ECJ invalidate data retention directive

ECJ Invalidates data retention

On 8 April2014 the Grand Chamber of the European Court of Justice, (ECJ) in joined cases C-293/12 and C-594/12, issued a landmark decision declaring the 2006 data retention directive invalid.

The data retention directive was the instrument through which the EU required communications service providers, both fixed line and mobile, to store details of everything everyone does on the telephone or internet; for a period of between 6 months and two years. The details of what was required to be collected were laid out in article 5 of the directive and the only thing not permitted was recording of the content of calls or messages.

The ECJ decided that mass indiscriminate data retention interferes disproportionately and in a particularly serious manner with the fundamental rights to privacy and the protection of personal data.

The challengers

Digital Rights Ireland (DRI) and 11,130 Austrian citizens whose case was joined to that of DRI challenged the directive, ostensibly arguing it constituted an unlawful and unacceptable interference with fundamental rights to privacy and free speech. The Court focused on the effects of the data retention directive on articles 7 and 8 of the Charter of Fundamental Rights of the European Union - respect for private and family life and protection of personal data.

The Grand Chamber of the court proceeded to declare the directive invalid and effectively condemned pre-emptive, suspicionless, warrantless mass surveillance and consequent "interference with the fundamental rights of practically the entire European population".

Introduction and legal context

The Court opens by explaining Digital Rights Ireland challenged the implementation of the data retention directive into Irish law and the Austrian Constitutional Court, Verfassungsgerichtshof, was asked to consider the constitutionality of the Austrian implementation of the directive. They then set out the legal context.

The objective of the data protection directive, directive 95/46/EC, is to protect people's privacy. The aim of the directive on privacy and electronic communications, directive 2002/58/EC, is to harmonise privacy rights and allow sharing of data within and across the EU. Both these directives require appropriate technical and organisational measures to protect the security of personal data.  The 2002 directive prohibits surveillance without user consent, in theory. It has,however, the enormous loophole of article 15 which states any necessary, appropriate and proportionate measure can be used to bypass obligations to respect fundamental rights, when those measures are for national security or crime fighting reasons. Article 15 also specifically appears to approve of the retention of data.

The data retention directive itself obliged communications service providers to retain data. Under article 3, EU member state were required to adopt measures mandating data retention of categories of data specified in article 5. (Take a look at the list of information retained. It's almost unbelievable). Under article 4, access to this retained data would only be available to "competent national authorities" in specific cases and in accordance with national law. Article 6 specified the data should be retained for between 6 months and 2 years. Article 11 basically says when it comes to data retention the need to respect a basic level of fundamental rights theoretically noted in article 1 of the 2002 e-privacy directive could be ignored.

DRI and Austrian cases

The Court then outlines the Digital Rights Ireland and Austrian cases in paragraphs 17 to 22. DRI argued the directive constituted a disproportionate interference with fundamental rights to respect for privacy and family life, data protection and freedom of expression & information, guaranteed under articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union. Austrian citizens Mr Seitlinger, Mr Tschol et al sought the annulment of the Austrian law implementing data retention. The Austrian Court, took the view that data retention, because of the indiscriminate nature and scale of it, almost exclusively affects innocent people. The Verfassungsgerichtshof also felt data retention could not achieve its objectives and was disproportionate, so they also asked the European Court of Justice to review whether data retention constituted a disproportionate interference with fundamental rights guaranteed under articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union. Additionally the Verfassungsgerichtshof suggested the data protection directive and articles 52 and 53 of the Charter of Fundamental Rights presented barriers or at least limitations to data retention.

Next the ECJ considers the substance of the questions before them. They acknowledge (para 27) that the data mandated for retention taken as a whole provides a very rich picture of people's lives. Also that people might well adjust their behaviour and self censor due to the chilling effect of the knowledge of the mass data gathering (para 28). So there is a clear acceptance by the ECJ that freedom of expression protected by article 11 of the Charter could be on the line. They do not however pursue this to any solid conclusion and focus instead of matters of privacy and data protection, relating to articles 7 & 8 of the Charter.

Interference with privacy and data protection

The heavy lifting in the decision is then laid out from paragraph 32 to 71.

"32. ... Directive 2006/24... derogates from the system of protection of the right to privacy established by Directives 95/46 and 2002/58"

The data collected does not have to be sensitive or to inconvenience people in any way to establish the existence of an interference with the fundamental right to privacy. (Para 33). Data retention
"constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter." (para 34). Access to the data retained by competent national authorities is an interference with the rights guaranteed by Article 7 of the Charter. (para 35). Likewise because the directive provides for the processing of personal data it is an interference with the fundamental right to data protection covered by article 8 of the Charter. (para 36). Paragraph 37 merits quotation in full:

"37.  It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out, in particular, in paragraphs 77 and 80 of his Opinion, wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance."

Justification for interference with fundamental rights

Having declared the interference with the fundamental rights to privacy and data protection particularly serious, the Court then must look at the justification for and proportionality of this interference. It finds the 2006 directive wanting on both counts.

Article 52(1) of the Charter of Fundamental Rights of the EU states that any circumvention of those rights must be proportionate, strictly limited and necessary to meet objectives of general interest or to protect the freedoms of others.

In paragraphs 39 and 40, the Court then makes a rather fuzzy attempt to step back from the absolutist stance it appears to have be shaping up to take against data retention.

"39... it must be held that, even though the retention of data required by Directive 2006/24 constitutes a particularly serious interference with those rights, it is not such as to adversely affect the essence of those rights given that, as follows from Article 1(2) of the directive, the directive does not permit the acquisition of knowledge of the content of the electronic communications as such."

This does not sit logically with the earlier acceptance in paragraphs 27 & 28 that metadata provides a very comprehensive picture of peoples' lives which could have a chilling affect on freedom of expression. It also seems something of a non sequitur - how must it be held that data retention constitutes a particularly serious interference with fundamental rights, yet not be such as to adversely affect the essence of those rights?

Paragraph 40 says the essence of article 8 data protection rights are not adversely affected because the text of data retention directive includes a note that says data protection must be respected. On that basis you could stick a token 'respect data protection' clause in every liberty bashing regulatory instrument and not "adversely affect" data protection.

The object of the the data retention is to fight serious crime and article 6 of the Charter of rights lays down the fundamental right to security. So fighting serious crime is a legitimate 'objective of general interest.' And communications technology is an important crime fighting tool. So

"44.  It must therefore be held that the retention of data for the purpose of allowing the competent national authorities to have possible access to those data, as required by Directive 2006/24, genuinely satisfies an objective of general interest."

Disproportionate nature of the data retention directive

The objective of data retention is acceptable. But is data retention a proportionate way to achieve that crime fighting objective? Proportionality requires acts of EU institutions to "not exceed the limits of what is appropriate and necessary in order to achieve" the objective in hand, in this case fighting serious crime.

The ECJ takes guidance from the European Court of Human Rights decision in 2008, S and Marper v UK, on the retention of DNA and fingerprints.

"47. ... the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., S. and Marper v. the United Kingdom [GC], nos. 30562/04 and 30566/04, § 102, ECHR 2008-V)."

Privacy and data protection are fundamental and so the discretion of EU legislature to interfere with them is reduced and any review of that discretion should be strict. (para 48). Data retention may be appropriate for crime fighting. (Para 49). The fight against serious crime requires modern techniques but that doesn't mean the kind of mass data retention required by the directive is necessary. (Para 51). Data protection is especially important for privacy.

"54. Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (see, by analogy, as regards Article 8 of the ECHR, Eur. Court H.R., Liberty and Others v. the United Kingdom, 1 July 2008, no. 58243/00, § 62 and 63; Rotaru v. Romania, § 57 to 59, and S. and Marper v. the United Kingdom, § 99)."

Data retention should have clear rule on scope and application and minimum safeguards against unlawful access. The unstated critique is that the directive fails on all counts.

"55.  The need for such safeguards is all the greater where, as laid down in Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (see, by analogy, as regards Article 8 of the ECHR, S. and Marper v. the United Kingdom, § 103, and M. K. v. France, 18 April 2013, no. 19522/09, § 35)."

Safeguards are particularly important with respect to the automatic large scale processing of data. Again the 2006 directive fails.

56. ... Directive 2006/24... entails an interference with the fundamental rights of practically the entire European population. [My emphasis]

"57.   In this respect, it must be noted, first, that Directive 2006/24 covers, in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime.." [My emphasis]

Paragraph 58 goes on to criticise Directive 2006/24's mandate to engage in the mass surveillance of innocent people not remotely connected to serious crime. Additionally it circumvents rules protecting privileged communications.

Then in recognition of the need for targeted rather than mass surveillance they state:

"59.  Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences."

That paragraph alone could be interpreted as a serious judicial uppercut to the UK government's mass surveillance practices revealed by Edward Snowden. At the risk of being boring I'm going to repeat my old mantra here.  It is unnecessary and completely disproportionate, not to mention dangerously ineffective, to collect innocent communications in order to find serious criminals. Finding a terrorist or serious criminal is a needle in a haystack problem – you can’t find the needle by throwing infinitely more needle-less electronic hay on the stack.  Law enforcement, intelligence and security services have to be able to move with the times. They need to use modern digital technologies intelligently in their work and through targeted data preservation regimes – not the mass surveillance regime they are currently operating – engage in technological surveillance of individuals about whom they have reasonable cause to harbour suspicion. That is not, however, the same as building an infrastructure of mass surveillance or facilitating the same through the legal architecture of directives like 2006/24 on data retention.

The ECJ follows up this mass surveillance critique with a clear declaration in paragraph 60 that the data retention directive has no limits on access to and use of retained data to the purpose of fighting serious crime and no criteria for determining such limits. In a way paragraphs 60 to 68 provide a blueprint for the Commission and particularly rabid surveillance addicted governments to re-write the data retention directive in a way that might be acceptable to the ECJ. Since these paragraphs spell out what is missing from the directive and might be read as suggesting 'make a token effort with these things next time and you'll be ok.'

Para 61 criticises Directive 2006/24's lack of procedures on determining access to data or its use or even limiting these to crime fighting. Para 62 notes the directive does not limit the number of people with access to the retained data to those strictly necessary. Nor does it subject access to the data to the prior review or oversight of a court, in order to limit access to that which is strictly necessary. Nor are member states obliged to set down such procedures.

Para 63 complains that the blanket data retention mandated doesn't make any distinction between categories of data. Para 64 says there is not even an attempt to justify the arbitrary period of retention chosen of between 6 months and 2 years.

Then comes the clincher.

"65.  It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary." [My emphasis]

"66.   Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down." [My emphasis]

Para 67 says the 2006 directive doesn't specify a high enough data security threshold and doesn't require the irreversible destruction of data at the end of the retention period. Then in 68 the ECJ has serious concerns that the data retention directive does not require data to be retained within the borders of the EU. So control by independent authority of data protection and access to the retained data cannot be fully ensured. Such control is an essential corner stone of EU data protection law.

And that's the ballgame

They conclude:

"69. Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.

70. In those circumstances, there is no need to examine the validity of Directive 2006/24 in the light of Article 11 of the Charter.

71.  Consequently... Directive 2006/24 is invalid."

In short, the data retention directive presents a disproportionate interference with the fundamental rights to respect for private and family life and the protection of personal data. Consequently the directive is invalid, null and void. And because it is invalid on privacy grounds the ECJ don't see the need to pursue the question of whether it also might be invalid on the grounds of Article 11 of the Charter of Fundamental Rights relating to freedom of expression.

If the Charter of Fundamental Rights proves to have staying power as the legislative architecture protecting the rights of EU citizens into the distant future, then this ECJ decision could well prove to be historic. On a par with the civil rights cases of the US Supreme Court such as Brown v the Board of Education or the NYT v Sullivan. Only time will tell whether it achieves that fame or notoriety but it was certainly a welcome development in the battle to avoid a mass surveilled future.

Congratulations and thanks to TJ McIntyre, Simon McGarr and Digital Rights Ireland and to Mr Seitlinger, Mr Tschol et al and the Austrian Constitutional Court the Verfassungsgerichtshof in what was a long and difficult battle and a hard fought but very welcome victory in the end. 

US Supreme Court on patent trolls: make 'em pay when they lose

The US Supreme Court yesterday issued decisions in two cases essentially relating to patent trolls, Octane Fitness v. Icon Health & Fitness and Highmark Inc. v. Allcare Health Management System, Inc.
US law (35 USC § 285) says patent suit losers should pay the winners legal costs but only in "exceptional circumstances". In practice, in spite of the mountains of ridiculous patents and strategic business patent lawsuits, very few cases are held to be sufficiently exceptional for the court to award such costs. Which is a licence for patent trolls to pursue their extortion rackets with relish.

The decisions in the Octane and Highmark cases theoretically make the awarding of legal costs to winners easier. Take the Octane decision:

"No. 12–1184. Argued February 26, 2014—Decided April 29, 2014

The Patent Act’s fee-shifting provision authorizes district courts toaward attorney’s fees to prevailing parties in “exceptional cases.” 35 U. S. C. §285. In Brooks Furniture Mfg., Inc. v. Dutailier Int’l, Inc., 393 F. 3d 1378, 1381, the Federal Circuit defined an “exceptional case” as one which either involves “material inappropriate conduct” or is both “objectively baseless” and “brought in subjective bad faith.” Brooks Furniture also requires that parties establish the “exceptional” nature of a case by “clear and convincing evidence.” Id., at 1382.

Respondent ICON Health & Fitness, Inc., sued petitioner Octane Fitness, LLC, for patent infringement. The District Court granted summary judgment to Octane. Octane then moved for attorney’s fees under §285. The District Court denied the motion under the Brooks Furniture framework, finding ICON’s claim to be neither objectively baseless nor brought in subjective bad faith. The Federal Circuit affirmed.

Held: The Brooks Furniture framework is unduly rigid and impermissibly encumbers the statutory grant of discretion to district courts.Pp. 7–12.

(a) Section 285 imposes one and only one constraint on district courts’ discretion to award attorney’s fees: The power is reserved for“exceptional” cases. Because the Patent Act does not define “exceptional,” the term is construed “in accordance with [its] ordinary meaning.” Sebelius v. Cloer, 569 U. S. ___, ___. In 1952, when Congress used the word in §285 (and today, for that matter),“[e]xceptional” meant “uncommon,” “rare,” or “not ordinary.” Webster’s New International Dictionary 889 (2d ed. 1934). An “exceptional” case, then, is simply one that stands out from others with respect to the substantive strength of a party’s litigating position (considering both the governing law and the facts of the case) or the unreasonable manner in which the case was litigated. District courts may determine whether a case is “exceptional” in the case-by-caseexercise of their discretion, considering the totality of the circumstances. Cf. Fogerty v. Fantasy, Inc., 510 U. S. 517. Pp. 7–8.
(b)
The Brooks Furniture framework superimposes an inflexible framework onto statutory text that is inherently flexible. Pp. 8–11."

Justice Sotomayor, writing for the Court in the unanimous decision, goes on (p7-8):

"We hold, then, that an “exceptional” case is simply one that stands out from others with respect to the substantive strength of a party’s litigating position (considering both the governing law and the facts of the case) or the unreasonable manner in which the case was litigated. District courts may determine whether a case is “exceptional” in the case-by-case exercise of their discretion, considering the totality of the circumstances.6 As in the comparable context of the Copyright Act, “‘[t]here is no precise rule or formula for making these determinations,’ but instead equitable discretion should be exercised ‘in light of the considerations we have identified.’” Fogerty v. Fantasy, Inc., 510 U. S. 517, 534 (1994)."

So district courts can be confident that decisions (to award legal costs to those successfully defending themselves from bogus patent troll lawsuits) in "exceptional" cases won't be overturned as long as "exceptional" is construed as:

• “in accordance with [its] ordinary meaning” (in 1952)
• "uncommon"
• "rare"
• "not ordinary"

and now, in the wake of the Supreme Court decision yesterday, 29 April, 2014,

• "stands out from others with respect to the substantive strength of a party’s litigating position (considering both the governing law and the facts of the case) or the unreasonable manner in which the case was litigated."

I doubt adding "stands out from to the list of "ordinary" meanings of "exceptional" will make a great deal of difference either to patent trolling or to the US Federal Appeals Court judges willingness to overturn lower court decisions they disapprove of in this area. Call me a skeptic but given the money and power embodied in such patent suits, I suspect it will take something stronger to break the cycle of legitimate patent applicants and defendants paying the price; whilst the well-resourced, wielding sharp-suited lawyers and huge portfolios of often indefensible patents, make off with the prizes.

Free is a lie - Aral Balkan at TNW

Take 32 mins and listen to Indie phone's Aral Balkan's talk at the recent TNW conference.



Balkan opens with a simple thought experiment. He's setting up a hypothetical business, Schnail Mail, which will solve the problem of mail delivery by delivering letters and parcels of all shapes and sizes anywhere in the world for free. He asks his audience how many of them would sign up for it. Sounds like an attractive enterprise so many would. In the interests of full disclosure he then explains that by the way Schnail mail will open and forensically examine all letters and parcels to learn about their customers, obviously in the interests only of offering them a better service. How many would now sign up? Not very many though there were still a hard core half a dozen or so. In any case the Schnail Mail business model is the Google, Facebook, [big tech co of choice] "free" service business model.

The business model of "free" is the business model of mass surveillance. We effectively hand over quarries of personal data for these corporations to mine for their own ends. He quotes Eric Schmidt noting Google knows who you are, where you are and what you are thinking; and Facebook knowing people are on the path to a relationship before those people possibly even know it themselves.

He also quotes the Google executive chairman saying:

"If you have something you don't want everyone to know maybe you shouldn't be doing it in the first place."

That's not the kind of world Balkan wants. Privacy is not about whether you have something to hide. It's about having control of what you want to share and what to keep to yourself. But in the world of "free" mass surveillance you don't have that control. The corporations do and they have acquired that control by deceit because consumers largely have no idea of the information they have surrendered/bartered in exchange for "free" services.  If we make the panopticon the default that leads to a society where anything we want to keep private has an association of guilt attached. Privacy becomes only about hiding bad things. Balkan rejects that notion.

Ordinary consumers currently have no choice - all roads lead to digital feudalism regardless of which corporate walled garden is chosen. Techies say use free and open source alternatives. But ordinary mortals have not got the time, skills or resources to architect or build our own FOSS, experience-led digital privacy assured shells to shield our rich personal data quarries / digital personas, thereby enabling us to participate in the information society without compromising our privacy. So techies, entrepreneurs, the market have to start to provide custom built user friendly privacy enhanced technologies. One such effort is Balkan's indie phone.

The true cost of "free" he says is our privacy, our civil liberties, our human rights.

Good luck to Mr Balkan with his indie phone venture. His success will likely depend on the degree to which he can manage the pathological calculus that is -

Privacy vs Convenience/attraction/gratification/access/community/conformity/convenience

- in addition to the small matter of taking on the power of the mass surveillance addicted market incumbents.

Feynman, education & public engagement on digital rights

This Horizon programme on Richard Feynman is full of terrific engaging Feynman observations.



I'll just pick out two that are close to home at the moment.

Feynman talks about teaching and how he didn't really know how to do it. To hook everyone with our different interests and different learning styles and aptitudes the teacher has to take a chaotic approach. Otherwise the teaching will only reach or appeal to one kind of person. The implication is that all the rest are locked out. He gives a lovely example of the stories he used to make up for his son exploring wood-like worlds which turned out to be tiny people living in a carpet land; and caves where the air flowing in was cold and air flowing out was warm - this turned out to be the dog's nose; then they could explore the respiratory systems and learn all kinds of real world things in a fun way. His daughter, on the other hand, didn't like him making up stories. She liked him to read proper stories from proper books. She had a different personality and different way of taking on the world

The top down superficial dogmatic ill-informed rhetoric driving formal education systems in the UK at the moment (and which has been doing so for a long time) has lead to systems that fail most of the people most of the time. They fail the teachers/lecturers trying to make them work against all the odds and they fail the children and older students that get processed from year to year, standardised widgets all.

The second thing that struck me was Feynman's ruse for avoiding the drudgery of academic administration. He would refuse to do it by claiming he was irresponsible and by implication could not be relied upon to do it properly. So every time he was asked e.g sit on an admissions committee he would say he didn't care about students (he did) and couldn't be bothered and anyway would be irresponsible. He'd say to himself let so and so do it - it was selfish but it left him time to do physics.

To do any kind of substantive work it takes absolute solid lengths of time. If you're working on something complex, he describes it like a house of cards. It's wobbly. All the ideas holding it together are like the cards. If you forget one or lose it the whole thing collapses and you have to start all over. If you are weighed down with administration you'll never have the time to do anything deep.

Well I've had three books in draft for several years and not had a substantive run at any of them. Much though I'd like to offload or avoid a chunk of my admin duties, Feynman style, that's not a realistic option in the short to medium term. The privilege of working at an amazing institution like The Open University brings with it the duty to engage in the requisite battles to protect its core values and terrific students and staff. I have an equivalent duty, however, to engage deeply with my academic areas of interest - including the digital rights arena - particularly when they have an impact that extends way beyond the boundaries of a single institution.

So something has to give and I've decided, no doubt to the collective background sigh of relief from organisational behaviour theorists, to abandon one of my draft books. Perhaps a little ironically it is the one on the convergent evolutionary bureaucratic cancerous insanity of large organisations. It is incredible the degree to which care, trust, goodwill, decency, simple understanding of the difference between right and wrong - the fundamentals of providing a good product or service - can get completely decimated in the labyrinth of tightly coupled, complex, often mutually exclusive and diametrically opposed rules, regulations, procedures, good intentions, sociopathic ambitions, agendas and ignorant digital Taylorism that constitute modern large mature organisations. Both in the private and public sectors. NASA's 'Criticality 1' waiver system - a procedure for bypassing safety procedures which had determined space shuttle components/systems were so dangerous as to be life threatening - is a classic example. The working title was The Insanity of Bureaucracy and the sound bite description, 'if large organisations were people they'd be diagnosed clinically insane.'

Will the dropping of the Insanity of Bureaucracy give me more space to work my tome on systems failure in the regulation of the Net? We'll see. The latter began as a collection of case studies on the emergent effects of the scientific and technical ignorance of policymakers. But in a world of mass surveillance these real life stories are not really enough. There is an urgent need for academics, techies, lawyers, engineers, scientists, educators to be better at explaining - through as many forums, physical and virtual, political and institutional, mass media, social networks and any other social, physical, technological, economic, environmental or cognitive construct of influence -  the maths, science and technology that forms the infrastructure of our information society. In ways and through narratives that are engaging, convincing, evidence based, entertaining (if necessary), chaotically as Feynman says, widely accessible and with memes that stick -

• privacy AND security NOT privacy OR security
• mass surveillance doesn't work
• mass surveillance is sinister
• mass surveillance is odious
• mass surveillance is monstrous
• mass surveillance is wrong
• mass surveillance is poisonous
• mass surveillance is corrosive
• did I say mass surveillance doesn't work
• we need intelligence lead targeted technological surveillance of individuals about whom there is reasonable cause to harbour suspicion NOT mass surveillance ... ok now you can see why I'd never get a job in PR or politics... (Marcus Lipton MP in 1957 (at 1min 50s) declared phone tapping of a suspected gangster "most sinister", "odioius" and "montrous", as did the outraged mainstream media at the time. How times have changed.)
• censorship is odious...
• hate mongering is poisonous...
• demonisation of [minority target of choice] is monstrous...
• Extraordinary rendition is odious, monstrous, wrong...
• torture is odious, monstrous, wrong... 
• enclosure of the public domain is wrong...
• the best network is the hardest to monetise...
• communications infrastructure is a public good...
• concentration of control of communications infrastructure is contrary to the public good...
• sound bite attack dog 'public debate' undermines our capacity to engage in informed, enlightened, collective, democratic policy making in the public good ... see - I can't do PR...
• and just to prove I can't do PR... complex corporate welfare regulatory instruments built into secretly negotiated international trade agreements, which undermine both the sovereignty of nation states and fundamental liberties, and which are substantively written by the industries they are tailored to benefit, are contrary to the public good...

One book is a drop in ocean of this kind of essential public engagement but it is a drop I really need to carve out some time and space to deliver. Then when the grandkids, if I'm lucky enough to have any and supposing they can cope with the dysfunctional world we bequeath them, ask what the hell I was doing when my generation was so busy normalising the destruction fundamental liberties in the metaphorical blink of a historical eye, I may at least have a story or two to tell and a battered old monograph to point to on the shelf.

The third book in the Corrigan cognitive hinterland is a young adult novel with a Cory Doctorow type Little Brother / Homeland theme but in a sporting context. That's simply proving very difficult to write and has given me a greater respect than ever for children's authors who do an incredible job. (Cory's books are terrific btw and should be required reading for teens and adults everywhere). My kids sometimes encourage me to stop, rewind and repeat in short sentences using words of preferably no more than two syllables. I naturally point out that 'sentences', 'preferably and 'syllables' breach those rules... but writing for young adults is a much more challenging task than I had expected it to be.

The wet Friday afternoon contemplative musing will have to stop there for now, as the relentless clamour of the zombiecrats for boxes to be ticked, forms to be filled and meetings to be attended must be soothed. That's this evening. Tomorrow real students in a real classroom await and though there are reports to be filed in the aftermath, OU students almost invariably cheer me up.

Russia's surveillance state

The autumn 2013 issue of the World Policy Journal has the best outline of Russian mass surveillance I've seen to date By Andrei Soldatov and Irina Borogan. Not so long ago, Western media and politicians would have been all over this, condemning the unethical behaviour of the Russian state. But I guess that's difficult and/or potentially embarrassing when you've spent a lot of effort defending the same behaviour on the part of Western governments.

"In March 2013, the Bureau of Diplomatic Security at the U.S. State Department issued a warning for Americans wanting to come to the Winter Olympics in Sochi, Russia next February: Beware of SORM. The System of Operative-Investigative Measures, or SORM, is Russia’s national system of lawful interception of all electronic utterances—an Orwellian network that jeopardizes privacy and the ability to use telecommunications to oppose the government. The U.S. warning ends with a list of “Travel Cyber Security Best Practices,” which, apart from the new technology, resembles the briefing instructions for a Cold War-era spy...

But the Russian surveillance effort is not limited to the Sochi area, nor confined to foreigners. For years, Russian secret services have been busy tightening their hold over Internet users in their country, and now they’re helping their counterparts in the rest of the former Soviet Union do the same. In the future, Russia may even succeed in splintering the web, breaking off from the global Internet a Russian intranet that’s easier for it to control.

Over the last two years, the Kremlin has transformed Russia into a surveillance state—at a level that would have made the Soviet KGB (Committe for State Security) envious. Seven Russian investigative and security agencies have been granted the legal right to intercept phone calls and emails. But it’s the Federal Security Service (FSB), the successor to the KGB, that defines interception procedures...

...In Russia, FSB officers are also required to obtain a court order to eavesdrop, but once they have it, they are not required to present it to anybody except their superiors in the FSB. Telecom providers have no right to demand that the FSB show them the warrant. The providers are required to pay for the SORM equipment and its installation, but they are denied access to the surveillance boxes.

The FSB has control centers connected directly to operators’ computer servers. To monitor particular phone conversations or Internet communications, an FSB agent only has to enter a command into the control center located in the local FSB headquarters. This system is replicated across the country. In every Russian town, there are protected underground cables, which connect the local FSB bureau with all Internet Service Providers (ISPs) and telecom providers in the region. That system, or SORM, is a holdover from the country’s Soviet past and was developed by a KGB research institute in the mid-1980s. Recent technological advances have only updated the system. Now, the SORM-1 system captures telephone and mobile phone communications, SORM-2 intercepts Internet traffic, and SORM-3 collects information from all forms of communication, providing long-term storage of all information and data on subscribers, including actual recordings and locations."

They are still working on how to deal with social networks but see mass surveillance, threats, net filtering, structural Balkanization of the net and the amoral self interest of the big tech companies (including Facebook and Google) as the key drivers of the evolution towards a much more controlled future.

Intelligence Gathering and the Unowned Internet

The Berkman Center at Harvard has hosted a 90 minute discussion on  Intelligence Gathering and the Unowned Internet involving Yochai Benkler, Bruce Schneier and Jonathan Zittrain, Terry Fisher plus John DeLong and Anne Neuberger the latter two being from the National Security Agency.



The video is essential viewing and John Naughton's thoughts triggered by the discussion are also well worth a further 5 to 10 minutes of your time.

Cory Doctorow & Barton Gellman at SXSW

Cory Doctorow and Barton Gellman discussing Edward Snowden, secure communications, encryption tools so easy your boss can use them, privacy, the revealing nature of metadata and mass surveillance, at SXSW should be required viewing.

Snowden quizzes Putin about mass surveillance on Russian TV

Edward Snowden just got to quiz Russian president Vladimir Putin about whether Russia engages in mass surveillance...


Guess what? Major surprise. Putin said no they don't. They fight crime and terrorism not like the rich Americans by spying on everyone but by engaging in surveillance controlled by the rule of law.

Call me a skeptic but it's a little unlikely Mr Putin has not heard of SORM not to mention a variety of other unethical surveillance and intelligence practices.

It is disappointing Edward Snowden would get sucked into such a publicity stunt though I guess he would not have had a lot of choice in the matter.

Update: Edward Snowden has defended his decision to participate in the TV show with Putin. In fairness, he makes a good case.

Suing the state: hidden rules within the EU-US trade deal

Thanks to Glyn Moody for pointing me at this excellent short video explaining the dangers of the investor state dispute settlement (ISDS) provisions in the proposed EU-US trade deal.



Additionally it is really worth reading Corporate Europe Observatory's excellent analysis of ISDS, Still not loving ISDS: 10 reasons to oppose investors’ super-rights in EU trade deals.

ORG Stop UK Internet Censorship Campaign

The Open Rights Group want to launch a campaign to educate the public about the dangers of software filters.



They need help to accumulate the requisite finances.

UK media ignore Guardian's Pulitzer Prize

We learned last night that the Guardian and the Washington Post have shared the Pulitzer prize for public service for their stories, based on documents leaked by Edward Snowden, on the US and UK governments' mass surveillance practices.

The story of the award has topped the news agenda all over the world - NYT, LA Times, The Times of Israel, Le Monde. The Times of India, even Fox News offered grudging repect whilst not missing the chance to denigrate Snowden.

In the UK the accolade has been ignored by The Times, The Daily Telegraph and the Daily Mail, though it got coverage from the BBC, The Indpendent and the FT.

A reminder. perhaps, of the need, always, to be alert to the underlying agenda(/s), motives and values of the controlling mind(/s) of the organisations from which we source our news.

What do you need to know about the Heartbleed security vulnerability?

Simon Budgen at OpenLearn asked yesterday if I could offer some ordinary-mortal-interpretable thoughts on the Heartbleed OpenSSL security earthquake.

I offered Simon the rambling steam of consciousness below which he kindly edited into a more ordered Q&A here.

There is a lot of panic, misreporting and bad advice going round about Heartbleed as you say. Though there are a few key things it is worth making sure get included in any article.

Include the Heartbleed link http://heartbleed.com/ which outlines  the problem -

" The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

That's about as bad as it gets security wise. Security expert Bruce Schneier has described it as “catastrophic” and I wouldn’t disagree with that.

The OpenSSL bug has compromised half a million plus sites from what we're able to tell.

Ordinary internet users should change their passwords on sites affected but generally only after - the companies running the websites concerned have done a security audit to check if they are affected, patched their systems if they are, acquired a new public/private key pair and new SSL certificate, tested the patched systems, informed the user they have done all this and determined the system to be secure (and preferably pro-actively changed passwords that might have been affected). Now the news on the bug is out credible commercial entities are keen to do this in double quick time and many have already done so.

It’s not the best advice to change your password before a website has been patched as that might expose your details to a higher risk of being compromised and will certainly expose your new details/passwords. Some mainstream news media are informing people they should change all passwords immediately – not great advice if it leads you to assume your new credentials are safe when in fact they won’t be, if the site has not been patched yet. People should check with or have confirmation from the company or an independent trustworthy source that they have fixed their systems first. (Though if someone with existing compromised credentials chooses to use those for nefarious ends, in the window between now and the site being patched, then there may be a slight preference in favour of changing passwords temporarily and then changing again once the fix is done. None of this is really straightforward unfortunately).

All the usual advice about choosing strong passwords applies – change them regularly, don’t use the same ones on different sites, don’t use dictionary words or names, make them long, include upper and lower case, numbers and symbols.

If there are several layers of authentication use them for stronger security e.g. pin numbers, passwords, tokens etc.

It may be the time now people begin to realise how many passwords they are actually using, to consider investing in a password manager like LastPass, SplashID or Password Genie – software which does all the heavy lifting on choosing long difficult passwords and managing and “remembering” them for you.

Also note since the bug has been around for a couple of years that it is almost certain that a multitude of organised crime gangs will likely have gathered the encryption keys to all compromised sites, as will intelligence and security services like the NSA and GCHQ. Just to be clear on this – the usernames and passwords used on these sites will likely be in the hands of organised criminal gangs and intelligence services.

The other big issue for ordinary users is to find out exactly what sites have been compromised and where and when they need to go about changing passwords. Various news sites are providing lists of affected sites and those that have been patched but you need to choose your sources of information carefully. Mainstream news sites are not always the best guide. We do know the big guys like Google, Facebook and Yahoo! were compromised and appear to be patched. Apple and eBay we’re not sure, Tumblr yes, big banks apparently not (but don’t quote me on that), Linkedin apparently not, Amazon no, though Amazon cloud services yes. It’s basically taking quite some sorting out.

There are sites that enable you to test whether a service you use has been compromised by Heartbleed eg http://filippo.io/Heartbleed/ or https://www.ssllabs.com/ssltest/ Just enter the url you are concerned about and click the Go!/Submit button. These are not 100% reliable and will generate false positives (alerts on sites that are patched) and occasionally false negatives (giving the all clear to insecure sites). Do be a little careful with these too as there will be false test sites which attempt to mislead people about the security of sites which remain compromised.

If people have not heard from the sites they use, they should actively contact them to ask – if they have done the requisite Heartbleed related security audit, if they have been compromised and if they have patched any vulnerabilities; and don’t stop asking until a definitive answer is forthcoming. Then if necessary change their passwords once the fix is implemented.

Hope that gives you something to start with.

Comments welcome here or over at OpenLearn.

European Court of Justice annuls 2006 data retention directive

On Tuesday, 8 April, 2014, the Court of Justice of the European Union, (also known as the European Court of Justice) in a scathing indictment of widespread mass surveillance practices, abolished the 2006 EU data retention directive. The Court said the directive was a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights.

The directive constituted such a serious interference with the fundamental right to privacy that it had to be annulled - it was an affront to liberty that should never have existed.

TJ McIntyre of Digital Rights Ireland (DRI), the heroic litigants in chief, has made a copy of the full decision available at scribd and it will appear on the Court website in due course. Credit also to the 11,130 Austrian citizens whose case was joined to that of DRI since they had challenged the directive on similar grounds.

For the uninitiated, the data retention directive was the instrument through which the EU required communications service providers, both fixed line and mobile, to store details of everything everyone does on the telephone or internet; for a period of between 6 months and two years. The details of what should be collected are laid out in article 5 of the directive and the only thing not allowed was recording of the content of calls or messages.

It's actually worth spending 5 or 10 minutes looking at that list of things in Article 5 that has been gathered by communications service providers throughout the EU. At first pass it seems a bit legalistic but if you cut through that and think about it – names, addresses, who spoke to whom, where, when, for how long, on what device, how often, websites visited etc. etc. This all paints a very detailed picture and most people don’t know it is going on. The who, where, why, how, what and when of individual lives is all there in this metadata.

With what may be interpreted as half and eye on the Edward Snowden revelations, the Grand Chamber of the Court, effectively condemned pre-emptive, suspicionless, warrantless mass surveillance and consequent "interference with the fundamental rights of practically the entire European population". The case is the first major court decision on mass surveillance since the Snowden stories started to break in June 2013. Though high courts in Romania (2009), Germany (2010), Bulgaria (2010),  the Czech Republic (2011) and Cyprus (2011) have all declared the data retention directive unconstitutional and/or a disproportionate unjustified interference with the fundamental right to privacy, free speech and confidentiality of communications. As recently as 2011 following the national courts' striking down of regulations implementing data retention, the European Commission were hounding Germany and Romania to re-implement the directive. The Commission subsequently sued Romania which went on to pass a widely criticised version of data retention law in 2012, nicknamed "Big Brother". The Commission had also previously sued Greece, the Netherlands, Austria and Sweden for failing to implement the directive by the due date of September 15 2007.

The previous UK Labour government were one of the key driving forces behind the original implementation of the the data retention directive. The current UK government is one of the biggest cheerleaders for and operators of mass surveillance standards and practices. Though the UK government was not involved directly in the case, (and are scrambling madly to find a way to circumvent the decision as, sadly, are the Commission), both the current and the previous administrations' behavior, in the data retention context, is considered so heinous in law that it should never have happened; and the laws facilitating that behavior should never have existed.

Some commentators have also suggested the Court was firing a message not just to the UK but across the pond (2 min 40sec audio) to the effect that US mass surveillance standards are totally unacceptable in an EU context.

I have now managed to read the decision in full (in fits and starts) and will endeavour to post an analysis here at the earliest opportunity. (Aka when grown up admin duties allow and I can construct a sufficiently robust buffer between me and the zombiecrats to take a sustained run at it).

Appelbaum on mass surveillance

Take 5 minutes 33 seconds to listen to Jacob Appelbaum on mass surveillance and the  WePromiseEU 10 point charter for digital rights

Daniel Solove: Nothing to Hide, Nothing to Fear?

Nice interview with Daniel Solove (24 minutes) on the nothing to hide meme.



Kafka better captures the modern privacy issues we face. Decisions about our lives are being made on the basis of secret uses of our personal data - look at airline screening for example.

Categories of data which were required to be retained under the data retention directive

The data retention directive, DIRECTIVE 2006/24/EC, thanks to the efforts of a small number of digital rights activists in Ireland and a slightly larger group from Austria has been declared unlawful - a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights - by the European Court of Justice today.

I'm hoping to blog about the decision soon but it is worth pointing out the categories of data that this directive required service providers to retain and facilitate crime fighting authorities access to. They are specified exhaustively in article 5 of the directive:

Article 5

Categories of data to be retained

1. Member States shall ensure that the following categories of
data are retained under this Directive:

(a) data necessary to trace and identify the source of a
communication:

(1) concerning fixed network telephony and mobile
telephony:
(i) the calling telephone number;
(ii) the name and address of the subscriber or registered
user;
(2) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the user ID(s) allocated;
(ii) the user ID and telephone number allocated to any
communication entering the public telephone
network;
(iii) the name and address of the subscriber or registered
user to whom an Internet Protocol (IP) address, user
ID or telephone number was allocated at the time of
the communication;

(b) data necessary to identify the destination of a
communication:

(1) concerning fixed network telephony and mobile
telephony:
(i) the number(s) dialled (the telephone number(s)
called), and, in cases involving supplementary services
such as call forwarding or call transfer, the
number or numbers to which the call is routed;
(ii) the name(s) and address(es) of the subscriber(s) or
registered user(s);
13.4.2006 EN Official Journal of the European Union L 105/57
(2) concerning Internet e-mail and Internet telephony:
(i) the user ID or telephone number of the intended
recipient(s) of an Internet telephony call;
(ii) the name(s) and address(es) of the subscriber(s) or
registered user(s) and user ID of the intended recipient
of the communication;

(c) data necessary to identify the date, time and duration of a
communication:

(1) concerning fixed network telephony and mobile telephony,
the date and time of the start and end of the
communication;
(2) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the date and time of the log-in and log-off of the
Internet access service, based on a certain time zone,
together with the IP address, whether dynamic or
static, allocated by the Internet access service provider
to a communication, and the user ID of the
subscriber or registered user;
(ii) the date and time of the log-in and log-off of the
Internet e-mail service or Internet telephony service,
based on a certain time zone;

(d) data necessary to identify the type of communication:

(1) concerning fixed network telephony and mobile telephony:
the telephone service used;
(2) concerning Internet e-mail and Internet telephony: the
Internet service used;

(e) data necessary to identify users’ communication equipment
or what purports to be their equipment:

(1) concerning fixed network telephony, the calling
and called telephone numbers;
(2) concerning mobile telephony:
(i) the calling and called telephone numbers;
(ii) the International Mobile Subscriber Identity (IMSI)
of the calling party;
(iii) the International Mobile Equipment Identity (IMEI)
of the calling party;
(iv) the IMSI of the called party;
(v) the IMEI of the called party;
(vi) in the case of pre-paid anonymous services, the date
and time of the initial activation of the service and
the location label (Cell ID) from which the service
was activated;
(3) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the calling telephone number for dial-up access;
(ii) the digital subscriber line (DSL) or other end point
of the originator of the communication;

(f) data necessary to identify the location of mobile communication
equipment:

(1) the location label (Cell ID) at the start of the
communication;
(2) data identifying the geographic location of cells by reference
to their location labels (Cell ID) during the period
for which communications data are retained.

2. No data revealing the content of the communication may be
retained pursuant to this Directive.

Blanket retention of this data is theoretically now invalid in the EU but it remains astonishing that it was ever lawful in the first place. Seriously. Take a look at that list of metadata and think about what it can tell you about an individual.

ECJ: Intermediaries can be responsible for blocking copyright infringement

The Court of Justice of the EU last week decided Case C‑314/12,

REQUEST for a preliminary ruling under Article 267 TFEU from the Oberster Gerichtshof (Austria), made by decision of 11 May 2012, received at the Court on 29 June 2012, in the proceedings

UPC Telekabel Wien GmbH

v

Constantin Film Verleih GmbH,

Wega Filmproduktionsgesellschaft mbH

A panel of five judges, not unexpectedly given the advice of the Advocate General, decided that ISPs can be required to block access by its customers to a website which infringes copyright.

A first glance at the ruling suggested there might be a conflict here with the earlier decision of the Court in the 2008 Promusicae case, noting that privacy trumps copyright. But the Court carefully steers a route past that earlier decision.

Firstly they conclude, at paragraph 40, that

"Article 8(3) of Directive 2001/29 must be interpreted as meaning that a person who makes protected subject-matter available to the public on a website without the agreement of the rightholder, for the purpose of Article 3(2) of that directive, is using the services of the internet service provider of the persons accessing that subject-matter, which must be regarded as an intermediary within the meaning of Article 8(3) of Directive 2001/29."

ISPs are 3rd parties potentially making copyright infringing materials available to their customers. The preventative proactive copyright protective nature of the 2001 directive means that no proof that an ISP's customers are accessing the alleged copyright materials is required, before said ISP can be required to block an alleged infringing source.

The Court then asks if ordering an ISP to block a website offering infringing works undermines fundamental rights recognised by EU law. They (paragraph 46)  re-emphasise the Promusicae decision that copyright cannot undermine fundamental rights:

"The Court has already ruled that, where several fundamental rights are at issue, the Member States must, when transposing a directive, ensure that they rely on an interpretation of the directive which allows a fair balance to be struck between the applicable fundamental rights protected by the European Union legal order. Then, when implementing the measures transposing that directive, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with that directive but also ensure that they do not rely on an interpretation of it which would be in conflict with those fundamental rights or with the other general principles of EU law, such as the principle of proportionality (see, to that effect, Case C‑275/06 Promusicae [2008] ECR I‑271, paragraph 68)."

and note that court ordered web blocking to negate copyright infringement constitutes:

"a conflict between (i) copyrights and related rights, which are intellectual property and are therefore protected under Article 17(2) of the Charter, (ii) the freedom to conduct a business, which economic agents such as internet service providers enjoy under Article 16 of the Charter, and (iii) the freedom of information of internet users, whose protection is ensured by Article 11 of the Charter."

They go on to say the Court doesn't get to specify the web blocking measures. That decision is in the hands of the ISP. Such injunctions do amount to an interference with an ISP's freedom to conduct a business but this does not involve "unbearable sacrifices". As long as the ISP takes "reasonable measures" to block their customers access to the alleged copyright infringing materials, copyright holders have no cause of direct action against them.

The Court is very vague, however, on what these "reasonable measures" should be. It's for the ISP concerned, not a court, to decide the precise blocking methods (para 52) that should be deployed. Yet the Court are also apparently adamant (para 54) that intermediaries should have legal certainty on the measures they need to take to avoid penalty.

The ISP must also insure the blocking does not interfere with their customers' freedom of information and that the blocking techniques used should be "strictly targeted" to terminate the copyright infringement whilst not undermining fundamental rights. To that end from the the customers' fundamental rights perspective, they should be able to challenge any blocking processes implemented by the ISP in their national courts (para 57):

"It must be possible for national courts to check that that is the case. In the case of an injunction such as that at issue in the main proceedings, the Court notes that, if the internet service provider adopts measures which enable it to achieve the required prohibition, the national courts will not be able to carry out such a review at the stage of the enforcement proceedings if there is no challenge in that regard. Accordingly, in order to prevent the fundamental rights recognised by EU law from precluding the adoption of an injunction such as that at issue in the main proceedings, the national procedural rules must provide a possibility for internet users to assert their rights before the court once the implementing measures taken by the internet service provider are known"

Interestingly enough, though it doesn't appear necessary, at paragraph 61 the Court states -

"The Court notes that there is nothing whatsoever in the wording of Article 17(2) of the Charter to suggest that the right to intellectual property is inviolable and must for that reason be absolutely protected (see, to that effect, Scarlet Extended, paragraph 43)."

Then go on to conclude on the substantive questions before them:

"the Court (Fourth Chamber) hereby rules:

1.      Article 8(3) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society must be interpreted as meaning that a person who makes protected subject-matter available to the public on a website without the agreement of the rightholder, for the purpose of Article 3(2) of that directive, is using the services of the internet service provider of the persons accessing that subject-matter, which must be regarded as an intermediary within the meaning of Article 8(3) of Directive 2001/29.

2.      The fundamental rights recognised by EU law must be interpreted as not precluding a court injunction prohibiting an internet service provider from allowing its customers access to a website placing protected subject-matter online without the agreement of the rightholders when that injunction does not specify the measures which that access provider must take and when that access provider can avoid incurring coercive penalties for breach of that injunction by showing that it has taken all reasonable measures, provided that (i) the measures taken do not unnecessarily deprive internet users of the possibility of lawfully accessing the information available and (ii) that those measures have the effect of preventing unauthorised access to the protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging internet users who are using the services of the addressee of that injunction from accessing the subject-matter that has been made available to them in breach of the intellectual property right, that being a matter for the national authorities and courts to establish."

Whilst I understand why the Court does not want to specify particular blocking or filtering techniques, it seems that copyright owners and ISPs and other internet intermediaries are left in something of a legal limbo.

• Under Article 8(3) of Directive 2001/29/EC, intermediaries can be ordered by a court to block sites thought to be distributing unauthorised copyright materials
• It does interfere with intermediaries' freedom to conduct a business to implement such measures but not unbearably so
• It is for the intermediaries not the Court to decide what specific blocking measures should be taken
• These measures, however, must - be 1. reasonable 2. strictly targeted 3. effectively protect the copyright holder 4. effectively protect fundamental rights of the ISP's customers
• Intermediaries have no guidance from the Court on what is meant by "reasonable" blocking measures or how to balance fundamental rights with the (not-inviolable) right to intellectual property
• If intermediaries don't get their measures sufficiently "reasonable" to make their customers and the requisite copyright holders happy, they leave themselves open to legal challenge from one or other or both

ISPs can be ordered to block but neither they nor the offended copyright holders know what kinds of specific blocking measures can be considered reasonable.  Given such legal uncertainty and the crude nature of software filters, I suspect the ultimate outcome will be that ISPs will tend towards over-blocking, since the risks of being sued by copyright holders for facilitating infringement are significantly higher than those of being sued by individual customers for breaching their fundamental rights.

MP note on Don't Spy on US

My MP, Nicola Blackwood, tells me she has written to William Hague to draw his attention to the Don't Spy on Us campaign.

"Dear Mr Corrigan,

Many thanks for your email about the ‘Don’t Spy on Us’ campaign. I apologise for the delay in my response.

I certainly appreciate that is an issue you feel strongly about, and I have taken the time to read your submission to the Intelligence and Security Committee’s inquiry. I understand your position that there is no balance to be struck between the individual right to privacy and the collective right to security, as privacy and security are not opposites. As discussed in our previous correspondence, I do firmly believe that our intelligence agencies do vital work in tackling terrorism and international crime.

The various levels of checks and balances that exist to hold our security services to account cannot be overstated, and as previously discussed these include oversight mechanisms by  Secretaries of State, the Interception of Communications Commissioner and the Intelligence Services Commissioner, and through Parliament via the Intelligence and Security Committee. One further level of accountability here that I have not discussed with you previously and I feel is worth noting here, is the strict operation of GCHQ within the Regulation of Investigatory Powers Act (RIPA). The Office of Surveillance Commissioners analyse GCHQ’s activity in detail, and also some of the codes of practices that the agencies have in place to ensure their adherence to RIPA.

I know that you have previously been unsatisfied with the response you have received from the Minister on this issue, but I have written to the Secretary of State for Foreign and Commonwealth Affairs, the Rt Hon William Hague MP, to discuss this specific campaign and to ask for a response to the concerns you have raised below. I shall of course pass any response I receive on to you in the usual way.

I will certainly keep your views on this subject in mind when considering the issue again in the future, and of course I intend to follow any further developments on this carefully. I also look forward to further announcements on the progress of the Committee’s inquiry into privacy and security, I understand the next stage will be the provision of oral evidence.

Thank you again for taking the time to contact me on this.

Kind regards

Nicola"

 I've replied.

"Nicola,

Thanks for getting back to me and for taking the time to read my response to the ISC.

As before, I don’t dispute that our intelligence agencies do vital work in tackling terrorism and international crime. However, they will do that work more effectively under a targeted data preservation regime rather than a suspicionless mass surveillance regime. Rather ironically this is one area where government ministers’ mantra of getting more from less actually applies.

We do differ in our relative positions on the checks and balances on the security services. If these had been effective as you have come to believe we would not have evolved the mass surveillance measures now operated by the security and intelligence services. As for RIPA, it’s widely accepted now on all sides to be out of date. You can drive a coach and horses through the loopholes in the RIPA regulations and the intelligence services basically do.

Finally for now, thanks for taking the time to write to William Hague about the Don’t Spy on Us campaign.

Regards,

Ray

On the week of the World Wide Web's 25th anniversary, we've learned  How the NSA Plans to Infect “Millions” of Computers with Malware. A couple of weeks ago it was revealed that GCHQ have been collecting millions of Yahoo webcam images via their OpticNerve system.

The mass surveillance stories flowing from the Snowden revelations keep coming. These are fundamentally, as Cory Doctorow put it so eloquently in his Guardian article earlier this week, matters of public health and societal wellbeing because so much of what we do these days involves the internet. 

The Don't Spy on Us campaign believe -

"Our campaigning is having an impact. The main political parties are edging towards reform of surveillance laws. We can't take anything for granted though. We have to keep pressing for change."

I would add that we need to keep pressing for public understanding and engagement. Concern about mass surveillance is still very much a minority sport in the UK.

Lib Dems conference motion on digital bill of rights

The text of the Liberal Democrats spring conference policy motion on a digital bill of rights is below (c&p from their Spring conference agenda p64-67).

"10.45 Policy motion
Chair: Sal Brinton (Vice Chair, Federal Conference Committee)
Aide: Sandra Gidley
F19 A Digital Bill of Rights
Cambridge
Mover: Tim Farron MP
Summation: Dr Julian Huppert MP (Co-Chair, Parliamentary Party Committee
on Home Affairs, Justice and Equalities)

Conference believes:

i) Monitoring or surveilling people without suspicion is alien to our
traditional British values.
ii) That systematic surveillance of people’s communications and
online activities undermines a number of fundamental human rights,
including the right to respect of private life and correspondence,
freedom of expression, of association, of conscience and of religion;
that these rights are essential in safeguarding the democratic
principles of our society; and that any interference with these rights
must be necessary and proportionate.
iii) That our online communication and behaviour should be treated with
the same respect and legal due process that we expect for our offline
communication and behaviour.
iv) Government-supported filtering of the internet will prevent people
from accessing legitimate information and educational resources,
whilst giving parents a false sense of security.
v) That the indiscriminate harvesting and storage of the communications
and metadata of people without suspicion is incompatible with our
liberal and democratic principles, and has the potential to cast a
chilling effect on free speech and free association.
vi) Whilst there are legitimate concerns surrounding national security,
such concerns must not be invoked simply as a pretext to undertake
blanket surveillance, stifle investigative journalism, or discourage
public debate.
vii) That the work of the intelligence and security services is essential to
the underpinning of a free, fair and open society, and that clear public
agreement as to their remit and the extent of their powers would be to
their benefit as well the country more broadly.

Conference endorses:

A. The International Principles on the Application of Human Rights to
Communications Surveillance, which emphasise that any surveillance
of citizens by the state must be necessary and proportionate.
B. The United Nations General Assembly resolution on the Right to
Privacy in the Digital Age (A/C.3/68/L.45), emphasising that the same
rights that citizens have offline must also be protected online.
C. The Reform Government Surveillance Principles signed by Apple,
Google, Microsoft, Facebook, Yahoo, LinkedIn, Twitter and AOL,
which call for overhaul of the oversight, accountability and laws
governing government surveillance programmes in order to restore
the balance between security and liberty and to restore public trust in
the internet.
D. Existing Liberal Democrat policy that data belongs by default to the
individual to whom it refers; this ownership of data means that the
individual citizen has a right to access all their own data and, where
reasonable, can decide who else has access.
E. The Deputy Prime Minister’s decision to veto the unworkable and
disproportionate Communications Data Bill.

Conference therefore calls for:

1. The annual release of Government Transparency Reports which
publish, as a minimum, the annual number of user data requests
made by law enforcement, the intelligence agencies, and other
authorities, broken down by requesting authority, success rates, types
of data requested and category of crime or event being investigated.
2. The establishment of a commission of experts to review state
surveillance and all recent allegations from the Edward Snowden
leaks, with specific scope to:
a) Scrutinise relevant legislation including the Regulation of
Investigatory Powers Act 2000, the Intelligence Services Act 1994
and section 94 of the Telecommunications Act 1984.
b) Assess the implications for privacy and internet freedoms of
Project Tempora and other programmes revealed by the Snowden
leaks, and consider alternatives to the bulk collection of data.
c) Review powers, scope, appointment and resources of oversight
committees, commissioners and tribunals.
d) Consider the use of judicial involvement and approval for
surveillance and for access to communications data and
metadata likely to reveal sensitive personal data.
e) Publish its findings and recommendations.
3. The Government to define and enshrine the digital rights of the citizen
to protect from overreach by the state, through:
a) Ensuring that powers of surveillance, accessing data, and
accessing new technologies are not extended without
Parliamentary approval.
b) Ensuring that government does not undertake the bulk
collection of data and only accesses the metadata or content
of communications of an individual if there is suspicion of
involvement in unlawful activity.
c) Ensuring that oversight of government surveillance is
independent, informed, transparent and adequate.
d) Supporting a prompt, lawful and transparent framework for data
requests across jurisdictions and between governments.
4. The Government to accelerate and expand the midata project,
to grant citizens access to all their data in an open digital format,
regardless of which business holds that data, by using powers under
the Enterprise and Regulatory Reform Act 2013.

Applicability: Federal.

Mover of motion: 7 minutes; summation: 4 minutes; other speakers: 3 minutes.
For eligibility and procedure for speaking in this debate, see page 15.
In addition to speeches from the platform, conference representatives will be
able to make concise (maximum one-minute) interventions from the floor during
the debate on the motion; see page 14.
The deadline for amendments to this motion is 13.00, Tuesday 4th March;
those selected for debate will be printed in Saturday’s Conference Daily. The
deadline for requests for separate votes is 09.00, Saturday 9th March. See
page 17."

Just one major note. Although it's fine to see the Lib Dems making an effort on this issue it is disappointing to see the dangerously false notion that there is a mythical "balance between security and liberty" trotted out unthinkingly yet again. This time it's done in endorsing (item C) the not-our-fault-guv-if-only-governments-would-stick-their-unwelcome-noses-out-of-our-er-the-surveillance-business-we'd-all-be-ok corporate behemoths that have facilitated the mass surveillance we are all now subjected to.

Mr Farron and Dr Huppert - thanks for making some effort but can you please stop - I cannot emphasize this strongly enough - stop painting security and liberty (or security and privacy) as opposites. They are fundamentally interdependent. Unless that understanding can be embedded in the DNA of the public debate about this stuff, we won't ever get off the starting blocks to address mass surveillance.