I see the BBC is continuing its role as official propagandist for the UK government. A new article today describes the ‘cyber-attack’ threat to London’s Olympic ceremony. As usual, there is no substance to the story; just continued fear-mongering aimed at justifying GCHQ’s total surveillance programme. And just like this time last week its primary purpose is to advertise tonight’s episode of Under Attack – The Threat From Cyberspace on Radio 4. And just like last week I shall not be listening because I’ve heard it all before.
Bruce Schneier has put it right: the issue here is not one of privacy versus security (which is how governments present it), it is one of liberty versus control.
Over in the States the Obama administration has been equally active in mobilizing its own propaganda machine. Former FBI director Louis Freeh has been talking to the Associated Press, published in the New York Times yesterday, and reiterates his own version of the cybergeddon cyber Pearl Harbor. “You could manipulate transportation systems, aviation guidance systems, highway safety systems, maritime operations systems. You could shut down an energy system in the northeast U.S. in the middle of winter. The potential for mass destruction in terms of life and property is really only limited by (the attackers’) access and success in penetrating and hijacking these networks.”
This from the government that developed Stuxnet and attacked Iran. Yawn.
I want my privacy and I want my liberty; and I do not want government spending the money it takes from me in taxes to impose its version of security through its version of control over me.
When the UK government talks about ‘transparency’, it means being transparent with our data, not government behaviour. Transparency doesn’t mean telling the people what the government is doing, or providing proof to justify its actions – it means selling the personal information of ordinary people to the highest bidder.
And when it doesn’t have enough personal data it furtively sets about getting more. Like secretly collecting the private communications of everyone. Like planning a national DNA/ID database hidden within the National Health Service.
A year ago, the government asked “Stephan Shakespeare, Chair of the Data Strategy Board and CEO of YouGov, to look at our progress so far on opening up public data and set out his assessment of how the Government should best use PSI [public sector information] to support economic growth… Stephan consulted with leading industry experts, businesses and academics in the field as well as undertaking a comprehensive market assessment of PSI.”
But he didn’t talk to you and he didn’t talk to me. And ‘public sector information’ is our information not his, and not the government’s.
Here’s a flavour from Shakespeare’s report:
In our consultations, business has made clear that it is unwilling to invest in this field until there is more predictability in terms of supply of data. Therefore without greater clarity and commitment from government, we will fail to realise the growth opportunities from PSI.
It is important to note for such a strategy that the biggest prize is freeing the value of health, education, economic and public administrative data.
Quite clearly, without any consultation with the people, the government is being urged to be transparent with business on exactly what it is willing to sell; and that the most valuable data is our personal health records, our educational records, our economic status, and other information held about us by the local authority.
And the government’s response to this? One word:
This is government transparency – selling our privacy to the highest bidder. Are we really happy to just let this happen?
Back in April Google amended its Google Play developer policy. It was a simple addition: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”
Simple, but far-reaching. At a stroke, it eliminated the growing threat of ‘silent updates’ to Android apps. At the time, many people thought it was specifically aimed at arch display advertising rival, Facebook. It probably was.
Facebook had been secretly experimenting with silent updates to its new Facebook Home app. Once an app has been installed with acceptable and accepted permissions, it is able to update itself with new and expanded permissions secretly (silent updates); that is, without telling the user what was happening, or what new permissions were being enacted.
But by forcing those updates to go via the Play Store, Google is able to stop them being ‘silent’. Good job, really. Facebook’s Android app has been updated — but provided you got it from Play, it cannot update itself silently.
Sarah A. Downey, a lawyer and privacy strategist with Abine, did a simple blog: eighteen words and a graphic compilation of three screenshots:
Her comment: “Really, Facebook? Three screens of permissions? No thanks. We don’t have that kind of relationship.”
Says it all really. If Google hadn’t insisted on updates via Play, you might never know about it this update. And if you side-load an app — for example, straight from Facebook — you might still never know about it.
So, two lessons: get your apps from Play; and dump Facebook anyway.
Goodle (that is, the UK’s ICO) is friendly with Google. You can see that in its behaviour over Street View (the collection, inadvertent or otherwise, of personal wifi data while driving round the streets of the world). Germany fined Google over it. Goodle just said stop it, don’t do it again, and get rid of what you’ve got.
When Google didn’t get rid of it, Goodle had to get really tough, and say get rid of it now, because we really, really mean it this time!
But back to Article 29. Problematically, Goodle, it is one of six EU member states chosen to take enforcement action against Google. CNIL, the French regulator, has already completed its task. It has instructed Google in exactly what it must do to come into conformance with French laws. Google has three months to comply before CNIL levies a fine.
Spain is likely to be next. The Spanish regulator announced on Thursday that it has “found evidence of five serious privacy law breaches — each punishable with fines of up to 300,000 euros ($395,000).” (AFP) An enforcement notice with threats will likely follow shortly.
Germany is hardly likely to take a softer line – generally speaking it is tougher than most other EU nations on matters of personal privacy (some can remember Nazi Germany, and most can remember Stasi Germany).
Then we have Italy, the Netherlands, and of course Goodle. My bet is that Italy and the Netherlands do the same as France and Spain. But what then? What about the UK? What’s a good Goodle to do if all the other nations slap Google as hard as they can? It’s a difficult position for a loyal Google Poodle.
On Thursday, on Prism and Verizon, I warned, “We’ll just have to look very closely at the weasel words that will come from both sides of the Atlantic…” But I didn’t expect them to start so soon.
The EC’s Justice Commissioner Viviane Reding met the US Attorney General Eric Holder in Dublin on Thursday and Friday. Reding had some questions ‘on the collection of data from Verizon and about the PRISM programme’:
How do these affect EU citizens right? Are they aimed at EU citizens? What is the volume of the data collected? Do the programmes involve bulk collection of data or is the collection targeted? Do the programmes operate under proper oversight of the judiciary? Is the collection of EU citizens’ data authorised by a court?
And these were the answers:
First, on the Verizon question, the information I received today is that it is a U.S. project, directed mainly towards U.S. citizens. It is about metadata, not about content. It is about bulk, not about individuals. And it is based on court orders and congressional oversight.
So, she says, that’s all right then: “I consider that this is mainly an American question…” Let’s not forget that the EU’s own data protection office, the European Data Protection Supervisor Peter Hustinx has said that telephone metadata is personal information that should, presumably, be protected by European laws. Nor let us forget that this program does include Europeans when they are talking to an American – and since it is bulk, every time they are talking to an American.
Considering PRISM, she says:
It is about foreign intelligence threats.
PRISM is targeted at non-U.S. citizens under investigation on suspicion of terrorism and cybercrimes. So it is not about bulk data mining, but specific individuals or targeted groups. It is on the basis of a court order, of an American court, and of congressional oversight.
She doesn’t quite say ‘that’s alright then,’ but she is clearly reassured.
Should EU citizens – and anyone, anywhere, be reassured? Absolutely not. The words are ambiguous. I cannot see that specific mining from bulk data is any less worrying overall than ‘bulk data mining’.
But the real joke is that it is based, in both cases on court orders and congressional oversight. That court is a secret court using a secret interpretation of a draconian law. It is almost certainly unconstitutional, but it cannot be challenged because no-one knows what it is. But it would seem that provided it can be described as a ‘court’, that’s alright as far as Viviane Reding is concerned.
Once again, the people of the USA and Europe will need to take action themselves. This dragnet surveillance by the NSA under the aegis of a secret court is most decidedly not OK – and it is people power that will have to force our respective governments to do the right thing. First, of course, we need to see past the weasel words of weasel governments.
OK, that sadly won’t happen, despite the clearly illegal theft of personal information from millions of EU citizens. However, I am reassured by an EC Memo issued today by EU Justice Commissioner Viviane Reding. “The European Union and the United States will meet in Dublin on 13-14 June to discuss issues of common interest in the field of justice and home affairs.”
Vice-President Reding is also seeking clarifications as to whether and how United States authorities are accessing and processing the data of European Union citizens using major U.S. online service providers.
The European Commission remains concerned by the question of EU citizens’ personal data being accessed and processed by United States authorities using major U.S. online service providers. The European Commission seeks clarifications on this issue. The Commission maintains that if U.S. law enforcement authorities want to access data of EU citizens on servers of U.S. companies, this should happen though formal channels, notably through the Mutual Legal Assistance Agreement which is in force since 2010. Access through other means should be excluded unless in clearly defined, exceptional and judicially reviewable situations.
That’s pretty clear, blunt and straightforward. But what happens next? Will Holder stop? No. Can the EU do anything about it? No. So will Europe ban Google, Facebook, Microsoft et al? Attractive though that might sound, it’s not going to happen.
So whatever does happen, it’s going to be interesting. We’ll just have to look very closely at the weasel words that will come from both sides of the Atlantic, trying to reassure us that we have nothing to worry about while maintaining business as usual for government and the corporates.
The European Data Processing Supervisor has issued a statement on the NSA and PRISM:
The EDPS is following the NSA story closely and is concerned about the possible serious implications for the privacy and other fundamental rights of EU citizens.
We welcome the request by the Chairman of the Article 29 Working Party, Mr. Jacob Kohnstamm, on 7 June to the Commission to seek clarification of the facts as soon as possible.
We expect the issue will be discussed at the EU-US Summit this Friday.
We will continue to monitor the situation.
I think this should be read in conjunction with a beautifully savage shredding of a letter from the UK’s Chris Grayling to the European Commission demanding that the GDPR be slowed down and abandoned in favour of a weaker directive. Grayling included a copy of an ICO report that I suggested was confused and confusing in my report on Infosecurity Magazine. And, not surprisingly, Viviane Reding would have none of it and pointed out the inconsistencies and inaccuracies in Grayling’s logic.
Grayling’s inconsistency was inevitable. He had to pretend that the UK’s reluctance was based on economic grounds. This is palpable rubbish. The reality behind the UK position is ferocious lobbying by those same US corporations that are a part of the PRISM operation. A strong European data protection regulation will really throw the cat among the pigeons where GCHQ and NSA co-operation via PRISM is concerned.
You know I don’t like Europe. But just for once I have to say, rock on Viv!
In the UK we used to have this wonderful process called ‘stop and search’, which allowed the police to stop, search, and subsequently arrest a ‘suspected person’ without warrant. In 1984 it was repealed by the PACE Act. The police would no longer be allowed to stop and search someone because he looked Irish and was probably an IRA terrorist, nor a coloured person because he was black and obviously a gun-toting rapist. Instead, a constable in uniform would need to provide his name and his police station, the reason for the search, the legal justification for the search, and subsequently make a copy of the search form available for 12 months.
Why doesn’t this principle apply to the internet? In the UK, the government still has designs on getting the Communications Data Bill onto the statute books one way or another. This allows unwarranted search of all of our communications data – the who, what, where, when and how long of our communications. Based on who we speak to and where we go on the internet, the government will know if we’re gay when we have told no-one, pregnant before we tell our parents, ill (and possibly how) depending on which specialist we visit, whether we’re looking for a loan, our ethnic, political and sexual leanings, and a whole host of other deductions based on the who, what, where, when and how long of our communications.
That Bill has been stalled, not prevented, by the opposition of deputy prime minister Nick Clegg. But the reality is that it probably isn’t necessary. Edward Snowden – who should be lauded as a folk hero rather than condemned as a criminal – has leaked US documents showing firstly that the NSA already operates its own version of the Communications Data Bill as a secret enactment of a secret interpretation of a US law; and secondly that a second secret project (PRISM) provides NSA access to the servers of major corporations such as Google, Yahoo, Microsoft, Apple, Facebook and others. That access will include content as well as meta data. In both cases it will include data on UK citizens: meta phone data when speaking to someone in the US; and full content data whenever you have an account with any of the participating corporations.
Now, given the close relationship and standard exchange of data between the British intelligence services and the US secret services, it defies credibility that GCHQ and MI5 are unable to get whatever online information on UK citizens they want whenever they want it.
This afternoon in a ministerial statement in the House of Commons, home secretary William Hague gave out the most unbearable guff and waffle trying to say the British citizens have nothing to worry about. But British citizens have everything to worry about. He avoided saying that any attempt by MI5 to get data from the NSA would require judicial oversight, saying only that ministerial oversight was involved – the fox is in charge of the hen-house.
He stressed that British laws apply in the UK and US laws apply in the USA. He made no attempt to suggest that the US should not be collecting data on UK citizens, and gave no indication of whether any oversight at all is required if the NSA provides, unasked, personal data on UK citizens to the UK intelligence services.
It is, in effect, the return of the ‘sus law’ in a cyber guise. But this time we are all searched – not just the terrorist-looking Irishman (and Muslim today) and the obvious rapist black man but all of us. We are all assumed to be guilty and searched in order to find the proof to prove the suspicion. It is a total reversal of the ‘innocent until proven guilty’ premise of natural justice; and it applies directly to all UK and US citizens (and everyone else in the world who has an account with a US company).
Explaining his action, Edward Snowden said, “I can’t in good conscience allow the US government to destroy privacy, internet freedom and basic liberties for people around the world with this massive surveillance machine they’re secretly building.”
He deserves our support. It is time for us all to stand up and say “Shame on you, USA and UK. Shame on you for your deceit. Shame on you for criminalizing principled people who tell the truth. Shame on you for your lies. And shame on you for turning us all into suspects.” You are creating a society that is hardly worth defending against the real enemies. With you in power, they have already won.
The matter of fact way in which big companies seem to think they own and have a right to private and personal information about us is worrying. The following paragraph is lifted verbatim from a Juniper Research blog today:
The next step is to combine this with, say, healthcare data achieved through large-scale remote patient monitoring, to achieve a more accurate picture of the individual through knowledge of that individual’s peers. It may not be an exaggeration to say that we may be on the edge of a new era where individual circumstances are routinely informed through precise data analysis of a data “cloud”.
The DNA of Big Data
If you think, don’t worry, the new EU General Data Protection Regulation (GDPR) will keep our privacy safe, think again. On Friday Ross Anderson attended a GDPR lobbying meeting in London. He has thoughtfully published his notes in the Cambridge University Light Blue Touchpaper blog:
There were about 100 people present, of which only 5 were from civil society. Most were corporate lobbyists: good-looking, articulate and impressive, but pushing some jaw-dropping agendas. For example the lovely lady from the Association of British Insurers found it painful that the regulation might ban profiling that was unfair or discriminatory.
How Privacy is Lost
It’s worth reading in full – but I’m afraid it doesn’t get any better. And when you add the more direct lobbying of companies like Google and Facebook, I think we can confidently predict that the GDPR that emerges at the end – if it survives at all – is going to be vastly weaker than the one that started out last year.