International chronicle of surveillance events – 2016

By Adina Schwartz and Aidan Booth

April 13, 2016

Despite acknowledging that the Privacy Shield is a significant improvement on the Safe Harbor Agreement, the Article 29 Working Party issued a Statement urging the European Commission to revise its draft Adequacy Decision to address “strong concerns.” In particular, the Working Party pointed to the “overall lack of clarity” in the text of the draft adequacy decision and its annexes, and  “regret[ted} that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU.” Further, the Working Party saw a need to clarify the recourse mechanisms available to EU citizens in US courts, and claimed that the Ombudsman created to enforce EU citizens’ rights in regard to US intelligence activities might not be sufficiently independent or vested with sufficient power. The Working Party also stated that once the EU’s General Data Protection Regulation came into effect in 2018, the text of the Privacy Shield would need to be reviewed to ensure equivalent protection of data in the US,

The Statement of the Article 29 Working Party is available here

April 12, 2016

Contrary to earlier reports, the US government was not aided by Cellebrite, but by professional hackers who discovered a previously unknown software flaw in the San Bernardino shooter’s iPhone, and were paid a one-time flat fee for their discovery. At least one of the hackers is a so-called “gray hat” researcher whose practice is not to disclose flaws to the companies responsible for software, but instead to sell discoveries of flaws to governments or to companies that make surveillance tools. The software flaw was used to create a piece of hardware that allowed the FBI to bypass the iPhone’s limits on numbers of password guesses. Although under established Obama administration procedures, a group of senior government officials will decide whether to disclose the software vulnerability to Apple, FBI Director James Comey has stated that disclosure would allow Apple “to fix it and then we’re back we’re started from.” Apple has decided not to sue the government for disclosure.

A Washington Post article is available here

April 8, 2016

The US has decided to continue its appeal of Magistrate Orenstein’s ruling in favor of Apple in the federal district court for the Eastern District of New York. In response, Apple’s lawyers plan to argue that the government would be able to turn to the marketplace for help in unlocking the phone, especially since the phone in the San Bernardino case used a newer operating system and was much harder to unlock than the phone in the Eastern District of New York case. In the meantime, a judge has ordered Apple to unlock an iPhone in a Boston violent gang conspiracy case.

FBI Director James Comey said that the method that the FBI used to unlock the San Bernardino shooter’s iPhone 5c would not work on newer models, including iPhones 5s, 6, and 6s. An iPhone 5s is at issue in the case in the federal district court for the Eastern District of New York in which Magistrate Orenstein refused the government’s request to order Apple’s assistance under the All Writs Act.

April 5, 2016

WhatsApp announced that while previously one-to-one text messages sent through its service were fully encrypted, it has now extended end-to-end encryption by default to photos, videos, group text messages and all communications through its service.

April 2, 2016

On April 1, the FBI sent an advisory to local law enforcement agencies stating that it had used the method demonstrated by “an outside party” to successfully unlock the San Bernardino shooter’s iPhone. Professing to “know that the absence of lawful, critical investigative tools due to the ‘Going Dark’ problem is a substantial state and local law enforcement challenge that you face daily,” the FBI promised that in accord with “longstanding policy,” it would “of course consider any tool that might be helpful to our partners” and “do everything we can to help you consistent with our legal and policy constraints.”

An article reporting on and providing the full text of the advisory is available at

March 31, 2016

Less than a day after announcing that it had unlocked San Bernardino shooter Farook’s iPhone, the FBI agreed to aid Arkansas police to unlock the iPhone and iPod of two teenagers accused of killing a couple.

March 30, 2016

The US government notified the federal trial court for the Eastern District of New York on March 29 that it would decide by April 11 whether to continue appealing Magistrate Orenstein’s refusal to order Apple to assist it in unlocking the iPhone in a Brooklyn drug case. Thus far, the government has not revealed whether the technique that a third party used to unlock the iPhone in the San Bernardino case would work on other iPhones, including the one in the Brooklyn case. A source told Reuters that if the government continues its appeal of Magistrate Orenstein’s ruling, Apple could pursue discovery that might force the government to reveal the technique used on the San Bernardino phone.

March 28, 2016

In a two-page court filing, the US government said that it had succeeded in accessing the content on San Bernardino shooter Farook’s phone and therefore no longer would seek Apple’s assistance. Speaking on the condition of anonymity, a senior law enforcement official admitted that it was possible that no useful information would be recovered from the phone. Another law enforcement official, also speaking anonymously, refused to name the company that had aided the government in unlocking the phone or discuss the methods the company had used and whether they would be disclosed to Apple.

A New York Times article is available here

March 23, 2016

In response to press reports, including the New York Times article described in the February 26 entry below, of a proposed policy change in which the NSA would routinely share raw signals intelligence obtained without a warrant with domestic law enforcement agencies, Members of the House Oversight and Government Reform Committee Ted Lieu and Blake Farenthold warned, in a letter to NSA Director Admiral Michael Rogers, that the proposed change would be unconstitutional. The letter further stated, “The proposed shift in the relationship between our intelligence agencies and the American people should not be done in secret. NSA’s mission has never been, and should never be, domestic policing or domestic spying.”

The letter is available at

On the basis of a report in Israeli newspaper Yedioth Ahronoth, Reuters reported that Israel’s Cellebrite, a provider of mobile forensic software that is a subsidiary of Japan’s Sun Corp, was the company that volunteered to help the FBI unlock the San Bernardino shooter Farook’s iPhone. However, although Cellebrite is known to be an FBI contractor, both the FBI and Cellebrite have refused to comment on whether it is working to unlock Farook’s iPhone.

March 22, 2016

UK Secretary of State for Culture, Media and Sport John Whittingdale confirmed that Elizabeth Denham, who is currently the Information and Privacy Commissioner for British Columbia, Canada, is the UK government’s preferred candidate to replace Christopher Graham as Information Commissioner. If she passes a pre-scrutiny hearing by the Culture, Media and Sports Select Committee and receives final approval from the Queen, Denham will begin a five-year term in mid-2016.

An announcement by the Information Commissioner’s office is available here

March 21, 2016

The hearing scheduled for March 22 in the litigation before Magistrate Pym in the federal district court for the Central District of California was postponed after the government stated that an outside party had shown it a way to possibly unlock the San Bernardino shooter’s iPhone without Apple’s assistance. Speaking anonymously, a senior Apple executive said that if the government failed to unlock the phone and resumed its demand for Apple’s assistance, Apple would want to know more about the outside party in order to determine what methods can circumvent the company’s security features. The government is scheduled to file a status report on its progress in unlocking the phone by April 5.

March 18, 2016

The Electronic Privacy Information Center (EPIC) filed a third-party intervention in the pending appeal before the European Court of Human Rights (ECtHR), 10 Human Rights Organizations and Others v. United Kingdom, of the Judgments of the UK Investigatory Powers Tribunal (IPT) on December 5, 2014 and February 6, 2015 in the challenge brought by Liberty and others to the UK’s Tempora program and use of information obtained through the NSA’s Upstream and Prism programs. The purpose of EPIC’s intervention is to inform the ECtHR of the NSA’s use of mass surveillance, particularly in regard to the communications of non-Americans overseas.

EPIC’s filing is available at

Liberty, et al.’s challenge before the IPT is discussed at

March 17, 2016

A Munich court sentenced Markus Reichel to eight years’ imprisonment for providing more than 200 secret documents to the CIA and unsuccessfully attempting to provide Russian intelligence with three documents. Reichel, who had worked in the post room of the German federal intelligence service (BND) between 2008 and July 2014, told the judge that, “No one trusted me with anything at the BND. At the CIA it was different. I would be lying if I said that I didn’t like that.” The judge responded that the €90,000 he was paid suggested a financial motive. The CIA had been particularly interested in the German parliamentary committee’s investigation of NSA spying in the wake of the Snowden revelations, and in 2014, the discovery of Reichel’s spying caused a rift between the US and Germany.

March 16, 2016

In response to US government accusations that Apple has made “special accommodations” to the Chinese government in exchange for access to the Chinese market, Apple’s reply brief in the San Bernardino shooter iPhone litigation was accompanied by a declaration from its chief engineer, Craig Federighi. The declaration stated, in part, that “Apple has never worked with any government agency from any country to create a ‘backdoor’ in any of our products or services,” and “Apple has also not provided any government with its proprietary iOS source code.”

The declaration is available at

Apple’s reply brief is available at

March 15, 2016

During the debate in the UK Parliament for the second reading of the Investigatory Powers Bill, former Conservative home secretary Ken Clarke called for strengthened judicial oversight of interception warrants and also voiced concern about using broad notions of “economic well being” and “national security” to justify interception. Although the bill was passed onto the next stage by a vote of 281-15, Conservative chair of the Intelligence and Security Committee Dominic Grieve suggested that it needed improvements and almost 50 Conservatives were absent from the vote. Those voting against the bill were mainly Liberal Democratics, while Labour and the Scottish Nationalists abstained.

The US and UK marked the 75th anniversary of their intelligence sharing relationship, which began with the arrival of four American intelligence officers late one night in February 1941 at Britain’s wartime code-breaking center Bletchley Park. The undercover mission involved exchanging US expertise in cracking Japan’s secret communications system Purple with UK knowledge of the German Enigma system.

The New York Times article is available here

In a footnote to its latest filing in the case, the government suggested that if Apple refused to aid it in unlocking the San Bernardino shooter’s iPhone, it might demand the source code that underlies Apple products and the signing key that authenticates software as coming from Apple. Together, the source code and signing key would enable the government to develop spying software and trick any iPhone into accepting it.

March 14, 2016

Article 19 filed a third-party intervention on March 4 in the pending appeal before the European Court of Human Rights (ECtHR), 10 Human Rights Organizations and Others v. United Kingdom, of the Judgments of the UK Investigatory Powers Tribunal (IPT) on December 5, 2014 and February 6, 2015 in the challenge brought by Liberty and others to the UK’s Tempora program and use of information obtained through the NSA’s Upstream and Prism programs. Article 19 is a non-profit devoted to freedom of expression and information that is registered in the UK, US, Bangladesh, Brazil, Kenya, Mexico, Senegal, and Tunisia. Its intervention argues that the Liberty, et al appeal presents the ECtHR “with an important opportunity to affirm that the indiscriminate interception, storage and analysis of online communications has a chilling effect on the freedom of expression of non-governmental organisations (NGOs).”

Article 19’s press release is available at

Its filing before the ECtHR is available at

Liberty, et al.’s challenge before the IPT is discussed at

March 11, 2016

In his annual report, UK biometrics commissioner Alastair MacGregor QC revealed that a police counter-terrorism database contains the DNA profiles and fingerprints of more than 7,800 identified individuals. 55% or 4,350 of the people whose biometric details are in the counter-terrorism database have never been convicted of a crime.

Court filings in the upcoming trial of alleged Russian spy Evgeny Buryakov revealed that the FBI bugged binders of “confidential” industry information that an informant supplied to Buryakov. This enabled the US government to record hours of conversations among Russian intelligence agents between January and May 2013.

March 10, 2016

The government filed a reply brief in support of its motion to compel Apple to assist it in unlocking the San Bernardino shooter’s iPhone, claiming, among other things, that Apple had assisted the Chinese government in unlocking more than 4000 iPhones. In seeming contradiction to FBI Director James Comey’s testimony before the Senate Judiciary Committee on March 1, the government also argued that even if the FBI had not arranged for the password on the shooter’s iCloud account to be changed, it would still not have been possible to recover data from the account. A hearing in the case is scheduled for March 22, and Apple CEO Tim Cook has said that he is willing to take the case to the US Supreme Court.

The brief is available at

March 9, 2016

In a report to the UN Human Rights Council on worldwide privacy concerns, UN special rapporteur on privacy Joseph Cannataci said that the UK government’s draft Investigatory Powers Bill “set[s] a bad example to other states by continuing to propose measures, especially bulk interception and bulk hacking” that are counter to recent European court judgments and “undermine the spirit of the very right to privacy.” Parliament is scheduled to vote on the second reading of the bill next week.

March 7, 2016

The government filed an appeal in the United States District Court for the Eastern District of New York of Magistrate Orenstein’s ruling denying its application for an order requiring Apple to assist it in unlocking an iPhone.

The government’s appeal is available at

March 4, 2016

Taking sides in the controversy between the FBI and Apple, UN High Commissioner for Human Rights Zeid Ra’ad Al Hussein stated that, A successful case against Apple in the US will set a precedent that may make it impossible for Apple or any other major international IT company to safeguard their clients’ privacy anywhere in the world. It is potentially a gift to authoritarian regimes, as well as to criminal hackers. …  In an age when we store so much of our personal and professional lives on our smart phones and other devices, how is it going to be possible to protect that information without fail-safe encryption systems?” He urged governments to “take inspiration” from Judge Orenstein’s decision in the Eastern District of New York refusing to order Apple to unlock an iPhone.

As part of what The New York Times called “a torrent [of support for Apple] compared with the stream of filings backing the Justice Department in the [San Bernardino] case,” technology companies submitting amicus briefs in support of Apple including Twitter, AirBnB, eBay, LinkedIn, Reddit, Amazon, Microsoft, Snapchat, Yahoo, Facebook, Google, AT&T, Intel, and Box.

The Office of the UN High Commissioner’s Press Release is available at

The amicus briefs in support of Apple are available at

March 2, 2016

In order not to waive the possibility of formally objecting to Magistrate Pym’s ruling before a U.S. district court judge, Apple filed formal objections on March 1, despite the ongoing briefing schedule before Magistrate Pym.

March 1, 2016

The UK government introduced a revised Investigatory Powers Bill (a.k.a. the “snooper’s charter”) in Parliament.

The Bill is available at

The reaction of Independent Reviewer of Terrorism Legislation David Anderson, QC is available here and other reactions are available here and here

At a hearing before the Senate Judiciary Committee, FBI director James Comey acknowledged that the FBI could have recovered data stored on San Bernardino shooter Farook’s iPhone since it was last backed up in October if it hadn’t  directed San Bernardino county staff to reset Farook’s iCloud password. Although he told the Committee that the fight with Apple only pertained to Farook’s phone, when questioned, Comey said that the FBI would “of course” seek to unlock other encrypted phones if it prevailed in the San Bernardino case.

A New York Times article is available here

In a 50-page decision, Magistrate Judge James Orenstein of the federal district court for the Eastern District refused the government’s request to order Apple to bypass the security of the cell phone of a drug defendant who had already pled guilty. Notably, the judge reasoned that the All Writs Act of 1789 did not authorize the Order because “it is arguable that CALEA explicitly absolves a company like Apple of any responsibility to provide the assistance the government seeks.” In addition, “even if CALEA does not have such an explicit prohibition, it is part of a larger legislative scheme that is so comprehensive as to imply a prohibition against imposing requirements on private entities that the statute does not affirmatively prescribe.” Magistrate Orenstein further reasoned that the government’s interpretation of the All Writs Act to “allow… a court to confer on the executive branch any investigative authority Congress has decided to withhold, so long as it has not affirmatively outlawed it” contravened the basic Constitutional principle of separation of powers.

The decision is available at

See the October 9, 21, 24 and 26 entries in our Chronicle for 2015 for discussion of earlier proceedings in the case.

By contrast to other relatives of San Bernardino shooting victims, Salihin Kondoker, whose wife was shot three times, filed an amicus brief in support of Apple, arguing on the basis of his wife’s experience as an employee of the San Bernardino county government, that Farook was unlikely to have stored personal information, including clues about the attack, on his work phone. In addition, Kondoker wrote that he was backing Apple as a matter of principle, “Neither I, nor my wife, want to raise our children in a world where privacy is the tradeoff for security.”

Court documents, as well as commentary and legal precedent, in both the San Bernardino case and the case before Judge Orenstein are available at

February 29, 2016

The European Commission released the legal texts intended to implement the EU-U.S. Privacy Shield that is supposed to replace and answer the criticisms of the Safe Harbor Agreement in the Schrems Judgment. The College of Commissioners will make a final decision on the new framework after the Article 29 Working Party holds an extraordinary plenary meeting at the end of March and issues a non-binding opinion and a committee composed of representatives of the EU member states is consulted.

The European Commission’s annoucement,  including links to a press release, draft Adequacy Decision, Q&A, fact sheet, and Communication to the EU Parliament and the Council, is available at

Security and law enforcement experts say that unlocking San Bernardino shooter Farook’s iPhone is unlikely to yield much, if any, useful information that the FBI cannot access by other means.

February 26, 2016

The Obama Administration is fine tuning procedures to permit the NSA to share the unanalyzed content of emails and phone calls that it acquires from other countries or overseas, including bulk collection of satellite transmissions, with the CIA, FBI and other government agencies. Executive Order 12333 governs the acquisition and use of such overseas communications, and until now, the NSA applied minimization procedures to protect names and other information about Americans before passing the communications on to other agencies. In addition, other agencies were only provided with the parts of emails and phone calls that the NSA deemed relevant.

President Obama signed the Judicial Redress Act into law, including the amendment discussed in the February 11 entry below, on February 24.

February 25, 2016

Testifying before a Senate Judiciary Committee Hearing on “International Conflicts of Law Concerning Cross Border Data Flow and Law Enforcement Requests,” Principal Deputy Assistant Attorney General David Bitkower stated that it was crucial that US law enforcement be able to use the Stored Communications Act (SCA), rather than Mutual Legal Assistance Treaties (MLATs), to obtain data American internet service providers store overseas. He also said that the administration was working on an agreement that would allow US providers to respond to lawful UK orders by directly disclosing data stored in the US to UK authorities. The agreement would provide similar access for the US to data stored in the UK.

Mr. Bitkower’s testimony is available at, and his full written statement is at

February 24, 2016

Since late 2015, Germany’s ministry of interior has approved police and intelligence agency use of Trojan software to secretly target computers and track internet traffic, log keystrokes, and monitor social media activity. The government claims that the spyware is used only under strict court orders.

The government is attempting to use the All Writs Act to obtain Apple’s cooperation in  unlocking at least nine iPhones besides the one used by San Bernardino shooter Farook, and Apple has refused to cooperate in at least seven of the cases. The existence of the cases came to light when Magistrate Orenstein of the federal district court for the Eastern District of New York asked Apple to detail other pending government requests before ruling on the government’s request for an Order under the All Writs Act for Apple’s help in unlocking the iPhone of a defendant in a drug conspiracy. Although the defendant has pled guilty, the government has persisted in its request, in part on the ground that unlocked data might lead to other drug suspects. The other requests disclosed to Magistrate Orenstein are in New York, Chicago, Los Angeles, San Francisco and Boston. Although some of the cases remain sealed, they appear to involve run-of-the-mill prosecutions for offenses such as drug trafficking and pornography.

For discussion of and links to articles court documents pertaining to the case before Magistrate Orenstein, see October 9, 21, 24 and 26 entries in our International Chronicle of Surveillance of Events – 2015

February 23, 2016

Representative Ted Lieu, a Democrat from California who has a degree in computer science, is pressing FBI Director James Comey to withdraw the request for an Order directing Apple to aid in unlocking the iPhone of one of the San Bernardino shooters. Criticizing the government for basing its request on “an antiquated law,” the All Writs Act, Lieu stated that, “The precedent set in this case would essentially enact a policy proposal to weaken encryption that has not yet gained traction in Congress and was previously rejected by the White House.

At the Mobile World Congress in Barcelona, Spain, Facebook chief Mark Zuckerberg supported Apple’s refusal to unlock the phone in the San Bernardino case, stating that, “I don’t think building back doors is the way to go, so we’re pretty sympathetic to Tim and Apple.”

February 22, 2016

Prosecutors and police departments throughout the US hope that the San Bernardino case will set a precedent requiring Apple and other technology companies to assist them in unlocking phones.

February 21, 2016

Speaking via Google Hangouts, Edward Snowden stated to a libertarian conference, the New Hampshire Liberty Forum, that he’d told the US government that he’d return to the US if he were guaranteed “a fair trial where I can make a public interest defense of why this was done and allow a jury to decide.”

February 16, 2016

A newly declassified report from 2015 by the NSA’s Inspector General suggests that in the Upstream program conducted under Section 702 of the FISA Amendments Act, internet companies sort through Americans’ overseas emails for emails to, from, or pertaining to email addresses that the NSA designates as foreign targets, and provide only those emails to the NSA. Previously, critics had assumed that the companies provided the NSA with wholesale access to all communications passing through their switches.

A redacted version of the Inspector General’s report, which the New York Times obtained through a FOIA lawsuit, is available at

Magistrate Sheri Pym of the federal district court for the Central District of California ordered Apple to assist the FBI to hack into the work iPhone of Syed Farook, one of the shooters in the December 2 attack in San Bernardino county. The phone, which was provided to Farook by his former employer, the San Bernardino County Department of Public Health, carries the latest version of Apple’s iPhone software and was configured to self-destruct and erase its data after 10 unsuccessful attempts at unlocking it. In a 3-page order containing no rationale, the Magistrate ordered Apple, under the All Writs Act, to provide software that the FBI could use  to bypass the self-destruct feature and try different combinations in rapid sequence in order to find the correct password. Farook was not carrying his work iPhone at the time of the shooting, and he and his wife and co-shooter, Tashfeen Malik, had previously physically destroyed two cell phones and removed the hard drive from their computer, which has yet to be found despite investigators’ numerous dives for potential electronic evidence in a nearby lake.

Magistrate Pym’s Order is available at

In a Message to Customers, Apple CEO Tim Cook vowed to oppose Magistrate Pym’s Order, explaining that “the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.” Stating that “bypass[ing] security in this way would undeniably create a backdoor,” Cook rejected the government’s suggestion that the software they were asking Apple to create would only be used once, on Farook’s particular phone. “Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes.”

February 11, 2016

In a 194-page report, the Joint Committee of the UK House of Lords and House of Commons on the Draft Investigatory Powers Bill said that although the value to law enforcement of the “internet connection records” that the bill would require internet service providers to store for a year “could outweigh the intrusiveness involved in collecting and using them,” the bill’s proposal to protect users’ privacy by only collecting names of websites, rather than individual web pages, visited might not be technically feasible. The Report also called for amending the bill to ensure that its anti-encryption provisions do not lead to the creation of “back doors” for law enforcement, and claimed that greater justification was needed for the provisions on bulk data sets and bulk collection of internet traffic entering the UK.

Separately, former deputy Prime Minister Nick Clegg criticized the bill’s “dragnet” and “disproportionate” approach to the collection of personal data. Shadow home secretary Andy Burnham stated although Labor  supports the bill’s aim of providing necessary powers to the police and security services, the bill needs to be amended to strike “the right balance for our security and privacy.

The Report is available at

The Judicial Redress Act, including an amendment by the Senate Judiciary Committee conditioning EU citizens’ right to sue on the US Attorney General’s certifying that their country’s data transfer policies “do not materially impede the national security interests of the United States,” was passed by the Senate and House respectively on February 10 and 11, and sent on to President Obama to sign.

February 9, 2016

The UK Court of Appeal upheld the unprecedented restrictions on reporting during the trial of London student Erol Incedal of preparing for acts of terrorism. Incedal was acquitted of the charge last March after only 10 of the 70 hours of evidence were heard in open court and more than a third of the prosecution case was held in complete secrecy with jurors told they could be jailed if they ever revealed what they had heard. Specially accredited journalists were allowed to hear some of the secret evidence in locked sessions, but their cell phones were put in a metal case every time they entered the court, their notebooks were handed over to be locked in a safe at the end of each day, and they were banned from telling others what they had seen or heard.

In their Judgment, Lord Chief Justice Lord Thomas and two other senior judges acknowledged the strong public interest in learning about counter-terrorist measures by the police and the security services, but reasoned that reporting about counter-terrorism must not “materially compromise the effectiveness of [the police or security services] or otherwise … damage national security.” While holding that “departure from the principles of open justice was strictly necessary” during Incedal’s trial, the justices allowed that an application to lift the secrecy might be granted at a future time”when there could no longer be any reason to keep the information from the public.

The Judgment in the case, Guardian News and Media Ltd. v. R and Erol Incedal, [2016] EWCA Crim 11 (Ct. of Appeal Feb. 9. 2016) is available at

February 8, 2016

Although Facebook has stated that it does not rely on Safe Harbor, but on other legal mechanisms, to transfer EU citizens’ data to the US, the French data protection authority, Commission Nationale de l’Informatique et des Libertes (CNIL), issued a statement that Facebook transfers personal data to the United States on the basis of Safe Harbour, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015.” In a decision that Reuters called “the first significant action [in the wake of the CJEU’s Safe Harbor Judgment] to be taken against a company transferring Europeans’ data to the United States,” the CNIL ordered Facebook to stop relying on Safe Harbor for data transfers and also to stop tracking non-users’ web activity without their consent, to require eight character rather than six character user passwords, and to give users the option of not being profiled in order to be served personalized ads. The CNIL will impose fines if Facebook does not comply within three months.

Decision no. 2016-007 of January 26, 2016 issuing formal notice to FACEBOOK, INC. and FACEBOOK IRELAND is available at

February 4, 2016

More than 50 political activists from countries across Europe and North America complain that after notifying them in mid-December that their accounts may have been the target of state-sponsored hacking, Twitter refused to provide them with details about the attacks and did not respond to an open letter from they and developers from the Tor Project and EFF campaigners sent in mid-January. EFF staff stated that after issuing similar warnings about state-sponsored hacking, Google and Facebook had provided their users with much more information.

The open letter to Twitter is available at

February 3, 2016

In a “Statement on the Consequences of the Schrems Judgment,” the Article 29 Working Party said that it needed to assess whether the EU-US Privacy Shield alleviated its concerns about whether the US legal framework comports with the four essential guarantees that EU jurisprudence establishes for the processing of data by intelligence agencies: “clear, precise and accessible rules;” “necessity and proportionality with regard to the legitimate objectives pursued;” the existence of an “effective and impartial” “independent oversight mechanism;” and effective remedies for the individual.

Reiterating that Safe Harbor can no longer be relied on for data transfers, the Working Party called on the European Commission to provide it with all documents pertaining to the EU-US Privacy Shield by the end of February, so that it could assess whether, in light of the new agreement, data transfers from the EU to the US could still be based on Standard Contractual Clauses and Binding Corporate Rules.

The Article 29 Working Party’s Statement is available at

February 2, 2016

US negotiators and the European Commission (“EC”) agreed on the EU-US Privacy Shield as a replacement for the Safe Harbor Agreement that the European Court of Justice invalidated in October. Although it is expected to take several weeks for the text of the agreement to be published, a key requirement is a written annual guarantee by the US that intelligence agencies will not indiscriminately access Europeans’ data transferred to the US. This guarantee is to be enforced by an annual joint review conducted by the EC and the US Department of Commerce, with the invited participation of European Data Protection Authorities and national intelligence experts from the US. The leader of the EU negotiating team, EU Justice Commissioner Vera Jourova, conceded that the prohibition of mass surveillance will be lifted if targeted surveillance is not technically or operationally possible or if a “dangerous new trend” makes mass surveillance necessary.

The EC is to draft an “adequacy decision” pertaining to the EU-US Privacy Shield agreement within the coming weeks, and approval by the European Parliament and the national data protection authorities is necessary. Criticism of the new agreement and the prediction that it would be struck down by the European Court of Justice was voiced by Max Schrems and by Member of the European Parliament Jan Philipp Albrecht, with Albrecht calling the agreement “little more than a reheated serving of the pre-existing Safe Harbor decision” and a “sellout of the fundamental EU right to data protection.

The House Judiciary Committee held a hearing on Section 702 of the FISA Amendments Act at which representatives from the NSA, FBI, Department of Justice, and Office of the Director of National Intelligence testified and submitted a joint unclassified statement. Although 25 civil liberties, human rights, and transparency organizations submitted a letter on January 27 calling for an open hearing, by a roll call vote of 20-0, the Committee passed a “Motion to Close Hearing to Public Because Disclosure of Matters to be Examined Would Endanger National Security.”

The Committee’s announcement of the hearing is available at

The Joint Unclassified Statement is available at

The Letter is available at

January 28, 2016

A report presented to the Canadian House of Commons by Communications Security Establishment (“CSE”) Commissioner Jean Pierre Plouffe, the independent watchdog for Canada’s analogue of the NSA, the CSE, indicates that the CSE had likely tapped into the backbone of the internet and shared Canadians’ metadata with the NSA and the other members of the Five Eyes (the UK, New Zealand, Australia, US and Canada) intelligence alliance. Mr. Plouff stated that the CSE’s failure to properly minimize Canadians’ metadata to protect their identity was contrary to CSE’s own operational policy and the ministerial directive on metadata. Further, he criticized the ministerial directive for failing to provide clear guidance on CSE’s collection, use, and sharing of metadata, including not clearly delineating the information encompassed by the term  “metadata.”

The simultaneously released report of the Security Intelligence Review Committee, the review body for Canada’s human intelligence agency, the Canadian Security Intelligence Service (CSIS), indicated that the CSIS has used secret warrants to collect and use the metadata of Canadians who are only tangentially connected with investigations.

In response to the CSE Commissioner’s Report, Defence Minister Harjit Sajjan stated that Canada’s sharing of certain metadata with international partners would be suspended until proper protections of Canadians’ privacy were in place. Mr. Sajjan opined, however, that the “metadata in question … did not contain names or enough information on its own to identify individuals” and that “taken together with CSE’s suite of privacy protection measures, the privacy impact was low.”

GCHQ files leaked by Snowden show that under a program code-named “Anarchist,” the GCHQ and the NSA used a Royal Air Force installation in the Trodos Mountains in Cyprus to systematically spy on Israeli drone operations by intercepting signals between drones and orbiting satellites. Although the Israeli government does not acknowledge that it flies attack drones, snapshots that the Anarchist program intercepted in 2009 and 2010 appear to show drones carrying missiles.

A selection of snapshots from Israeli drone feeds, scheduled to appear as part of Laura Poitras’ solo exhibition, Astro Noise, opening on February 5 at the Whitney Museum of American Art in New York, is available at

The Senate Judiciary Committee passed the Judicial Redress Act, which the House previously passed unanimously in October, with an added amendment conditioning EU citizens’ right to sue in the US for privacy violations on the US Attorney General’s certifying that EU member states’ “policies regarding the transfer of personal data for commercial purposes. . . do not materially impede the national security interests of the United States.” Commenting that the amendment might “further disrupt already turbulent US-EU negotiations on an agreement to replace the Safe Harbor Agreement,” Forbes quoted Republican Senator Cornyn of Texas’ statement to Reuters that he was “for doing what’s in America’s best interests, not necessarily the interests of the European Union.”

The amendment to the Judicial Redress Act is available at

On January 13, the Russian Data Protection Authority (Roscommandzor) released this year’s plan for audits of compliance with Russia’s data localization law, which became effective on September 1, 2015 and requires companies to store the personal data of Russians in databases in Russia. The plan indicates that this year, the Roscommandzor will audit compliance with the localization law by large, multinational companies that conduct business in numerous jurisdictions and process the personal data of Russian citizens.

January 27, 2016

25 civil liberties groups sent a letter to House Judiciary Committee Chairman Robert W. Goodlatte and Ranking Member John Conyers asking that the Committee’s planned “members only” meeting next week on Section 702 of FISA be opened to the public, at least in part.

The text of the letter is available at

Writing in French policy magazine FIC Observatoire, Erik Barnett, the US Department of Homeland Security’s attaché to the European Union, called for a ban on anonymity on the Internet, saying that people should be required to carry the equivalent of a license plate in order to engage in any transactions or communications on line.

January 25, 2016

In response to a Freedom of Information Act lawsuit, the US Department of Justice provided the Electronic Privacy Information Center (EPIC) with the full text of the Umbrella Agreement between the EU and US on the protection of  personal data transferred for law enforcement purposes. On January 14, EPIC had asked the Senate Judiciary Committee to delay acting on the Judicial Redress Act until the text of the Umbrella Agreement was disclosed, and on January 20, the vote scheduled for January 21 was postponed. Passage of the Judicial Redress Act, which would enable US citizens to sue for violations of their privacy in US courts,  is considered critical to reaching a new Safe Harbor Agreement. The Senate Judiciary Committee has rescheduled the hearing on the Act for January 28.

The DOJ’s letter to EPIC, including the full text of the Umbrella Agreement, is available at

EPIC’s Press Release is available at

January 22, 2016

In an article entitled “The Espionage Economy,” James Bamford decries the failure to regulate the sale of surveillance equipment to repressive governments by private companies, as illustrated by the obtaining and use of such equipment by the former President of Panama, Colombia’s security apparatus, and the governments of Kazakhstan and Uzbekistan.

January 21, 2016

Despite its earlier statement in October that it would not permit data transfers to the US in the wake of the CJEU’s Schrems Judgment, Israel’s Law, Information and Technology Authority (“ILITA”) announced that for the time being, it would not bring any review or enforcement actions in regard to data transfers from Israel to the United States that are based on the US-EU Safe Harbor framework.

By contrast to FBI Director James Comey’s advocacy of backdoors to encryption,  NSA Director Adm. Mike Rogers opined before Washington, D.C., think tank Atlantic Council that more, rather than less, encryption is necessary for the US to meet cybersecurity threats. “So spending time arguing about ‘hey, encryption is bad and we ought to do away with it’ … that’s a waste of time to me.” Former NSA Directors Michael Hayden and Michael McConnell have also rejected Comey’s call for backdoors.

January 20, 2016

While Senate Intelligence Committee Chairman Richard Burr and Senator Dianne Feinstein are seeking the swift passage of legislation providing law enforcement access to encrypted data, Senator Mark Warner and House Homeland Security Committee Chairman Michael McCaul want first to convene a national commission to investigate the issue. The proposed commission would include technology industry leaders, privacy advocates, academics, law enforcement officials and members of the intelligence community.

January 19, 2016

The Court of Appeal for England and Wales issued a Judgment in the case brought by David Miranda after he was stopped at Heathrow Airport while attempting to carry materials leaked by Snowden from Laura Poitras in Berlin to his husband, Glenn Greenwald, in Brazil. Writing for the Court, the most senior civil judge in England and Wales, Lord Dyson, held that although the stop of Miranda had been authorized under schedule 7 of the Terrorism Act 2000, “[t]he [schedule 7] stop power , if used in respect of journalistic information or material, is incompatible with article 10 [freedom of expression] of the [European convention on human rights] because it is not ‘prescribed by law’.” In addition, the Judgment  rejected the government’s broad definition of terrorism, holding that the correct legal definition requires intent to cause a serious threat to public safety such as endangering life. Concluding that UK law was inconsistent with the country’s international human rights obligations, the Court took the highly unusual step of issuing a certificate of incompatibility, stating that it would be up to Parliament to decide how to avoid the risk that the stop power at airport and ports would be exercised arbitrarily. Lord Dyson opined that “[t]he most obvious safeguard would be some form of judicial or other independent and impartial scrutiny in such a way as to protect the confidentiality in the [journalistic] material.”

The Court of Appeal’s Judgment is available at

January 15, 2016

The French government rejected an amendment to the Digital Republic law introduced in the wake of the Paris attacks in November that would require technology companies to provide law enforcement with backdoors to encryption. Digital affairs minister Axelle Lemaire called the proposal for backdoors “vulnerability by design.

January 14, 2016

By using IMSI catcher detection equipment, Privacy International and Vice News discovered signs of the use of IMSI catchers (also known as stingrays or cell-site simulators) in London at an anti-austerity demonstration on June 20, 2015, near St. Paul’s Cathedral, at the Ecuadorian embassy, and at an entrance to the  Westminster Parliament. Vice News’ Freedom of Information Act requests to UK police forces were almost always met by a refusal on grounds of national security to either confirm or deny that they used IMSI catchers. Conservative MP David Davis told Vice News that he thought “the whole approach of IMSI catchers, which is a block collection of people’s telephone information, is a general cause for concern. Largely because the public at large assume that interception of communications is the sort of thing that is done very specifically.”

January 12, 2016

In Szabo v. Hungary (application no. 37138/14), the European Court of Human Rights (Fourth Section) issued a Judgment holding that Hungary’s anti-terrorist surveillance legislation of 2011 violates the right to respect for private and family life, the home and correspondence in Article 8 of the European Convention on Human Rights. Focusing on the danger of mass surveillance and the lack of judicial oversight, the Court’s press release summarizes the vices in the legislation as “the scope of the measures could include virtually anyone in Hungary, … the ordering was taking place entirely within the realm of the executive and without an assessment of whether interception of communications was strictly necessary, … new technologies enabled the Government to intercept masses of data easily concerning persons outside the original range of operation, and … the absence of any effective remedial measures, let alone judicial ones.” 

Although the Fourth Section’s Judgment may be revised by the Grand Chamber if a party applies, commentators predict that the Judgment makes it likely that the ECtHR will find against the UK in pending challenges to Tempora and its use of Prism and in potential challenges to the draft Investigatory Powers bill.

The Court’s Press Release is available at

The Judgment  is available at

January 8, 2016

In written evidence presented to the UK Parliament committee considering the draft Investigatory Powers Bill, Google, Twitter, Facebook, Yahoo, and Microsoft expressed concerns about the opacity of the Bill’s provisions on judicial authorization, encryption and technical requirements on tech firms. The firms joined Apple in opposing “any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means,” and raised concerns about extraterritorial jurisdiction, citing their “collective experience around the world of personnel who have nothing to do with the data sought being arrested or intimidated in an attempt to force an overseas corporation to disclose user information,” and stating that “[w]e do not believe that the UK wants to legitimise this lawless and heavy-handed practice.”

In a separate submission, Vodafone objected that the draft Bill did not explain the meaning of its requirement that tech firms obtain and generate data, including whether it “could be used to require an operator to make changes to its networks and services simply to get more data — even relating to other companies’ services — and to hold on to it for law enforcement.”

In an eleven page submission to the Parliamentary committee, the UK Information Commissioner’s Office questioned the Bill’s provision for the retention of internet connection records, stating that “[a]lthough these [records] are portrayed as conveying limited information about an individual they can, in reality, go much further and can reveal a great deal about the behaviours and activities of an individual.”

Google, Twitter, Facebook, Yahoo, and Microsoft’s submission is available here

January 7, 2016

European Data Protection Supervisor (“EDPS”) Giovanni Buttarelli published an Inventory of Priorities for 2016, stating that a principal focus would be “[t]he EU-US transatlantic dialogue, and in particular the need for a legal framework for ensuring transborder flows of data in the ‘post-Safe Harbour’ context,” and that the EDPS would also be concerned with reaching an EU-US “umbrella agreement” in regard to the protection of personal data transferred and processed for the purpose of investigating and prosecuting crime.

The Inventory is available at

January 6, 2016

In a written declaration that legal measures against encryption are “currently not desirable,” the Dutch government recognized that backdoors could not be created for law enforcement without enhancing access for criminals as well. The government intends to “propagate this conclusion, and the arguments that underlie it, in the international context,” and will make a 500 Euro grant to the OpenSSL project.

At a House Intelligence Committee hearing called in response to a Wall Street Journal report in December of NSA spying on Israeli government officials during Congress’ debate about a nuclear power agreement with Iran, Director of National Intelligence James Clapper and NSA Director Adm. Mike Rogers stated that no conversations between Israeli officials and Congress members had been monitored. Citing the classified nature of the briefing, members of the Committee refused to provide reporters with any information about NSA monitoring of Israeli Prime Minister Netanyahu during that time.

Leave a Reply