Archive for May, 2011

European Data Protection Supervisor suggests the EU should scrap the Data Retention Directive and start again…

May 31, 2011

You have to feel sorry for Peter Hustinx. He’s the European Data Protection Supervisor (EDPS): ‘the European guardian of personal data protection’. He tries to do his job. Sadly, the rest of the European Union simply ignores him. Take the Data Retention Directive (that telecoms companies must keep details of where you go on the internet and who you talk to on the telephone “for a period of not less than six months and not more than two years from the date of the communication”)…

That’s more of an invasion of privacy than we realise until we start seriously thinking about it. Basically, it’s appalling. And that’s more or less what Mr Hustinx thinks. In his recently published “Opinion of the European Data Protection Supervisor on the Evaluation report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC)”, he not merely says it doesn’t pass muster, he goes so far as to suggest it be scrapped and the politicians start again from scratch.

On the basis of the Evaluation report it may be concluded that the Data Retention Directive does not meet the requirements set out by the rights to privacy and data protection, for the following reasons:

  • the necessity of data retention as provided for in the Data Retention Directive has not been sufficiently demonstrated;
  • data retention could have been regulated in a less privacy-intrusive way;
  • the Data Retention Directive lacks foreseeability.

and further

The EDPS calls upon the Commission to consider seriously all options in the impact assessment including the possibility of repealing the Directive, either per se or combined with a proposal for an alternative, more targeted EU measure.

Can there be a more damning opinion?

Probably not.

Will the politicians listen?

Most certainly not.

EDPS Report

Categories: All, Politics, Security Issues

Respect to Germany

May 31, 2011

As a Brit I am accustomed to living with a grudging respect for Germany and the Germans. But I’d like to go on record with profound respect for Germany’s decision to abandon nuclear energy. That’s the best news I’ve heard this year. Now we just need our own government to display similar bravery in the face of vested interest.

Categories: All

The EU, internet freedom and illegitimate oppressive regimes

May 30, 2011

And still the inordinate crass hypocrisy of our European politicians has the power to amaze me…

Last Friday, Neelie Kroes blogged about the e-G8 and G8 meetings.

Plus my strong commitment to freedom of expression is well-known – and I’ve already given a clear signal on the “no disconnect strategy”.
The World’s Most Powerful Join the Digital Revolution

What is Neelie’s ‘no disconnect strategy’? It is this:

I am very concerned by what is going on in countries like Egypt, Tunisia and Libya and I think people around the world have the right to be connected. This is why I am promoting a “No Disconnect Strategy” for the Internet. I asked my services to explore how civil society organisations and individuals can be assisted to circumvent arbitrary internet and communications shut-downs by repressive regimes, where we have concluded that an authoritarian regime’s actions are illegitimate. Our experts are working on this very important issue right now. I will keep you updated.
The “No Disconnect Strategy”

Think about this. She has asked her experts to explore ways in which she can help rebels ‘circumvent arbitrary internet and communications shut-downs’. This may be ‘arbitrary’ to her, but in the countries concerned it is the law of the land. She is setting herself up as morally superior to other cultures, governments and societies; and she is seeking to interfere in the internal politics of other sovereign states. (I’m not criticising; I’m just saying that’s what she’s doing.)

At the same time, in the UK, a local council used a Californian court to force Twitter to disclose personal information on one UK user. I do not blame Twitter for handing over the information. Faced with a court order, it had no choice. However, I have huge concern over both the South Tyneside Council that sought it and the Californian court that ordered it. As far as I understand, the anonymous Mr Monkey was merely accused of being libellous (not proven to be). On that basis, accusation alone, Twitter was forced to give up private personal data.

Back to Neelie Kroes, whose “strong commitment to freedom of expression is well-known”. Well, knowing who someone is, is a first step to being able to remove them. Neelie wants to be able to help ‘individuals’ oppressed by ‘repressive regimes, where we have concluded that an authoritarian regime’s actions are illegitimate’.

OK, Neelie – that means the UK. Our government via the police is repressive; they ‘corral’ peaceful demonstrators illegally; they use unnecessary force (even killing an innocent passer-by); they watch us with more surveillance cameras than anywhere else in the world; they use Geotime surveillance software to track people (“This latest tool could also be used in a wholly invasive way and could fly in the face of the role of the police to facilitate rather than impede the activities of democratic protesters,” said Sarah McSherry, a partner at Christian Khan Solicitors, representing several protesters in cases against the Metropolitan police); and they have the world’s largest illegal DNA database of innocent people.

So, Neelie – never mind Libya and Syria and the Yemen: what are you going to do to safeguard the British people from the British government and the British police?

Categories: All, General Rants, Politics

The legislature legislates, the judiciary adjudicates: doesn’t Cameron understand this?

May 28, 2011

The manner in which Sharon Shoesmith was dismissed was unfair. That is the finding of the courts. But according to the BBC:

…Prime Minister David Cameron has made it clear that he has a real problem with this decision because he believes elected ministers should be the ones who make key decisions about their departments.

“For the prime minister it is about accountability,” [BBC political correspondent Robin Brant] said. “It’s about elected ministers deciding if people like Sharon Shoesmith are doing a good or bad job. He doesn’t think it should be up to judges.”
Baby Peter boss Sharon Shoesmith ‘does not do blame’

We are being told that Cameron considers this to be a constitutional issue. If so, how sad it is that the prime minister of the United Kingdom has so little knowledge of the constitution of the United Kingdom. He, as the key member of the executive, plays a pivotal role in making the law. But it is the responsibility of the courts to interpret the law. That’s what they have done. If he doesn’t like it, his responsibility is to make a new law – not to usurp the role of the courts.

At best this is ignorance. At worst it is a power grab. I fear both. But the latter is the more dangerous.

Categories: All, General Rants, Politics

Freedom and control; liberty and security; citizen and politician

May 28, 2011

Luis Corrons has started his new blog, Libertarian Security, with an excellent post: Freedom vs Security. He paints a worrying picture, especially where government intervention is concerned:

Governments even go as far as saying that any limitations on people’s liberties aren’t actually that, but they are giving citizens more liberty by protecting their security. This is nonsense. However, anybody that listens to 100 99 percent (let’s keep the hope alive) of politicians, however democratic they may seem, will see that their strategy is always similar: They all try to justify themselves by stating that they restrict our liberties to give us more freedom.

and

All this will eventually change the Internet as we currently know it… for worse at least when it comes to freedom of speech. In a few years’ time, besides protecting ourselves against cyber-attacks we will also have to look for mechanisms that guarantee our rights against government abuse of power.
Freedom vs Security

Apart from recommending Luis’ blog, and hoping that he can find the time for many more posts, I really want to add a further illustration of the sort of political double-talk gobbledygook that emanates from our ‘leaders’. It concerns net neutrality, something most thinking people believe to be essential for future freedom. Well, Neelie Kroes, Vice-President of the European Commission for the Digital Agenda, also believes in net neutrality – and that’s incredibly reassuring. How do we know? Because she has told us:

“I am determined to ensure that citizens and businesses in the EU can enjoy the benefits of an open and neutral internet…”
Digital Agenda: Commission underlines commitment to ensure open internet principles applied in practice

But it’s worth actually considering what she really means. What is ‘net neutrality’ to Neelie Kroes?

Bear in mind that new European rules came into force on 25 May. “Member States’ telecoms regulatory authorities [must] promote the ability of internet users “to access and distribute information or run applications and services of their choice” (Article 8(§4)g of the telecoms Framework Directive 2002/21/EC, as amended by Directive 2009/140/EC).” She went on to add

Other rules directly relevant to net neutrality that enter into force on 25 May as part of new EU telecoms rules include requirements concerning:

  • transparency (e.g. any restrictions limiting access to services or applications, connection speeds)
  • quality of service (regulators can set minimum quality levels) and
  • the ability to switch operator (within one working day).

Transparency. This means that where the telecoms providers are not neutral, they have to say what they are providing, and that, in EU terms, will make them neutral.

Quality of service. Important though it is, WTF has this to do with net neutrality?

Switch. I would like to know what relevance the ability to rapidly switch providers has to net neutrality.

All of this is exactly what Luis Corrons warns about. Our political leaders are intent on removing net neutrality while persuading us that they are protecting it. And the tragedy is that too many of us will believe them, and allow them.

Libertarian Security

Secret EU/US PNR agreement flies in the face of data protection principles

May 27, 2011

Discussing the EU/USA negotiations on ‘passenger name records’, back in March I concluded:

My bet is that there will be a lot of huffing and puffing, and pretending to get what we (the European citizen) wants; but America will eventually get all that it seeks simply because it is America and is supported (through national interest) by most of the individual national governments in Europe. We will be told by the Vice-President of the European Commission that our personal data is protected – but it won’t be.
EU-US Negotiations on an agreement to protect personal information exchanged in the context of fighting crime and terrorism…

Today we learn from a document leaked to the Guardian:

The personal data of millions of passengers who fly between the US and Europe, including credit card details, phone numbers and home addresses, may be stored by the US department of homeland security for 15 years, according to a draft agreement between Washington and Brussels leaked to the Guardian.
US to store passenger data for 15 years

[Image: the leaked EU/US PNR draft agreement – click the image to read the leaked document at the Guardian.]

It’s not this agreement that surprises me. What surprises me is that anyone still believes the word of such an undemocratic, autocratic, secretive, misleading, authoritarian, double-talking, self-seeking organisation as the EU. I have said it before and I will say it again: it is time for the UK (and any other European ex-nation that values its freedom) to leave the European Union.

Categories: Uncategorized

Luis Corrons’ new blog: Libertarian Security

May 27, 2011

Luis Corrons, technical director at PandaLabs and someone I widely quote and enormously respect, has a new blog: Libertarian Security. Bookmark it! It’ll be worth reading.

(Thanks to David Harley of ESET, another security expert I respect and admire, for pointing it out.)

Categories: All, Politics, Security Issues

Bank of America fraud continues to show the way in security

May 26, 2011

There is a triumvirate of evil in this world: the banks, the pharmaceutical companies and the oil companies. They control the governments that control us. And they do so in the name of profit for their owners.

Yesterday, BankInfoSecurity published a story about a security breach at the Bank of America. An employee has apparently been selling personal account information to a criminal gang – enough for the criminals to open separate accounts in the customers’ names; and leading to a $10 million loss. Over the next few days the wires will be full of security experts explaining how this should never have happened if only the bank had been using this or that security product developed by the very same security experts. That’s a given – but it’s not the point I wish to make.

Some 300 BofA customers in California and other Western states have reportedly had their accounts hit, and 95 suspects linked to the breach were arrested by the Secret Service in Feb.
$10 Million Loss Highlights Risks, Sophistication of Internal Breaches

Note that. The Secret Service had enough information to make arrests three months ago.

BofA says it detected the fraud a year ago, but only recently began notifying affected customers of the breach.

Note that also. Never mind how long the fraud had been going on, the bank knew about it a year ago. And note that it has only recently begun notifying the victims.

Now note this:

“Keeping customer information secure and confidential is one of our most important responsibilities, and Bank of America sincerely apologizes for this incident, and regrets any inconvenience it may cause our customers. We work hard to prevent fraud, and our customers who experience fraud on their accounts related to this incident will be reimbursed if they report it promptly to us.”
Colleen Haggerty, Bank of America spokeswoman

What hypocrisy – throughout. If they took security seriously, it would never have happened. What hypocrisy. They took a year to notify the victims, but have the gall to offer reimbursement only “if [the victims] report it promptly to us.”

Categories: All, Security News

Governments and the internet: they will regulate; they will over-regulate; and they will get it wrong

May 25, 2011

Eric Schmidt of Google has told governments not to be too hasty in regulating technology.

When asked about government regulation, Schmidt also said that technology moves so fast that governments really shouldn’t try to regulate it because it will change too fast, and any problem will be solved by technology. “We’ll move much faster than any government,” Schmidt said.
Eric Schmidt To World Leaders At eG8: Don’t Regulate Us, Or Else

He may have been talking about Google – but the argument applies to technology and the internet in general. And it’s a self-evident argument to anyone with half a brain cell. Sadly, governments are not that clever. They will regulate; they will over-regulate; and they will get it wrong.

Consider this:

The European Commission (EC) has today released its new Intellectual Property Rights Strategy (IPRS), which controversially requires UK and EU broadband providers to give their “cooperation” in helping to tackle internet copyright infringement (piracy) at source.
Europe Forces ISPs to Act as Internet Police for Copyright Infringement

Consider this:

The US Department of Homeland Security has gone on another round of domain seizures – its first since February this year – taking control of domains used by sites accused of copyright infringement and counterfeiting offences.
Homeland Security seizes more domains

Quite clearly, our brainless governments are bending over backwards to be the firearm of the IP rightsholders, regardless of the warnings they receive from the industry. Why? I think there are two reasons: money and control. Firstly, governments fear the loss of tax revenue from a faltering industry. And secondly, they welcome the control it gives them. Political control. If they can take down a site for copyright infringement, they will be able to take down a site for any old (political) reason.

And where does that leave us? Well, it’s going to turn a lot of us into criminals. Because as Eric Schmidt says, technology can move faster than governments. And as they legislate, we will evade. Not many of us are going to sit back and obey silly laws that are unfair, wrong and unenforceable.

Categories: All, General Rants, Politics

New zero-day cookiejacking attack against Internet Explorer

May 25, 2011

Rosario Valotta has published a new 0-day attack against all Internet Explorers on all Windows boxes. It’s a variant of cookiejacking; that is, stealing a victim’s cookies. If you can steal the cookies, you can steal the session key and access whatever the user is accessing.

Now I’m not qualified to give a technical comment on this attack. Others will do that soon enough. But what I do want to say is that Rosario’s attack still depends on social engineering. It still requires you to do something that, if you knew what it was, you wouldn’t. His technique involves a disguised ‘dragging’ process. The victim is led to believe he is dragging something innocuous, while in reality he is opening the door to his computer.

Rosario’s example includes a simple 4-piece jigsaw of an attractive lady, with the tag line: ‘Solve the jigsaw to watch Denise naked’.

[Image: the jigsaw puzzle – “Solve the jigsaw to watch Denise naked”]

That’s the social engineering. It looks pretty innocuous, and gives (the men among us) a reward at the end. But that’s the disguised dragging. Do it and you’re got.

[Image: the partly completed puzzle – “Nearly there. Nearly owned.”]

Sooner or later most 0-day attacks are patched. Like I said, I cannot comment on the technical detail of Rosario’s attack – but my point is that our defence against almost any attack is to avoid being socially engineered. It’s not easy. But the offer of naked pictures is invariably a trick.