Bank data deal under heavy fire from EU Parliamentarians

The debate on the bank data ("SWIFT") agreement in the European Parliament's Committee on Civil Liberties, Justice and Home Affairs last week showed a clear conflict between parliamentarians on the one side and the EU Council as well as the European Commission on the other side.

The EU Justice and Home Affairs Ministers had signed an agreement with the US government on the transfer of bank data from the EU to the US for the Department of Treasury's "Terrorist Finance Tracking Program" (TFTP) on 30 November last year. It would legalize the use of bank data, including inner-European transactions, by US security agencies, which had been going on since 9/11 2001 and only became public in 2006. The new agreement had only been only possible because Germany abstained after a heavy fight between conservative and liberal parties in the Berlin coalition. Members of the European Parliament furiously criticized this move, because one day later, on 1st December, the Lisbon Treaty entered into force and gave the Parliament full veto powers in the area of justice and home affairs. Only later it turned out that because some national parliaments had announced reservations to the signature, the deal was not concluded and now has to be dealt with under codecision procedures.

The President of the European Parliament since December repeatedly had asked the Council and Commission to refer the agreement to the EP as soon as possible, without getting any reply. Only two weeks ago, the Spanish presidency told MEPs that the delay was caused by translation problems and that the EP would get it on 25 January. When MEPs found out that the text of the agreement had already been published in the Official Journal on 13 January, they immediately suspected a foul play by Council and Commission. The agreement has entered into force provisionally on 1st February, but the EP can only vote on it in the next plenary session (8 to 11 February). The Council has turned down a formal request by the EP to postpone the provisional application by two weeks. SWIFT itself has in the meantime announced that they will not turn over data unless there is a legal basis for it, including a parliamentary vote.

In the 27 January 2010 committee session, Commission representative Johnathan Faull revealed that there will also be a new, confidential, report by French anti-terror judge Jean-Louis Bruguière, when the committee will already have its vote on the agreement. MEPs from both Liberal and Green groups demanded that all such background documents be made public immediately, including an opinion of the Council's legal service and the secret annex that lists the financial service providers affected by the agreement. MEPs from all groups also criticized the substance of the agreement, citing numerous articles that are not in line with EU or Council of Europe data protection regulation or the EU charter of fundamental rights.

The EP's rapporteur on this dossier, Dutch liberal Jeanine Hennis-Plasschaert, also rejected the Council's and Commission's repeated claim that without the provisional application of the agreement, we would have a "security gap". Austrian Conservative MEP Ernst Strasser stated that "if there was a security gap, we would have it now - from 1st January to 31st January," referring to the fact that the global bank transaction provider SWIFT has already changed its architecture on 1st January. SWIFT is now routing inner-European transactions only within Europe, thereby cutting off direct access by US agencies.

The discussion became fully absurd when commission representative Faull suggested that we would even get a "privacy gap" if the agreement is vetoed by the EP. Vice European Data Protection Supervisor Giovanni Buttarelli quickly debunked such assertions, citing a new legal analysis done by his staff which also revealed several privacy and legal protection flaws in the agreement.The group of EU data protection commissioners had produced a similar analysis.

The next week before the EP plenary vote will now be decisive not only for privacy protection for EU citizens in the fight against terror, but also for transatlantic relations in this field and for the role of the European Parliament with its new powers under the Lisbon Treaty. Left, Liberal, and Green MEPs are willing to kill the agreement and protect privacy rights, while conservatives seem to be split. The decisive group will therefore be the Social Democrats. The committee vote is set for Thursday, 4 February, 15:00 CET.

(This is an updated and slightly edited version of an article I wrote for EDRi-Gram on 27 January 2010.)

European Parliament on Privacy vs Security and the "Balance" Metaphor

The European Parliament has adopted its resolution on the Stockholm Programme today. The Stockholm Programme is a political document that lays out the priorities for EU justice and home affairs policy for the years 2010 to 2014. It will be adopted by the Council of Ministers next Monday - therefore the Parliament's opinion on this was very timely. There were a lot of amendments, separate votes and split votes, so we have to wait a few days for the final consolidated text. Overall, it's a mixed bag, but that is a looong story.

What I want to point out here is only one amendment that was adopted - but it was an extremely crucial one:

The European Parliament

"... stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective"

I think this is one of the most important official contributions to the "freedom vs security" debate in the last few years. And it is the official opinion of Europe's directly elected representatives now.

Please help spreading the word and establishing this clarification firmly in the public discourse.

SWIFT Agreement Not in Line with European Parliament 's Demands

Update, 25 January 2010: The agreement has been signed, but not yet concluded, by the Council on 30 November 2009. Here is the final text. It will be voted on in the European Parliament on 10 or 11 February 2010. The only change to my analysis below (beyond some re-numbering of paragraphs) is the transfer of data to third countries or agencies, which is now limited to "leads", not raw data. The remainder of the criticism still stands.

The draft agreement on bank data transfer between the EU and the US for anti-terrorism purposes ("SWIFT Agreement") was leaked on 11 November. It stirred a heavy debate in the media, even made front-page news in Germany, and resulted in members and staff of the European Parliament and of the Committee of Permanent Representatives of EU member states (COREPER) having hectic phone calls. Background on the SWIFT deal is available elsewhere.

I want to focus here on the conformity of the draft with the demands of the European Parliament. The EP adopted a resolution on the SWIFT agreement in September, which was not too strong, but clearly spelled out some substantial and procedural criteria.

There are rumours that the Council and the Commission are trying to get an informal confirmation (whatever that means) from the Parliament that the current draft meets the demands of the Parliament. The following quick analysis shows that this is clearly not the case.

1) Definition of Terrorism

The EP demands in paragraph 7(a)

"that data are transferred and processed only for the purposes of fighting terrorism (...), and that they relate to individuals or terrorist organisations recognised as such also by the EU".

The draft agreement has a definition of terrorism in article 2 and also refers to the EU definition on this, but spells out no procedure on who would make such a decision and how.

2) Judge Approval

The EP demands in paragraph 7(c) that data transfers have to be

"subject to judicial authorization".

The draft agreement does not mention this at all. It only describes a procedure in article 4 where requests by the US government are scrutinized by an ominous "central authority" in the EU member state where the financial service provider concerned is located. I assume this will be agencies like the Federal Criminal Police Agency (BKA) in Germany and the likes. Not exactly what is meant by an independent judge.

3) Judicial Review

The EP demands in paragraph 7(d) that

"legality and proportionality of the transfer requests should be open for judicial review in the US"

and in paragraph 7(e) that

"transferred data are subject to the same judicial redress mechanisms as would apply to data held within the EU".

The draft only has a meaningless clause on this in article 11(3). There is an annex to the draft that lists a number of U.S. laws and codes that allegedly provide for judicial redress, but none of these actually does so. In detail:

- The Administrative Procedure Act of 1946 only states that

"a person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action within the meaning of a relevant statute, is entitled to judicial review thereof".

The problem: The US Privacy Act offers protection against unlawful data processing by government agencies, but only for US citizens and residents.

- The Inspector General Act of 1978 only establishes the powers of inspector generals, of the various agencies and departments for auditing and investigations. There is no option for citizens to demand judicial review. Quite the contrary:

"the Secretary of the Treasury may prohibit the Inspector General of the Department of the Treasury from carrying out or completing any audit or investigation".

- The Implementing Recommendations of the 9/11 Commission Act of 2007 establishes the Privacy and Civil Liberties Oversight Board in the Department of Homeland Security. But the PCLOP is not really independent, has very few rights and can not pursue independent investigations. There is no option for citizens to demand judicial review. Quite the contrary - the act establishes even more possibiliites for data-sharing among government agencies, e.g. through the "State, Local, and Regional Fusion Center Initiative".

- The Computer Fraud and Abuse Act criminalizes unauthorizes and authority-exceeding use of computers. But this is not what the SWIFT agreement s about - the US government could theoretically send a carrier pidgin to the Europeans with the message demanding specific data. A computer is not abused or even broken into here - otherwise every corruption, libel or other white-collar-crime case where a computer was used would be sanctionable under this act, too. Ridiculous.

- Freedom of Information Act (FOIA): Any possible right to access information is immediately annulled by the exception clauses in article 11 of the draft agreement.

- Standards for Ethical Code for Employees of the Executive Branch: This code includes no option for citizens to demand judicial review. It only foresees the option of disciplinary measures in case of wrongdoing by executives.

4) Purpose Binding

The EP demands in paragraph 7(f) that transfers of data are limited to investigations about "terrorism financing". The draft agreement includes "prevention, investigation, detection, or prosecution of terrorism or terrorist financing". This means that the US can ask for data that is not related to terrorism financing at all, as long as they make the case that it is somehow related to terrorism or may help its "prevention" (which is a broad and unclear clause anyway).

5) Onward Data Transfers

The EP demands in paragraph 7(f) that

"the transfer of such data to third parties other than the public authorities in charge of the fight against terrorism financing is also prohibited".

The draft agreement allows the onward transfer of bank data to third countries, not just third parties within the US. The parliament clearly meant the latter in its resolution and did not foresee any transfer to third countries. This would be the major hole in the agreement where all the other criteria (judicial review, purpose binding etc.) would be annulled even if they existed.

6) Scope

The EP demands in paragraph 9 that

"batches and large files such as those concerning transactions relating to the Single European Payment Area (SEPA) fall outside the scope of the data".

The draft agreement in article 4(6) allows for the transfer of "bulk data" if the service provider can not identify the specific data requested. A slightly newer version of the agreement, according to German press reports, explicitly excludes SEPA data. But the parliament explicitly mentioned SEPA only as an example, as is clear by the word "such as". The draft agreement does not exclude all batches and large files.


7) Procedural Aspects

The EP demands in paragraph 13 that

"the European Parliament and all national parliaments will be given full access to the negotiation documents and directives".

This has repeatedly not happened. Neither has the parliament received the text of the draft agreement, not was it even informed about its very existence. It only learned about it from the press reports.

Conclusion

The current draft agreement on bank data transfers is clearly in breach of the criteria established by the European Parliament - on substance as well as on procedures.

It would be a clear affront by the Council of Ministers if they adopted and signed the agreement at their next meeting on 30 November - one day before the Lisbon Treaty will enter into force and the European Parliament will get full veto powers in the area of justice and home affairs.

"Freedom not Fear" 2009 - Protests Against the Surveillance Mania

(I have not been bloggin much here lately because I took a new job and moved to Brussels. I hope I will find more time for regular updates soon.)

On Saturday, 12 September 2009, civil liberties activists in many countries again took it to the streets under the motto "Freedom not Fear - Stop the Surveillance Mania". It was the second time these activities took place after the first international action day on 11 October 2008.

The biggest event was held in Berlin, where more than 25 000 people marched through the streets and applauded the speeches and the bands. Frank Bsirske, chairman of the world's largest trade union ver.di, called for a comprehensive law for employee and workplace privacy protection. Patrick Breyer from the working Group against Data Retention (AK Vorrat), which again had initiated the protests, reminded participants of the democratic rallies and events of 1847 and 1989 and called for continuous resistance against the surveillance state. Other speakers included Franziska Heine from the Working Group against Censorship (AK Zensur), who had organized the most successful online petition ever to the German parliament against a recent German law that permits blocking of web sites by the federal police. The event sent a strong signal to the political parties and was widely reported in the context of the upcoming German federal election. At the end of the demonstration, activists from EDRi member Chaos Computer Club were able to film a police assault on a peaceful participant. Public pressure as a result of this has now led to an announcement of the Berlin police that all officers will get mandatory name badges in early 2010.

Other activities took place in Bulgaria, Finland, Italy, Macedonia, the Netherlands, Austria, Sweden, Switzerland, the Czech Republic, and the United Kingdom. Activists had organized a plethora of events, including a full week of activities in Prague; demonstrations in Amsterdam,
Stockholm and Sofia; public teach-inns in Skopje (co-organized by EDRi member Metamorphosis), Milano, and Helsinki (co-organized by EDRi member EFFi); privacy parties and film screenings, and much more. Activists in Vienna (from EDRi member Vibe.at) reported such big interest from the population that they had to print 1000 more leaflets on the same day.
Outside of Europe, privacy activists in Guatemala joined the action day this year with a reading event from a new volume of fiction stories about surveillance, titled "stop the surveillance mania".

Links

Overview of Freedom not Fear activities

Press center for the Berlin demonstration

Report from activities in Skopje - EDRi-gram: Macedonia: Activities for
citizen education about their privacy rights (23.09.2009)

Report from activities in Vienna (only in German, 12.09.2009)

International Action Day "Freedom not Fear" (11.10.2008)

This article was also published today in the EDRi-Gram newsletter, edition 7.18

What happens to your Online Identity when you Die?

Lilian Edwards, a professor of internet law at Sheffield University and also a hard bloggin' scientist at Pangloss, is talking about this in a five minute video interview: "Death 2.0". Interesting.

The Dawning of Internet Censorship in Germany

This post was written by Markus Beckedahl and published first at Netzpolitik.org. The Creative Commons license for it is CC-BY-NC, as the other posts here. RB

Germany is on the verge of censoring its Internet: The government – a grand coalition between the German social democrats and conservative party – seems united in its decision: On Thursday the parliament is to vote on the erection of an internet censorship architecture.

The Minister for Family Affairs Ursula von der Leyen kicked off and lead the discussions within the German Federal Government to block Internet sites in order to fight child pornography. The general idea is to build a censorship architecture enabling the government to block content containing child pornography. The Federal Office of Criminal Investigation (BKA) is to administer the lists of sites to be blocked and the internet providers obliged to erect the secret censorship architecture for the government.

A strong and still growing network opposing these ideas quickly formed within the German internet community. The protest has not been limited to hackers and digital activist but rather a mainstreamed effort widely supported by bloggers and twitter-users. The HashTag used by the protesters is #zensursula – a German mesh up of the Ministers name and the word censorship equivalent to #censursula.

As part of the public’s protest an official e-Petition directed at the German parliament was launched. Within three days 50,000 persons signed the petition - – the number required for the petition titled „No indexing and blocking of Internet sites“ to be heard by the parliament. The running time of an e-Petition in Germany is 6 weeks – within this time over 130,000 people signed making this e-Petition the most signed and most successful ever.

During the past weeks, protests became more and more creative – countless blogs and twitter-users followed and commented the discussions within governments and opposing arguments. Many mainstream media picked up on this and reported about the protest taking place on-line. A working group on censorship was founded and the protest coordinated with a wiki, mailing lists, chats and of course employing twitter and blogs. One website „Zeichnemit.de“ created a landing page explaining the complicated petitioning system and making signing the petition easier and more accessible for non net-experts.

Over 500 people attended the governments official press conference on the planed internet censorship – a number of whom used this occasion to demonstrate and voice their concerns. In fact, demonstrators began attending some of the Minister von der Leyens public appearances, carrying banners and signs to raise attention to the stifling of information freedom in Germany.

The net community did not only oppose the governments plans, but also made constructive suggestions how to deal with the problem of child pornography without introducing a censorship architecture and circumcising constitutional freedoms. The working group on censorship demonstrated the alternatives for instance by actually removing over 60 websites containing child pornographic content in 12 hours, simply by emailing the international providers who then removed this content from the net. The sites were identified through the black lists of other countries documented on Wikileaks. This demonstration underlines the protesters main arguments: instead of effectively investing time and efforts to have illegal content removed from the internet, the German government is choosing censorship and blocking – an easy and dangerous way out. The greatest fear of the protesters is that once in place, the infrastructure will be used to censor other forms of unwanted content, not only child pornography. German politicians already seem to be lining up with their wish-list of content to be censored in future – the suggestions ranging form gambling sites, islamist web pages, first person shooters, and the music industry cheering up with the thought of finally banning pirate bay and p2p.

You can find a detailed linklist of the zensursula-debate here (in german).
Thanks to Geraldine de Bastion for the translation.

UK introducing "Three Strikes and Your Traffic will be Censored"

The UK government just produced a comprehensive "Digital Britain" report that lays out its strategy to improve broadband connectivity. While there has been significant media coverage of the proposed levy of 50 pence a month to fund better broadband rollout in rural areas, the really interesting part are the copyright enforcement ideas. The Hermes Project reports:

The government will give powers to Ofcom to put in place a system for repeat offenders that is known as "write and sue", and they will also work with the ISPs on technical measures against the problem - which is a eminently sensible response given the lack of scaleable technical solutions for such incredibly complex requirements - which is naturally not something that the people at the BPI agree with.

As the "write and sue" name suggests, ISPs will be required to work with Ofcom under the terms of a Code of Practice to write to those infringing copyright, followed by a court process of the release of identity information and civil action if users do not desist. The interesting part is the technical measures that may happen if this is still not effective. From the report:

"The Government will also provide for backstop powers for Ofcom to place additional conditions on ISPs aimed at reducing or preventing online copyright infringement by the application of various technical measures. In order to provide greater certainty for the development of commercial agreements, the Government proposes to specify in the legislation what these further measures might be; namely:

* Blocking (Site, IP, URL)
* Protocol blocking
* Port blocking
* Bandwidth capping (capping the speed of a subscriber’s Internet connection and/or capping the volume of data traffic which a subscriber can access);
* Bandwidth shaping (limiting the speed of a subscriber’s access to selected protocols/services and/or capping the volume of data to selected protocols/services);
* Content identification and filtering– or a combination of these measures."

And that's where things start to get incredibly complex and costly - although no doubt there are plenty of DPI vendors who won't complain if the need to undertake these measures is enshrined in law.

This is where the interests of ISPs (saving bandwidth) and the content industry (filtering copyrighted content and punishing file-sharers) finally align. The Deep Packet Inspection (DPI) industry will love this.

I am not a lawyer, but I guess there will be serious problems with the EU's e-Privacy directive and the human right to telecommunications privacy in the EDHR. The EU commission has already opened an infringement procedure against the UK because of their weak position on Phorm.