Thursday, September 26, 2013

European Parliament LIBE hearing on mass surveillance Pt2

A more accurate title for this post might be Caspar Bowden's evidence to the European Parliament LIBE hearing on mass surveillance Pt2, since that's the focus. (Pt1 is here) The 63 minute video of Caspar's statement and subsequent Q&A is now available in full on YouTube courtesy of Henrik Alexandersson.

Moving to section 2.2.5 of his report on The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens' fundamental rights, Caspar notes that the collection of foreign intelligence information under the PRISM programme is based on the Patriot Act s215 power. This power is subject to originally classified "minimization" and "targeting" procedures, which were published in full by the Guardian on 20 June this year. These procedures provide no limitations or protections whatsoever for non-US nationals. As the report says,
One therefore suspects that US operational practice places no limitations on exploiting or intruding a non-US person's privacy, if the broad definitions of foreign intelligence information are met.
Moreover, in a May 2012 letter to the Congress intelligence review committees, the government states that:
Because NSA has already made a "foreignness" determination for these selectors in accordance with its FISC-approved targeting procedures, FBI's targeting role differs from that of NSA. FBI is not required to second-guess NSA's targeting determinations...
The versions of the targeting procedures released are generic, but the American Civil Liberties Union (ACLU) obtained redacted copies of slides related to FBI staff training that referred specifically to FISAAA for counter-terrorism purposes. The letter continues:
Once acquired, all communications are routed to NSA. NSA also can designate the communications from specified selectors acquired through PRISM collection to be "dual-routed" to other Intelligence Community elements. (emphasis added)
(Note: FISAAA is the Foreign Intelligence Surveillance Act Amendments Act 2008. s1881 of FISAAA was incorporated into the Foreign Intelligence Surveillance Act as s702.)

If data flowing to the NSA is adjudged to be 50% likely to be associated with foreigners, it is fair game. (The "targeting procedures" say analysts may only proceed to use data under the FISA s702 power if there is more than a 50% likelihood that the target is not American and is located outside the US.) All of this data, i.e. data not filtered out as American only, is then available to the CIA, amongst others of the sixteen US intelligence community agencies.

We don't know the scope of intelligence agency data Edward Snowden had access to, but it is unlikely he had access to all of the intelligence agencies' compartmentalised information exploitation guidelines. It is highly significant, however, that each of these agencies can have their own copies of the 50% non-American data flowing from the NSA electronic fire hose.

Meanwhile on the EU side of the pond, our general approach to data protection and control of data flows to the US exhibits all the features of EU regulators being asleep at the wheel (section 2.3). That's the case whether we are talking about the EU-US "safe harbour" provisions, Binding Corporate Rules (BCRs) for processors or cloud computing. One of the central issues in the whole report is that there are enormous loopholes in these supposed privacy safeguards for EU citizens. Caspar accused EU Commission officials of knowingly or unknowingly permitting or designing these loopholes into the text of the regulations. Get-out clauses typically include terms like "national security" (that old catch-all) and "a legally binding request", and give the US government and US commerce a blanket licence to collect, process, store, copy and analyse any and all EU data they can get their hands on. "A legally binding request", for example, will include the all-encompassing "foreign intelligence information" net, which in turn includes any data of assistance to US foreign policy, not least expressly political surveillance over the ordinary lawful democratic activity of citizens of EU countries.

Caspar strongly suggests it is the duty of the LIBE committee to investigate the 10 or more years of incompetence and/or complicity of the Commission in creating instruments supposed/believed/claimed to protect the privacy of EU citizens but in practice undermining it. He wants Commission papers thoroughly scoured to analyse who made the key decisions, whether they were made in good faith, and whether it was bungling, ineptitude or complicity that led to the prevailing state of affairs where EU privacy is wide open to US abuse. He reckons he delves into this criticism a bit more, with less restraint, in the report. Whilst it's true he does go into more detail there, I'm not sure he is quite so blunt about the failure of the Commission in their duty of care to protect the privacy of the citizens they are supposed to represent.

He then moves on to the recommendations. In the summer of 2013 it became known that the EU Commission had dropped provisions in proposed new data protection regulations that would block the kind of data hoovering that the NSA are doing. The deletion of what would have been article 42 of the regulations was reportedly due to diplomatic pressure coming from the US government. (This is also covered in section 3.2 of the report.) You can read article 42 in a draft version of the regulations leaked towards the end of 2011 (p69). Caspar makes his recommendations conscious of the fact that there is talk of re-instating article 42. But as things stand now, EU citizens are placing their data in jeopardy by using US services and websites.

The 1995 data protection directive 95/46 already requires that the basis of processing is consent and that must be informed consent - informed of all relevant risks. Under directive 95/46 EU citizens should be informed of the fact that if they use a US web server their data is going to be subject to political surveillance by the US intelligence communities. So he recommends:
- Prominent notices should be displayed by every US web site offering services in the EU to inform consent to collect data from EU citizens. The users should be made aware that the data may be subject to surveillance (under FISA 702) by the US government for any purpose which furthers US foreign policy. A consent requirement will raise EU citizen awareness...
- Since the other main mechanisms for data export (model contracts, Safe Harbour) are not protective against FISA or PATRIOT, they should be revoked and re-negotiated...
There simply is no case for allowing data transfers from the EU to the US under model contracts or safe harbour. He recognises disengaging these is a very serious matter and that it will have to be done in a phased and strategic way but it must be done. In addition, thinking strategically, 
- A full industrial policy for development of an autonomous European Cloud computing capacity based on free/open-source software should be supported. Such a policy would reduce US control over the high end of the Cloud e-commerce value chain and EU online advertising markets. Currently European data is exposed to commercial manipulation, foreign intelligence surveillance and industrial espionage. Investments in a European Cloud will bring economic benefits as well as providing the foundation for durable data sovereignty.
In relation to this EU cloud infrastructure, when the forthcoming report on Sigint (signals intelligence) in the EU gets published, some member states may find themselves in a problematic position. Cryptically, Caspar then said he would say no more about that.

On the potential re-instatement of article 42 in the new data protection regulations (section 3.2 of the report) he is of the opinion that it does not go far enough. The CEO of Yahoo! recently said she could have been jailed for 10 years if she'd said more about government coercion under s702 powers. Depending on how, and by whom, the law is interpreted, the penalty could be up to 30 years in jail or conceivably even the death penalty. The latter is unlikely but is part of US law.

By comparison, Article 42 would create a conflict of law where the penalty on the EU side is a 2% fine. From Caspar's experience of working for Microsoft, this is not going to work. Tiny proportionate penalties in the EU compared to more severe punishment in the US mean that data controllers & processors will always take the smaller risk in the EU and comply with US government coercion.

So a re-instated Article 42 should make non-compliance at the very least a serious criminal offence.

As article 42 is currently structured, member states have complete discretion to set penalties. This won't work. Nor will the imposition of fines. The biggest fine the EU has ever dished out was $1 billion relating to Microsoft's anti-competitive practices in local area networks. Microsoft's profits over the 10 year operation of that monopoly were about $20 billion, and that's a conservative estimate. The Microsoft lawyer who "lost" the case got promoted. A fine level of 20% of global revenue may be needed to persuade such corporations to take Article 42 compliance seriously. That might sound extraordinary, but such large economic actors actually factor $1 billion fines into their corporate strategies as acceptable write-offs/losses.

The final point he wanted to emphasise before taking questions was in relation to BULLRUN, the NSA project to subvert cryptographic security -
Even after BULLRUN, cryptography is probably intact in theory, however it is not known which encryption implementations and products may have been rendered insecure. Therefore consideration should be given to extending the scope of 'Art.42' also to cover vendors of systems/products (as well as Controllers/Processors) in EU markets. Existing encryption security product accreditations, especially if influenced by NSA or GCHQ, must be regarded as suspect.
So if vendors of security products are coerced by the NSA into building back doors into their systems, even if they are not processing personal data, there should be a requirement for them to tell the EU about the backdoor. This would create a further conflict of law and further jeopardy and penalties for those companies that choose to comply with US rather than EU law. Again, the sanctions for non-compliance have to be proportionately as severe as, or more severe than, those they would face in the US.

At that point he opened the session to the floor for a Q&A which ran for a further 40 minutes or so. Well done Mr Bowden on an impressive performance.

The Brazilian President, H.E. Dilma Rousseff, lambasted the US mass surveillance practices with her opening speech at the UN General Assembly in New York on Tuesday, September 24, 2013, just as President Obama was due to step on the same platform in her wake. That same day the EU Parliament held this whole day hearing criticising the US for those same practices (full videos of the morning and afternoon sessions are available via the Parliament website).

A day to remember for privacy advocates. Will it also prove to be a small step forward in reining in the excesses of the digital surveillance state, or just get lost in the noise of history and our mass electronic data addicted society?
