thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Sunday, February 12, 2017

Internet of Things and Security - The Challenges

I had the pleasure of speaking at an event organised by the European Data Protection Supervisor (EDPS) on the Internet of Things. While the EDPS is focused on data protection, I tried to widen the perspective and also address the more pressing issues around IoT security. My final words addressed some of the issues around the economic aspects of the IoT, including data ownership. I used a lot of recent examples from the real world, including car hacking, pacemaker snitching, and hotel door ransomware.

The video of the whole event is now available; I speak at 55:55.

Edited to add: The other speakers before me were: Giovanni Butarelli (EDPS, @Butarelli_G), Wojtek Wiewiorowski (assistant EDPS, @W_Wiewiorowski), Joe McNamee (EDRi, @why0hy), Riccardo Masucci (Intel, @riccardomasucci), Irene Kamara (Universities of Brussels & Tilburg, @kamara_irene), in that order.


Saturday, July 16, 2016

Minutes from EU Court of Justice on #DataRetention

On 19th July 2016, Advocate General Øe Saugmandsgaard will present to the Court of Justice of the European Union (CJEU) his opinion in the joined cases C-203/15 and C-698/15, Tele2 Sverige and Davis and Others. They concern the validity of national laws in Sweden and the UK for the retention of telecommunications data under EU law and the EU Charter of Fundamental Rights. This is a very relevant question, since the Court invalidated the EU Data retention directive in 2014.

To see what is to be expected, it is helpful to know what happened at the oral hearing on 5th April 2016. Our legal trainee Antonia Latsch attended the hearing (which is public, but not streamed or recorded). She live-tweeted from there, and has allowed me to re-publish her tweets in chronological order here. I have done minor editing to clean up the language, correct typos, etc. So here we go:

Court is in session #dataretention #dripa

Judgement first, hearing about to start #dataretention #CJEU

Hearing started. Johansson addressing question of what constitutes electronic processing of personal data #dataretention

Tele2 Lawyer Johansson: Law needs to be proportional to what is strictly necessary for the concrete objectives #tele2 #CJEU

Tele2: legislation needs to limit access of data, only to fight serious crimes & subject to ex ante court control #dataretention

Tele2: Swedish data collection law is not limited to serious crimes, nor does it grant ex ante court control #tele2 #dataretention

Watson/Davis Lawyer: The United Kingdom does not provide sufficient safeguards for personal data collection #DRIPA #dataretention

Davis/Watson: Minimum safeguards need to be in place to protect personal data to prevent abuse #dataretention #DRIPA

Davis: Court should give guidance to what necessary safeguards are, UK does not meet the safeguards #dataretention

Davis: UK allows collection of data for purposes that are not in regards to suspected crimes, constitutes breach of Art. 51 #dataretention

Brice: authorization and purpose for what it is granted for are connected; intrusiveness needs to meet seriousness of crime #dataretention

Brice: Authorization to access data must be granted by a structurally independent body #dataretention

Brice: purpose of law is only in case of serious crimes. Domestic legislation goes way beyond, including tax purposes #dataretention

Open Rights Group: Case is of global significance, challenging the court's position on personal data protection #dataretention

ORG/Privacy International: states need to be able to prevent passing of data to states that don't comply with EU privacy law #dataretention

PI: Art. 15 e-privacy directive is lex specialis, it does not allow for the individual to be completely stripped of their privacy rights #dataretention

Law Society: Limitation by independent authorization for the kind of data that can be stored is missing #dataretention

Sweden: general obligation to keep data can be proportional for very important measures #dataretention

Sweden: not all access to general data needs to be directly related to a serious crime, but be strictly necessary #dataretention

Sweden: investigations have shown that it is impossible to limit retention of data prior for measurements to be effective #dataretention

Sweden: possibility of rapid decisions is necessary for effectiveness, therefore outside review is unpractical #dataretention

UK: Law requires commercial service providers to keep the data, not authorities #dataretention

UK: We cannot know in advance what data is necessary and valuable #dataretention

UK: in matters concerning national security, member states must make assessments of what is necessary and proportionate #dataretention

UK: objective requirements for necessity of the taken measurements are different from specific rules laid out by the court #dataretention

UK: it should be up to national courts to check that specific requirements and set standards are met #dataretention

Czech: important how domestic law allows access and safety of data, if safeguards are in place, it is not disproportionate #dataretention

Czech: "We live in troubled times, do we really want to constrain the member states in this way?" #dataretention

Denmark: data retention must be general to be effective as a crime fighting tool #dataretention

Denmark: Rules on access to and retention of data go hand in hand and cannot be separated #dataretention

Denmark: proportionality test strikes the right balance, provided it gives clear and precise rules/guarantees of protection #dataretention

Denmark: approach to data retention should be all or nothing #dataretention

Denmark: no reason to assess these national measures more stringent than other national measures #dataretention

Germany: active passing of data by private sector allows government access, this must be compatible with fundamental rights #dataretention

Germany: objective safeguard criteria can be sufficient, therefore concrete implementation determines if law is proportionate #dataretention

Antonia Latsch re-tweeted @TetsuwanAstro:
Germany: Data protection guarantees should be assessed as a whole, access AND retention rules together #dataprotection

Estonia: We consider it necessary in the fight against terrorism to collect data of all people #dataretention

Estonia: Saving someone's life and effectively fighting crime is worth allowing government's intervention #dataretention

Ireland: access of data is not directly governed by EU law #dataretention

Ireland: court is providing guidance for interpretation of EU law to national courts #dataretention

Ireland: member states must be given discretion on how to provide proportional measures #dataretention

Antonia Latsch re-tweeted @JanAlbrecht

Jan Philipp Albrecht quoted Antonia Latsch:
Rubbish. The ePrivacy Directive regulates use of personal telecom data, therefore governed by EU law. #dataretention
Ireland: access of data is not directly governed by EU law #dataretention
Ireland: Diversity of different member states needs to be respected by the court #dataretention

Spain: The burden that data retention puts on the internal market and private actors should not be underestimated #dataretention

Spain: The upholding of fundamental rights must be the upper limit to granted discretion #dataretention

Spain: General data retention cannot be seen as an indispensable measure taken by all means #dataretention

France: Data can be used for prosecution as well for proof of innocence. It is impossible to know in advance what is needed. #dataretention

France: French government finds the retention period of 1 year for data absolutely necessary to combat crime and terrorism #dataretention

European Commission: Interference must be proportional as well as respect the essence of the interfered right #dataretention

Finland: Connection between retention and use means that retention can only be justified if the later use is also justified #dataretention

Finland: Practical reasons necessitate a system of universal retention of data that can be compensated by limitation #dataretention

European Commission: procedural safeguards in their entirety need to be assessed to their efficiency #dataretention

After being questioned by Judge Rapporteur von Danwitz, Tele2: about 10.000 data requests have been made to Tele2. No overall statistic available #dataretention

von Danwitz to UK: Does DRIPA enable public authority to collect data from persons outside of the UK? #dataretention

UK: Scope of data retention of DRIPA applies to all data generated and processed in the UK #dataretention

v. Danwitz: "how far are we taking this logic that we don't know who will be a criminal tomorrow and therefore need all data?" #dataretention

v. Danwitz: "Isn't there always something more effective and also more intrusive? Where do we stop?" #dataretention

Advoc. General Saugmandsgaard to UK: can you be more precise to when general retention is indispensable? #dataretention

UK: retention of general data is vital to prevent terrorism and preventing crime but also for protecting people in general #dataretention

Advoc. General to Tele2: Are Swedish authorities demanding you to secure data you would otherwise not acquire? #dataretention

Tele2: No, it's data that is there, but would not be kept and deleted at once. #dataretention

Advoc. General to Sweden: Is there information about the misuse of this data retention? #dataretention

Germany: data retention is not useful if limited to specific geographical locations #dataretention

Sweden: The chancellor of the data protection agency must be informed of mistakes; here ex-post control is more efficient #dataretention

Tele2: All retention of data carries a risk of misuse, member states should look closely at what is stored and for how long #dataretention

Davis: Case regards the lack of safeguards. Access to data takes place in secret; high demands cannot be monitored adequately #dataretention

Davis: Although individuals can, it's unlikely they will bring a complaint if they don't know their information was accessed #dataretention

Sweden: if data retention is to be an effective measure in fighting crime it needs to be general by nature #dataretention

Session is closed. Advocate General opinion will be delivered on the 19th of July 2016. #dataretention


Monday, April 11, 2016

Minutes from EU Court of Justice on #CanadaPNR

On 5th April, I attended the oral hearing of the Court of Justice of the European Union (CJEU) on the draft agreement between the EU and Canada on the transfer, use, and retention of air passenger data (EU-Canada PNR agreement). The European Parliament submitted this agreement to the Court in November 2014.

It was my first time at the Court, and the Grand Chamber is really impressive. However, I watched the hearing from the press room next door in order to be able to use the laptop and wifi.

Colleague Thomas van der Valk was also tweeting.

Here are my tweets in chronological order and with some typos corrected:

EU Court of Justice hearing on EU-Canada PNR agreement about to start. I'll tweet from there.
"The Court is in session". Two short judgements are announced first, then #CanadaPNR hearing in a few minutes. #CJEU
hearing started. First: legal service of @Europarl_EN, which submitted the agreement to the Court.
.: 2 questions: lack of data protection rights, wrong legal basis of the agreement. Canadian law only allows Canadians remedy.
 . questions compatibility with Art. 8 of the Charter of Fundamental Rights (data protection): independent oversight?
. is also live-tweeting from the hearing at the
.: Article 47 of the Charter (judicial redress / legal remedies) not met with the PNR agreement?
.@Europarl_EN: Article 52 of the Charter (proportionality and necessity) not met either, see judgement?
. lists the several types of processing of PNR data: transfer, access, analysis, retention, onward transfer.
 .: systematic analysis of all passenger data (profiling) not yet covered by case law such as or .
.: Canadian privacy Commissioner has been critical about large-scale PNR data analysis. "mega-data" not "meta-data"
.: PNR data will be transferred to US authorities under the "beyond the border" agreement,
Now: Council legal service, defending the agreement. " also accepted PNR agreements with USA and Australia."
(Reason for to submit agreement was CJEU judgement. It came after USA and Australia PNR agreements.)
Council now on legal arguments about opt-out options for Denmark, Ireland and UK, Court had asked about this as well.


Monday, May 11, 2015

Trade Agreements and the Internet - and the Zombies

I had the pleasure of speaking about what trade agreements such as TTIP or TiSA may do to the internet at re:publica, the greatest European conference about the digital society. The talk was together with Estelle Massé, Gaelle Krikorian, and Sanya Reid Smith.

Here are the slides, and here is the video recording. They may contain Plants and Zombies.


Saturday, February 28, 2015

White House releases draft Consumer Privacy Bill

The US "Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015" was released yesterday. It follows up on the 2012 "Consumer Privacy Bill of Rights" from President Obama.

The draft bill sets out some basic definitions and principles, such as "reasonable" collection of personal data, and consumer rights, such as access to their own data. For enforcement, it gives the Federal Trade Commission the powers to approve and enforce Codes of Conduct submitted by different industry sectors. So far, the FTC has enforced certain data protection rules under Title V of the FTC act, which prohibits "unfair and deceptive trade practices".

At first glance, the draft has a number of serious issues, especially if you look at it from an EU data protection perspective. A few points are worth mentioning:

1) The bill exempts "Cybersecurity data" from the scope:
"The term “personal data” shall not include cyber threat indicators collected, processed, created, used, retained, or disclosed in order to investigate, mitigate, or otherwise respond to a cybersecurity threat or incident, when processed for those purposes."
This does not make any sense. It may be reasonable to allow the processing of personal data for IT security purposes (as certain drafts of the planned EU data protection regulation do), but with this approach, things such as IP addresses are removed from the scope of the privacy bill.

2) The bill is contradictory. It states in section 103:
"If a covered entity processes personal data in a manner that is reasonable in light of context, this section does not apply",
and then in section 104, it says
"Each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context."
To me it is completely unclear when section 103 would apply at all...

3) Title III of the bill recycles the "Safe Harbor" term and the idea of self-certification which has consistently been criticised by the European Parliament and privacy experts from around the world since the EU Commission and the US Department of Commerce came up with the Safe Harbor approach in 2000:
"Safe Harbor Protection.—In any suit or action brought under Title II of this Act for alleged violations of Title I of this Act, the defendant shall have a complete defense to each alleged violation of Title I of this Act if it demonstrates with respect to such an alleged violation that it has maintained a public commitment to adhere to a Commission-approved code of conduct that covers the practices that underlie the suit or action and is in compliance with such code of conduct."
At least compliance is required, not just the mere commitment, but the underlying problem is that the FTC would only be able to review submitted codes, not develop and issue their own ones.

4) The draft would preempt state laws, some of which, such as the Californian one, are stronger than the White House proposal.

5) The bill would exempt start-ups from data privacy requirements for the first 18 months. This will encourage an approach such as "grow quickly and ruthlessly while collecting as much data as you can, and sell to the highest bidder after 18 months". I don't think this is good for a sustainable long-term business strategy.

6) The penalties section (203) is quite interesting, however:
"(1) The civil penalty shall be calculated by multiplying the number of days that the covered entity violates the Act by an amount not to exceed $35,000; or
(2) If the Commission provides notice to a covered entity, stated with particularity, that identifies a violation of this Act, the civil penalty shall be calculated by multiplying the number of directly affected consumers by an amount not to exceed $5,000 (...)"
This could easily exceed the 5% annual global turnover which the European Parliament has set as the maximum penalty in its version of the coming Data Protection Regulation.

This Washington Post article gives a good summary of the reactions (in short: The FTC is not happy, the NGOs are not happy, industry is partially happy, except for the libertarians).

The White House apparently did not manage to find bipartisan congressional sponsors before releasing it, so this and the timing (Friday afternoon) have led some observers to believe already that it's "dead in the water".

Senator Ed Markey, known as a strong privacy defender, has criticised the draft for not doing enough for consumers here. As a result, he has announced that he will present his own draft next week (!).

There will be loads of things to discuss for the European Parliament delegation that will visit Washington mid-March. Among the MEPs taking part are Jan Philipp Albrecht, vice-chair of the Civil Liberties, Justice and Home Affairs Committee and rapporteur for the EU Data Protection Regulation and for the EU-US Data Protection Umbrella Agreement, and Claude Moraes, chair of the same committee and rapporteur for the NSA mass surveillance inquiry and its upcoming follow-up.


Friday, October 03, 2014

The Ballad of Google Spain

The judgement of the European Court of Justice in the case Google Spain from May 2014 has caused a very diverse and intense debate that is not finished by far. Though the ruling does not contain this, it has become known as the "right to be forgotten"-ruling, or #R2BF.

The best summary by far has been provided by Paul Bernal. The analysis is very much to the point, but even better: For the national poetry day yesterday, he wrote it in the form of a poem!
The Ballad of Google Spain

There was a case, called ‘Google Spain’
That caused us all no end of pain
Do we have a right to be forgotten?
Are Google’s profits a touch ill-gotten?

read the full poem


TTIP and TiSA: big pressure to trade away privacy

I was asked by Statewatch before the summer to contribute to their collection of essays and analyses on transatlantic relations. I wrote an analysis of the pressure on European data protection and privacy rules, including strategic discourses and lobbying around it. It is based on the documents that are available so far.

The paper was finally published in September, very timely after the end of the Brussels and Washington summer break.
TTIP and TiSA: big pressure to trade away privacy, Statewatch Analysis 257, September 2014
