), and pure and simple bullying.
Example: When Guido Fawkes’ political blog scooped the mainstream press on the arrests of Max Clifford, Jim Davidson and Rolf Harris, Fawkes wrote,
No judge has ordered reporting restrictions in relation to Rolf Harris, no super-injunctions prevent the reporting of news concerning him, instead his lawyers Harbottle and Lewis are citing the Leveson Inquiry’s report in letters to editors of newspapers – cowing them into silence. The Leveson effect is real and curtailing the freedom of the press through fear.
Leveson Effect: Can You See What It Is Yet?
Example: David Miranda was arrested, detained at Heathrow, and had his computer equipment confiscated when he was merely passing through Heathrow on the way from Berlin to Brazil. To achieve this, the UK government had to classify him as a terrorist for possibly carrying Snowden files.
Example: Government officials insisted on and oversaw the physical destruction of The Guardian’s hard disks that contained Snowden files.
Protection for whistleblowers
The three great whistleblowers of the modern age are Chelsea (Bradley) Manning, Julian Assange, and Edward Snowden. Manning is in prison and likely to stay there for many years to come; Assange has a European Arrest Warrant against him and is effectively imprisoned for life in the Ecuadorean Embassy in London; and the whole of Europe has refused to provide asylum to Snowden.
At the Stockholm Internet Forum set for the end of May, and hosted by the Swedish government,
.SE – the only non-governmental organization among the hosts – made a list of possible candidates. The most important name on it: Edward Snowden. Further names included journalists Glenn Greenwald and Laura Poitras, the two journalists that informed the world about the NSA’s activities, Guardian Editor in Chief Alan Rusbridger as well as hacker Jacob Appelbaum, who found the mobile phone number of German Chancellor Angela Merkel in Snowden’s database. The list of candidates was sent to the Swedish Foreign Ministry for approval.
Swedish Foreign Ministry prevents Snowden’s invitation
In the event, Carl Bildt’s foreign ministry vetoed all except Laura Poitras, who declined the invite because of the blacklist.
If the European Union were serious about protection for whistleblowers, it would provide protection for Assange and Snowden. In the case of the former, it is assisting US attempts to get him into the USA; in the case of the latter, it is doing nothing to prevent them.
Freedom of information
This, says the EU, is a necessary ingredient for democracy — but denies it to its own people. In April, Dr Helen Wallace of GeneWatch announced
GeneWatch has spent 12 months battling to reveal documents showing extensive government contacts between the Department of Food, Environment and Rural Affairs (Defra) and the GM crop lobby group the Agricultural Biotechnology Council (ABC).
“These partial documents strongly suggest the Government is colluding with the GM industry to manipulate the media, undermine access to GM-free-fed meat and dairy products and plot the return of GM crops to Britain”, said Dr Helen Wallace, Director of GeneWatch UK, “The public have a right to know what is going on behind closed doors”.
She was complaining about missing and redacted documents from the Department for Environment Food & Rural Affairs (DEFRA). Early in May she commented,
These documents expose Government collusion with the GM industry to agree PR messages and blacklist critical journalists. Scientists have been cherry-picked to push GM industry PR, as it seems the Government has made promises of research funds tied to public-private partnerships with Monsanto or Syngenta dependent on supporting commercial cultivation of RoundUp Ready GM crops in Britain. Disturbingly, the Government has also been kept in the loop over lobbying by GM feed importers behind closed doors to stop supermarkets offering their customers the choice of GM-free-fed meat and dairy products. British consumers have lost out to boost Monsanto’s profits, as more GM RoundUp Ready soya is shipped in for use in feed, harming the environment abroad.
In short, the UK government systematically denies information to the UK people where the democratic process might disturb its autocratic purposes. This is contrary to both the spirit and word of the EU’s freedom of expression guidelines.
The only realistic conclusion that can be drawn from the EU guidelines is that they are nothing other than propaganda designed to make European citizens believe that they live in a democracy. It wants the world to believe that it has high ideals over freedom of expression and access to information, but does little to ensure it within its own borders.
When Europe learned about the extent of NSA surveillance on the personal information of European citizens there was immediate concern over the effectiveness of the EU/US safe harbour agreement. Under European data protection laws, personal data cannot be exported to a foreign country that does not have data protection laws considered comparable to EU laws. The US does not have comparable data protection – and therefore cannot receive European data.
To solve this commercial impasse, the relevant authorities came up with the safe harbour agreement. Under this, US companies can be certified (or can certify themselves) as effectively conforming to European laws. Without that certification, they cannot handle European data in the US.
One of the requirements is that they agree not to pass any of that data to a third party. Snowden’s revelations show that vast troves of the data get passed to the NSA without judicial oversight or public transparency. Clearly, then, the safe harbour agreement is not working as intended.
Europe was incensed – so incensed that it threatened to suspend the safe harbour agreement altogether. Few people have taken this seriously. I wrote at the time,
In a fit of pique, the EC has declared that if the US doesn’t do what it wants, it might reconsider the safe harbor agreement that allows US companies to export personal European data even though the US is not considered safe to secure it. It won’t, of course. Can you imagine the uproar if Europeans could suddenly not have their hourly fix of Facebook or Twitter or Google mail?
EC continues its froth(ing at the mouth) over the NSA
The Hunton and Williams international law firm has reached a similar conclusion:
Despite the rhetoric, it seems unlikely that the Safe Harbor will be suspended… Any such action would cause considerable uncertainty and would disrupt existing business arrangements that fuel the global economy.
The Future of the US-EU Safe Harbor
But the rhetoric coming from Commissioner Reding has been unequivocal: if the US does not tighten and improve enforcement of safe harbour by this coming summer, it will be suspended. Last November it
set out actions to be taken in order to restore trust in data flows between the EU and the U.S., following deep concerns about revelations of large-scale U.S. intelligence collection programmes, which have had a negative impact on the transatlantic relationship.
Restoring Trust in EU-US data flows
This includes 13 specific recommendations.
The Commission is calling on U.S. authorities to identify remedies by summer 2014. The Commission will then review the functioning of the Safe Harbour scheme based on the implementation of these 13 recommendations.
But when you examine these 13 recommendations (which the EC could have called ‘requirements’, but did not), they are all decidedly weak.
The competent authority enforcing safe harbour in the US is the Federal Trade Commission (FTC).
All of this is necessary background before we consider the FTC’s latest privacy settlement with a US company. It accused Snapchat of multiple privacy failings (notably, that it did not do what it claimed to be doing).
Snapchat, the developer of a popular mobile messaging app, has agreed to settle Federal Trade Commission charges that it deceived consumers… The FTC case also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.
Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False
FTC Chairwoman Edith Ramirez actually commented, “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
This should be reassuring to Reding and the EC – the FTC seems to be taking false security claims seriously. That is effectively what the EU is demanding in the 13 recommendations that will ensure the continuance of the safe harbour agreement: that US companies actually do what their safe harbour certification says they will do.
But despite these tough words from the FTC, the actual settlement agreement with Snapchat is pathetic.
Under the terms of its settlement, Snapchat will not be fined. But the app maker will be prohibited from misrepresenting the privacy, security or confidentiality of user data within the app and be required to implement a comprehensive privacy program to be monitored by an independent party over the next 20 years. If Snapchat violates the settlement in the future, it could face financial penalties.
Snapchat agrees to settle FTC charges that it deceived users – The Washington Post
Incidentally, the ‘financial penalties’ amount to the colossal fine of $16,000.
What all of this amounts to (just for the sake of argument, imagine a company like Facebook misrepresenting its privacy policies and falling foul of the safe harbour agreement) is a slap on the wrist, a demand for improvement and a promise not to do it again, with the threat of a $16,000 fine if it breaks its word. But doing this pretty well conforms to the lily-livered 13 Recommendations.
The result is effective collusion between politicians on both sides of the Atlantic to make it seem as if they are working for the people while not actually causing any problems to business. Same as it ever was, and everyone’s a winner – except the people.
The United States is accustomed to getting its way internationally through trade threats. One method is the Special 301 Report Watch List, which is an annual list of countries which the US believes are failing in their duties towards copyright protection (specifically, US copyright protection). Once included in the Priority Watch List, a foreign country is liable for legal and/or trade sanctions. The Special 301 Report is compiled by the Office of the United States Trade Representative (USTR), and is seen as a method of bullying recalcitrant nations into conformity with US preferences.
This is not the only annual report from the USTR. It also produces the Section 1377 Review, which examines international compliance with telecommunications trade agreements. This too, perhaps because it has become entrenched in the USTR way of doing business, can take a bullying tone. The latest report was released on Friday – but I would suggest that the USTR think again if it believes it can bully the European Union at this stage of EU/US relations.
Following the Snowden revelations on NSA/GCHQ spying, the now former head of Deutsche Telekom, René Obermann, proposed in November 2013 that Europe should establish a Schengen-routing and Schengen-cloud. The idea was that any communication from one point in Europe to another point in Europe should never leave Europe; and that personal European data should remain within Europe. This latter would effectively remove the existing safe harbour agreement with the US.
‘Schengen’ was chosen specifically as a mechanism for excluding the UK. The Schengen Area comprises 26 European countries that have abolished border control for Europeans between common borders – the UK has always remained outside of this agreement. As Die Welt described in March, the ‘Schengen-routing’ is intended to be “a defensive measure against the encroachments of the Anglo-Saxon intelligence on European internet users.”
Germany’s Angela Merkel and France’s François Hollande (that is, the central axis of the European Union) have declared support for the idea.
USTR’s Section 1377 Review
At the end of last week the USTR released its 2014 Section 1377 Review. On cross-border data flows it has two concerns: Turkey and the EU.
In Turkey, in the run-up to the recent local elections (‘won’ by Prime Minister Erdogan’s AKP party) and ahead of the presidential elections in August, the government has been tightening its grip on and control over the internet. USTR is concerned over restrictions on data flows and will seek “to ensure that data flows supporting legitimate trade can expand unimpeded.”
In Europe, the report notes that
DTAG [Deutsche Telekom AG] has called for statutory requirements that all data generated within the EU not be unnecessarily routed outside of the EU; and has called for revocation of the U.S.-EU “Safe Harbor” Framework, which has provided a practical mechanism for both U.S companies and their business partners in Europe to export data to the United States, while adhering to EU privacy requirements.
Well, obviously, this is a false statement. The safe harbour agreement requires that US companies holding European data do not pass that data to any third-party – but clearly they do pass it to the NSA and law enforcement. The report continues,
The United States and the EU share common interests in protecting their citizens’ privacy, but the draconian approach proposed by DTAG and others appears to be a means of providing protectionist advantage to EU-based ICT suppliers. Given the breath [sic] of legitimate services that rely on geographically-dispersed data processing and storage, a requirement to route all traffic involving EU consumers within Europe, would decrease efficiency and stifle innovation. For example, a supplier may transmit, store, and process its data outside the EU more efficiently, depending on the location of its data centers. An innovative supplier from outside of Europe may refrain from offering its services in the EU because it may find EU-based storage and processing requirements infeasible for nascent services launched from outside of Europe.
This is riddled with emotive language and inaccuracies. Draconian? Protectionist advantage? (Now I freely accept that DTAG will be looking for commercial opportunities, and that it is not a company I personally wish to use. From personal experience, I will never have dealings with T-Mobile again. But it is interesting that it seems to be willing to trade the US market for the European market.)
And the inaccuracies… Europeans would suggest that the US has shown scant regard for anyone’s privacy, while it is the US that delivers protectionist advantage (sometimes via economic espionage) to its own companies. Secondly, it completely misrepresents the proposals. European point-to-point communications should stay within Europe (that’s the ‘routing’); while personal data should not leave Europe (that’s the ‘cloud’). But the USTR is lumping the two together into some form of balkanised European intranet completely cut off from the rest of the internet. In reality, it should have little effect on legitimate trade between the EU and US.
It is not, for example, nearly as draconian as the US exclusion of Huawei from the US markets without any proof of actual threat (other than economic).
Then comes the USTR threat:
Furthermore, any mandatory intra-EU routing may raise questions with respect to compliance with the EU’s trade obligations with respect to Internet-enabled services. Accordingly, USTR will be carefully monitoring the development of any such proposals.
In reality we should not take this too seriously. It’s a form of lobbying – perhaps the first of much more to come – and we already know that USTR is not averse to lobbying on behalf of US industry. But it does show that the US is beginning to take the Schengen threat seriously. The UK should too. In the meantime, it should be said that US industry is not without its European allies. Neelie Kroes, the European Commissioner in charge of the European Digital Agenda, has said: “It’s not realistic that we can keep data in the EU, and the trial could jeopardize the open Internet.” Neelie Kroes is the commissioner who recently tried to redefine ‘net neutrality’ to suit big telecoms companies, only to have her definition rejected by the European Parliament.
I am not Microsoft’s greatest fan. It is a dinosaur stuck on the beach while the fleeter of foot are soaring through the clouds. The reality is that it has no, and has never had, any visionaries. Even its domination of the desktop was more down to luck and sharp practices than genuine vision.
It was lucky that Gary Kildall rejected IBM’s overtures, else there would never have been an MS-DOS; and it was sharp practices that killed off Digital Research — its one serious and technically superior competitor. It was lucky that Apple demonstrated the value of Xerox Parc research and paved the way for Windows. It was lucky Jobs was so far ahead of his time he thought he could have a walled garden in the ’80s; and almost destroyed Apple in the process.
But it was sheer arrogant blindness that made Gates think he could ignore the internet. For the last two decades Microsoft has been forced into playing catch up; but catch up never works if you don’t have the vision to get ahead of the competition.
Now, in just one area, Microsoft is showing visionary signs that could differentiate it from all of its competitors. Microsoft has started listening to its customers rather than imposing its will on its customers.
While Facebook is telling everyone that they don’t want privacy, Microsoft is listening and saying, OK, we will give you privacy. While Google is fighting the European Union over privacy and cloud storage, Microsoft is listening to the EU and saying, OK, we can accommodate and store European data in European data centres.
Now, it’s not as simple as that. The US government can still demand customer data from Microsoft’s European data centres simply because Microsoft is a US company. But it’s making that data much more defensible, and telling the EU that it is willing to cooperate rather than fight.
Similarly over privacy. When it became clear last week that Microsoft had, quite legally, searched the emails of one of its customers concerning the theft of Microsoft IP, it knew there would be privacy issues. It immediately said two things: firstly, that it would in future get a pseudo-warrant from an independent lawyer who had previously been a judge; and secondly, that it would include its own searches in future ‘transparency reports’ (the ones that publish the number of law enforcement searches).
It wasn’t enough for the privacy advocates who pointed to the hypocrisy of criticising NSA warrantless surveillance and then doing its own.
To Microsoft’s great credit, within a week, it has listened, heard and understood. Brad Smith announced yesterday,
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
We’re listening: Additional steps to protect your privacy
Is this a new Microsoft — the genuinely ‘listening’ company? It no longer dominates the world’s operating systems, and is losing ground on desktop office software. But it seems to be doing one thing that none of its competitors are doing. It is listening to its customers, and giving them what they want. That alone, over the next few years, could catapult Microsoft back into a leading position.
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.
Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.
To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.
But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention to safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.
Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.
FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?
Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion because the FTC has just taken enforcement action against 12 US companies for that very infringement.
Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations
So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self-certification.
This is not the behaviour of a country that is taking Europe seriously.
Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.
Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)
Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.
Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)
Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.
So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.
Do no evil is best known today as a Google reference; but it occurs earlier in the Bible (2 Corinthians 13:7 King James):
Now I pray to God that ye do no evil; not that we should appear approved, but that ye should do that which is honest, though we be as reprobates.
Do as you would be done by is an immediately recognisable biblical reference (Matthew 7:12 King James):
Therefore all things whatsoever ye would that men should do to you, do ye even so to them: for this is the law and the prophets.
Google has claimed the former, but ignores the latter.
It recently removed two extensions from its Chrome webstore: Add to Feedly and Tweet this Page. This was a good thing. Although the extensions originally did what’s described on the tin, they had been bought by advertising companies of the worst sort. Those advertising companies subsequently slipped in, via automatic updates, adware engines.
Automatic updates are a double-edged sword. In the hands of a supplier you trust they can be a tremendous boon — security patches and software improvements just happen. But in the hands of a dubious firm, automatic updates are a troublesome problem. They can, and in the case of these two extensions, did covertly install all manner of things.
To get round the problem Google has changed its terms of service. In future, extensions will need to be clearly defined — the new terms state that extensions must have “a single purpose,” and be “narrow and easy-to-understand”. Adding a new function secretly, such as adware, clearly breaches these rules.
Google invoked these rules to remove the extensions. In general, however, the company says the new terms won’t be enforced widely until the summer. That implies there will then be some form of enforcement methodology — extension auditing, for example.
Again, this is a good thing. Google is saying that its users should know what the software they use actually does, and it should be easily understood, and their privacy should not be abused.
Which is more or less what the European Union is saying to Google itself. Two European data protection regulators (France and Spain) have already fined the company the maximum possible for breaking privacy laws. Four others (Germany, Italy, The Netherlands and the UK) have agreed that the privacy laws have been broken. Germany, Italy and The Netherlands are expected to levy fines. The UK is more likely to discover some weasel way to avoid fining Google (because of the UK’s traditional thrall to big business), but nevertheless holds Google in breach of the law.
Google is doing unto Europe what it won’t allow its app providers to do unto Google: confuse, break the rules and dissemble. It is clearly hoping and expecting that its sheer size will prevent Europe smacking it in the same way it smacked those that disobeyed its own rules. Here’s hoping…
There is one aspect of what the European Parliament is calling the ‘surveillance scandal’ that is not to my mind being sufficiently addressed in Britain: what is GCHQ’s involvement in European hacking and surveillance doing for Britain’s standing in Europe?
While there is a relatively open and wide-ranging debate over the NSA in the US, there is virtually nil debate over GCHQ in the UK. The reason is basically twofold: firstly, the UK government has run a very successful campaign in keeping the lid on things (a combination of refusing to say anything, denying that anything wrong has been done, and bullying/persuading the media to say little or nothing about it); and secondly, the apathy of the British public is legendary. So long as it doesn’t directly affect us, we Brits just don’t care — and spying on foreign Europeans does not directly affect us.
It is all helped by the European Treaty, which says that national security is a national concern. The British government can and simply does say to Europe, ‘what GCHQ does is none of your concern, and it is not our policy to talk about what our intelligence agencies do.’
The result is that the man in the British street has no idea of what is actually happening in Europe, nor the dismay with which Britain and the British are now considered abroad.
Yesterday I asked Jan Philipp Albrecht, an elected member of the European Parliament and a leading light in its Civil Liberties, Justice and Home Affairs committee, how Britain is now viewed in relation to GCHQ. (You can get more details here: Exclusive: Jan Philipp Albrecht Speaks to Infosecurity Ahead of Calling Snowden as a Witness.)
My question was this:
What does Britain spying on fellow members of the EU do for the future relationship between the UK and the rest of Europe?
His reply, verbatim:
It is already today a huge damage to the relationship between UK and the rest of Europe. The attacks of the GCHQ on TelCom services like Belgacom and on servers on huge internet companies are illegal cyberattacks which come near to the notion of cyberwar. The involvement of issues not covered by national security like economic spying splits the Union and throws it back to the fight between national economies in the last century. It will harm the economies in Europe including the British and the trust in the institutions as well as the digital market severely.
It is worth considering this. Firstly, between the lines, there is clear anger. Secondly, he comes as near as dammit to accusing Britain of waging cyberwar against its allies. Thirdly, he brushes aside the notion that the surveillance is based on national security and anti-terrorism, and includes the accusation of ‘economic spying’. And lastly he likens that economic spying to the situation of twentieth century Europe; a century in which economic rivalry led to two world wars. This is what Europe thinks of Britain and the British today.
Does it matter? Too damn right. Despite our aloofness, we don’t actually want to leave Europe. Prime minister Cameron has promised to renegotiate Britain’s relationship with Europe. This is what most Brits want; but what Cameron wants is to eliminate Europe from those areas that limit his freedom to do what he wants. His main aims, which he will sell to the British public in terms of maintaining British sovereignty, are to limit data protection and eliminate the jurisdiction of the European court. These will benefit big business and GCHQ; but they will be bad for the people.
But — and this is the point — because of the surveillance scandal, he may be in for a surprise. He will threaten Europe that unless he gets what he wants, Britain may leave the Union. And the rest of Europe will simply say, ‘Good riddance.’
The problem with the news is that it is usually generated by parties with a vested interest. When the news comes from government, it is because government has an axe to grind. When the news comes from a security firm, it is because that firm has a product or service to sell.
Usually this vested interest is well disguised and hidden behind actual facts. Sometimes, however, the truth is so far distorted that you simply have to comment. And here’s an example: a missive from a PR company that states, verbatim:
EU Cyber Security Directive Could Cost Organisations Billions
The new EU Directive on Cyber Security is going to have a huge impact on all organisations that trade in the EU. The Directive states that any organisation that does not have their cyber security in order and suffers a security breach will face extremely heavy fines of up to 2% of their annual global turnover. This means for large enterprises or banks, fines could run into millions or billions of pounds…
…recent research… has revealed that many industries are seriously behind in terms of IT security and risk facing extremely heavy fines when the Directive comes into action.
This is simply wrong. It demonstrates either an abject failing to understand EU processes, or a conscious attempt to mislead.
The European Commission proposes the laws, which the European Parliament (together with the Council) then votes to accept, amend or reject. It has two vehicles: a Directive and a Regulation. A Regulation is directly applicable: once adopted it has the force of law in every member state exactly as written, with no national transposition. A Directive is closer to a statement of the result to be achieved: each member state transposes it into its own national law in accordance with local practice and requirements, so the detail (including any penalties) can differ from one country to the next.
There are two relevant EC proposals right now: the proposed network and information security (NIS) directive, usually called the cyber security directive, and the proposed general data protection regulation (GDPR). Time and again security firms get these separate issues muddled in a manner that is either ignorance of European processes, or an intentional attempt to mislead.
The cyber security directive lays down no specific sanctions — these are left for the individual nation states to specify themselves.
Member States shall lay down rules on sanctions applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The sanctions provided for must be effective, proportionate and dissuasive.
EU cyber security directive
It is the regulation that imposes the 2% maximum sanction, and only for the specific categories of infringement it lists, personal data breaches among them. Note too that 2% of turnover is a ceiling, not a tariff: for a company turning over less than about £25 million, 2% is under £500,000, which is the maximum monetary penalty the UK’s Information Commissioner can already levy under the Data Protection Act. For smaller companies the proposal may therefore turn out to be no harsher than the status quo.
The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of cooperation with the supervisory authority in order to remedy the breach…
…The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently etcetera, etcetera
EU proposal for a general data protection regulation
And remember that passage of the GDPR into law is still far from certain. However, by conflating these two separate proposals:
- government is able to suggest that the EU proposals will place an unacceptable burden on national business (in reality, it is almost entirely the UK that takes this approach, largely because the Data Protection Regulation will impose unacceptable burdens on GCHQ’s current free rein in electronic surveillance)
- security firms are able to frighten industry into spending ever more money on ever more weird and wonderful security products. A risk-based approach to security will probably show that the actual risk is far, far less than the warnings from the security industry.
The tragedy in this particular instance is that two good names are dragged into the mire: Tripwire and Ponemon. I would suggest that if you see news articles over the next couple of days saying that industry is being faced with massive fines for not having adequate security, you take a step back and consider the actual EU proposals before rushing out to spend 2% of your annual income on security products.
This example does the security industry no favours whatsoever.
“Establishing a European Public Prosecutor’s Office – A federal budget needs federal protection,” says Viviane Reding today.
She’s talking about the formation of a European Public Prosecutor’s Office, “to fight fraud against the EU budget and to uphold the rule of law across the Union.”
I like the idea of fighting fraud.
I distrust the concept of the ‘rule of law’ – it’s just a political concept devised to say, ‘you Pleb, me Lord, you do what I say, always, no arguments.’
But that’s not the point here. “It is a federal budget. If we don’t protect it, nobody else will do it for us,” says Reding.
Federal budget? Did I miss something? When did the European Union morph into the European Federation?
So Britain, disingenuous towards its people all the way, and Sweden (Obama’s other European bitch), have vetoed EU/US talks about espionage. All they can talk about is privacy.
Slowly and quietly, NSA and GCHQ spying on innocent people as part of dragnet data gathering and hoarding is being buried. What will emerge is that the two agencies simply gather targeted metadata, and that’s not so bad, is it?
The European super state, which makes the laws by which we live, is not apparently competent to discuss the surveillance by which we are monitored. This is nothing short of technical legal chicanery by the same European partnership that is colluding to deliver Assange to Obama.
Personally I am fed up with being lied to and misled by the politicians we all pay to protect us. Consider this: if government used the same risk-based security that everyone else uses, all anti-terror surveillance would be abandoned and the money diverted to road safety and better-designed kitchens.
If we now listen to and believe this duplicity from the British and Swedish governments, then we are colluding in the establishment of an Orwellian police super state. We are being lied to and deceived.