thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Saturday, December 14, 2013

layers of the struggle privacy vs surveillance, in my picture of the year

This is the picture of the year for me, on so many different layers: 
Stewart Baker, ex-NSA general counsel, and Jacob Appelbaum, internet freedom activist/hacker/journalist (left, right).
Eingebetteter Bild-Link
  • They pretty much symbolise the two sides of the global scandal of the year.
  • They also symbolise the attitudes of both sides.
  • This struggle has defined a large part of my professional life in 2013.
  • I was involved in defining much of this struggle (at least on the EU Parliament side) as a large part of my professional life in 2013.
  • I was on a panel with both of them yesterday, which was one of the most unlikely things I ever imagined in my life.
  • This picture was one of the more unlikely pictures in my life of which I imagined to be there when they were taken. 
  • But hey, I was involved in pulling that panel together.
  • Most basic question that says it all: With whom of these guys would you prefer to hang out and collaborate and try to change the world? The answers to this one again can be on many layers, but they actually converge to the same answer.
  • [fill in your own layer in the comments / shares] 
(picture by Omer Tene, who also moderated the panel) 

Update, 6 April 2014: Jake and Stewart now finally got into the heated discussion they were supposed to have back in December. 

Labels: ,

Sunday, December 09, 2012

EU Commission: No new law enforcement databases needed

In a communication and a press release, somewhat hidden on a Saturday Friday for whatever reasons, European Union Home Affairs Commissioner Cecilia Malmström announced that her services had done an assessment of EU-wide law enforcement information exchange mechanisms. She concluded that
information exchange generally works well, and no new EU-level law enforcement databases are therefore needed at this stage.
This is the first time in a long while that a top-level home affairs official has said that they don't need more new databases. Emphasis is added in the quote for a reason!

This conclusion is based on an "Overview of information management in the area of freedom, security and justice" which the Commission had released in 2010 and which introduced a number of criteria for further policy development in this field:
  • Safeguarding fundamental rights, in particular the right to privacy and data protection
  • Necessity
  • Subsidiarity
  • Accurate risk management
  • Cost-effectiveness
  • Bottom-up policy design
  • Clear allocation of responsibilities
  • Review and sunset clauses
In the new communication, the Commission examines a number of EU-wide information exchange instruments among law enforcement agencies. Oddly enough, they mix existing EU stuff such as Europol and the Schengen Information System (SIS) with projects started by a number of member states which have not yet been Europeanised, such as the Püm Decision or the European Border Surveillance System EUROSUR.

The Commission does also not address a number of other initiatives and databases that are currently in the legislative pipeline:
  • Eurodac, the database of fingerprints of asylum seekers, where Parliament and Council are currently debating law enforcement access;
  • EU-PNR, the proposed system of EU-wide gathering, profiling, and retention of data on all air passengers entering or leaving Europe (and with an extension to inner-European flights under discussion);
  • Smart Borders, a legislative package probably coming in early 2013, which would collect data about everbody entering and leaving the EU, including fingerprints (Entry-Exit System) and which would allow easier entering of the EU if travellers were pre-checked and profiled.
The Commission is to be applauded for such a sober look at the state of play in information exchange. Members of the European Parliament as well as several stakeholders had repretedly asked "when is it enough?" after the Commission in alliance with the Member States had pushed through massive surveillance projects such as telecommunications data retention, bulk bank data transfers to U.S.  financial intelligence services through the SWIFT agreement or air passenger mass surveillance through the PNR-agreements with Australia and the U.S. Good to finally see a red line here.

However, this raises urgent questions about the need for the above-mentioned measures still in the pipeline. The European Parliament is about to vote on the negotiation mandate for EU-PNR and Eurosur, and on the final agreements for law enforcement access to Eurodac. And one can wonder how the Commission will justify its "smart borders" package next year.

It seems the EU institutions should stop current initiatives and have a more general debate on further databases and information exchange in the field of justice and home affairs. It would make sense to align this with the debates on the work programme of the upcoming Irish Council presidency as well as the legislative reports from the Parliament on the EU data protection reform, which both will be debated in the Civil Liberties, Justice and Home Affairs Committee on 10th January 2013. 

Saturday, July 07, 2012

Post-ACTA: declassified negotiation documents on criminal provisions

Immediately after the defeat of the notorious Anti-Counterfeiting Trade Agreement (ACTA) in the European Parliament on 4th of July, it seems the institutions are quickly wrapping it up. Right on the next day, the Council of the European Union has declassfied the different (and still secret) negotiation versions of the ACTA criminal sanctions chapter (these fall under Council competence, whereas the Commission was in charge of the general trade provisions). A list in chronological order is provided below. Let's see if the Commission will also declassify the other chapters.

21 November 2008
http://register.consilium.europa.eu/pdf/en/08/st15/st15588-re02.en08.pdf

3 December 2008
http://register.consilium.europa.eu/pdf/en/08/st15/st15588-re03.en08.pdf

25 March 2009
http://register.consilium.europa.eu/pdf/en/09/st08/st08031-re01.en09.pdf

9 October 2009
http://register.consilium.europa.eu/pdf/en/09/st13/st13867-re01.en09.pdf

19 October 2009
http://register.consilium.europa.eu/pdf/en/09/st14/st14696-re01.en09.pdf

29 October 2009
http://register.consilium.europa.eu/pdf/en/09/st15/st15044-re01.en09.pdf

22 December 2009
http://register.consilium.europa.eu/pdf/en/09/st17/st17779-re01.en09.pdf

Labels: , ,

Wednesday, July 04, 2012

EU Commission will link data retention reform to e-privacy reform in 2013

EU home affairs commissioner Cecila Malmström has announced in an interview with German newspaper Frankfurter Allgemeine Zeitung that she will not propose a revision of the notorious data retention directive this year. Instead, she will work with information society commissioner Neelie Kroes to review the e-privacy directive and the data retention directive together in 2013.

This is big news. Malmström and her services have been struggling with the data retention reform for almost two years. Now she and Kroes want to reform it together with the e-privacy directive in a package, both closing loopholes for further data use in the latter and reducing retention periods and police access in the former.

My reading is this: The liberal Malmström does not know how to get out of this data retention mess in one piece, with activists and "the internet" (c.f. ACTA) on one side, and home affairs ministers in Council on the other side. So she is now siding with Kroes in a hope to get anything agreed under the stewartship of an experienced telco regulator. They will try to ease industry opposition and in return get an okay for a limited version of data retention.

The big question is: How will this interact with the data protection reform package proposed by justice commissioner Viviane Reding in January? It was supposed to also amend and have an impact on the e-privacy directive with the data protection regulation for the internal market, and the proposed directive on data protection in the law enforcement field would need some rules on access of police investigators to corporate databases about their customers.

Time for some interesting coalition-building of institutional players, activists and lobbyists all across the field.

Competing schools in political science would suggest:
  1. Whoever gets the major conflict lines and narratives set up first and firmly, will win (constructivism);
  2. Whoever controls the institutional agenda, will win (institutionalism);
  3. Whoever is in better understanding of economic and political interests, will win (realism).
And this finally reminds me of my academic years and also shows how unpredictable all of this is in theory. Think ACTA, again.

Labels: , , ,

Saturday, June 02, 2012

EU Commission to present regulation on electronic identity cards (Update)

EU information society commissioner Neelie Kroes will present a new regulation on the mutual recognition of national e-ID systems on Monday (4th June), according to news reports. There will for sure be a number of data protection issues related to this.

This is from the Commission Work Programme 2012:
Pan European framework for electronic identification, authentication and signature - Legislative

The proposal will present legislation to boost trust and facilitate electronic transactions notably by ensuring the mutual recognition of electronic identification and authentication across the EU, and of Electronic Signatures. (2nd quarter 2012)
Electronic identification and authentication schemes have a number of data protection issues. EurActiv.com has seen an internal Commission paper which shows that EU Justice Commissioner Viviane Reding (in charge of data protection) seems to only focus on breach notifications.
Link
But I am not sure anyone is addressing the inherent data protection issues related to functioning and non-breached e-ID schemes, such as the problem that the issuing authority ("identity provider" in technical jargon) may be notified every time one uses his or her eID card. I hope that someone reminds the Commission of e.g. the recommendations on "Identity Management and Reputation" from Civil Society to the OECD ministerial meeting "The Future of the Internet Economy" in Seoul in June 2008.

What does not seem to be the case is an EU-wide obligation for member states to introduce eID schemes or even use a harmonised European standard, as had been reported by more europsceptic, right-wing and conspiracy-driven news websites.

Update: Here is the draft regulation, here is an FAQ from the Commission.

Wednesday, June 15, 2011

EU Fundamental Rights Agency: EU-PNR Directive not good

The Fundamental Rights Agency of the European Union (FRA) has finished its opinion on the proposed directive for an EU-PNR system for the retention and mass analysis of flight passenger data. It had been asked by the Civil Liberties Committee of the European Parliament in March 2011, on initiative of the Greens/EFA group.

I provide a summary of the most important findings below. A summary in their own words is at page 20.

Further reading: In the meantime, the legal service of the EU Council has also shred the proposed directive into pieces (German version only, sorry!).

The FRA opinion criticises the proposed PNR directive on the following grounds:

1) Data Protection Violations
FRA shares the concerns published by the EUropean Data Protection Supervisor (EDPS) and the Article 29 Working Party. The FRA opinion therefore is seen as complementing it and only touches on issues that are not addressed by the data protection bodies:
"In general, the FRA shares these analysis and opinions and takes them as a point of departure. This FRA opinion complements and adds to the opinions of the EDPS and the Article 29 Working Group by focusing on topics from a broader fundamental rights perspective." (p. 5)
2) Ban of Discrimination not sufficiently respected

a) Discriminatory Profiling based on sensitive Data: The directive would have to exclude many more categories than the ones listed in articles 5 and 11. The Commission did not cover the following categories in its proposal, though they are protected under EU law:
"[I only list the ones not covered by the proposed directive, RB] sex, colour, social origin, genetic features, language, any other opinion (beyond political views), membership of a national minority, property, birth, disability, age” (p. 7)
b) Indirect Discrimination based on Profiling for Other Data: This would also be prohibited and is not by the proposed directive. It includes all data categories that are not covered by a) (p. 9). To me it reads like a cautiously written general ban on profiling, because any data category can be used for discrimination. Surveillance studies scholars have called profiling "digital discrimination" years ago.
An example by anaologue: Discrimination based on language or nationality or religion is banned, but if someone travels from Islamabad to Mekka once a year, you can assume he or she is Muslim. This would be prohibited.

3) Clarity of the law is not given:
"Individual passengers may be generally aware that their flight details are being recorded and exchanged but will typically know neither the assessment criteria applied nor whether or not they have been flagged by the system for further scrutiny. Therefore, any measure giving the authorities power to interfere with fundamental rights should contain explicit, detailed provisions" (p. 12)
This clarity is lacking because of

a) Generic clauses such as “general remarks (...) such as" in the description of the data transmitted, retained and analysed (item 12 in the annex to the proposed directive, see p. 13 of FRA opinion). The types of data are also not limited:
"The explanatory text within the brackets also indicates solely what kind of information is included, but does not limit the data to be collected. This might possibly permit unlimited information gathering and transfer and, therefore, might not be justified by the purpose of the PNR system" (p. 13)
b) Purpose Limitation is lacking:
"The definition of serious crime included in Article 2 (h) includes an open formulation: (...) the discretion the proposal grants Member States to decide which crimes are covered and which are not seems unnecessarily broad." (p. 14)
c) Data Matching is unspecified:
"Article 4 (2) (b) states that “the Passenger Information Unit may compare PNR data against relevant databases, including international or national databases or national mirrors of Union databases, where they are established on the basis of Union law, on persons or objects sought or under alert, in accordance with Union, international and national rules applicable to such files.” This provision allows for matching PNR data ‘with undetermined databases’. Because the databases are not specified, the use of PNR data might not reach the required level of foreseeability" (p. 14)
4) No Proof of Necessity:
"The FRA is aware that further evidence proving the necessity of a PNR system might exist beyond what was disclosed." (p. 15)
In plain English: Do your homework! (Fun fact: The Commission currently has the same problem with regards to the evaluation of the data retention directive 2006/24/EC, where they were not able to prove the necessity based on hard data.)

5) False Positives / Repression against Innocent People
"The examples provided by the European Commission relate only to cases in which PNR data were successfully used in the course of investigations. For a more complete picture, it would also be necessary to analyse those cases in which the use of data proved to be misleading and led to the investigation of innocent people. Such a case is included by the European Union Committee of the UK House of Lords in its 2007 report on the EU/US Passenger Name Record (PNR) Agreement: the case of Maher Arar." (p. 16)
6) Proportionality of Applying the Measures to all Passengers: The FRA quotes at length from rulings by the German Constitutional Court etc., and then concludes:
"The FRA suggests for proportionality reasons to include an explicit obligation in the proposal to make every reasonable effort to define assessment criteria in a manner which ensures that as few innocent people as possible are flagged by the system. This aspect could also play an important role for the review envisaged in Article 17 of the proposal which states that special attention should be given in the course of the review to “the quality of the assessments”. (p. 18)
7) Effective Oversight unclear: Any data protection oversight must be fully independent and must have powers of investigation and binding rulings, which apparently is not clear from the proposed directive draft. (p. 19f)

Tuesday, June 07, 2011

Conservative hardliner admits: lack of data retention has no impact on crime clearance rate

Uwe Schünemann, conservative home affairs minister of the German Land of Lower-Saxony, admits in a reponse to a parliamentary question:
Erhebliche Auswirkungen im Hinblick auf die Aufklärungsquote bei Straftaten, die im Zusammenhang mit dem Tatmittel Internet begangen wurden, sind für das Jahr 2010 nicht festzustellen.
English translation:
Significant impact in terms of the clearance rate for crimes that were committed in connection with the Internet for the year 2010 can not be determined.
After a constitutional court ruling, Germany has had no data retention in place since 2nd of March 2010.

Fun fact I: Schünemann just received a Big Brother Award in Germany for the second time. German laudation here.

Fun fact II: The question came from Social Democrats. This is the party that was crucial for adopting data retention in the EU in 2005 and then later in Germany. They have been losing so many votes in recent years (of course also for factors not related to privacy) that they seem to move into the right direction again. Hopefully.