Microsoft could either see the Schengen Cloud coming or was privy to politicians’ thoughts. In January this year it announced that it would allow European customers to keep their data on servers within Europe. This followed a blog by legal counsel Brad Smith in December 2013 that voiced concern over US surveillance:
And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.
Protecting customer data from government snooping
So when news broke in February that Germany’s Merkel and France’s Hollande were keen on developing a European cloud to protect the privacy of European citizens, Microsoft was in a strong position to say, hey, we’re already with you: European data will remain within Europe; Microsoft can be part of the European cloud. (That proposed cloud is now known as the Schengen Cloud. Since the UK has never joined the Schengen group it is a way of excluding the UK — and specifically GCHQ — from Europe’s cloud.)
But the reality is different. Privacy expert Alexander Hanff, CEO of Think Privacy Inc, said at the time: “Microsoft knows full well that it makes no difference whether the data is hosted in the US or not. They are a US corporation and therefore any data they hold is vulnerable to the US surveillance machine no matter where it is. It is clear from the announcement that Microsoft (as well as the rest of the cloud industry) is really concerned about losing revenues for cloud services and they know there is a strong movement within Europe (not least by the European Commission) to create infrastructure independent of the US and US tech giants.”
He called it right. Brad Smith had been true to his word and had challenged a US law enforcement demand for customer details held in Ireland. The unnamed LEA had demanded everything on the customer, including the content of emails, user’s contact lists, IP addresses and even bank details. Microsoft went to court. It argued that warrants could not be served overseas, and that the warrant should be negated.
On Friday, a US magistrate delivered his decision. He said that while the LEA demand was couched as a warrant, because it involved telecommunications it was to be enacted as a subpoena — and subpoenas can be enforced on overseas locations. Thus, as Hanff had predicted, it matters not where a US company stores its data, the PATRIOT Act can demand and enforce access to it.
In fairness, Microsoft seems to have expected this. It will appeal. Microsoft’s deputy general counsel David Howard blogged on Friday,
When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a U.S. district court judge and probably to a federal court of appeals. Today the Magistrate Judge, who originally issued the warrant in question, disagreed with our view and rejected our challenge. This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.
One step on the path to challenging search warrant jurisdiction
The stakes are high. If the US courts ultimately uphold law enforcement’s right to demand the data of European citizens held on European premises for all US companies, and if Europe proceeds with the Schengen Cloud, then Microsoft, Google, Facebook, Twitter and other US tech giants will simply be excluded from Europe. This will hurt the US economy. Firstly these companies will be excluded from one of the world’s most important markets, and secondly it will be a huge boost to the indigenous European tech industry — which will hurt the US economy even more.
The age-old social contract between people and governments has become corrupted. It should be that the people pay governments to protect them. But governments have decided that the best way to protect themselves is to control the people. And that is their driving motivation.
Occasionally the people fight back; and if they fight hard enough they seem to have a few victories — the first crypto wars, SOPA, ACTA, the Communications Data Bill and others. But the people never win and cannot win. Governments cannot be beaten — they can be changed, but it is always like-for-like. Compare the current UK Tory government with the previous Blair/Brown Labour government: there is no difference.
When the people seem to win a victory against government control, all that happens is that government feigns defeat and operates a tactical withdrawal. But it does not forgive and it does not forget. Later, it returns with a left hook, an uppercut or a simple sucker punch. It alters its arguments, it changes its dress, but it does not change its intent.
The first crypto wars were never won; government simply usurped the entire internet instead. ACTA was not abandoned, it was simply compartmentalised into the TPP and TTIP (both negotiated in more secrecy than ACTA) to make it easier to swallow in smaller bites. And the Data Communications Bill will simply return as the Data Communications Bill as soon as Cameron (or the next prime minister) can rid himself of or neutralize Nick Clegg.
So what of US moves to reign in NSA surveillance? History tells us not to expect it. And, indeed, both the EFF and the Cato Institute tell us not to believe it.
The first bill to actually hit the table is that proposed by the House Permanent Select Committee on Intelligence (HPSCI) — and the first warning comes from the EFF: “The bill only needs 17 lines to stop the calling records program, but it weighs in at more than 40 pages. Why?”
Because, says the EFF, “the ‘reform’ bill tries to create an entirely new government ‘authority’ to collect other electronic data.”
Julian Sanchez, writing in the Cato Institute, explains the new authority:
In order to preserve the capabilities of the current NSA telephony program, the HPSCI bill created a new and distinct authority, §503, that authorizes rapid collection of both telephony and electronic communications metadata under a process superficially somewhat similar to §702 of the FISA Amendments Act.
Under the Hood of the House Intel Committee’s NSA Reform Bill
To sum up, says Sanchez, the HPSCI bill’s seemingly broad prohibition on bulk collection turns out to be riddled with ambiguities and potential loopholes. Seems like the NSA puts backdoors into more than just cryptography.
While this would at least presumably put an end to the current dragnet collection of telephony metadata, it is not at all clear how seriously it would constrain the government’s bulk collection of records on the whole. In some respects, there is at least a colorable argument that the new authority could expand the scope of government collection in some respects. Given the government’s track record on this front, it is probably not excessively paranoid to suspect that any such loopholes and ambiguities are likely to be exploited.
Under the bill, the government might try to argue that the order can collect any type of record created as the result of any “electronic communication” as long as the communication is of an agent of a foreign power or someone in contact with the agent or foreign power. This is an incredibly broad standard.
An NSA “Reform Bill” of the Intelligence Community, Written by the Intelligence Community, and for the Intelligence Community
In short, government is doing precisely what history tells us it would. It is pretending to bow to the will of the people while actually increasing and enshrining in statute new and more extensive control capabilities.
When Bruce Schneier left the employ of BT, he finally got off the pot. His natural inclinations can now be seen. He still hasn’t criticised BT despite it being obvious that BT is no more innocent than any of the big American telecoms companies — but he told me (by email) at the time that he tried to avoid getting involved in foreign politics.
He hasn’t been 100% consistent in this. When Swedish journalists discovered Swedish involvement in the MITM NSA/GCHQ hacking program known as Quantum, he said, “Both Quantum and FoxAcid are NSA/GCHQ programs to attack computer users. The fact that Sweden is involved in these programs means that Sweden is involved in active attacks against internet users. It is not just passive monitoring. This is an active attack.”
One day we may yet hear what he knows about BT’s cooperation with GCHQ (Tempora et al).
In the meantime, he is now no longer backward in commenting on surveillance in general and the NSA in particular. An article in The Atlantic last week warns us not to listen uncritically to the protestations of either the NSA or the tech giants that now appear to be up in arms against this NSA hacking and surveillance.
The tech giants (Google, Facebook, Yahoo, Microsoft etcetera) all claim to be doing what they can to prevent further snooping. But they are not doing the one thing that would work — they are not encrypting user data on servers in a way that would be impossible for governments to demand the keys. And the reason they are not doing this is simply because the vendors and the governments both want the same thing — to be able to read our data.
The best we have are caveat-laden pseudo-assurances. At SXSW earlier this month, CEO Eric Schmidt tried to reassure the audience by saying that he was “pretty sure that information within Google is now safe from any government’s prying eyes.” A more accurate statement might be, “Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about. And, of course, we still have complete access to it all, and can sell it at will to whomever we want.”
Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong
The reality is that for so long as the vendors want access to our data, the governments will be able to demand it. Neither of that is changing; although both sides are trying to pretend it is.
Let’s all try a little experiment.
Index on Censorship warned today about what it calls ‘censorship by omission’ in the UK. The suggestion is not that the British are told what to think by the UK press, but that they are controlled over what they are allowed to think about. It suggests that serious news can be omitted from print while newspapers guide their readers to less important, or even old, news.
The British news spectrum was recently obsessed with Labour politicians Harriet Harman and Patricia Hewitt, who worked for the National Council for Civil Liberties (now ‘Liberty’) in the 1970s. That council granted affiliate status to the now-banned Paedophile Information Exchange (PIE). The Daily Mail made a huge splash about its PIE investigation in February, despite uncovering no new information. That paper alone had reported the same story in 1983, 2009, 2012 and 2013. Eventually the BBC, online world and print media all covered the controversy, meaning more worthy issues lost precedence.
British news blind spots: Omission and obscurity
The result, warns Index on Censorship, is a form of censorship by omission:
We’re denied investigation or campaigning on vital issues because nobody knows they exist.
So here’s our experiment. Let’s see over the next few days just how much coverage we get on the Snowden files released today by Der Spiegel. Quoted by Glenn Greenwald’s new publication, The Intercept, this includes:
One undated document shows how British GCHQ operatives hacked into the computer servers of the German satellite communications providers Stellar and Cetel, and also targeted IABG, a security contractor and communications equipment provider with close ties to the German government. The document outlines how GCHQ identified these companies’ employees and customers, making lists of emails that identified network engineers and chief executives. It also suggests that IABG’s networks may have been “looked at” by the NSA’s Network Analysis Center.
The ultimate aim of GCHQ was to obtain information that could help the spies infiltrate “teleport” satellites sold by these companies that send and receive data over the Internet. The document notes that GCHQ hoped to identify “access chokepoints” as part of a wider effort alongside partner spy agencies to “look at developing possible access opportunities” for surveillance.
In other words, infiltrating these companies was viewed as a means to an end for the British agents. Their ultimate targets were likely the customers. Cetel’s customers, for instance, include governments that use its communications systems to connect to the Internet in Africa and the Middle East. Stellar provides its communications systems to a diverse range of customers that could potentially be of interest to the spies – including multinational corporations, international organizations, refugee camps, and oil drilling platforms.
Der Spiegel: NSA Put Merkel on List of 122 Targeted Leaders
So let’s be very clear here. This is a direct accusation that GCHQ has been hacking into the telecommunications products of friendly companies in allied nations. Over the next few days it will be worth seeing just how much coverage this very major, very important story actually generates in the British mainstream press.
Here’s my prediction — and I genuinely hope I am proved very wrong: there will be serious coverage in the Guardian and Independent (read by very few who don’t already know that GCHQ is hack-crazy and law-breaking); some coverage in the Telegraph (read by hardly anyone); dismissive, brief coverage by the BBC; and preciously little else.
The brilliant Hawktalk blog has demonstrated how the UK government has airbrushed the Data Protection Act out of ‘national security’ issues. This leaves GCHQ free to conduct mass surveillance of British citizens (and who cares about foreigners anyway?) without any effective legal oversight — merely a nod and a wink from the government of the day.
The conclusion comes from an analysis of a data protection exemption certificate obtained under freedom of information laws and dating back to 2005 — now probably out of date but equally probably indicative of what is happening today (born out by similarities between an old TfL exemption certificate and a recent one issued by Theresa May).
There are eight data protection principles underpinning the Data Protection Act. Summarized by the Information Commissioners Office (the UK’s data protection regulator), these are that personal data should be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
In the certificate analysed by Hawktalk, principles 1, 2, and 8 are exempted. Furthermore, principles 3 and 5 are effectively nullified by the exemption to principle 8 — the data can simply be transferred to NSA databases outside of the ICO’s jurisdiction.
Hawktalk’s argument is that these principles are automatically suspended for any statutory body pursuing its statutory purposes. The implication of a certificate specifically issued to completely exempt that body (GCHQ) from any of the principles is that it (GCHQ) wishes to pursue the processing of personal data beyond its (GCHQ’s) statutory purpose — it simply does not need an additional exemption if it sticks to what it was designed to do (ie, national security). In other words, GCHQ wishes to collect and process personal data to an extent that is both beyond its legal remit and the strictures of national law.
GCHQ has become, quite literally, a law unto itself.
I see that Krebs is reporting a story titled, Bug Exposes IP Cameras, Baby Monitors. He writes,
The issue came to light on the company’s support forum after camera experts discovered that the Web interface for many Foscam cameras can be accessed simply by pressing “OK” in the dialog box when prompted for a username and password.
It reminded me of a true, personal experience. Some years ago my young son had two action-man-like toys that could communicate with each other. One morning he turned them on – but instead of me talking to man #1 via man #2, we both heard a baby crying.
It was surprising, and not a little worrying, until we heard a second voice; the soothing tones of a young lady comforting the baby. We recognized that second voice as belonging to a neighbour with a new baby living on the other side of the street.
The neighbours were both police officers. The temptation to listen into this covert communications surveillance was just a little offset by the distressing nature of a baby crying (parents will know what I mean), and perhaps a degree of moral rectitude. Still, I must admit I have often wondered what I might have learnt about local policing and local villains had I not crossed the road and told our neighbours about their new baby monitor.