Friday, September 27, 2013

Alas medical confidentiality in the UK, we knew it well...

The UK government's disastrous plan to extract all our personal medical data from GP surgery systems and dump it in a, to say the least, inadequately controlled central database, has hit a speed bump. It seems that the Information Commissioner's Office has decided to inform NHS England that they have not given GPs enough time to hand over the data legally.

Don't get me wrong. The ICO has no intention of blocking this government induced systemic national kneecapping of the Hippocratic oath and the principle of medical confidentiality. They merely want to give GPs more time to let people know it is happening. The government previously refused to fund a publicity campaign explaining they were collecting all UK electronic medical data into one big pot (or actually in practice several big central pots). NHS England did send GPs some posters and leaflets for display in surgeries though.

I'm being a little hard on the ICO here since, in fairness, the Commissioner's power to actually do anything about all this is limited by the way Part 9 of the 2012 Health and Social Care Act, which came into force in April 2013, has been written, and additionally by the 'get out of medical confidentiality free card' provided by Section 251 of the National Health Service Act 2006.

There are several aspects of this I've been tempted to rant about here for many months - in particular the misleading, false and/or delusional claims on the part of politicians that the data will be anonymised - but I've just had a terrific email from Terri Dowty at medConfidential who sums the situation up better than I could and I'm sure she won't mind me sharing it with you in full:
"Information that you share with your GP is about to be extracted from surgery records and stored on a centralised NHS system with your identifying details still attached. From there, it will be made available for administrative, research and other purposes. The government has claimed that your records will be ‘anonymised’ before they are handed over to anyone else, but this is not true. There are several circumstances in which data that identifies patients will be made available.

Once your information has been uploaded, neither you nor your GP will have any control over who it is shared with, who has access or what is done with it. You will not be consulted, nor will you be asked for consent. Uploads will take place automatically every month.

When you next visit your GP, you may see a small poster headed ‘how information about you helps us to provide better care’. This is how the NHS is explaining its plans to you and it is very misleading. It does not give you full details of the information that will be collected, and it claims that information will not identify you.

Further down the poster you will see the words ‘you have a choice’. What this actually means is: if you do not want personal and confidential information to be taken from your medical record every month, the onus is on you to opt out of the scheme. If you don’t do so, it will be assumed that you consent to the extraction.

You can download an opt-out letter to complete and send to your GP from the medConfidential website:
http://medconfidential.org/how-to-opt-out/
You will also find more detailed information about the scheme – known as ‘care.data’ – on the medConfidential website.

Please tell all of your friends, family and colleagues about this scheme, or forward this email to them. It is very important that everyone knows they must take action if they don’t want their information to leave their GP’s surgery."
The government's plan, if you can call it that, is that data will be made available to researchers in universities, hospitals and commercial organisations. There is now even a Health & Social Care Information Centre (HSCIC) data access and extraction price list. NHS England's chief data officer, Geraint Lewis, has however reportedly suggested that the cost of access to the expanded HSCIC data sets should be reduced from around £30,000 to a nominal £1.

I'd highly recommend you find 20 minutes in the next few days and read Terri Dowty's and Phil Booth's outline at medConfidential of the rather complex story at play here. It's yet another one of those government giant-database-cure-for-all-ills stories. Another information system disaster in the making. Another careless metaphorical bullet through the head of a crucial societal value, this time medical confidentiality.

Thursday, September 26, 2013

European Parliament LIBE hearing on mass surveillance Pt2

A more accurate title for this post might be Caspar Bowden's evidence to the European Parliament LIBE hearing on mass surveillance Pt2, since that's the focus. (Pt1 is here) The 63 minute video of Caspar's statement and subsequent Q&A is now available in full on YouTube courtesy of Henrik Alexandersson.



Moving to section 2.2.5 of his report on The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens' fundamental rights, Caspar notes that the collection of foreign intelligence information under the PRISM programme is based on the FISA s702 power. This power is subject to originally classified "minimization" and "targeting" procedures, which were published in full by the Guardian on 20 June this year. These procedures provide no limitations or protections whatsoever for non-US nationals. As the report says,
One therefore suspects that US operational practice places no limitations on exploiting or intruding a non-US person's privacy, if the broad definitions of foreign intelligence information are met.
Moreover in a May 2012 letter to the Congress intelligence review committees the government states that:
Because NSA has already made a "foreignness" determination for these selectors in accordance with its FISC-approved targeting procedures, FBI's targeting role differs from that of NSA. FBI is not required to second-guess NSA's targeting determinations...
The versions of the targeting procedures released are generic, but the American Civil Liberties Union (ACLU) obtained redacted copies of slides related to FBI staff training that referred specifically to FISAAA for counter-terrorism purposes. The letter continues:
Once acquired, all communications are routed to NSA. NSA also can designate the communications from specified selectors acquired through PRISM collection to be "dual-routed" to other Intelligence Community elements. (emphasis added)
(Note FISAAA is the Foreign Intelligence Surveillance Act Amendments Act 2008. s1881 of FISAAA was incorporated into the Foreign Intelligence Surveillance Act as s702)

If data flowing to the NSA is adjudged to be more than 50% likely to be associated with foreigners, it is fair game. (The "targeting procedures" say analysts may only proceed to use data under the FISA s702 power if there is more than a 50% likelihood that the target is not American and is located outside the US.) All of this data, i.e. data not filtered out as American only, is then available to the CIA and the other members of the sixteen-agency US intelligence community.

We don't know the scope of intelligence agency data Edward Snowden had access to, but it is unlikely he had access to all of the intelligence agencies' compartmentalised information exploitation guidelines. It is highly significant, however, that each of these agencies can have their own copies of the "more than 50% non-American" data flowing from the NSA electronic fire hose.

Meanwhile on the EU side of the pond our general approach to data protection and control of data flows to the US exhibits all the features of EU regulators being asleep at the wheel (section 2.3). That's the case whether we are talking about the EU-US "safe harbour" provisions, Binding Corporate Rules (BCRs) for processors or cloud computing. One of the central issues in the whole report is that there are enormous loopholes in these supposed privacy safeguards for EU citizens. Caspar accused EU Commission officials of knowingly or unknowingly permitting or designing these loopholes into the text of the regulations. Get-out clauses typically include terms like "national security" (that old catch-all) and "a legally binding request", and give the US government and US commerce a blanket licence to collect, process, store, copy and analyse any and all EU data they can get their hands on. "A legally binding request", for example, will include the all-encompassing "foreign intelligence information" net, which in turn includes any data of assistance to US foreign policy, not least expressly political surveillance over the ordinary lawful democratic activity of citizens of EU countries.

Caspar strongly suggests it is the duty of the LIBE committee to investigate the 10 years or more of incompetence and/or complicity of the Commission in creating instruments supposed/believed/claimed to protect the privacy of EU citizens but in practice undermining it. He wants Commission papers thoroughly scoured to analyse who made the key decisions, whether they were made in good faith, and whether it was bungling, ineptitude or complicity that led to the prevailing state of affairs where EU privacy is wide open to US abuse. He reckons he delves into this criticism a bit more, with less restraint, in the report. Whilst it's true he does go into more detail there, I'm not sure he is quite so blunt about the failure of the Commission in its duty of care to protect the privacy of the citizens it is supposed to represent.

He then moves on to the recommendations. In the summer of 2013 it became known that the EU Commission had dropped provisions in the proposed new data protection regulations that would block the kind of data hoovering that the NSA are doing. The deletion of what would have been article 42 of the regulations was reportedly due to diplomatic pressure from the US government. (This is also covered in section 3.2 of the report.) You can read article 42 in a draft version of the regulations leaked towards the end of 2011 (p69). Caspar makes his recommendations conscious of the fact that there is talk of re-instating article 42. But as things stand now, EU citizens are placing their data in jeopardy by using US services and websites.

The 1995 data protection directive 95/46 already requires that the basis of processing is consent and that must be informed consent - informed of all relevant risks. Under directive 95/46 EU citizens should be informed of the fact that if they use a US web server their data is going to be subject to political surveillance by the US intelligence communities. So he recommends:
- Prominent notices should be displayed by every US web site offering services in the EU to inform consent to collect data from EU citizens. The users should be made aware that the data may be subject to surveillance (under FISA 702) by the US government for any purpose which furthers US foreign policy. A consent requirement will raise EU citizen awareness...
- Since the other main mechanisms for data export (model contracts, Safe Harbour) are not protective against FISA or PATRIOT, they should be revoked and re-negotiated...
There simply is no case for allowing data transfers from the EU to the US under model contracts or safe harbour. He recognises disengaging these is a very serious matter and that it will have to be done in a phased and strategic way but it must be done. In addition, thinking strategically, 
- A full industrial policy for development of an autonomous European Cloud computing capacity based on free/open - source software should be supported. Such a policy would reduce US control over the high end of the Cloud e-commerce value chain and EU online advertising markets. Currently European data is exposed to commercial manipulation, foreign intelligence surveillance and industrial espionage. Investments in a European Cloud will bring economic benefits as well as providing the foundation for durable data sovereignty.
In relation to this EU cloud infrastructure, when the forthcoming report on Sigint (signals intelligence) in the EU gets published some member states may find themselves in a problematic position. Cryptically, Caspar then said he would say no more about that.

On the potential re-instatement of article 42 in the new data protection regulations (section 3.2 of the report) he is of the opinion that it does not go far enough. The CEO of Yahoo! recently said she could have been jailed for 10 years if she'd said more about government coercion under s702 powers. Depending on who interprets the law, and how, the penalty could be up to 30 years in jail or conceivably even the death penalty. The latter is unlikely but is part of US law.

By comparison Article 42 would create a conflict of law where the penalty on the EU side is a 2% fine. From Caspar's experience of working for Microsoft this is not going to work. Tiny proportionate penalties in the EU compared to more severe punishment in the US means the data controllers & processors will always take the smaller risk in the EU and comply with US government coercion.

So a re-instated Article 42 should make non compliance at the very least a serious criminal offence.

At the moment the way article 42 is structured there is complete discretion for member states to set penalties. This won't work. Also the imposition of fines won't work. The biggest fine the EU has ever dished out was $1 billion relating to Microsoft's anti-competitive practices in local area networks. Microsoft's profits over the 10 year operation of that monopoly were about $20 billion and that's a conservative estimate. The Microsoft lawyer who "lost" the case got promoted. A fine level of 20% of global revenue may be needed to persuade such corporations to take Article 42 compliance seriously. That might sound extraordinary but such large economic actors actually factor $1 billion fines into their corporate strategies as acceptable write-offs/losses.

The final point he wanted to emphasise before taking questions was in relation to BULLRUN, the NSA project to subvert cryptographic security -
Even after BULLRUN, cryptography is probably intact in theory, however it is not known which encryption implementations and products may have been rendered insecure. Therefore consideration should be given to extending the scope of 'Art.42' also to cover vendors of systems/products (as well as Controllers/Processors) in EU markets. Existing encryption security product accreditations, especially if influenced by NSA or GCHQ, must be regarded as suspect.
So if vendors of security products are coerced by the NSA to build back doors into their systems, even if they are not processing personal data, there should be a requirement for them to tell the EU about the backdoor. This would create a further conflict of law and further jeopardy and penalties for those companies that choose to comply with US rather than EU law. Again the sanctions have to be proportionately as severe or more so for non compliance as they would be in the US.

At that point he opened the session to the floor for a Q&A which ran for a further 40 minutes or so. Well done Mr Bowden on an impressive performance.

The Brazilian President, H.E. Dilma Rousseff, lambasted the US mass surveillance practices with her opening speech at the UN General Assembly in New York on Tuesday, September 24, 2013, just as President Obama was due to step on the same platform in her wake. That same day the EU Parliament held this whole day hearing criticising the US for those same practices (full videos of the morning and afternoon sessions are available via the Parliament website).

A day to remember for privacy advocates. Will it also prove to be a small step forward in reining in the excesses of the digital surveillance state, or just get lost in the noise of history and our mass electronic data addicted society?

Wednesday, September 25, 2013

European Parliament LIBE hearing on mass surveillance Pt1

The EU Parliament LIBE Committee held their Inquiry on Electronic Mass Surveillance of EU Citizens yesterday. Full videos of the morning and afternoon sessions are available via the Parliament website. Some short extracts from the morning session -



Some short extracts from Caspar Bowden's evidence in the final session of the day -



Caspar's statement is really worth watching in full. It's only about 22 minutes but it's pretty impressive how much information he can pack into that time. He gets introduced by Dutch MEP Sophie in 't Veld at 17:07:04. Amusingly but emphatically he declines her invitation to introduce or provide a short overview of his report on The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens' fundamental rights for the Parliament's Policy Department for Citizens' Rights and Constitutional Affairs. Caspar prefers to take a forensic approach, assuming MEPs have read the report (or will do at their leisure at some point) but highlighting some of the detail they may have missed the significance of (or might do when they read it). The scope of the report is limited to the US and the NSA.

There is a widely held view that the collection of data is less important than its use. Caspar disagrees. Now that Edward Snowden's revelations are public we know we are being watched and as a result are likely to change our behaviour. It's the Heisenberg principle at a societal scale: you cannot monitor/measure/surveil without influencing those under surveillance. This poisonous mass surveillance has been going on for perhaps over 10 years and creates profoundly dangerous destabilising factors in a democracy.

We have never had disclosures on the scale we have seen from Snowden.

[Note In his statement Caspar refers to page numbers of his report in his evidence which are slightly out of sync with the copy I've read and link to on the parliament website. I'll use the numbers from the linked version if I refer to page numbers.]

The first theme in the report he draws attention to is the competing models of privacy governance in the EU and US. This is fundamental and often overlooked. From the long term perspective the underlying principle of EU data protection law is rather odd since it removes the key power to control their personal data from the individual. Once data is submitted to a government or private sector system the individual can no longer object when that data is copied - if it's copied to thousands of machines in that organisation or to a thousand other organisations or other legal regimes. The data protection system assumption is that if the right legal boxes are ticked, the individual must put up and shut up.

Yet every time data is copied from one system to another, privacy risk is increased. It never decreases. With every copy the risk that something bad will happen to that data goes up and the risk that something bad will happen to the person connected to that data likewise increases.

So EU data protection law disables individual control of personal data and the Snowden revelations should make us question this unsound regulatory foundation of privacy protection.

The next section of the report he picks is on the XKeyscore system. From the report:
The XKeyscore system was described in slides (dated 2008) published by The Guardian on the 31st of July. It is an "exploitation system/analytic framework", which enables searching a "3 day rolling buffer" of "full take" data stored at 150 global sites on 700 database servers. The system integrates data collected from US embassy sites, foreign satellite and microwave transmissions (i.e. the system formerly known as ECHELON), and the "upstream" sources above.
The system indexes e - mail addresses, file names, IP addresses and port numbers, cookies, webmail and chat usernames and buddylists, phone numbers, and metadata from web browsing sessions (including words typed into search engines and locations visited on Google Maps). The distinctive advantage of the system is that it enables an analyst to discover “strong selectors” (search parameters which identify or can be used to extract data precisely about a target), and to look for “anomalous events” such as someone “using encryption” or “searching for suspicious stuff”
When you stop to think about this immense surveillance power you realise it goes beyond even George Orwell's imagination. Data can be extracted retrospectively in time, so it gives an analyst a time machine. So without any prior suspicion about an individual it is possible to go back and examine behaviour and conduct of anybody in the world, except Americans, to a limited degree. Not only is it a facility for officials to engage in fishing expeditions it is an irresistible (and most likely official) compulsion.

The next point of interest in the report is BULLRUN (page 16), the codename for the NSA programme to break into widely used encryption systems. Not exclusively by mathematical means but also via side channel attacks - electronic emanations from computers through which keys can be reconstructed - and also through co-opting manufacturers of security equipment. BULLRUN has created the most shock amongst the technology security community of all the Snowden leaks.  All over the world security experts are trying to guess what is vulnerable and re-key/re-grade those systems. But they are working in the dark.

From Caspar's conversations with journalists and experts who have seen some of the Snowden material it appears unlikely that there will emerge much more specific detail about what exactly is vulnerable and what is not. That leaves us with the problem that a large number of systems we thought were secure may not be so and we don't know how to find out which ones are compromised.

He then moved on to the FISA definition of "foreign intelligence information", which is incredibly broad. Caspar describes "foreign intelligence information", poetically, as "the core term of art" underlying the NSA PRISM mass electronic surveillance programme. It is first defined in the original FISA in 1978, but the parts of the definition that are pertinent to this discussion have not changed since then.

To get to the definition you have to substitute in 2 levels of definition (from related statutes) in what is a complex formulation. (Just an aside - it is really irritating when regulators do this, leading to the byzantine searching of loosely connected laws, with multiple clauses referring to multiple other clauses, when you just want a clear notion of what the law actually is). From the report:
The FISA definition of "foreign intelligence information" has been amended several times to include specific and explicit categories for e.g. money laundering, terrorism, weapons of mass-destruction, but has always included two limbs which seem almost unlimited in scope. When the terms are unwound it includes:
information with respect to a foreign-based political organization or foreign territory that relates to, and if concerning a United States person is necessary to the conduct of the foreign affairs of the United States. [emphasis added]
This definition is of such generality that from the perspective of a non-American it appears any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activities.
That's worth dwelling on and this represents only about a tenth of the full definition of foreign intelligence information. Read it again - any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activity of citizens of EU countries.

We do not know to what extent that definition is applied or exploited because a curious fact is that there has been nothing written about it in 40 years:
  • no legal commentary
  • no published guidance
  • no executive orders elaborating on what it means
It is simply unknown to what effect that broad facility has been put over the past 40 years. However, the natural supposition is that this is the power under which purely political surveillance of activities in a foreign country, counter espionage possibly but essentially political spying would be conducted.

There is, in the definition, a discrimination by nationality. In the case of US citizens the threshold for surveillance is necessity, a very strict legal line. For non US citizens the requirement is merely "relates", about the weakest legal hurdle you can imagine.

The FISA section 702 power (Procedures for targeting certain persons outside the United States other than United States persons) contains an express discrimination by nationality too, amounting to a double discrimination by nationality favouring US citizens.

There is nothing in EU law remotely like that and human rights experts say this is simply and obviously unlawful under the European Convention on Human Rights.

At this point Caspar refers to the contribution of an earlier speaker in the day relating to section 215 of the US Patriot Act. The reforms of s215 being discussed in the US are not going to help very much with the 'suspicious through lack of US citizenship' problem. The provision to "obtain foreign intelligence information not concerning a US citizen" gives carte blanche to apply section 215 power to foreigners. Even if they fix and restrict the selective collection of information to counter terrorism criteria but conveniently overlook the 'guilty of being a foreigner' provisions, it won't do any good.

I'm going to have to cut the report short at that point but will get back to the rest of this testimony in a later post.

Tuesday, September 24, 2013

Brazilian President attacks US Mass Surveillance

The Brazilian President, H.E. Dilma Rousseff, has used her opening address at the General Debate of the 68th Session of the UN General Assembly to criticise the mass surveillance activities exposed by Edward Snowden.
"I would like to bring to the consideration of delegations a matter of great importance and gravity.
Recent revelations concerning the activities of a global network of electronic espionage have caused indignation and repudiation in public opinion around the world.
In Brazil, the situation was even more serious, as it emerged that we were targeted by this intrusion. Personal data of citizens was intercepted indiscriminately. Corporate information often of high economic and even strategic value - was at the center of espionage activity. Also, Brazilian diplomatic missions, among them the Permanent Mission to the United Nations and the Office of the President of the Republic itself, had their communications intercepted.
Tampering in such a manner in the affairs of other countries is a breach of International Law and is an affront to the principles that must guide the relations among them, especially among friendly nations. A sovereign nation can never establish itself to the detriment of another sovereign nation. The right to safety of citizens of one country can never be guaranteed by violating fundamental human rights of citizens of another country.
The arguments that the illegal interception of information and data aims at protecting nations against terrorism cannot be sustained.
Brazil, Mr. President, knows how to protect itself. We reject, fight and do not harbor terrorist groups.
We are a democratic country surrounded by nations that are democratic, pacific and respectful of International Law. We have lived in peace with our neighbors for more than 140 years.
As many other Latin Americans, I fought against authoritarianism and censorship, and I cannot but defend, in an uncompromising fashion, the right to privacy of individuals and the sovereignty of my country. In the absence of the right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy. In the absence of the respect for sovereignty, there is no basis for the relationship among Nations.
We face, Mr. President, a situation of grave violation of human rights and of civil liberties; of invasion and capture of confidential information concerning corporate activities, and especially of disrespect to national sovereignty.
We expressed to the Government of the United States our disapproval, and demanded explanations, apologies and guarantees that such procedures will never be repeated.
Friendly governments and societies that seek to build a true strategic partnership, as in our case, cannot allow recurring illegal actions to take place as if they were normal. They are unacceptable.
Brazil, Mr. President, will redouble its efforts to adopt legislation, technologies and mechanisms to protect us from the illegal interception of communications and data.
My Government will do everything within its reach to defend the human rights of all Brazilians and to protect the fruits borne from the ingenuity of our workers and our companies.
The problem, however, goes beyond a bilateral relationship. It affects the international community itself and demands a response from it. Information and telecommunication technologies cannot be the new battlefield between States. Time is ripe to create the conditions to prevent cyberspace from being used as a weapon of war, through espionage, sabotage, and attacks against systems and infrastructure of other countries.
The United Nations must play a leading role in the effort to regulate the conduct of States with regard to these technologies.
For this reason, Brazil will present proposals for the establishment of a civilian multilateral framework for the governance and use of the Internet and to ensure the effective protection of data that travels through the web.
We need to create multilateral mechanisms for the worldwide network that are capable of ensuring principles such as:
1 - Freedom of expression, privacy of the individual and respect for human rights.
2 - Open, multilateral and democratic governance, carried out with transparency by stimulating collective creativity and the participation of society, Governments and the private sector.
3 - Universality that ensures the social and human development and the construction of inclusive and non-discriminatory societies.
4 - Cultural diversity, without the imposition of beliefs, customs and values.
5 - Neutrality of the network, guided only by technical and ethical criteria, rendering it inadmissible to restrict it for political, commercial, religious or any other purposes.
Harnessing the full potential of the Internet requires, therefore, responsible regulation, which ensures at the same time freedom of expression, security and respect for human rights"
That's quite a critique -

Dear UN, the US has been engaged in illegal mass surveillance - a grave violation of human rights - industrial espionage and unconscionable political spying, generally behaving in ways likely to lead to us descending into uncontrolled cyberwarfare. I suggest you sort it out.

Interesting also that President Rousseff's address should be made in parallel with Caspar Bowden presenting his findings on the impact of the NSA surveillance on the fundamental rights of EU citizens to the European Parliament. More on the latter when I get the time in the next few days. It is absolutely essential reading for anyone with a serious interest in the Snowden affair.