Usually I like The Next Web. But this is a bit strange. It says that news reports give the wrong weight to something Google lawyers argue in a motion to dismiss a class action. TNW’s headline is, No, Google did not say that there is no privacy in Gmail.
Excuse me? That is, conceptually, exactly what Google said — and TNW proves it by reproducing the content:
Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979).
TNW misses off the legal reference, but then helpfully explains it. TNW then adds:
The same is true of email sent through an ECS provider…
So, TNW, I’m afraid you’ve got it wrong — that’s exactly what Google said, and exactly what Google meant.
Over the last few days numerous IT magazines have run a story about a surge in customers for Swiss hosting companies. For example, “Artmotion has witnessed a 45% growth in revenue amid this new demand for heightened privacy,” says Computer Weekly.
Most of these stories have come from, yes, a post-PRISM press release issued by Artmotion. “Artmotion, for example,” says the press release, “has witnessed 45 per cent growth in revenue amid this new demand for heightened privacy.”
Why are companies moving to Switzerland? Well, remember that we now live in post-Snowden enlightenment. “The desire for data privacy has therefore seen a surge in large corporations turning to Switzerland to take advantage of its privacy culture. Enterprises can host data in Switzerland clouds without fear of it being accessed by foreign governments,” says Computer Weekly.
“The desire for data privacy has therefore seen a surge in large corporations turning to ‘Silicon’ Switzerland to take advantage of the country’s renowned privacy culture. Here they can host data without fear of it being accessed by foreign governments,” says the press release.
Computer Weekly and the press release then both quote Mateo Meier, director at Artmotion:
Unlike the US or the rest of Europe, Switzerland offers many data security benefits. For instance, as the country is not a member of the EU, the only way to gain access to the data hosted within a Swiss Datacenter is if the company receives an official court order proving guilt or liability.
But my question is this: how do you get the data to Switzerland? Even if PRISM can’t get it when it’s there, Tempora will get it en route. And the NSA and GCHQ are in bed together in such an incestuous relationship that it would make a great movie (first available on The Pirate Bay).
That means that data in transit to and from the host will need to be encrypted (outside of the browser because we know we cannot trust either Google or Microsoft) in true and genuine end-to-end encryption. That won’t work for a traditional public-facing website.
What about a private cloud not open to the public? Still won’t work without encryption unless all of the users have a secure link to the server – and the only way to do that is with encryption.
What about secure back-up of company data? No, you still have to encrypt it to get it to and from the host securely.
So it doesn’t matter where you host your data, the only way it can be secure is if you encrypt it. But if you encrypt it, it doesn’t matter where you host it (provided of course the NSA/GCHQ doesn’t have a backdoor into the encryption itself).
I’m all in favour of Switzerland trying to make hay from the PRISM/Tempora fall out – but don’t assume that your data is safe just because of Swiss privacy laws. You need encryption, not geography, to be private.
I see the BBC is continuing its role as official propagandist for the UK government. A new article today describes the ‘cyber-attack’ threat to London’s Olympic ceremony. As usual, there is no substance to the story; just continued fear-mongering aimed at justifying GCHQ’s total surveillance programme. And just like this time last week its primary purpose is to advertise tonight’s episode of Under Attack – The Threat From Cyberspace on Radio 4. And just like last week I shall not be listening because I’ve heard it all before.
Bruce Schneier has put it right: the issue here is not one of privacy versus security (which is how governments present it), it is one of liberty versus control.
Over in the States the Obama administration has been equally active in mobilizing its own propaganda machine. Former FBI director Louis Freeh has been talking to the Associated Press, published in the New York Times yesterday, and reiterates his own version of the cybergeddon cyber Pearl Harbor. “You could manipulate transportation systems, aviation guidance systems, highway safety systems, maritime operations systems. You could shut down an energy system in the northeast U.S. in the middle of winter. The potential for mass destruction in terms of life and property is really only limited by (the attackers’) access and success in penetrating and hijacking these networks.”
This from the government that developed Stuxnet and attacked Iran. Yawn.
I want my privacy and I want my liberty; and I do not want government spending the money it takes from me in taxes to impose its version of security through its version of control over me.
When the UK government talks about ‘transparency’, it means being transparent with our data, not government behaviour. Transparency doesn’t mean telling the people what the government is doing, or providing proof to justify its actions – it means selling the personal information of ordinary people to the highest bidder.
And when it doesn’t have enough personal data it furtively sets about getting more. Like secretly collecting the private communications of everyone. Like planning a national DNA/ID database hidden within the National Health Service.
A year ago, the government asked “Stephan Shakespeare, Chair of the Data Strategy Board and CEO of YouGov, to look at our progress so far on opening up public data and set out his assessment of how the Government should best use PSI [public sector information] to support economic growth… Stephan consulted with leading industry experts, businesses and academics in the field as well as undertaking a comprehensive market assessment of PSI.”
But he didn’t talk to you and he didn’t talk to me. And ‘public sector information’ is our information not his, and not the government’s.
Here’s a flavour from Shakespeare’s report:
In our consultations, business has made clear that it is unwilling to invest in this field until there is more predictability in terms of supply of data. Therefore without greater clarity and commitment from government, we will fail to realise the growth opportunities from PSI.
It is important to note for such a strategy that the biggest prize is freeing the value of health, education, economic and public administrative data.
Quite clearly, without any consultation with the people, the government is being urged to be transparent with business on exactly what it is willing to sell; and that the most valuable data is our personal health records, our educational records, our economic status, and other information held about us by the local authority.
And the government’s response to this? One word:
This is government transparency – selling our privacy to the highest bidder. Are we really happy to just let this happen?
Back in April Google amended its Google Play developer policy. It was a simple addition: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”
Simple, but far-reaching. At a stroke, it eliminated the growing threat of ‘silent updates’ to Android apps. At the time, many people thought it was specifically aimed at arch display advertising rival, Facebook. It probably was.
Facebook had been secretly experimenting with silent updates to its new Facebook Home app. Once an app has been installed with acceptable and accepted permissions, it is able to update itself with new and expanded permissions secretly (silent updates); that is, without telling the user what was happening, or what new permissions were being enacted.
But by forcing those updates to go via the Play Store, Google is able to stop them being ‘silent’. Good job, really. Facebook’s Android app has been updated — but provided you got it from Play, it cannot update itself silently.
Sarah A. Downey, a lawyer and privacy strategist with Abine, did a simple blog: eighteen words and a graphic compilation of three screenshots:
Her comment: “Really, Facebook? Three screens of permissions? No thanks. We don’t have that kind of relationship.”
Says it all really. If Google hadn’t insisted on updates via Play, you might never know about it this update. And if you side-load an app — for example, straight from Facebook — you might still never know about it.
So, two lessons: get your apps from Play; and dump Facebook anyway.
Goodle (that is, the UK’s ICO) is friendly with Google. You can see that in its behaviour over Street View (the collection, inadvertent or otherwise, of personal wifi data while driving round the streets of the world). Germany fined Google over it. Goodle just said stop it, don’t do it again, and get rid of what you’ve got.
When Google didn’t get rid of it, Goodle had to get really tough, and say get rid of it now, because we really, really mean it this time!
But back to Article 29. Problematically, Goodle, it is one of six EU member states chosen to take enforcement action against Google. CNIL, the French regulator, has already completed its task. It has instructed Google in exactly what it must do to come into conformance with French laws. Google has three months to comply before CNIL levies a fine.
Spain is likely to be next. The Spanish regulator announced on Thursday that it has “found evidence of five serious privacy law breaches — each punishable with fines of up to 300,000 euros ($395,000).” (AFP) An enforcement notice with threats will likely follow shortly.
Germany is hardly likely to take a softer line – generally speaking it is tougher than most other EU nations on matters of personal privacy (some can remember Nazi Germany, and most can remember Stasi Germany).
Then we have Italy, the Netherlands, and of course Goodle. My bet is that Italy and the Netherlands do the same as France and Spain. But what then? What about the UK? What’s a good Goodle to do if all the other nations slap Google as hard as they can? It’s a difficult position for a loyal Google Poodle.
On Thursday, on Prism and Verizon, I warned, “We’ll just have to look very closely at the weasel words that will come from both sides of the Atlantic…” But I didn’t expect them to start so soon.
The EC’s Justice Commissioner Viviane Reding met the US Attorney General Eric Holder in Dublin on Thursday and Friday. Reding had some questions ‘on the collection of data from Verizon and about the PRISM programme’:
How do these affect EU citizens right? Are they aimed at EU citizens? What is the volume of the data collected? Do the programmes involve bulk collection of data or is the collection targeted? Do the programmes operate under proper oversight of the judiciary? Is the collection of EU citizens’ data authorised by a court?
And these were the answers:
First, on the Verizon question, the information I received today is that it is a U.S. project, directed mainly towards U.S. citizens. It is about metadata, not about content. It is about bulk, not about individuals. And it is based on court orders and congressional oversight.
So, she says, that’s all right then: “I consider that this is mainly an American question…” Let’s not forget that the EU’s own data protection office, the European Data Protection Supervisor Peter Hustinx has said that telephone metadata is personal information that should, presumably, be protected by European laws. Nor let us forget that this program does include Europeans when they are talking to an American – and since it is bulk, every time they are talking to an American.
Considering PRISM, she says:
It is about foreign intelligence threats.
PRISM is targeted at non-U.S. citizens under investigation on suspicion of terrorism and cybercrimes. So it is not about bulk data mining, but specific individuals or targeted groups. It is on the basis of a court order, of an American court, and of congressional oversight.
She doesn’t quite say ‘that’s alright then,’ but she is clearly reassured.
Should EU citizens – and anyone, anywhere, be reassured? Absolutely not. The words are ambiguous. I cannot see that specific mining from bulk data is any less worrying overall than ‘bulk data mining’.
But the real joke is that it is based, in both cases on court orders and congressional oversight. That court is a secret court using a secret interpretation of a draconian law. It is almost certainly unconstitutional, but it cannot be challenged because no-one knows what it is. But it would seem that provided it can be described as a ‘court’, that’s alright as far as Viviane Reding is concerned.
Once again, the people of the USA and Europe will need to take action themselves. This dragnet surveillance by the NSA under the aegis of a secret court is most decidedly not OK – and it is people power that will have to force our respective governments to do the right thing. First, of course, we need to see past the weasel words of weasel governments.
OK, that sadly won’t happen, despite the clearly illegal theft of personal information from millions of EU citizens. However, I am reassured by an EC Memo issued today by EU Justice Commissioner Viviane Reding. “The European Union and the United States will meet in Dublin on 13-14 June to discuss issues of common interest in the field of justice and home affairs.”
Vice-President Reding is also seeking clarifications as to whether and how United States authorities are accessing and processing the data of European Union citizens using major U.S. online service providers.
The European Commission remains concerned by the question of EU citizens’ personal data being accessed and processed by United States authorities using major U.S. online service providers. The European Commission seeks clarifications on this issue. The Commission maintains that if U.S. law enforcement authorities want to access data of EU citizens on servers of U.S. companies, this should happen though formal channels, notably through the Mutual Legal Assistance Agreement which is in force since 2010. Access through other means should be excluded unless in clearly defined, exceptional and judicially reviewable situations.
That’s pretty clear, blunt and straightforward. But what happens next? Will Holder stop? No. Can the EU do anything about it? No. So will Europe ban Google, Facebook, Microsoft et al? Attractive though that might sound, it’s not going to happen.
So whatever does happen, it’s going to be interesting. We’ll just have to look very closely at the weasel words that will come from both sides of the Atlantic, trying to reassure us that we have nothing to worry about while maintaining business as usual for government and the corporates.
The European Data Processing Supervisor has issued a statement on the NSA and PRISM:
The EDPS is following the NSA story closely and is concerned about the possible serious implications for the privacy and other fundamental rights of EU citizens.
We welcome the request by the Chairman of the Article 29 Working Party, Mr. Jacob Kohnstamm, on 7 June to the Commission to seek clarification of the facts as soon as possible.
We expect the issue will be discussed at the EU-US Summit this Friday.
We will continue to monitor the situation.
I think this should be read in conjunction with a beautifully savage shredding of a letter from the UK’s Chris Grayling to the European Commission demanding that the GDPR be slowed down and abandoned in favour of a weaker directive. Grayling included a copy of an ICO report that I suggested was confused and confusing in my report on Infosecurity Magazine. And, not surprisingly, Viviane Reding would have none of it and pointed out the inconsistencies and inaccuracies in Grayling’s logic.
Grayling’s inconsistency was inevitable. He had to pretend that the UK’s reluctance was based on economic grounds. This is palpable rubbish. The reality behind the UK position is ferocious lobbying by those same US corporations that are a part of the PRISM operation. A strong European data protection regulation will really throw the cat among the pigeons where GCHQ and NSA co-operation via PRISM is concerned.
You know I don’t like Europe. But just for once I have to say, rock on Viv!