Saturday, November 21, 2015

The poisonous seduction of the demonising of whole classes of people

This is no time for people who oppose Senator McCarthy's methods to keep silent.

Politicians, journalists and their paymasters would do well to heed Edward R. Murrow, who repeatedly inveighed against the extremism of Congressional McCarthyism.

The demonisation of Muslims, Syrians, refugees, [pick a categorisation for your discrimination of choice] is poisonous and destructive.

Wednesday, November 11, 2015

Science and Technology Committee IP Bill hearings

Some day when you find yourself with a couple of hours free, sit down in front of your computer and watch a debate in parliament on something you know a little about. I couldn’t spare a couple of hours but nevertheless couldn’t resist the Science and Technology Select Committee’s hearings on the draft Investigatory Powers Bill published by the government last week.

My very own MP, Nicola Blackwood, the recently installed Chair of the committee, opened proceedings with a briefing from the Home Office. She assured us that the Home Office had assured her that there were no plans for new powers to ban encryption deployed by overseas companies. I assume that was rushed to Ms Blackwood in advance of the briefing, following Apple chief Tim Cook’s dim view of the Bill headlining the front page of the Telegraph that morning. The only new power in the bill, Nicola assured us, was the facilitation of access to internet connection records. Given the amount of public relations there has been in the run up to the publication of the bill, I was assured that Nicola was assured and that MPs had been assured that all was ok and they need not worry too much about what that bill actually says.

One problem with watching parliamentary proceedings on the Internet, however, is (no, not that the spies/police might be watching when the IP Bill passes) that the Parliamentlive streaming service can be decidedly flaky. I spent a fair and irritating chunk of my couple of hours watching a buffering circle on my screen.

First up in the witness chairs were Matthew Hare, Chief Executive Officer, Gigaclear, John Shaw, Vice President, Product Management, Sophos, and James Blessing, Chair, Internet Services Providers' Association. All three tried valiantly to enlighten but separating an MP in thrall to a party briefing from a clear view of the world is a bit like trying to separate a toddler from a beloved comfort blanket.

  • High speed internet connections could result in an annual storage requirement of 15 terabytes of data, just relating to a single home
  • The amount of data the IP bill requires service providers to collect, indiscriminately, is huge and costly and will not meet the aims of the bill
  • Serious criminals are already using strong encryption the IP Bill won’t address
  • Keeping massive stores of data safe and secure is really difficult... cough… TalkTalk cough…
  • Definitions in the bill are ridiculously broad – not even clear what a service or a service provider is
  • The Bill disadvantages UK companies which appear obliged to hand over data overseas companies do not
  • Internet protocol data networks are not run the same way as telephony networks and assuming they are is a fundamental error
  • Engaging in a population wide data dragnet in order to engage in a historical data fishing expedition at some point in the future is inappropriate
  • What is being proposed in the IP Bill is what has already been done in China
  • With port mirroring everything delivered to a customer can be delivered to a 3rd party (MPs' eyes glazing over)
  • It’s going to cost taxpayers a lot of money
  • Targeted rather than mass surveillance is a more effective, efficient and practical approach to the aims of the bill. If service providers get a request to intercept traffic to a particular IP address they can and do do that today.
  • The removal of electronic protection aka nobble encryption clause is a baaaaad idea
  • The Bill talks about 3 layers of data – communications data, content and one or the other. Unfortunately, once you capture comms data it becomes content, when you analyse it, it becomes information. (MPs glazing over again)
  • The IP Bill, as it stands, potentially makes it a criminal offense for service providers to share information about security vulnerabilities

In summary their evidence amounted to – the Bill is technically complicated and unclear what it really means in practice; it'll cost a fortune, fail to catch terrorists and other serious criminals, damage business, undermine everyone’s security and result in large numbers of innocent people being inappropriately dragged into the net of suspicion.

  • But, but, but…
  • We’re already paying to be spied on – that’s how we fund the secret services
  • It’s ok to have a dragnet for the internet because we have a dragnet for phones and it’s just the same
  • Stella Creasy enthusiastically jumped in to share her knowledge of IPv6 which would fix everything by allowing the “spearfishing” of the baddies’ data from giant data stores and thereby making everything ok with bulk personal data collection. Unfortunately, as the techies heroically tried to explain, IPv6 generates vastly more data and makes everything more not less complicated technically
  • But, but, but…
  • It’s ok because we don’t intend to do all those things you’re complaining about

In summary, but, but but…

Just as the ever excellent Professor Ross Anderson of Cambridge opened for the second collection of witnesses of the day, my dreaded buffering circle kicked in again… The second group also included Professor Mike Jackson, Birmingham City Business School, Dr Joss Wright, Oxford Internet Institute, and Professor Sir David Omand, King's College London.

My feed came back online just in time to hear Nicola Blackwood emphatically declaring that there was no place for ethics in the hearing. The committee was here to be educated purely on the technology issues. Prof Omand opened by profoundly disagreeing with everything Prof Anderson had just said.

Ah shucks. What did I miss?

As far as Prof Omand was concerned the questions underpinning the bill were not ethical in nature but empirical. Unfortunate though the revelations of former NSA contractor, Edward Snowden, were, they demonstrated, empirically and without question, that the intelligence authorities were very good at handling large quantities of data.

Prof Omand went on to explain that in his opinion the main “fuzziness” in the bill was in the distinction between communications data and content. It was, however, a fuzziness with minimal practical relevance. The bill was as close as you can get to clear on the distinction between the two. The word "clear" did draw some sharp intakes of breath in the room but he ploughed on. The real significance was in the authorisation process for intercepting or accessing the data; and since that could be worked out by the insiders with the appropriate expertise, there was nothing to be concerned about.

Joss Wright respectfully disagreed with the good Prof about there being a clear practical line between metadata and content. His main opening concern was with mass retention, or “bulk” retention as the government likes to call it. Dr Wright would want to see some respect for proportionality. Prof Omand was a little irritated with this and noted that the mistake the Home Office made in the last 5 years was to not update interception and surveillance codes of practice. If the public had known there were secret codes of practice governing everything, all would have been ok and the Snowden revelations wouldn't have been such a shock.

Prof Anderson was invited back into proceedings again and decided it was time to ground all this abstract stuff in something the MPs might understand – their Google calendars – Google calendar data relating to who they were meeting with, where and when would be within the scope of what the Bill would consider content. Prof Omand jumped in insisting that this was not intended and accusing critics of the bill of using “worst case” examples to undermine it. Theoretically, the Infinite Power (sic) Bill could be abused but trust us, it won’t be.

Dr Wright noted a fundamental misunderstanding underpinning the bill being the assumption that metadata (or communications data) is less sensitive than content. Prof Omand was, metaphorically at least, on his feet again – the authors of the bill (by this stage observers must have been wondering if he was one) were not disagreeing that communications data might be sensitive but "most of the time" it is not.

Dr Wright insisted that comparing web communications data to telephony data is ridiculous. A better analogy is to real life - what shop, home, workplace, place of leisure you visit are all captured. That provides a much more intrusive picture of life than telephone billing records. Content data is not more sensitive than communications data. It is merely differently sensitive.

An MP ventured a really good question (that was not of the variety ‘can you confirm how clever I am’) – how do we frame this kind of surveillance legislation so it is practical now and future proof? 

Prof Anderson gently explained you can't. The technology is changing too quickly and parliament will have to continually revisit access to personal data issues for the foreseeable future. Technology and policy are inextricably interlinked and guess what? The internet of things is about to hit us. Also whether we like it or not, the networks are international in nature and Prof Anderson strongly encouraged international cooperation in their regulation.

Dr Wright then pointed out that from an investigatory perspective a targeted approach to surveillance was more effective and more practical. Though he understood the seductive attractions of creating a time machine with which to explore, at some future point, the intimate details of anyone’s past life, it was somewhat unethical.

Prof Anderson agreed. There may be information gold in them there communications data hills but that didn’t make it ethical to build them. 

Prof Jackson confirmed that even as you continue to construct these data mountains you’ll find only a tiny amount of the data is useful. This is mass surveillance.

Nicola Blackwood was now getting tired of reminding these techies that the panel was here to discuss technology not ethics.

And Prof Omand was having none of it from his fellow witnesses. The British government simply does not and would not indulge in mass surveillance. It’s not the done thing. Mass surveillance is the persistent surveillance of all or a large part of the population. And since it is only computers that are engaged in the persistent recording, storage and analysis of the intimate details of everyone's lives, that’s perfectly fine. Human beings only look at a small amount of the data you see. [By which measure, incidentally, you could make an argument for installing the most sophisticated modern video cameras, filming 24/7 in every corner of every room and space in the country - it will be ok if nobody looks at it].

Prof Jackson pointed out that when mass databases exist that opens the personal data to the post hoc (rather than real time) equivalent of mass surveillance. Dr Wright agreed – proponents of the IP Bill might be claiming there is no mass surveillance going on because human beings only see a small proportion of the data but computers can do a phenomenal amount with mass data before humans ever get involved in the loop. We also need to be cognisant of the clear and empirically measured chilling effects of a population’s awareness of constant surveillance.

Ms Blackwood: No ethics please, we’re here to discuss technological issues!

Profs Anderson, Jackson and Dr Wright: The elephant in the room here is the destruction of privacy and you cannot deal with this bill without discussing it.

Prof Anderson tried again to bring the discussion back to something the MPs would understand. There are, he noted, significant sensitivities around medical records for example. Likewise bank records – did the MPs want police or other public services trawling through people’s bank records?

Prof Omand was in no doubt that of course we do – it was perfectly reasonable. It was perfectly unreasonable for Prof Anderson to be attempting to scare people witless about abuse of these powers with worst case scenarios. It won’t happen because we will now have stronger oversight including the involvement of judicial oversight. We listened to our US cousins on that one.

Dr Wright, at this point, disputed the notion that the IP Bill was not expanding existing powers. It would additionally lead to a reluctance on the part of commerce to do business in the UK and people seeking to subvert what the bill is trying to do would simply use services overseas.

Prof Anderson again noted that if we’re to get a handle on the regulation of these technologies we have to have international cooperation. Something along the lines of an international cyber evidence convention is called for.

Prof Omand: The security of the internet is the number one priority. The policy in the bill is extremely clear. You simply cannot remove the right of the authorities to deal with pedophiles and the IP bill might give the police and security services a chance to catch them. We do note, however, that the judicial commissioners involved in the oversight processes will need a lot of technical expertise.

Prof Anderson: Yes and the problem with the proposed set up is that the experts on the advisory board will have representatives from police, security services and service providers. No one from civil society or academia is entitled to even a look in – no representatives, in short, for Jo Public. Given big data is manna from heaven for government and commerce, that appears somewhat unbalanced.

Nicola Blackwood, watching the clock with relief, summed up: We’re out of time. We need to give the security services what they need. We need to ensure proportionality in the deployment of these powers. She also thanked the witnesses for their heated advice. [Actually it was all reasonably civilised even though there was a split in opinions on the panel]

So, in summary where did we actually get to?

Profs Anderson, Jackson and Dr Wright: The government are collecting digital dossiers on the intimate details of the personal lives of the entire population. Whatever you choose to call it, that is mass surveillance.

MPs: But, but, but…

Prof Omand: No it isn’t and it is irritating that people keep saying so

MPs: Ah that’s a relief... and they vacated the room, party briefing comfort blankets still tightly clenched.

Update: The Science and Technology Committee has invited written submissions on the Investigatory Powers Bill by Friday 27 November. As Nicola Blackwood repeatedly reminded her witnesses, they are looking for submissions that focus on technology issues, including:

  • The technical feasibility and costs of meeting the obligations imposed by the Bill 
  • The impact on communications service providers and related businesses 
  • The likely consequences for citizen/consumer use of ICT services

You can submit your thoughts via the UK Parliament website.

Update 2: A full official transcript of the hearings is now available.

Tuesday, October 06, 2015

CJEU Schrems, The Irish Data Protection Commissioner and Facebook

The Court of Justice of the European Union has today declared the EU-US Safe Harbour agreement, which facilitates the transfer of personal data from the EU to the US, invalid.

The Court opens by highlighting the provisions of the 1995 Data Protection Directive:

"Object of the Directive
1. In accordance with this directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data."

Article 25 of the directive lays down the principles under which it may be permitted to transfer personal data to countries outside the EU, "a third country" (or countries), primarily that the 3rd country offer "an adequate level" of data protection. The European Commission has the power to declare 3rd countries compliant with EU standards but is obliged to engage in due diligence in accordance with procedures outlined in article 31 of the directive, to ensure the requisite checks and balances are in place.

Under article 26, EU member states can sanction personal data transfers to third countries not yet in possession of the Commission's seal of approval under a specific set of circumstances e.g. if the person whose data is to be transferred agrees to it.

From an initial scan of the decision, it seems that the Safe Harbour agreement of 2000, declaring the US a safe 3rd country for EU personal data transfers, has been declared invalid by the Court because the EU were not careful enough in checking out the US; and because untrammeled US mass surveillance practices would appear to make it an unsafe third country.

From paragraph 5, the Court outlines the Commission's Safe Harbour Decision 2000/520 (including principles and US organisations' self certification and dispute resolution processes) declaring the US a safe third country for personal data transfers. The agreement allowed for US law to override Safe Harbour obligations. So if US law explicitly imposes an obligation on US organisations to process or transfer data in ways that would breach the Safe Harbour principles it is ok for them to do so. The idea being to give US companies an exit when caught between complying with conflicting legal obligations.

At the time, privacy advocates were unhappy with the Safe Harbour decision, accusing EU negotiators of folding in the face of US demands. Several reviews of the agreement, including this one by a group of internationally renowned scholars, in the summer of 2007, have noted that the Safe Harbour scheme does not meet the requirements of the 1995 data protection directive or EU privacy standards. Documentary evidence, released to journalists by NSA whistleblower Edward Snowden in 2013, on the mass surveillance practices of the US and UK governments, has given weight to those conclusions.

The CJEU get to the Snowden revelations and the EU's response to these in paragraphs 11 to 25 of the Schrems decision. In a kind of an 'ooops, oh dear, those nice US Safe Harbour compliant companies are doing things they shouldn't be with EU data; but let's not upset them because it's the government's fault' realisation, the Commission issued Communication COM(2013) 846 final and Communication COM(2013) 847 final; noting US mass surveillance (though they didn't call it that) "raises serious questions".

As our US cousins might say, you're darn tootin' it raises serious questions.

Paragraphs 26 to 36 deal with the Schrems complaint about Facebook to the Irish Data Protection Commissioner and the Irish High Court.

Schrems asserted that Facebook's data transfers to the US undermined his fundamental rights to privacy and the protection of his personal data, guaranteed by articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The Irish Data Protection Commissioner said not my job guv, get lost but even if it was, there was no specific evidence that the NSA had been playing with Mr Schrems's data.

Judge Hogan in the Irish High Court took a different view. Whilst accepting that electronic surveillance and interception "serve necessary and indispensable objectives in the public interest... the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies." [para 30 Schrems] Judge Hogan also noted that EU citizens have no effective right to be heard in relation to the "indiscriminate surveillance and interception" carried out on them on a large scale by US federal agencies like the FBI and NSA. Protections for privacy, fundamental rights and freedoms guaranteed by the Irish Constitution were essentially being undermined by indiscriminate and disproportionate mass surveillance by US authorities. On the basis of Irish law alone, the Irish Data Protection Commissioner was wrong to reject Mr Schrems's complaint.

Judge Hogan's view then brings the Commission's Safe Harbour decision of 2000 into play. Does that decision, certifying the US as a safe place for EU personal data, bind member states, obliging them to accept that certification; or can a data protection authority of a Member State independently examine the claim of a person concerning a breach of their rights by a third country, when the law and practices in the third country do not ensure an adequate level of protection? Additionally, given what we know from Snowden, Judge Hogan believes the Safe Harbour decision itself to be invalid - as the fundamental right to privacy would be rendered meaningless if "State authorities were authorised to access electronic communications on a casual and generalised basis without any objective justification based on considerations of national security or the prevention of crime that are specific to the individual concerned and without those practices being accompanied by appropriate and verifiable safeguards."

The Court's deliberations play out in paragraphs 37 to 107.

The fundamental rights to privacy and data protection have been affirmed and re-affirmed in the Court time and again (Österreichischer Rundfunk and Others, Google Spain and Google, Ryneš, Rijkeboer, Digital Rights Ireland and Others). The independence of national supervisory authorities is an important element in protecting those rights in practice. They are obliged, however, to balance those rights with the interests of those requiring free movement of data and have no power relating to the processing of data, once it is transferred to another country. They do have an obligation, under articles 25, 26 and 28 of the 1995 directive, to monitor the transfer of data to a third country and ensure it complies with EU standards. Transfers may only be effected where the country the data is being sent to offers an "adequate level of protection".

Member states or the Commission may assess and determine whether protections offered by a third country are adequate. When the Commission makes a decision that a third country provides adequate protections it is binding on member states, until it is declared invalid by the CJEU. But that Commission decision cannot prevent EU citizens from pursuing a claim through the national supervisory authorities and, if necessary, national courts, if they have reason to be concerned that their fundamental rights are being undermined by the transfer to and processing of their personal data in a third country. If the national courts consider the complaint well founded, as did Judge Hogan in the Schrems case, they must refer it to the CJEU.

Bottom line - even if the Commission white-lists a country like the US, it does not prevent national data protection authorities investigating and national courts hearing an individual's complaint. And if an individual, like Mr Schrems, has a legitimate complaint, then it may be referred to the CJEU and the Commission's decision approving the US as a privacy respecting jurisdiction, may itself be reviewed [exclusively] by the Court of Justice.
"66 Having regard to the foregoing considerations, the answer to the questions referred is that Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection."
Paragraphs 67 to 106 review the validity of the Commission's Safe Harbour decision and constitute another CJEU warning over US and UK mass surveillance practices and the tepid European Commission response to these, following in the tradition of the Google Spain and Digital Rights Ireland cases from 2014.

Short version: the Commission failed totally, in its obligation to ensure that the laws and international obligations of the US actively respected the privacy rights of EU citizens, when approving the US as a trusted data protection nation, in their Safe Harbour decision of 2000. US organisations were permitted approval under a Safe Harbour self certification scheme which had no effective US public authority or legislative oversight (the US Federal Trade Commission's oversight being restricted to commercial disputes relating to unfair or deceptive practices in or affecting commerce and not the legality of interference with fundamental rights) and no remedies for individuals concerned about the potential abuse or misuse of their personal data. Not only did it fail, the Commission didn't even bother to check but eventually did get round to admitting, once the Snowden revelations emerged, that there might be "serious questions" over the Safe Harbour agreement.

Additionally the Commission, in the Safe Harbour decision, exceeded its authority in attempting to nullify national data protection authorities' powers to enable individuals to raise concerns about the processing of data in Commission approved third countries like the US.
86 ... Decision 2000/520 lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them. ...
88 In addition, Decision 2000/520 does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security.
89 Nor does Decision 2000/520 refer to the existence of effective legal protection against interference of that kind...
92 Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 52 and the case-law cited).
93 Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail ...
94 In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (see, to this effect, judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 39).
95 Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter...
96 As has been found in particular in paragraphs 71, 73 and 74 of the present judgment, in order for the Commission to adopt a decision pursuant to Article 25(6) of Directive 95/46, it must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order, a level that is apparent in particular from the preceding paragraphs of the present judgment.
97 However, the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. 98 Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid... 
99      ... national supervisory authorities must be able to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms in regard to the processing of personal data relating to him. That is in particular the case where, in bringing such a claim, that person raises questions regarding the compatibility of a Commission decision adopted pursuant to Article 25(6) of that directive with the protection of the privacy and of the fundamental rights and freedoms of individuals...  
102 The first subparagraph of Article 3(1) of Decision 2000/520 must ... be understood as denying the national supervisory authorities the powers which they derive from Article 28 of Directive 95/46, where a person, in bringing a claim under that provision, puts forward matters that may call into question whether a Commission decision that has found, on the basis of Article 25(6) of the directive, that a third country ensures an adequate level of protection is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
103 The implementing power granted by the EU legislature to the Commission in Article 25(6) of Directive 95/46 does not confer upon it competence to restrict the national supervisory authorities’ powers referred to in the previous paragraph of the present judgment.
104 That being so, it must be held that, in adopting Article 3 of Decision 2000/520, the Commission exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46, read in the light of the Charter, and that Article 3 of the decision is therefore invalid.
105 As Articles 1 and 3 of Decision 2000/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety. 106 Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid."

The Court concludes that the Safe Harbour Decision 2000/520 is invalid.

I would just repeat paragraph 93 for emphasis: "Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail"

So, in summary, national data protection authorities and national courts can review claims of abuse of personal data by third countries, and the Safe Harbour EU-US agreement, Decision 2000/520, is invalid.
"On those grounds, the Court (Grand Chamber) hereby rules: 1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
2. Decision 2000/520 is invalid."

Update: Peter Swire, who was one of the US expert negotiators when the Safe Harbour provisions were agreed, yesterday criticised the CJEU AG's opinion in the case as suffering from particular inaccuracies concerning the law and practice of U.S. foreign intelligence law, notably the PRISM program. He particularly emphasises changes to US law since the original Snowden revelations and notes with approval that the PRISM program is governed by Section 702 of the law enacted in 2008 to amend the Foreign Intelligence Surveillance Act. I suspect, given s702's 'guilty of being a foreigner' provisions, Caspar Bowden would have had a few words to say on the subject.

The full court doesn't get into the intricacies of PRISM but it does hint strongly that Kafkaesque mass surveillance, without remedy available to those affected, undermines the rule of law.

Update 2: Daniel Solove does a really accessible analysis of the Court's decision and its possible implications. I suspect he over-estimates the likely impact of the coming revisions to EU data protection laws, given the giant privacy avoidance loopholes built into the draft general data protection regulations. But it is still essential reading.

Update 3: I also highly recommend Andres Guadamuz's analysis of the case.

Update 4: Some typos plus one error relating to FTC corrected. There follow links to EU Commission/Parliament reviews of Safe Harbour in 2002, 2004 and the post-Snowden reviews of 2013: COM(2013) 846 final, Rebuilding Trust in EU-US Data Flows, and COM(2013) 847 final, on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU.

Friday, September 25, 2015

John Oliver, Privacy International & Ryan Gallagher on mass surveillance

In the light of The Intercept's latest story on the Snowden documents, could I recommend revisiting John Oliver on government surveillance plus his Snowden interview...

 ... and Privacy International's short videos on communications surveillance, big data, data protection, metadata and privacy

Tuesday, September 15, 2015

In praise of Open University people

The Open University (OU) is a phenomenal institution with a fundamentally decent ethos and values which it has been a privilege for me to be able to tell people I work for, for the past 20 years or so. We are, however, facing some serious challenges.

The latest plan to deal with those challenges is to close seven front-line regional operations centres. The OU centres marked for closure are London, Oxford, Bristol, Birmingham, Cambridge, Leeds and Newcastle.

Understanding the OU deeply takes a long time. It is full of incredible people who care deeply about our students and who have repeatedly shown they will go to the ends of the earth for this place, even to the point of putting their own health and wellbeing at risk. Staff in the East Grinstead regional office, which was shut down by the University at the end of November 2014, worked evenings and weekends, even in the knowledge they would be unemployed by Christmas, to ensure the students were settled with experienced, well-qualified tutors for our courses starting last autumn. In the thick of all the complexity and accommodation of massive structural changes of the past few years, though, it's worth noting that fundamentally the OU is simply about putting people in touch with people, people who care.

Historically the OU turned a discredited education method - correspondence courses - into hugely effective supported open learning at a distance which, for over 40 years, has outstripped the personal support provided by most of the conventional university sector by a street. Through a combination of energy, novelty, creativity, mutual support, organisation, sense, care, goodwill, a following wind and the right people, we, by accident as much as by design, got a lot of the key structural things right in the early days -
  1. The course production module - multidisciplinary concentrated teams producing intensely peer reviewed, tailored, self-contained, high quality self-study print, audio, video, multimedia and networked course material
  2. The central administrative infrastructure needed to support production and operation at scale, on everything from exams to summer schools and associated logistics
  3. The regional administrative infrastructure - essentially front end regional offices and operations - that put the OU in the local community and real people who cared in touch with the people who were our students; names and faces that students got to know and trust throughout their period of study.
  4. Above everything else, the foundation stone that the place is built on is the deep level of care and the goodwill of the staff and students.
Unparalleled care, dedication to duty and goodwill are at the heart of all public services from education to policing, the health services and beyond. Care, dedication to duty and goodwill, unfortunately, are also things that cannot be easily measured or counted. They are things that politicians and bureaucrats are not easily held accountable for and things, therefore, that in recent generations have been sadly neglected and badly damaged, across the entire public sector. Simplistic targets, process, efficiency and cost cutting are the order of the day.

Vice-chancellors, like all senior officers in the public sector, have been under intolerable pressure to rationalise and provide more for less.  The OU’s vice-chancellor, Peter Horrocks is quoted by the Times Higher Education Supplement as saying that the regional centre closures were aimed at providing students with the “best possible experience”.
“With developments in technology changing how we work, the student’s experience of the OU has not been limited by geography for some time. This is a difficult decision and I fully recognise the impact it will have on many of our staff, but we cannot afford to stay still.
This recommendation, if approved, would allow us to enhance student support in a way that’s simply not possible in our current office network, and offer our students the sort of support they expect and deserve.”
At its heart, education is a gift economy and the OU, for most of its life, has been the high water benchmark service for that economy, with care and goodwill at the core of its DNA.

I had been trying to hold onto the hope that when the dust settles on all the upheaval, we at the OU and the higher education sector in the round would emerge heavily bruised but re-trenched and largely intact. I'm now seriously concerned that we are evolving towards a future where students are numbers to be processed rather than people we care about and enable to develop their inherent talents and potential. 

Education cannot be done by treating people as numbers and it cannot be packaged as standardised widgets and sold via automated processes. Putting people in touch with people is the key. 

When universities feel they are forced to put the futures of the staff who care at risk - in this case incredibly special, unbelievably caring, dedicated OU people, with impossibly high standards, who demand nothing but the best of themselves and our institution in support of our students - then we put the futures of our students, our universities and our education system as a whole at risk.

Thursday, July 09, 2015

RIP Caspar

It's hard to believe but privacy activist, Caspar Bowden, has died following a short battle with cancer.

My first encounter with Caspar was on a listserv when he was director (and co-founder) of the Foundation for Information Policy Research. I believe it was the late 1990s but he was telling me off for spelling his name wrong. I apologised and we subsequently became friends. The substance of what we were discussing is lost to my memory but I suspect it was something around key escrow and the original crypto wars at the time. It's shocking that Caspar should be lost to the security and privacy community just as that ugly battle is rearing its head again, with politicians and securocrats both sides of the Atlantic demanding back door access to encryption.

Combative and prickly, Caspar was also unfailingly kind and generous.

Whilst at FIPR Caspar worked tirelessly to inform parliamentarians and the public of the personal data pollution dangers of the burgeoning information age and ill designed regulations like the Regulation of Investigatory Powers Act (RIPA). He won the Winston award in 2000 for his work on RIPA and he carried that activism into his role as Chief Privacy Officer of Microsoft (initially for Europe, the Middle East and Africa, then for 40 countries worldwide) between 2002 and 2011. 

Long before the Snowden revelations, Caspar was warning of the nature of a huge range of privacy invading behaviour, commercial and governmental, and the facilitating evolving regulations round the world; not least the US Foreign Intelligence Surveillance Act 1978 (FISA) and the FISA Amendments Act 2008, in particular s1881, subsequently implemented as s702 FISA, Procedures for targeting certain persons outside the United States other than United States persons. His report, "The US surveillance programmes and their impact on EU citizens' fundamental rights", for the Civil Liberties, Justice and Home Affairs (LIBE) committee of the EU parliament is the definitive document on the subject.

It was Caspar's insistence on publicly spreading the word about this s702 'guilty of being a foreigner' provision of FISA that he recently explained led to his parting of the ways with Microsoft. 

Caspar was a big believer in a Rawlsian model of justice, a stickler when it came to the universality of human rights and was unstinting in his criticism of corporate or government entities or agents who sought to undermine those rights and principles; and even of US civil rights organisations who he felt passively endorsed the notion of better rights for US citizens.

He was a member of the board of directors of the Tor project. In recent times he had become convinced of the potential of Qubes to form at least part of the technical architecture of a counter-insurgency against the seemingly all powerful, unstoppable erosion of personal privacy, by corporate and government agencies and others.

Caspar was a rare polymath, an expert practitioner in computer science, the laws of multiple jurisdictions, the technology more generally, identity management and information ethics. And he was prepared to wrestle with the user unfriendly inconveniences of privacy enhancing technologies, as the almost meltdown of his laptop, 4 minutes into his 'Reflections on Mistrusting Trust' talk at QCon last summer, demonstrated.

For some time he had been contemplating and working on the establishment of a pan-European privacy rights organisation. It would be an appropriate legacy if an effective sustainable such institution could be brought into being.

There were few, if any, more deeply informed, active, passionate and energetic advocates for the privacy cause. Caspar, you will be sadly missed. My thoughts and condolences go to your wife Sandi and family.

Update: a truly lovely personal tribute to Caspar by Malavika Jayaram, So long and thanks for all the fish, Caspar Bowden. Other really nice pieces from Natasha Lomas, Chris Soghoian, Robin Wilton, John Leonard, Ben Goldacre, Danny O'Brien, Martin Hoskins, Wendy Grossman, Simon Davies, Joanna Rutkowska, the Open Rights Group, Sarah Clarke, Phil Booth, EDRi, the Tor Project, here, here, here, here, here, here, here, here, here, here, here, here, here, here, here and here.

Update 2: Guardian Obituary by Ross Anderson and tribute from John Naughton.