Thursday, April 17, 2014

Cory Doctorow & Barton Gellman at SXSW

Cory Doctorow and Barton Gellman's SXSW discussion of Edward Snowden, secure communications, encryption tools so easy your boss can use them, privacy, the revealing nature of metadata and mass surveillance should be required viewing.

Snowden quizzes Putin about mass surveillance on Russian TV

Edward Snowden just got to quiz Russian president Vladimir Putin about whether Russia engages in mass surveillance...

Guess what? Major surprise. Putin said no they don't. They fight crime and terrorism not like the rich Americans by spying on everyone but by engaging in surveillance controlled by the rule of law.

Call me a skeptic but it's a little unlikely Mr Putin has not heard of SORM not to mention a variety of other unethical surveillance and intelligence practices.

It is disappointing Edward Snowden would get sucked into such a publicity stunt though I guess he would not have had a lot of choice in the matter.

Update: Edward Snowden has defended his decision to participate in the TV show with Putin. In fairness, he makes a good case.

Wednesday, April 16, 2014

Suing the state: hidden rules within the EU-US trade deal

Thanks to Glyn Moody for pointing me at this excellent short video explaining the dangers of the investor state dispute settlement (ISDS) provisions in the proposed EU-US trade deal.

Additionally it is really worth reading Corporate Europe Observatory's excellent analysis of ISDS, Still not loving ISDS: 10 reasons to oppose investors’ super-rights in EU trade deals.

Tuesday, April 15, 2014

ORG Stop UK Internet Censorship Campaign

The Open Rights Group want to launch a campaign to educate the public about the dangers of software filters.

They need help to accumulate the requisite finances.

UK media ignore Guardian's Pulitzer Prize

We learned last night that the Guardian and the Washington Post have shared the Pulitzer prize for public service for their stories, based on documents leaked by Edward Snowden, on the US and UK governments' mass surveillance practices.

The story of the award has topped the news agenda all over the world - NYT, LA Times, The Times of Israel, Le Monde, The Times of India; even Fox News offered grudging respect whilst not missing the chance to denigrate Snowden.

In the UK the accolade has been ignored by The Times, The Daily Telegraph and the Daily Mail, though it got coverage from the BBC, The Independent and the FT.

A reminder, perhaps, of the need, always, to be alert to the underlying agenda(s), motives and values of the controlling mind(s) of the organisations from which we source our news.

Friday, April 11, 2014

What do you need to know about the Heartbleed security vulnerability?

Simon Budgen at OpenLearn asked yesterday if I could offer some ordinary-mortal-interpretable thoughts on the Heartbleed OpenSSL security earthquake.

I offered Simon the rambling stream of consciousness below, which he kindly edited into a more ordered Q&A here.

There is a lot of panic, misreporting and bad advice going round about Heartbleed, as you say. There are, though, a few key things it is worth making sure get included in any article.

Include the Heartbleed link which outlines the problem -

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

That's about as bad as it gets, security-wise. Security expert Bruce Schneier has described it as "catastrophic" and I wouldn't disagree with that.

The OpenSSL bug has compromised half a million plus sites, from what we're able to tell.

Ordinary internet users should change their passwords on affected sites, but generally only after the companies running the websites concerned have: done a security audit to check if they are affected; patched their systems if they are; acquired a new public/private key pair and a new SSL certificate; tested the patched systems; informed users that they have done all this and determined the system to be secure (and preferably pro-actively reset passwords that might have been affected). Now that the news of the bug is out, credible commercial entities are keen to do this in double quick time and many have already done so.

It's not the best advice to change your password before a website has been patched, as that might expose your details to a higher risk of being compromised and will certainly expose your new details/passwords. Some mainstream news media are telling people they should change all passwords immediately – not great advice if it leads you to assume your new credentials are safe when in fact they won't be, if the site has not been patched yet. People should check with, or have confirmation from, the company or an independent trustworthy source that they have fixed their systems first. (Though if someone with already-compromised credentials chooses to use those for nefarious ends in the window between now and the site being patched, then there may be a slight preference in favour of changing passwords temporarily and then changing them again once the fix is done. None of this is really straightforward, unfortunately.)

All the usual advice about choosing strong passwords applies – change them regularly, don’t use the same ones on different sites, don’t use dictionary words or names, make them long, include upper and lower case, numbers and symbols.

If there are several layers of authentication, use them for stronger security, e.g. PIN numbers, passwords, tokens etc.

Now, as people begin to realise how many passwords they are actually using, may be the time to consider investing in a password manager like LastPass, SplashID or Password Genie – software which does all the heavy lifting of choosing long, difficult passwords and managing and "remembering" them for you.

Also note that, since the bug has been around for a couple of years, it is almost certain that a multitude of organised crime gangs will have gathered the encryption keys to all compromised sites, as will intelligence and security services like the NSA and GCHQ. Just to be clear on this – the usernames and passwords used on these sites will likely be in the hands of organised criminal gangs and intelligence services.

The other big issue for ordinary users is to find out exactly which sites have been compromised and where and when they need to go about changing passwords. Various news sites are providing lists of affected sites and those that have been patched, but you need to choose your sources of information carefully. Mainstream news sites are not always the best guide. We do know the big guys like Google, Facebook and Yahoo! were compromised and appear to be patched. Apple and eBay we're not sure, Tumblr yes, big banks apparently not (but don't quote me on that), LinkedIn apparently not, Amazon no, though Amazon cloud services yes. It's basically taking quite some sorting out.

There are sites that enable you to test whether a service you use has been compromised by Heartbleed, e.g. or . Just enter the URL you are concerned about and click the Go!/Submit button. These are not 100% reliable and will generate false positives (alerts on sites that are patched) and occasionally false negatives (giving the all clear to insecure sites). Do be a little careful with these too, as there will be fake test sites which attempt to mislead people about the security of sites which remain compromised.

If people have not heard from the sites they use, they should actively contact them to ask whether they have done the requisite Heartbleed-related security audit, whether they were compromised and whether they have patched any vulnerabilities; and don't stop asking until a definitive answer is forthcoming. Then, if necessary, change their passwords once the fix is implemented.
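The remediation sequence above (audit, patch, re-key and re-issue the certificate, confirm to users, and only then change passwords) expressed as a small audit script. This is an added example, not code from the original post or from the OpenSSL project; the affected version range (1.0.1 through 1.0.1f plus 1.0.2-beta1, fixed in 1.0.1g), the 7 April 2014 disclosure date and all site records are this example's own assumptions and constructed inputs.

```python
"""Heartbleed remediation-status check (added example; all site data constructed)."""
import re
from datetime import date

# Assumptions of this example, not taken from the post: Heartbleed affected
# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g (released on the public
# disclosure date, 7 April 2014) fixed it; 0.9.8 and 1.0.0 were never affected.
DISCLOSURE = date(2014, 4, 7)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:[-_](.*))?$")


def version_vulnerable(version: str) -> bool:
    """True if an OpenSSL version string falls inside the Heartbleed-affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5) or ""
    if branch == (1, 0, 2):
        return suffix == "beta1"   # 1.0.2-beta1 carried the bug; beta2 onward did not
    if branch != (1, 0, 1):
        return False               # 0.9.8 and 1.0.0 branches never had the heartbeat bug
    return letter < "g"            # plain 1.0.1 and 1.0.1a..1.0.1f vulnerable; 1.0.1g+ fixed


def remediation_status(site: dict) -> tuple:
    """Place a site on the checklist and return (status, advice for the user).

    Expected keys (constructed by the caller for this example):
      version_before  - OpenSSL version the site ran when the bug was disclosed
      version_now     - OpenSSL version it reports running today
      rekeyed         - True only if a fresh private key was generated
      cert_not_before - issue date of the certificate currently served
      confirmed       - True if the operator has told users the fix is complete
    """
    if not version_vulnerable(site["version_before"]):
        return "never_affected", "No Heartbleed-driven password change is needed."
    if version_vulnerable(site["version_now"]):
        return "unpatched", ("Wait: a new password sent to an unpatched server can be "
                             "read out of its memory just like the old one.")
    # A certificate re-issued on the old key, or one dated before disclosure,
    # means the key that may already have leaked is still in use.
    if not site["rekeyed"] or site["cert_not_before"] < DISCLOSURE:
        return "patched_old_keys", ("Wait: the private key may already have been taken, "
                                    "so traffic can still be decrypted or the site impersonated.")
    if not site["confirmed"]:
        return "awaiting_confirmation", "Ask the operator to confirm the audit and re-key are done."
    return "fixed", "Change your password now, and enable any second factor on offer."


# Constructed sample inventory: what an operator (or a cautious user) might record.
SAMPLE_SITES = {
    "shop.example": dict(version_before="1.0.1e", version_now="1.0.1e", rekeyed=False,
                         cert_not_before=date(2013, 6, 1), confirmed=False),
    "mail.example": dict(version_before="1.0.1f", version_now="1.0.1g", rekeyed=False,
                         cert_not_before=date(2014, 4, 8), confirmed=True),
    "bank.example": dict(version_before="1.0.0k", version_now="1.0.0k", rekeyed=False,
                         cert_not_before=date(2013, 1, 1), confirmed=False),
    "forum.example": dict(version_before="1.0.1c", version_now="1.0.1g", rekeyed=True,
                          cert_not_before=date(2014, 4, 9), confirmed=True),
}


def audit(sites: dict) -> dict:
    """Run the check over an inventory; returns {site: status}."""
    return {name: remediation_status(rec)[0] for name, rec in sites.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_SITES.items():
        status, advice = remediation_status(rec)
        print(f"{name:15} {status:22} {advice}")
```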

Hope that gives you something to start with.
Comments welcome here or over at OpenLearn.

Thursday, April 10, 2014

European Court of Justice annuls 2006 data retention directive

On Tuesday, 8 April 2014, the Court of Justice of the European Union (also known as the European Court of Justice), in a scathing indictment of widespread mass surveillance practices, abolished the 2006 EU data retention directive. The Court said the directive was a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights.

The directive constituted such a serious interference with the fundamental right to privacy that it had to be annulled - it was an affront to liberty that should never have existed.

TJ McIntyre of Digital Rights Ireland (DRI), the heroic litigants in chief, has made a copy of the full decision available at scribd and it will appear on the Court website in due course. Credit also to the 11,130 Austrian citizens whose case was joined to that of DRI since they had challenged the directive on similar grounds.

For the uninitiated, the data retention directive was the instrument through which the EU required communications service providers, both fixed line and mobile, to store details of everything everyone does on the telephone or internet, for a period of between 6 months and two years. The details of what should be collected are laid out in Article 5 of the directive, and the only thing not allowed was recording of the content of calls or messages.

It's actually worth spending 5 or 10 minutes looking at that list of things in Article 5 that have been gathered by communications service providers throughout the EU. At first pass it seems a bit legalistic, but if you cut through that and think about it – names, addresses, who spoke to whom, where, when, for how long, on what device, how often, websites visited etc. etc. This all paints a very detailed picture, and most people don't know it is going on. The who, where, why, how, what and when of individual lives is all there in this metadata.

With what may be interpreted as half an eye on the Edward Snowden revelations, the Grand Chamber of the Court effectively condemned pre-emptive, suspicionless, warrantless mass surveillance and the consequent "interference with the fundamental rights of practically the entire European population". The case is the first major court decision on mass surveillance since the Snowden stories started to break in June 2013, though high courts in Romania (2009), Germany (2010), Bulgaria (2010), the Czech Republic (2011) and Cyprus (2011) had all declared the data retention directive unconstitutional and/or a disproportionate, unjustified interference with the fundamental rights to privacy, free speech and confidentiality of communications. As recently as 2011, following the national courts' striking down of regulations implementing data retention, the European Commission was hounding Germany and Romania to re-implement the directive. The Commission subsequently sued Romania, which went on to pass a widely criticised version of data retention law in 2012, nicknamed "Big Brother". The Commission had also previously sued Greece, the Netherlands, Austria and Sweden for failing to implement the directive by the due date of 15 September 2007.

The previous UK Labour government was one of the key driving forces behind the original implementation of the data retention directive. The current UK government is one of the biggest cheerleaders for, and operators of, mass surveillance standards and practices. Though the UK government was not involved directly in the case (and is scrambling madly to find a way to circumvent the decision as, sadly, is the Commission), both the current and the previous administrations' behaviour, in the data retention context, is considered so heinous in law that it should never have happened; and the laws facilitating that behaviour should never have existed.

Some commentators have also suggested the Court was firing a message not just to the UK but across the pond (2 min 40sec audio) to the effect that US mass surveillance standards are totally unacceptable in an EU context.

I have now managed to read the decision in full (in fits and starts) and will endeavour to post an analysis here at the earliest opportunity. (Aka when grown up admin duties allow and I can construct a sufficiently robust buffer between me and the zombiecrats to take a sustained run at it).

Appelbaum on mass surveillance

Take 5 minutes 33 seconds to listen to Jacob Appelbaum on mass surveillance and the WePromiseEU 10 point charter for digital rights.

Tuesday, April 08, 2014

Daniel Solove: Nothing to Hide, Nothing to Fear?

Nice interview with Daniel Solove (24 minutes) on the nothing to hide meme.

Kafka better captures the modern privacy issues we face. Decisions about our lives are being made on the basis of secret uses of our personal data - look at airline screening for example.

Categories of data which were required to be retained under the data retention directive

The data retention directive, DIRECTIVE 2006/24/EC, thanks to the efforts of a small number of digital rights activists in Ireland and a slightly larger group from Austria has been declared unlawful - a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights - by the European Court of Justice today.

I'm hoping to blog about the decision soon, but it is worth pointing out the categories of data that this directive required service providers to retain and to make available to crime-fighting authorities. They are specified exhaustively in Article 5 of the directive:
Article 5 (Official Journal of the European Union, 13.4.2006, L 105/57)
Categories of data to be retained

1. Member States shall ensure that the following categories of data are retained under this Directive:

(a) data necessary to trace and identify the source of a communication:
    (1) concerning fixed network telephony and mobile telephony:
        (i) the calling telephone number;
        (ii) the name and address of the subscriber or registered user;
    (2) concerning Internet access, Internet e-mail and Internet telephony:
        (i) the user ID(s) allocated;
        (ii) the user ID and telephone number allocated to any communication entering the public telephone network;
        (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;

(b) data necessary to identify the destination of a communication:
    (1) concerning fixed network telephony and mobile telephony:
        (i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;
        (ii) the name(s) and address(es) of the subscriber(s) or registered user(s);
    (2) concerning Internet e-mail and Internet telephony:
        (i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
        (ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;

(c) data necessary to identify the date, time and duration of a communication:
    (1) concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;
    (2) concerning Internet access, Internet e-mail and Internet telephony:
        (i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
        (ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;

(d) data necessary to identify the type of communication:
    (1) concerning fixed network telephony and mobile telephony: the telephone service used;
    (2) concerning Internet e-mail and Internet telephony: the Internet service used;

(e) data necessary to identify users' communication equipment or what purports to be their equipment:
    (1) concerning fixed network telephony, the calling and called telephone numbers;
    (2) concerning mobile telephony:
        (i) the calling and called telephone numbers;
        (ii) the International Mobile Subscriber Identity (IMSI) of the calling party;
        (iii) the International Mobile Equipment Identity (IMEI) of the calling party;
        (iv) the IMSI of the called party;
        (v) the IMEI of the called party;
        (vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;
    (3) concerning Internet access, Internet e-mail and Internet telephony:
        (i) the calling telephone number for dial-up access;
        (ii) the digital subscriber line (DSL) or other end point of the originator of the communication;

(f) data necessary to identify the location of mobile communication equipment:
    (1) the location label (Cell ID) at the start of the communication;
    (2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.

2. No data revealing the content of the communication may be retained pursuant to this Directive.

Blanket retention of this data is theoretically now invalid in the EU but it remains astonishing that it was ever lawful in the first place. Seriously. Take a look at that list of metadata and think about what it can tell you about an individual.

Monday, March 31, 2014

ECJ: Intermediaries can be responsible for blocking copyright infringement

The Court of Justice of the EU last week decided Case C‑314/12,

REQUEST for a preliminary ruling under Article 267 TFEU from the Oberster Gerichtshof (Austria), made by decision of 11 May 2012, received at the Court on 29 June 2012, in the proceedings

UPC Telekabel Wien GmbH
v
Constantin Film Verleih GmbH,
Wega Filmproduktionsgesellschaft mbH

A panel of five judges, not unexpectedly given the advice of the Advocate General, decided that ISPs can be required to block access by their customers to a website which infringes copyright.

A first glance at the ruling suggested there might be a conflict here with the Court's earlier decision in the 2008 Promusicae case, which held that privacy trumps copyright. But the Court carefully steers a route past that earlier decision.

Firstly, they conclude, at paragraph 40, that

"Article 8(3) of Directive 2001/29 must be interpreted as meaning that a person who makes protected subject-matter available to the public on a website without the agreement of the rightholder, for the purpose of Article 3(2) of that directive, is using the services of the internet service provider of the persons accessing that subject-matter, which must be regarded as an intermediary within the meaning of Article 8(3) of Directive 2001/29."

ISPs are third parties potentially making copyright-infringing materials available to their customers. The preventative, proactive copyright-protective nature of the 2001 directive means that no proof that an ISP's customers are accessing the allegedly infringing materials is required before said ISP can be required to block an allegedly infringing source.

The Court then asks if ordering an ISP to block a website offering infringing works undermines fundamental rights recognised by EU law. They (paragraph 46) re-emphasise the Promusicae decision that copyright cannot undermine fundamental rights:

"The Court has already ruled that, where several fundamental rights are at issue, the Member States must, when transposing a directive, ensure that they rely on an interpretation of the directive which allows a fair balance to be struck between the applicable fundamental rights protected by the European Union legal order. Then, when implementing the measures transposing that directive, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with that directive but also ensure that they do not rely on an interpretation of it which would be in conflict with those fundamental rights or with the other general principles of EU law, such as the principle of proportionality (see, to that effect, Case C‑275/06 Promusicae [2008] ECR I‑271, paragraph 68)."

and note that court-ordered web blocking to negate copyright infringement constitutes:

"a conflict between (i) copyrights and related rights, which are intellectual property and are therefore protected under Article 17(2) of the Charter, (ii) the freedom to conduct a business, which economic agents such as internet service providers enjoy under Article 16 of the Charter, and (iii) the freedom of information of internet users, whose protection is ensured by Article 11 of the Charter."

They go on to say the Court doesn't get to specify the web blocking measures. That decision is in the hands of the ISP. Such injunctions do amount to an interference with an ISP's freedom to conduct a business, but this does not involve "unbearable sacrifices". As long as the ISP takes "reasonable measures" to block their customers' access to the allegedly copyright-infringing materials, copyright holders have no cause of direct action against them.

The Court is very vague, however, on what these "reasonable measures" should be. It's for the ISP concerned, not a court, to decide the precise blocking methods (para 52) that should be deployed. Yet the Court is also apparently adamant (para 54) that intermediaries should have legal certainty on the measures they need to take to avoid penalty.

The ISP must also ensure the blocking does not interfere with their customers' freedom of information, and the blocking techniques used should be "strictly targeted" to terminate the copyright infringement whilst not undermining fundamental rights. To that end, from the customers' fundamental rights perspective, they should be able to challenge any blocking processes implemented by the ISP in their national courts (para 57):

"It must be possible for national courts to check that that is the case. In the case of an injunction such as that at issue in the main proceedings, the Court notes that, if the internet service provider adopts measures which enable it to achieve the required prohibition, the national courts will not be able to carry out such a review at the stage of the enforcement proceedings if there is no challenge in that regard. Accordingly, in order to prevent the fundamental rights recognised by EU law from precluding the adoption of an injunction such as that at issue in the main proceedings, the national procedural rules must provide a possibility for internet users to assert their rights before the court once the implementing measures taken by the internet service provider are known"

Interestingly enough, though it doesn't appear necessary, at paragraph 61 the Court states -

"The Court notes that there is nothing whatsoever in the wording of Article 17(2) of the Charter to suggest that the right to intellectual property is inviolable and must for that reason be absolutely protected (see, to that effect, Scarlet Extended, paragraph 43)."

They then go on to conclude on the substantive questions before them:

"the Court (Fourth Chamber) hereby rules:

1. Article 8(3) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society must be interpreted as meaning that a person who makes protected subject-matter available to the public on a website without the agreement of the rightholder, for the purpose of Article 3(2) of that directive, is using the services of the internet service provider of the persons accessing that subject-matter, which must be regarded as an intermediary within the meaning of Article 8(3) of Directive 2001/29.

2. The fundamental rights recognised by EU law must be interpreted as not precluding a court injunction prohibiting an internet service provider from allowing its customers access to a website placing protected subject-matter online without the agreement of the rightholders when that injunction does not specify the measures which that access provider must take and when that access provider can avoid incurring coercive penalties for breach of that injunction by showing that it has taken all reasonable measures, provided that (i) the measures taken do not unnecessarily deprive internet users of the possibility of lawfully accessing the information available and (ii) that those measures have the effect of preventing unauthorised access to the protected subject-matter or, at least, of making it difficult to achieve and of seriously discouraging internet users who are using the services of the addressee of that injunction from accessing the subject-matter that has been made available to them in breach of the intellectual property right, that being a matter for the national authorities and courts to establish."
Whilst I understand why the Court does not want to specify particular blocking or filtering techniques, it seems that copyright owners, ISPs and other internet intermediaries are left in something of a legal limbo.

  • Under Article 8(3) of Directive 2001/29/EC, intermediaries can be ordered by a court to block sites thought to be distributing unauthorised copyright materials
  • Implementing such measures does interfere with intermediaries' freedom to conduct a business, but not unbearably so
  • It is for the intermediaries, not the Court, to decide what specific blocking measures should be taken
  • These measures, however, must be: 1. reasonable; 2. strictly targeted; 3. effective in protecting the copyright holder; 4. effective in protecting the fundamental rights of the ISP's customers
  • Intermediaries have no guidance from the Court on what is meant by "reasonable" blocking measures or how to balance fundamental rights with the (not inviolable) right to intellectual property
  • If intermediaries don't get their measures sufficiently "reasonable" to make both their customers and the requisite copyright holders happy, they leave themselves open to legal challenge from one or the other or both

ISPs can be ordered to block, but neither they nor the offended copyright holders know what kinds of specific blocking measures can be considered reasonable. Given such legal uncertainty and the crude nature of software filters, I suspect the ultimate outcome will be that ISPs tend towards over-blocking, since the risks of being sued by copyright holders for facilitating infringement are significantly higher than those of being sued by individual customers for breaching their fundamental rights.