The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.
Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.
To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.
But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention of safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.
Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.
FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?
Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion because the FTC has just taken enforcement action against 12 US companies for that very infringement.
Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations
So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules, which can be done via self-certification.
This is not the behaviour of a country that is taking Europe seriously.
Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.
Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)
Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.
Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)
Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.
So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.
I got this Skype message this morning from a much-loved and well-respected colleague:
Well it was news to me; so I asked what made him think that. He sent me a link; and that link led me to this:
And so it continues – I am mentioned 28 times on this page.
I quickly checked my emails to see if some rich aunt had passed over and left me a new website in her will; but all I could find were a few other opportunities:
…my name is Michael Smith and I want you to assist me received huge sum of (Ten Million Five Hundred Thousand United States Dollars) for Investment purpose in your country and am willing to offer you 40% of the total sum for your great support. You might also wonder how i got your contact, I got it through the internet when i was looking for a trust worthy person i can trust to handle this project.
(yes, there was my rich aunt in all her glory still very much alive), and this
…a woman with the name (Ms. Gail Jackson) Came to Our Office with an Application Stating That she is your sister and You Gave Her the Power Of Attorney to Be the Beneficiary of Your Outstanding Contract Award Funds. She Made Us To Believe That You Are Dead And That She Is Your Next Of Kin…
That last one was worth $5.6 million; but sadly it was mistaken identity – I’ve never had a sister.
The reality is probably less interesting. It’s probably a new site under development. The developer is using a privacy statement template, and where it says ‘enter your name’, he entered mine. Or maybe all of the variables are in a separate file and are merged automatically; but in this instance they’ve got out of sync.
Sadly, I do not have a new gig with wossname; and I have no idea how my name became so elevated. But it is gratifying, nevertheless…
The brilliant Hawktalk blog has demonstrated how the UK government has airbrushed the Data Protection Act out of ‘national security’ issues. This leaves GCHQ free to conduct mass surveillance of British citizens (and who cares about foreigners anyway?) without any effective legal oversight — merely a nod and a wink from the government of the day.
The conclusion comes from an analysis of a data protection exemption certificate obtained under freedom of information laws and dating back to 2005 — now probably out of date but equally probably indicative of what is happening today (borne out by similarities between an old TfL exemption certificate and a recent one issued by Theresa May).
There are eight data protection principles underpinning the Data Protection Act. Summarized by the Information Commissioner’s Office (the UK’s data protection regulator), these are that personal data should be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
In the certificate analysed by Hawktalk, principles 1, 2, and 8 are exempted. Furthermore, principles 3 and 5 are effectively nullified by the exemption to principle 8 — the data can simply be transferred to NSA databases outside of the ICO’s jurisdiction.
Hawktalk’s argument is that these principles are automatically suspended for any statutory body pursuing its statutory purposes. The implication of a certificate specifically issued to completely exempt that body (GCHQ) from any of the principles is that it (GCHQ) wishes to pursue the processing of personal data beyond its (GCHQ’s) statutory purpose — it simply does not need an additional exemption if it sticks to what it was designed to do (ie, national security). In other words, GCHQ wishes to collect and process personal data to an extent that is both beyond its legal remit and the strictures of national law.
GCHQ has become, quite literally, a law unto itself.
The home page for Google France from a few days ago. It’s been removed now; but just in case anyone missed it…
On The Day We Fight Back Against Mass Surveillance (sign here if you haven’t already done so) I took a moment to glance through the draft report prepared by the European Parliament’s civil liberties, justice and home affairs committee (LIBE) on mass surveillance. It will be voted on tomorrow (Wednesday 12 February). It shows that some of our politicians (you can bet that there are few British politicians included) actually do care about our privacy and civil liberties.
After many legalistic pages of having regard to this and whereas that, it gets to the meat. Here’s an example from among many similar paragraphs:
Condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of the press, thought and speech, as well as a significant potential for abuse of the information gathered against political adversaries; emphasises that these mass surveillance activities appear also to entail illegal actions by intelligence services and raise questions regarding the extra-territoriality of national laws;…
That’s paragraph 9, and the rest are in similar vein. Paragraph 14 says:
Strongly rejects the notion that these issues are purely a matter of national security and therefore the sole competence of Member States; recalls a recent ruling of the Court of Justice according to which ‘although it is for Member States to take the appropriate measures to ensure their internal and external security, the mere fact that a decision concerns State security cannot result in European Union law being inapplicable’; recalls further that the protection of the privacy of all EU citizens is at stake, as are the security and reliability of all EU communication networks; believes therefore that discussion and action at EU level is not only legitimate, but also a matter of EU autonomy and sovereignty;…
Then follow 98 paragraphs of recommendations on what to do about it. Basically, it is ‘stop it’, ‘don’t do it again’, and ‘introduce these measures to prevent it’. Lest our American friends – and the American people are our friends – think this is just US-bashing, I should point out that certain EU member states are also criticised. Obviously this is primarily the UK and GCHQ; but the intelligence services of Sweden, Germany and France are also included.
Finally, the report
Instructs its President to forward this resolution to the European Council, the Council, the Commission, the parliaments and governments of the Member States, national data protection authorities, the EDPS, eu-LISA, ENISA, the Fundamental Rights Agency, the Article 29 Working Party, the Council of Europe, the Congress of the United States of America, the US Administration, the President, the Government and the Parliament of the Federative Republic of Brazil, and the United Nations Secretary-General.
It won’t happen of course. And even if it does, it will get no further. It will very rapidly get buried in European bureaucracy, largely at the instigation of the UK and the other major European players who have more to lose than gain in allowing their own citizens the rights they were born with.
But I am greatly fortified by the fact that this report shows some European politicians really do care about privacy and liberty.
Last week the Daily Mail wrote:
Unless patients object, officials will start to extract confidential data from their files next month.
This is wrong. It’s talking about the UK government’s plans to extract all health records from our GPs and place them into a single central database which it will then sell to drug companies, insurance companies, academics and others. The Mail is wrong because it doesn’t matter whether you object or not. You cannot stop the collection and centralisation of your personal records.
All you can do is tell your GP that you do not wish to be identifiable from those records. You can do this at two levels: firstly, that you do not wish your identity to be associated with the records stored in the database; and secondly that you do not wish your identity to be associated with the records passed on to third parties (whose only possible purpose in buying this data is to increase their profits).
As far as I can gather — and remember that the government simply does not want us to understand what is going on — if requested by the patient, the system will seek to anonymise the data collected, and pseudoanonymise the data sold. How they will do this is not made clear.
Anonymisation is impossible. Big data makes it impossible. Even if every scrap of directly identifying information is removed (and I very much doubt that will happen) there is so much other data about all of us readily available that anyone with a few resources and determination will be able to identify us by collating the different bits. Drug companies and insurance companies have more than a few resources. This is not, as the government will tell us, a slight theoretical possibility, but a practical reality — and an inevitability.
As for pseudoanonymisation, that is a farce. It literally means slight anonymisation that can be reversed — and reversed it will be.
There’s another aspect. At the moment, if the police want our health records they can get them from our GPs with a warrant. They will no longer need a warrant. Backbench Tory MP David Davis asked the government (written question):
To ask the Secretary of State for Health whether any medical data will be extracted by care.data from GP-held records of patients who have objected to the use of their confidential information by others than those providing them with care.
Daniel Poulter, the Parliamentary Under-Secretary of State for Health, responded (written answer):
In terms of information which identifies a patient, NHS England’s “Better information means better care” leaflet sets out how people can ask their GP practice to note their objections, which will prevent confidential, identifiable data about them being used by the care.data programme, other than in a very limited number of exceptional circumstances.
As examples, existing public health legislation may require data to control the spread of specific infectious diseases or the police may require information about an individual patient when investigating serious crime. Decisions are made on a case-by-case basis and must balance legal requirements, the duty of confidentiality owed to the patient and the accepted public interest in a confidential health service, all against any benefits that may arise from the disclosure.
It is important to note that provisions in the Health and Social Care Act 2012 are designed to strengthen and clarify the role of the Health and Social Care Information Centre so that information can be collected, held securely and made readily available to those who need it in safe, de-identified formats, with crucial safeguards in place to protect the confidential data it holds.
The Health and Social Care Act 2012 is clear that
“information which identifies or enables identification of a person must not be published”.
Poulter’s response is as clear as mud. Note that there is no mention of opting out, merely objecting. But note also that the police ‘may require information about an individual patient’. To get to an individual means they must and can bypass all anonymisation and pseudoanonymisation instructions we give to our doctors.
This month, before March when the collection begins, I shall be doing a number of things:
- demand of my GP (in writing) that my records are collected without identifying information
- demand of my GP (in writing) that my records are not sold or given to third parties with any identifying information
- inform my GP that I forbid the uploading of any of my personal data to a central database, and invoke the European Data Protection directive in support
- write to my MP and explain my objections
- sign all and every petition I can find that objects to this government theft of my personal data (here are two: 38 degrees, and Epetitions)
Do no evil is best known today as a Google reference; but it occurs earlier in the Bible (2 Corinthians 13:7 King James):
Now I pray to God that ye do no evil; not that we should appear approved, but that ye should do that which is honest, though we be as reprobates.
Do as you would be done by is an immediately recognisable biblical reference (Matthew 7:12 King James):
Therefore all things whatsoever ye would that men should do to you, do ye even so to them: for this is the law and the prophets.
Google has claimed the former, but ignores the latter.
It recently removed two extensions from its Chrome webstore: Add to Feedly and Tweet this Page. This was a good thing. Although the extensions originally did what’s described on the tin, they had been bought by advertising companies of the worst sort. Those advertising companies subsequently slipped in, via automatic updates, adware engines.
Automatic updates are a double-edged sword. In the hands of a supplier you trust they can be a tremendous boon — security patches and software improvements just happen. But in the hands of a dubious firm, automatic updates are a troublesome problem. They can, and in the case of these two extensions did, covertly install all manner of things.
To get round the problem Google has changed its terms of service. In future, extensions will need to be clearly defined — the new terms state that extensions must have “a single purpose,” and be “narrow and easy-to-understand”. Adding a new function secretly, such as adware, clearly breaches these rules.
Google invoked these rules to remove the extensions. In general, however, the company says the new terms won’t be enforced widely until the summer. That implies there will then be some form of enforcement methodology — extension auditing, for example.
Again, this is a good thing. Google is saying that its users should know what the software they use actually does, and it should be easily understood, and their privacy should not be abused.
Which is more or less what the European Union is saying to Google itself. Two European data protection regulators (France and Spain) have already fined the company the maximum possible for breaking privacy laws. Four others (Germany, Italy, The Netherlands and the UK) have agreed that the privacy laws have been broken. Germany, Italy and The Netherlands are expected to levy fines. The UK is more likely to discover some weasel way to avoid fining Google (because of the UK’s traditional thrall to big business), but nevertheless holds Google in breach of the law.
Google is doing unto Europe what it won’t allow its app providers to do unto Google: confuse, break the rules and dissemble. It is clearly hoping and expecting that its sheer size will prevent Europe smacking it in the same way it smacked those that disobeyed its own rules. Here’s hoping…
Some time this month, if you live in Britain, you will receive a leaflet from the NHS. Its purpose is to persuade you that a new central database of all your health information (more or less everything your doctor knows about you, has said to you, has prescribed for you, or advised you on) held and operated by the government, is a good thing. It is not a good thing, and the leaflet does not tell you all you need to know about the database.
It is not a good thing.
Ross Anderson has provided an alternative leaflet providing more of the information that we should all be told. His leaflet provides a cut-out form that we can use to instruct our GP not to give any of our health data to the central database. We can do this. That’s the law. It’s in the Data Protection Act. If we do not do so, our health records will be uploaded automatically and we will not be able to get them removed. I suggest every Brit should read Anderson’s leaflet as well as the NHS leaflet; and I urge everyone to instruct their GP to block the upload.
Why do we need to object?
The data held will not be anonymised. It cannot be, because they want to marry our GP records with any records from hospital visits. That data will then be sold to third parties. The biggest buyers will be the pharmaceutical companies, either directly or disguised as research establishments or subcontracted to universities. By default, that data will not be anonymised.
They say we can insist on our own records being anonymised before sale. That is meaningless, irrelevant and impossible.
Raw medical records will not help in the development of new treatments or drugs. But it will help in targeting existing drugs. It will show relationships both geographically and socially between treatments and success or failure rates. It will, in short, enable the drug companies to target specific groups of patients or geographical areas with their existing drugs.
That will be the primary use of this database by the pharmaceutical companies – to locate targets and develop marketing strategies for their existing products.
Do not believe anything said to the contrary: this is what will happen.
If you are suffering from ‘shock fatigue’ (and who isn’t?) over the never-ending revelations on the extent and degree of NSA surveillance on all of us, then I can do no better than recommend you view NSA Files: Decoded – What the revelations mean for you. It is a single document that provides an overview of what we’ve learnt so far, and is interspersed throughout with brief videos on viewpoints from both sides of the fence.
If you are American, then you should be proud of the public debate that these revelations have prompted. If you are British, you should be worried about the lack of any public debate at all.
Britain’s spy agency GCHQ has secretly gained access to the network of cables which carry the world’s phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency (NSA)…
“It’s not just a US problem. The UK has a huge dog in this fight,” Snowden told the Guardian. “They [GCHQ] are worse than the US.”
Guardian, Friday 21 June 2013
But where is the public debate in the UK? It doesn’t exist.
To understand why, you have to consider the nature of the two countries. America was founded on a distrust of government (ironically, specifically the British government). Protection against government authority is built into the American Constitution. And to this day, Americans instinctively distrust big government.
Britain is different. Its democracy has grown slowly and peacefully over a thousand years. Brits instinctively believe that their government is good; Brits instinctively trust big government.
The result of Snowden’s revelations is that both governments are trying to justify their surveillance practices; but while the American government is on the defensive, the British government is decidedly offensive.
Meanwhile, in Britain, prime minister David Cameron accused the Guardian of damaging national security by publishing the revelations, warning that if it did not “demonstrate some social responsibility it would be very difficult for government to stand back and not to act”.
NSA Files: Decoded
Meanwhile, in Britain, government agents forced the physical destruction of the Guardian disks containing Snowden files:
The intelligence men stood over Johnson and Blishen [Guardian staff] as they went to work on the hard drives and memory chips with angle grinders and drills, pointing out the critical points on circuit boards to attack. They took pictures as the debris was swept up but took nothing away.
NSA files: why the Guardian in London destroyed hard drives of leaked files
Meanwhile, in Britain, Glenn Greenwald’s boyfriend David Miranda was detained at Heathrow for 9 hours and had his computer equipment confiscated because he was suspected of being a terrorist:
At the time I said that all the police had to do was justify the suspicion that Miranda was a terrorist as defined in the Terrorism Act; which would be easy.
Britain: the Miranda detention proves it is a police state in action
Meanwhile, in Britain, an emergency debate in Parliament did not discuss GCHQ overreach, but instead discussed the Guardian’s support for terrorists:
This debate, however, focuses on a narrower and darker issue: the responsibility of the editors of The Guardian for stepping beyond any reasonable definition of journalism into copying, trafficking and distributing files on British intelligence and GCHQ. That information not only endangers our national security but may identify personnel currently working in our intelligence services, risking their lives and those of their families.
Parliamentary debate: National Security (The Guardian)
Incidentally, Paul Flynn (a Labour MP) attempted a ‘point of order’:
On a point of order, Mr Caton. You are the guardian of the reputation of this debate, and so far it has demeaned Parliament’s reputation, because we have had two speeches that were written and read with no attempt to engage us in debate. This is McCarthyite scaremongering that disgraces Parliament.
Meanwhile, in Britain, the government’s pet poodle paper (The Daily Mail, if you hadn’t guessed) attacked the Guardian:
Stupendous arrogance: By risking lives, I say again, the Guardian is floundering far out of its depth in realms where no newspaper should venture…
Stephen Glover, 9 October 2013
Put quite simply, the British government has very successfully managed to turn attention away from its surveillance programmes and against, instead, the newspaper that exposed it. The message is irrelevant, it suggests — it is the messenger that should be shot.
It is time, I suggest, for the British people to understand that their government cares not a jot for the British people, nor for democracy, nor freedom, nor liberty. It cares more for secrecy; and demands to be left alone to carry on unchecked. It is time for Brits to learn to distrust their government.
That’s rubbish. Google said what it said – it’s there in black and white and they all quote it. It was said by lawyers, so of course they meant what they said. And how do you take a motion to dismiss a class action out of context?
The question is not what Google said, but why it said it. OK, here’s my layman’s take.
This is big. It’s not a court case that Google can afford to lose. If it did, it could potentially jeopardise the entire business model for Gmail. And without Gmail, where is Drive?
Google almost certainly will not lose this case. But the ‘what if…’ doesn’t bear contemplating. Google has to be absolutely certain of winning. And that’s where the invocation of the ‘third-party doctrine’ comes in. It’s the nuclear option defence.
Now the three Google apologists all say, wait a minute, Google is only talking about non-Gmail plaintiffs. So? It still cites the third-party doctrine – and show me where in the Smith v. Maryland ruling it says, “this ruling only applies to non-Gmail email users.”
But Google is being more clever than this. By invoking Smith v Maryland, Google is saying to the government, if you take me down, I’m taking you down as well. The government relies too much on this doctrine in its own surveillance practices to allow it to be overturned in a case against Google. So this statement by Google is a form of insurance to make sure it doesn’t lose the case.
What Google is saying very clearly is that users do not have a legal expectation of privacy and that it has the legal right to be a right bastard. The only bit where The Next Web, The Verge and TechDirt have got it right is that Google is not saying it is or will become a right bastard – only that legally it can.