By Adina Schwartz and Aidan Booth
December 30, 2015
The NSA spied on Israeli government attempts to make Congress reject a nuclear deal with Iran, intercepting both Israeli communications with members of Congress and Prime Minister Netanyahu’s communications with his aides.
December 23, 2015
A top secret GCHQ document from February 2011 leaked by Snowden shows that GCHQ and the NSA found ways to penetrate the NetScreen line of security products made by Juniper Networks, a leading provider of networking and Internet security gear. Companies use the NetScreen products to create online firewalls and virtual private networks (VPNs). The document, which was authored by an NSA employee working with GCHQ as part of an “Access Security Team,” indicates that GCHQ and the NSA had repeatedly exploited security holes in Juniper products in order to engage in surveillance, and raises the possibility that the agencies were involved in creating the security holes that Juniper disclosed last week.
The document is available at https://www.documentcloud.org/documents/2653542-Juniper-Opportunity-Assessment-03FEB11-Redacted.html
December 22, 2015
On December 17, 2015, Germany’s Bundestag adopted a draft law enabling consumer protection associations to bring class action-like actions against companies for violations of German law on the processing of personal data. The law, which will come into effect when signed by the president and published in the Federal Law Gazette, bars consumer protection associations from bringing claims until September 30, 2016 for violations of international data transfer rules based on reliance on the Safe Harbor Agreement.
The draft law is available (in German) at http://dip21.bundestag.de/dip21/btd/18/046/1804631.pdf
December 21, 2015
In an unprecedented move, Apple submitted written evidence to the UK parliamentary committee examining the draft Investigatory Powers Bill, claiming that the bill’s provisions for weakening encryption and legalizing hacking by the security services “would weaken the protections built into Apple products and endanger all our customers. A key left under the doormat would not just be there for the good guys. The bad guys would find it too.” Further, Apple claimed that by requiring non-UK tech companies to violate their countries’ laws, the bill would “immobilise substantial portions of the tech sector and spark serious international conflicts.”
December 18, 2015
The Permanent Representatives Committee (Coreper) of the European Council confirmed the final draft of the EU General Data Protection Regulation (the “Regulation”), which the European Parliament, Council and Commission had informally agreed to on December 15. The Regulation is intended to replace the EU Data Protection Directive of 1995, Directive 95/46/EC, and member states will have two years to apply it after the full European Parliament votes on it in spring 2016. Among the Regulation’s provisions are a more expansive definition of personal data, a more rigorous definition of consent to the processing of data, and the extension of its obligations to companies based outside of the EU. Fines of up to 4% of global annual turnover or 20 million euros can be imposed for violations.
The consolidated text of the Regulation is available at http://static.ow.ly/docs/Regulation_consolidated_text_EN_47uW.pdf
The Press Releases of the Council, Parliament, and Commission are available, respectively, at http://www.consilium.europa.eu/en/press/press-releases/2015/12/18-data-protection/, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+IM-PRESS+20151217IPR08112+0+DOC+XML+V0//EN, and http://europa.eu/rapid/press-release_IP-15-6321_en.htm
December 10, 2015
Open Rights Group director Jim Killock told a UK Parliamentary committee that the draft Investigatory Powers Bill’s provisions for downloading “personal details” from bulk data sets would allow the security services to engage in mass surveillance. Asking what a “bulk data set” was, Mr. Killock stated that, “Just about every business in the country operates a database with personal information in it. This could be Tesco Clubcard information. It could be Experian’s data around people’s financial transactions, it could be banking details, it could certainly be any government database that you care to mention.”
December 9, 2015
Antony Walker of techUK, which represents 850 UK technology companies, told the House of Commons Science and Technology Committee that the Home Office needed to be much clearer about the limits on the power to hack into devices that the draft Investigatory Powers Bill grants to the security services. Mr. Walker questioned whether as the “Internet of things” develops “equipment interference” warrants would allow driverless cars, household appliances, and “smart” toys to be hacked into to track locations or switch on microphones and cameras.
November 20, 2015
The UK Court of Appeal issued a judgment in MPs Davis and Watson’s challenge to the data retention provisions of DRIPA 2014 that, according to Independent Reviewer of Terrorism Legislation David Anderson QC, “changes the legal weather around the bulk retention of (and access to) communications data, in a way that the Government will welcome.” While the Divisional Court had found that in light of the European Court of Justice (CJEU)’s Digital Rights Ireland Judgment, DRIPA’s data retention provisions were incompatible with the EU Charter of Fundamental Rights, the Court of Appeal provisionally held that Digital Rights Ireland did not impose any “definitive mandatory requirements” in regard to government access to retained communications data. Noting, however, that the courts of six EU member states had applied Digital Rights Ireland to invalidate national legislation, the Court of Appeal referred to the CJEU the question of whether Digital Rights Ireland established mandatory requirements for member states’ legislation. The Court also referred the question of whether Digital Rights Ireland had expanded the protections of Article 7 and/or 8 of the EU Charter beyond those afforded by Article 8 of the ECHR, as interpreted by the European Court of Human Rights.
Mr. Anderson’s press release is available at https://terrorismlegislationreviewer.independent.gov.uk/daviswatson-appeal/
The Judgment in Secretary of State v. Davis and Watson et al., [2015] EWCA Civ 1185, is available at https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2015/11/Davis-FINAL.pdf
On November 19, the French Data Protection Authority (CNIL) posted Guidance and responses to Frequently Asked Questions, stating that in the wake of Schrems, EU Model Clauses are the most suitable mechanism for transferring personal data to the US. The CNIL stated that if a new Safe Harbor Agreement is not arrived at by the end of January 2016, the European DPAs will consider using their enforcement powers to suspend or forbid data transfers to the US.
The CNIL’s Guidance and FAQ are respectively available (in French) at http://www.cnil.fr/linstitution/actualite/article/article/safe-harbor-que-doivent-faire-les-entreprises/ and http://www.cnil.fr/vos-obligations/transfert-de-donnees-hors-ue/safe-harbor-faq/
November 19, 2015
NSA Inspector General Reports that The New York Times obtained through a Freedom of Information Act lawsuit show that after ending the bulk collection of email metadata from within the United States in December 2011, the NSA took advantage of a November 2010 change in its rules to sweep up and analyze Americans’ email metadata found on fiber optic cables overseas. In addition, the NSA used warrantless surveillance under Section 702 of the FISA Amendments Act to obtain the “functional equivalent” of the information previously obtained through the bulk domestic email metadata program.
The Inspector General Reports are available at http://www.nytimes.com/interactive/2015/11/19/us/20-foia-nsa.html
The lawsuit, The New York Times Co. and Charlie Savage v. NSA, 15 Civ. 2383 (SDNY), and the information obtained therefrom are summarized in Section 4 of Charlie Savage, “NYT/Savage Freedom of Information Act Litigation,” http://www.charliesavage.com/?page_id=303#anchor4
November 17, 2015
At his trial in state court in Munich, a former official of Germany’s foreign intelligence agency, the BND, admitted that he had provided the CIA with classified information. The defendant, identified only as Markus R. due to German privacy laws, admitted that the CIA had paid him $102,000 for the documents, which allegedly listed the names and aliases of current and former German intelligence agents working outside the country.
November 16, 2015
Although the French and Belgian intelligence services knew about the jihadi backgrounds of the perpetrators, they failed to connect the dots to discover the conspiracy to commit the Paris attacks. The Belgian parliamentary committee that oversees the country’s intelligence services has opened an inquiry into the failures, and a member of the French senate’s foreign and defense committee, Natalie Goulet, stated that, “What we know is that most of these people came back from Syria and nobody stopped them. Whatever the reform that has been implemented [in the intelligence agencies] it’s not working.” By contrast, CIA director John Brennan stated that “a number of these operatives and terrorist networks … have gone to school on what … they need to do in order to keep their activities concealed from the authorities,” and decried “a number of unauthorized disclosures and a lot of handwringing over the government’s role in the effort … to uncover these terrorists.”
November 13, 2015
In a letter to US Secretary of Commerce Penny Pritzker and EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová, human rights and consumer organizations from the EU and US insisted that the Schrems Judgment required major changes in domestic law and international commitments. Among the groups’ recommendations were the end of mass surveillance by EU member states and of non-US persons by the US under Sec. 702 of the FISA Amendments Act, US support for strong encryption, EU suspension of the SWIFT and PNR Agreements and enactment of an effective General Data Protection Regulation by the end of the year, and US enactment of a comprehensive legal framework for data protection based on the Consumer Privacy Bill of Rights.
November 12, 2015
Russia’s Federal Security Service (FSB) said that a former Moscow police officer had been convicted of spying for the CIA and passing state secrets to a foreign intelligence agency, and sentenced to 13 years’ imprisonment.
November 11, 2015
Microsoft announced that in the second half of 2016, it will begin offering cloud services, including Azure, Office 365 and Dynamics CRM Online, from datacenters in Magdeburg and Frankfurt am Main, Germany, to be operated under German law by Deutsche Telekom subsidiary, T-Systems. The Press Release stated that, “Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision,” and referred to a study finding that 83% of German companies expect their cloud provider to operate datacenters in Germany. Microsoft also plans to offer cloud services from datacenters in the UK and to expand its datacenters in Ireland and the Netherlands.
Microsoft’s Press Release is available at http://news.microsoft.com/europe/2015/11/11/45283/
November 9, 2015
During a visit to the UK, Apple’s chief executive, Tim Cook, criticized the obligation that the draft investigatory powers bill imposes on companies to assist the government in decryption. “Any back door is a back door for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a back door can have very dire consequences.”
The NSA sent a memo to relevant US Congressional committees stating that it would have the technological capacity to operate an alternative to the bulk telephony metadata program by the November 29 deadline set by the USA Freedom Act.
November 7, 2015
In a piece entitled “To MI5 with Love,” The Economist opined that the draft investigatory powers bill “leans on the side of the spies, extending their powers.” As evidence that “the crusts thrown to civil-rights campaigners crumble on closer examination,” The Economist contrasted the power to review warrants that the draft bill grants to judges with “America’s larger, tougher and more thorough system of authorisation.” The Economist further stated that “authorities will be able to see if someone visited a website specialising in radical Islam, even if they cannot see the pages they viewed.”
November 6, 2015
The European Commission issued a Communication to the European Parliament and Council and a Q&A sheet on transatlantic data transfers in the wake of the CJEU’s Judgment in Schrems. The Commission’s Press Release stated that within three months, it aims to conclude negotiations on a new Safe Harbor Agreement “which must meet the requirements identified in the Court ruling, notably as regards limitations and safeguards on access to personal data by U.S. public authorities.” Despite acknowledging national data protection authorities’ power to assess the adequacy of data transfers, the Commission stated that until negotiations were concluded, data transfers to the US could be based on contractual solutions, Binding Corporate Rules for the transfer of personal data between different branches of multinational corporations, or Derogations. The Derogations, which are to be strictly interpreted, include the performance or conclusion of contracts, the establishment, defense or exercise of legal claims, and, absent any other ground, the free and informed consent of the individual data subject.
The Commission’s Press Release, Communication and Q&A sheet are available, respectively, at http://europa.eu/rapid/press-release_IP-15-6015_en.htm, http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/files/eu-us_data_flows_communication_final.pdf, and http://europa.eu/rapid/press-release_MEMO-15-6014_en.htm
November 5, 2015
During the presentation of the draft investigatory powers bill, the UK government confirmed the existence of the Tempora program of bulk interception of communications, whose existence had previously been revealed by Snowden, and also revealed for the first time that over the past ten years, the UK’s domestic counter-intelligence and security agency, MI5, had been collecting massive amounts of data about UK phone calls in order to search for terrorist connections. Independent Reviewer of Terrorism Legislation David Anderson QC told the BBC that the MI5 program “wasn’t illegal in the sense that it was outside the law, it was just that the law was so broad and the information was so slight that nobody knew it was happening.” Also for the first time, the government published the “Arrangements for the Acquisition of Bulk Communications Data Pursuant to Directions Under Section 94 of the Telecommunications Act 1984” (the “Arrangements”), that had provided the putative authority for the security and intelligence services’ collection of large amounts of telephone data in order “to identify subjects of interest within the UK and overseas.”
Mrs. May stated that after consultation with Parliament, a bill would be formally introduced in the New Year.
The Arrangements are available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473780/Handling_arrangements_for_Bulk_Communications_Data.pdf
The draft investigatory powers bill’s requirement of judicial authorization for police attempts to use metadata to determine a journalist’s sources does not extend to the intelligence services, and such surveillance would be kept secret from journalists and their attorneys. The bill would also criminalize any disclosure of details about government surveillance by telecommunications employees. In The Intercept, Ryan Gallagher opined that the draft bill’s provision for “bulk equipment interference” by the intelligence services, or, in other words, “large-scale hacking of computers or phones to covertly collect data or monitor communications,” “represents an attempt to institutionalize, broaden, and perhaps in some cases even retroactively legalize the tactics the agencies have been deploying in recent years on dubious legal footing under cover of secrecy.”
November 4, 2015
UK Home Secretary Theresa May introduced a draft investigatory powers bill in Parliament intended to replace the UK’s current fragmented system of laws governing surveillance by the police and intelligence and security services. Key provisions of the proposed bill include requiring internet and telephone companies to retain for up to a year “internet connection records,” which would track websites (but not webpages) visited and apps connected to through computers, smartphones, tablets and other devices. Police and the intelligence and security services would be allowed to access these records without a warrant. A new seven-member panel of judges, the Investigatory Powers Commission, would be empowered to veto government ministers’ approval of warrants for the interception of the contents of communications. The bill would also enact into law the Wilson Doctrine’s requirement that the Prime Minister be consulted before interception of MPs’ communications and would require judicial approval for police access to journalists’ sources. Explicit legal authorization would be provided for the first time for the intelligence and security services’ powers to collect bulk personal datasets and to use “equipment interference powers” to hack computers and phones around the world.
Although shadow home secretary Andy Burnham welcomed the bill, Labour leader Jeremy Corbyn is known to be more skeptical. Conservative former shadow home secretary David Davis questioned the independence of the judiciary who would be involved in the warrant process. He and Liberty director Shami Chakrabarti criticized the bill for giving judges only minimal powers to review ministers’ approval of warrants, and Ms. Chakrabarti also charged that it created “breath-taking new powers for the police and the authorities to hack into our systems and servers and devices.” Liberal Democratic MP Nick Clegg questioned whether it might be better to eliminate a role for ministers and have judges directly authorize warrants, and asked why so much browsing history needed to be retained. Edward Snowden tweeted that the bill “legitimizes mass surveillance. It is the most intrusive and least accountable surveillance regime in the West.” While he gave the bill “four stars,” Independent Reviewer of Terrorism Legislation, David Anderson QC, warned that Parliament shouldn’t approve of it without being sure that the “obvious risks” created by “a lot of data … being kept by … service providers and … kept for a very long time” were minimized.
Calling the bill “the single most important piece of legislation in this parliament by the prime minister,” The Guardian predicted that Parliament would scrutinize it for over a year and that the bill would be “likely to be changed substantially, mainly in the Lords next autumn before it reaches the statute book.”
The draft bill is available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf
November 3, 2015
The UK’s independent reviewer of terrorism legislation in the wake of 9/11 until 2011, Lord Carlile, has received £400,000 from SC Strategy Ltd, a consultancy firm offering advice on UK policy and regulations, that he co-owns with Sir John Scarlett, the head of MI6 from 2004 to 2009. On November 2 on the BBC Radio 4’s Today program, Lord Carlile called for an end to the “demonisation” of the security services and denied the need for judicial authorization of warrants, stating that “I cannot think of any example – certainly in the period since 2001 when I’ve been intimately involved in this kind of work – in which I have seen a politician make a decision that was against the interest of the privacy of the public.”
In a speech on the consequences of the CJEU’s Judgment in Schrems before the US House of Representatives Committee on Energy and Commerce and Subcommittee on Commerce, Manufacturing and Trade, the Senior Vice President for International Policy of the Chamber of Commerce, John Murphy, emphasized the economic importance of data flows between the US and EU, and warned that “it is unclear that any … mechanisms [for the transfer of personal data] can work so long as the Court’s rational [sic] for rejecting Safe Harbor stems from its finding that U.S. authorities have excessive and indiscriminate access to personal data held by companies.” Mr. Murphy voiced concern that the Schrems Judgment would allow the data protection authorities of individual EU countries, such as Germany, to be especially vigilant about data transfers. He applauded the House of Representatives for passing the Judicial Redress Act and urged the Senate to do the same.
Mr. Murphy’s speech is available at https://www.huntonprivacyblog.com/files/2015/11/testified.pdf
November 1, 2015
Former shadow home secretary David Davis said that the investigatory powers bill that the UK government plans to introduce on November 4 will not be passed by Parliament unless it requires warrants for the interception of communications to be judicially authorized. Others insisting on judicial authorization of warrants include former Liberal Democrat leader Lord Ashdown and Labour’s leader Jeremy Corbyn and deputy leader Tom Watson, shadow home secretary Andy Burnham, and shadow home office minister Keir Starmer.
October 31, 2015
Due to fears that civil liberties concerns would prevent passage of the surveillance bill that it plans to introduce in Parliament on November 4, the UK government abandoned plans to allow the police and intelligence services full access to everyone’s browsing history. Senior government sources said that the bill would bar police and security services from accessing people’s browsing histories, and that “any access to internet connection records will be strictly limited and targeted.” The government also ruled out plans to restrict or ban companies from encrypting material on the internet.
October 29, 2015
The European Parliament voted 285-281 for a non-binding resolution calling on member states to grant Edward Snowden “protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistle-blower and international human rights defender.”
The Resolution is available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+P8-TA-2015-0388+0+DOC+PDF+V0//EN
Yesterday, at the Lord Mayor of London’s annual defence and security lecture, Andrew Parker, the head of the UK’s domestic counter-intelligence and security agency MI5, said that the terrorist threat in the UK was the greatest it had been during his 32-year career. Contending that surveillance powers needed to be brought in line with modern technology, Mr. Parker stated that, “Today the conversations of our adversaries are happening on a bewildering array of devices and digital platforms, often provided by companies based overseas. And an increasing proportion of such communications are now beyond our reach – in particular with the growing prevalence of sophisticated encryption.” BBC security correspondent Gordon Corera called Mr. Parker’s comments “part of a broader campaign by spies and police to make their case ahead of the new bill” on state surveillance powers to be published next week.
The text of Mr. Parker’s speech is available at https://www.mi5.gov.uk/home/about-us/who-we-are/staff-and-management/director-general/speeches-by-the-director-general/a-modern-mi5.html
UK police seized the laptop of Secunder Kermani, a journalist with the BBC’s flagship current affairs program Newsnight, using a judicial order under the Terrorism Act that required the BBC to hand over Kermani’s communications with a man in Syria who had publicly identified himself as an ISIS member. Yesterday, Newsnight editor Ian Katz responded that, “While we would not seek to obstruct any police investigation, we are concerned that the use of the Terrorism Act to obtain communication between journalists and sources will make it very difficult for reporters to cover this issue of critical public interest.”
October 27, 2015
On October 26, Germany’s federal and state data protection authorities (the “German DPAs”) responded to the CJEU’s Judgment in Schrems by issuing a joint Position Paper stating that they would prohibit data transfers to the US based solely on Safe Harbor, to the extent that they become aware of them, and would not approve of transfers based on Binding Corporate Rules (“BCRs”) or data export agreements. Consent was deemed not to provide a legal basis for massive, routine or repeated data transfers to the US, and the narrow conditions under which transfers would be approved on the basis of consent were said to extend to employee data only in exceptional cases. The German DPAs asked German legislators to grant them a right to file an action in accord with the CJEU Judgment, and called on the European Commission to push for the right to a judicial remedy, data protection rights, and recognition of the principle of proportionality during negotiations with the US.
The German DPAs’ Position Paper is available (in German) at https://www.datenschutz.hessen.de/ft-europa.htm#entry4521
In an Op Ed piece in The New York Times entitled “Europe Is Spying on You,” the Council of Europe Commissioner for Human Rights Nils Muiznieks criticized enacted or draft changes in the laws of Germany, France, the UK, Finland, the Netherlands, and Austria, stating that “[b]y shifting from targeted to mass surveillance, governments risk undermining democracy while pretending to protect it.”
The piece is available here
In a blog post on the CJEU’s Judgment in Schrems, UK Deputy Commissioner and Director of Data Protection David Smith advised businesses not to panic, stating that transfer mechanisms other than Safe Harbor “may turn out to be less than ideal,” and that “[t]he impact of the judgment on standard contractual clauses and binding corporate rules is still being analysed.” Mr. Smith wrote that under UK law, instead of relying on Commission decisions, businesses could rely on their own judgments of whether data transferred to the US would be adequately protected, and that the UK Information Commissioner’s Office (“ICO”) provided guidance about how to do so. Voicing the hope that a new Safe Harbor Agreement would emerge, Mr. Smith stated that the ICO was “certainly not rushing to use our enforcement powers. There’s no new and immediate threat to individuals’ personal data that’s suddenly arisen that we need to act quickly to prevent.”
October 26, 2015
In a speech before the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová announced that the Commission would “soon issue an explanatory Communication on the consequences of the Schrems ruling setting out guidance on international data transfers.” Although she stated that arriving at a new agreement on transatlantic data flows was crucial, Ms. Jourová insisted on the “need to make sure that the new arrangement lives up to the standard of the Schrems ruling,” and stated that the biggest challenge was imposing “clear conditions and limitations” on US government access to data for law enforcement and national security purposes.
At a hearing in the case described in the October 9, 21 and 24 entries below, Judge Orenstein rejected the government’s argument that ordering Apple to decrypt data on a user’s smartphone was the same as ordering it to produce information, saying “What you’re asking them to do is do work for you.” The judge analogized the government’s request to ordering a drug company to make a lethal injection drug over its conscientious objections, and when the Assistant United States Attorney replied that “the hypothetical is somewhat inflammatory,” he responded, “Purposefully so.” The judge also pressed Apple to explain why it was objecting to the decryption order in the case when it had complied with such orders for years. After requesting both sides to submit letters addressing his questions by October 28, the judge stated that he would rule as soon as he could.
October 24, 2015
In a brief filed on October 22 in a case before Judge Orenstein in the federal district court for the Eastern District of New York, the government argued that Apple should be required to assist it under the All Writs Act because Apple was able to decrypt the data on the seized phone that used iOS 7 software and had assisted the government in the past by decrypting data on phones using iOS 7 or lower software. The government also advanced the novel argument that Apple was required to assist it because as a result of its licensing agreements with buyers, Apple continued to own the software on their phones. In a brief filed on October 23, Apple replied that its software licensing agreements do not permit it “to invade its customers’ devices uninvited…. To hold that the existence of such a license is enough to conscript Apple into government service would be to say that the manufacturer of a car that has licensed software in it (which is increasingly the case) could be required to provide law enforcement with access to the vehicle or to alter its functionality at the government’s request.” A hearing in the case is scheduled for October 26.
Former magistrate judge and current law professor at the University of North Texas Brian Owsley commented that although the government “may win this battle over this phone, … they are losing war because … [i]t is only a matter of time before almost all phones have a system that cannot be decrypted.”
The government’s brief is available at https://www.eff.org/files/2015/10/23/gov.uscourts.nyed_.376325.15.0.pdf
Apple’s Supplemental Response of October 23 is available at https://www.eff.org/files/2015/10/23/e.d.n.y._1-15-mc-01902_16.pdf
See the October 9 and 21 entries below for discussion of earlier filings and rulings in the case
October 21, 2015
In a brief filed on October 19 resisting the government’s application before Judge Orenstein in the federal district court for the Eastern District of New York for an order under the All Writs Act for the decryption of data on a lawfully seized device, Apple stated that 90% of its iPhones used iOS 8 or higher software that encrypted the majority of users’ data, and that it was impossible for Apple to access the encrypted data on those phones without the user’s passcode. The device at issue in the case used iOS 7 software, and Apple admitted that extracting data from a pre-iOS 8 device “would not likely place a substantial financial or resource burden on Apple.” The company asserted, however, that compliance with orders for extractions under the All Writs Act, “absent clear legal authority to do so, could threaten the trust between Apple and its customers and substantially tarnish the Apple brand.” Although Apple’s brief only addressed the technical feasibility and burdensomeness of extracting data from iPhones, on October 21, Judge Orenstein invited the company to submit its views on “whether the All Writs Act empowers the court to compel Apple to provide the technical assistance the government seeks.”
The Judge rejected the ACLU and EFF’s request of October 19 to submit an amicus brief.
Apple’s brief is available at http://ia801501.us.archive.org/27/items/gov.uscourts.nyed.376325/gov.uscourts.nyed.376325.11.0.pdf
See the October 9 entry below for discussion of Judge Orenstein’s initial decision in the case
October 20, 2015
At a hearing before the Irish High Court, Mr. Justice Hogan awarded Mr. Schrems full legal costs for bringing a case of “transcendent international importance,” leading to “possibly one of the most important decisions” by the CJEU in recent years. Irish Data Protection Commissioner Helen Dixon stated that in response to the CJEU’s Judgment, she would expeditiously investigate Maximilian Schrems’ complaint about the transfer of his Facebook data to the US. After the hearing, a Facebook spokesperson stated that, “Facebook is not and has never been part of any program to give the US government direct access to our servers.”
The House of Representatives passed the Judicial Redress Act giving European citizens the right to bring Privacy Act lawsuits in United States courts for unlawful disclosure of their data by the United States.
October 19, 2015
In response to the Investigatory Powers Tribunal (IPT)’s Judgment of October 14 holding that the Wilson Doctrine prohibiting interception of parliamentarians’ communications was not legally binding on the intelligence and security services, the UK House of Commons held an emergency debate. Stating that the government’s interpretation of the Doctrine “remains unchanged” and agrees with the IPT’s interpretation, Home Secretary Theresa May said that the security services had always been able to spy on parliamentarians under certain circumstances, including when national security was at stake. Calling the Wilson Doctrine “defunct,” Labour’s Shadow Commons leader Chris Bryant stated that, “[I]n a new era we have to have a rational approach which involves judicial oversight rather than political oversight of warrants to make sure that the country is defended, so too the rights of constituents when they approach a member of Parliament.”
The Emergency Debate may be watched at http://parliamentlive.tv/event/index/fc87da5f-4439-4d87-99eb-ccea8b08adc4
October 16, 2015
In a Statement on the consequences of the CJEU’s Judgment in Maximilian Schrems v. Data Protection Commissioner, the Article 29 Working Party emphasized that “massive and indiscriminate surveillance … is incompatible with the EU legal framework and … existing transfer tools are not the solution” to the CJEU’s invalidation of the European Commission’s decision that the Safe Harbor regime adequately protects EU citizens’ data transferred to the US. The Working Party stressed the need for US authorities and EU institutions and member states to “open discussions … in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.” Although “Standard Contractual Clauses and Binding Corporate Rules” could be used as the basis for data transfers while the Working Party continued analyzing the impact of the CJEU’s Judgment on transfer tools other than Safe Harbor, during this time, data protection authorities would nonetheless have the power to investigate complaints and protect individuals. Moreover, if an appropriate solution was not reached with the US by the end of January 2016, EU data protection authorities might take “coordinated enforcement actions.” Warning that “transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful,” the Working Party concluded that “businesses should reflect on the … risks they take when transferring data and should consider putting in place any legal and technical solution in a timely manner ….”
The Article 29 Working Party’s Statement is available at https://www.huntonprivacyblog.com/files/2015/10/20151016_wp29_statement_on_schrems_judgement-2.pdf
The German Parliament passed a data retention law that would require telecommunications providers to retain customers’ Internet and phone usage data, including phone numbers, call times, IP addresses, and international identifiers of mobile users (if applicable) for 10 weeks and cell site location data for 4 weeks. Contents of communications, websites accessed and metadata on email traffic are explicitly excluded from the data required to be retained. Law enforcement can access the data only with a judicial order and in the presence of two authorized individuals, and use of the data is limited to the investigation of a list of “severe crimes.” Providers are required to ensure that retained data is stored in Germany and to encrypt the data and store it on air-gapped servers. To become effective, the law must be signed by Germany’s federal president and published in the Federal Law Gazette.
October 15, 2015
In response to the CJEU’s Judgment in Maximilian Schrems v. Data Protection Commissioner, 56 members of the US House and Senate signed a letter encouraging Secretary of Commerce Penny Pritzker and Federal Trade Commission Chairwoman Edith Ramirez “to work closely with your European counterparts to issue interim guidance for businesses that have relied upon the Safe Harbor. It is imperative these businesses are able to continue operating in the absence of the Safe Harbor.”
October 14, 2015
The UK’s Investigatory Powers Tribunal (“IPT”) issued a Judgment rejecting challenges brought by Green Party politicians Caroline Lucas MP and Baroness Jenny Jones and former Respect Party MP George Galloway. The complainants had alleged that as a result of GCHQ’s indiscriminate interceptions of telecommunications under the Tempora program, their communications must have been illegally intercepted in violation of the Wilson Doctrine prohibiting interception of parliamentarians’ communications. The IPT limited the application of the Wilson Doctrine to the targeting of parliamentarians’ communications for interception under s. 8(1) warrants or their selection for examination after untargeted mass interception of communications under s. 8(4) warrants. The Doctrine was held not to be legally binding, even as so limited.
Commenting on the ruling, Baroness Jones said, “Our job is to hold the executive to account, and to do that effectively it’s crucial that people feel they can contact us without their communications being monitored. In a democracy there is absolutely no excuse for people who contact parliamentarians to be subject to blanket surveillance by the security services.”
The IPT’s Judgment is available at http://www.ipt-uk.com/docs/Caroline_Lucas_JUDGMENT.pdf
The Data Protection Authority (“DPA”) of the German state of Schleswig-Holstein issued a Position Paper on the CJEU’s Judgment in Maximilian Schrems v Data Protection Commissioner in which it rejected the European Commission’s position that the Judgment leaves in place legal mechanisms other than Safe Harbor for transferring personal data from the EU to the US. Stating that the principles set forth in the Judgment must be used to evaluate alternative transfer mechanisms, the Position Paper insists on the need for significant changes in US law. The DPA asserts that data transfers to the US without a legal basis constitute an administrative offense subject to a fine of up to 300,000 euros, and is considering using its powers under Article 4 of Commission Decision 2010/87/EU of February 5, 2010 to “prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data.”
The Position Paper is available (in German) at https://www.huntonprivacyblog.com/files/2015/10/20151014_ULD-Positionspapier-zum-EuGH-Urteil.pdf
October 12, 2015
London’s Metropolitan Police Service (“MPS”) announced that it would no longer station police outside the Ecuadorian Embassy in an effort to arrest Julian Assange for failure to surrender for extradition to Sweden. Stating that “there is no imminent prospect of a diplomatic or legal resolution to this issue,” the MPS announced that “[w]ith so many different criminal, and other, threats to the city it protects, the current deployment of officers is no longer believed proportionate.” Other covert and overt tactics, which the MPS would not discuss, will be employed in an attempt to arrest Assange should he leave the Embassy.
As of the end of April, the stationing of MPS officers outside the Ecuadorian Embassy had cost British taxpayers 11.1 million pounds, or $17 million, and the expense had prompted an outcry by local politicians.
October 11, 2015
In an opinion piece in The Guardian, John Naughton opined that the CJEU’s Judgment in Maximilian Schrems v Data Protection Commissioner “provides yet another confirmation of the sterling service that Snowden has rendered to civil society. His revelations have prompted a wide-ranging reassessment of where our dependence on networking technology has taken us and stimulated some long-overdue thinking about how we might reassert some measure of democratic control over that technology.” Further, Naughton stated that Snowden’s revelations “also indirectly highlight the symbiotic relationship between the US National Security Agency and Britain’s GCHQ on the one hand and the giant internet companies on the other.”
October 9, 2015
In response to an application for an order under the All Writs Act to force Apple to provide the government with access to encrypted data on a customer’s lawfully seized device, Magistrate James Orenstein of the federal district court for the Eastern District of New York reasoned that since the legislative history shows that “Congress is plainly aware of the lack of statutory authority and has thus far failed either to create or reject it,” “it is far from obvious that the relief the government seeks … is available under the All Writs Act.” Despite concluding that “analysis strongly suggests that granting the instant motion would be inconsistent with the purposes of the All Writs Act,” Judge Orenstein deferred ruling on the application until Apple submitted written views by October 15 on the technical feasibility and burdensomeness of providing the assistance the government seeks.
The decision is available at https://ia801501.us.archive.org/27/items/gov.uscourts.nyed.376325/gov.uscourts.nyed.376325.2.0.pdf
In an editorial on the Judgment in Maximilian Schrems v Data Protection Commissioner, Case C-362/14, the New York Times concluded that, “The Court of Justice is right to question whether the personal information of Europeans is being protected adequately in the United States. But mass surveillance by European governments is just as intrusive of privacy, and requiring data storage in Europe offers little comfort.”
October 8, 2015
The Obama administration has decided, at least for now, not to seek legislation requiring companies to decrypt customers’ data, but instead to try to persuade companies to encrypt data in a way that provides the government with a backdoor.
October 6, 2015
The European Court of Justice (“CJEU”) issued its Judgment in Maximilian Schrems v Data Protection Commissioner, Case C-362/14. Contrary to the Irish Data Protection Authority, the CJEU held that the European Commission’s decision of July 26, 2000, Decision 2000/520 (the “Safe Harbor Decision”), holding that the Safe Harbor Agreement ensured an adequate level of protection for EU citizens’ data transferred to the US neither eliminated nor reduced the power of national data protection authorities to find that transfers violated claimants’ rights under the EU Data Protection Directive or the Charter of Fundamental Rights of the European Union. The CJEU affirmed, however, that it had sole jurisdiction to decide whether a Commission decision or other EU act was valid.
The CJEU went on to invalidate the Safe Harbor Decision for failing to take into account that the Safe Harbor Agreement is not binding on US governmental authorities and that United States national security, public interest and law enforcement requirements prevail over the safe harbor scheme. Contrary to the Safe Harbor Decision, the CJEU found that in authorizing the storage of all personal data of EU citizens transferred to the United States, without any limits on access and use by public authorities, the Safe Harbor Agreement contravenes the principle of necessity in EU law. By allowing US governmental authorities unlimited access to the content of electronic communications, the Agreement also essentially compromises the right to respect for private life. In addition, the essence of the right to effective judicial protection is compromised by the Agreement’s failure to provide EU citizens with legal remedies for access to personal data or means for having data rectified or erased.
An additional ground on which the CJEU invalidated the Safe Harbor Decision was that it denied national supervisory authorities’ power to protect claimants’ privacy and fundamental rights and freedoms.
The CJEU’s press release is available at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
The Judgment is available here
Reacting to the Judgment, Edward Snowden tweeted, “Congratulations, @maxschrems. You’ve changed the world for the better.” US lawyer Brian Hengesbaugh, who was involved in negotiating the original safe harbor agreement, opined that, “The ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.” Dutch privacy lawyer Ot van Daalen said that, “For those who are willing to take on big companies, this ruling will have empowered them to act.”
Companies such as Facebook and Microsoft kept their services running on the assumption, supported by Frans Timmermans, the first vice president for the European Commission, that their services were protected by other agreements with the EU. In addition to voicing disappointment with the Judgment, US secretary of commerce Penny Pritzker said she would work with the European Commission to complete the new safe harbor agreement, which has been under negotiation for the past two years.
The Article 29 Working Party stated that the CJEU’s “milestone judgment” “confirms that due to in particular the existence of mass surveillance and the absence of possibility for an individual to pursue legal remedies in order to have access and to obtain rectification or erasure, serious questions exist regarding the continuity of the level of protection when data are transferred to the United States.” Due to the “major consequences on all stakeholders,” the Working Party will convene a first round of discussions between experts in Brussels this week and will shortly schedule an extraordinary plenary meeting.
Deputy Director David Smith of the UK Information Commissioner’s Office issued a statement saying, in part, that “It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions.” Mr. Smith voiced the understanding that “negotiations … between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement” were “well advanced.”
Although he stated that he would “look to see if there is an opportunity” for intervention with Saudi Arabia on behalf of Ali Mohammed Baqir al-Nimr, who is on death row for participating in anti-government protests in 2011 when he was 17, UK Prime Minister David Cameron told Channel 4 News that for him, “Britain’s national security and our people’s security comes first.” “We have a relationship with Saudi Arabia, and … [i]t’s because we receive from them important intelligence and security information that keeps us safe. There was one occasion since I’ve been prime minister where a bomb that would have potentially blown up over Britain was stopped because of intelligence we got from Saudi Arabia.”
October 5, 2015
Interviewed in Moscow for Peter Taylor’s film, “Edward Snowden: Spies and the Law,” broadcast on BBC One’s Panorama program, Edward Snowden stated that the US Justice Department had never contacted him about a plea deal, even though he’d offered to go to prison many times, so long as his sentence wouldn’t “serve as a deterrent to people trying to do the right thing in difficult situations.” Former NSA Director Michael Hayden responded, “If you’re asking me my opinion, he’s going to die in Moscow. He’s not coming home.”
Snowden explained the “Smurf Suite” programs that the GCHQ uses to hack into cell phones without their users’ knowledge, turn them on and off, and learn “who you call, what you’ve texted, the things you’ve browsed, the list of your contacts, the places you’ve been, the wireless networks that your phone is associated with. And they can do much more. They can photograph you.” One of the programs, “Paranoid Smurf,” makes it extremely difficult for technicians to detect GCHQ manipulation when users become suspicious and bring phones in for servicing.
The NSA is suspected of having programs similar to “Smurf Suite,” and Snowden characterized GCHQ as “to all intents and purposes a subsidiary of the NSA. They [the NSA] provide technology, they provide tasking and direction as to what they [GCHQ] should go after.”
September 29, 2015
The European Court of Justice announced that it will deliver its Judgment in Maximilian Schrems v Data Protection Commissioner, Case C-362/14, on October 6. While the Court usually delivers its Judgment three to six months after the Advocate General’s opinion, the Advocate General issued his opinion in the Schrems case on September 23.
For discussions of the case, see the March 24, June 10, July 1, and September 23 entries below and the June 18, August 1 and August 21 entries in our Chronicle for 2014 and our sections on Austrian, Irish, and CJEU legal challenges.
September 24, 2015
A campaign for “The International Treaty on the Right to Privacy, Protection Against Improper Surveillance and Protection of Whistleblowers,” otherwise known as the “Snowden Treaty,” was launched in New York City. Speaking at the event were David Miranda, who originated the idea of the treaty, his husband Glenn Greenwald, and Edward Snowden via videoconference. The treaty would require signatories to take measures to prevent dragnet intelligence, offer protection to whistleblowers, and provide periodic updates to the United Nations on compliance with treaty obligations. Although the treaty draft lacks a UN member sponsor, Mr. Miranda stated that he had spoken with representatives from countries which he did not name, and that several countries might publicly support the treaty within weeks.
A leaked working paper shows that despite concluding that it would be “technically feasible” for tech companies to use four possible approaches for providing law enforcement with access to encrypted communications, an Obama administration working group decided that none of the approaches should be advanced as “administration proposals” or even publicized. The working paper states that, “Rather than sparking more discussion, government-proposed technical approaches would almost certainly be perceived as proposals to introduce ‘backdoors’ or vulnerabilities in technology products and services and increase tensions rather [than] build cooperation.”
September 23, 2015
Advocate General of the European Court of Justice (“CJEU”) Yves Bot issued his opinion in the case brought against Facebook Ireland Ltd. by attorney and Europe v Facebook member Maximilian Schrems and referred to the CJEU by the Irish High Court, Maximilian Schrems v Data Protection Commissioner, Case C-362/14. The Advocate General held that under the EU Data Protection Directive, the European Commission’s decision of July 26, 2000, Decision 2000/520, that the Safe Harbor Agreement ensured an adequate level of protection for EU citizens’ data transferred to the US neither eliminates nor reduces the powers of national Data Protection Authorities to find to the contrary and therefore suspend transfers to the US. Mr. Bot went on to find that Decision 2000/520 was invalidated by the Irish High Court’s and Commission’s findings that the law and practice of the US allows the large scale collection of personal data transferred from the EU without affording EU citizens effective legal protection. Hence, the Decision does not comport with the EU Data Protection Directive or the Charter of Fundamental Rights of the EU. In addition, the Advocate General found that the Charter rights to respect for private life and to the protection of personal data were breached due to US intelligence services’ access to transferred data. The Charter right to an effective remedy was also breached because EU citizens are not able to raise questions about surveillance or the interception of their data in US courts. Due to the infringement of EU citizens’ fundamental rights, the Advocate General reasoned that data transfers to the US ought to have been suspended while the EU and US negotiated revisions to Safe Harbor.
Although influential, the opinions of Advocates General are not binding on the judges of the CJEU. After the CJEU’s judgment issues, the Irish High Court is to apply the ruling to the Schrems case.
By contrast to Mr. Schrems’ reaction that companies providing cloud services and processing EU citizens’ data might be compelled to invest in secure data centers in the EU, a Facebook spokesperson averred that the company “operates in compliance with EU Data Protection law. Like the thousands of other companies who operate data transfers across the Atlantic we await the full judgement.” The deputy chief executive of UK industry lobby group TechUK commented that, “The approach that Europe takes to how data flows in and out of the EU will impact the global ambitions of data-driven companies in the UK and right across Europe. Thousands of companies, employing tens of thousands of people in the UK alone, rely upon Safe Harbour every day.”
The CJEU’s press release is available at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf
The Advocate General’s opinion is available here
For discussion of the proceedings in Ireland, before the CJEU, and in a companion case brought by Schrems in Austria, see the March 24, June 10, and July 1 entries below and the June 18, August 1 and August 21 entries in our Chronicle for 2014. See also the discussions in our sections on Austrian, Irish, and CJEU legal challenges.
A top secret document obtained by NBC News, entitled “Tips for a Successful Quick Reaction Capability,” recounts that in response to President Bush’s request, the FISA Court authorized NSA surveillance of then-Iranian President Mahmoud Ahmadinejad and his entire 143-member delegation to the UN General Assembly in 2007. The spying extended to listening to thousands of conversations and learning the “social networks” of Iran’s leadership. A spokesperson for U.N. Secretary General Ban Ki-moon stated that although he could not confirm or deny that the spying had occurred, “We would expect every member state to respect the inviolability of communications to and from the United Nations, whether by phone or internet.” Ahmadinejad’s official translator in New York during the 2007 General Assembly session reacted that she was “not much surprised” by the report of the spying, but wondered how successful it could have been since every member of the Iranian team was aware of the possibility of surveillance and behaved accordingly.
Former intelligence analysts told NBC News that the NSA will probably spy on foreign leaders like Iranian President Hassan Rouhani during the current UN General Assembly session, including intercepting cellphone calls and monitoring conversations in hotel rooms.
Together with extensive English commentary, Netzpolitik.org published the full German text of the BND’s “VS-secret” classified strategy paper, “Strategic Initiative Technology,” together with attachments. The paper proposes that Germany invest 300 million euros from 2014-2020 in order to put its intelligence service on a par with those of the US, UK and France, warning that “[i]f the BND does not catch up capabilities on the state of the art, it is endangered to fall back behind countries like Italy or Spain, causing negative consequences for the knowledge exchange within the Community and the risk of isolation.”
See the August 4, 7 and 10 entries below for discussion of the forced ouster of German federal prosecutor Harald Range for his decision to investigate two Netzpolitik journalists for treason in connection with the publication of secret documents.
September 20, 2015
Newly declassified portions of a 746-page report from 2009 by six agencies’ inspectors general that was released in response to a Freedom of Information Act (“FOIA”) action by the New York Times provide additional information about Attorney General Ashcroft’s hospital bed refusal in March 2004 to certify that the Bush Administration’s Stellarwind program was lawful. Documents leaked in 2013 had indicated that the Attorney General objected to the bulk collection of data about Americans’ emails. The newly released documents show that the Justice Department also objected to the NSA’s bulk acquisition of domestic phone and internet metadata on the ground that President Bush’s secret directives had allowed metadata to be acquired only if it pertained to a specific message linked to terrorism or at least one end of the communication was foreign. The day after the confrontation with the Attorney General, President Bush “fixed” the gap by declaring that the NSA had been authorized all along to engage in bulk collection of domestic metadata, so long as analysts only looked at records linked to terrorism. The President also declared that his authorizations as Commander in Chief “displaced” FISA and criminal wiretapping laws. In response, however, to top Justice Department officials’ threat of mass resignation, the President agreed to limit the Stellarwind program to investigations of Al Qaeda, and not other types of international counterterrorism investigations.
The newly declassified portions of the report are available at http://www.nytimes.com/interactive/2015/09/21/us/21foia-stellarwind-report.html
September 17, 2015
In the first live interview ever given by a head of the UK’s home security agency MI5, Andrew Parker stated on the BBC’s Today program that advances in technology were enabling terrorists to communicate “out of the reach of authorities.” While stating that internet companies had an “ethical responsibility” to alert agencies to potential threats, Mr. Parker added that MI5 was not interested in “browsing the lives” of the public.
In his annual report on the operation of the UK’s Terrorism Acts 2000 and 2006, the Independent Reviewer of Terrorism Legislation, David Anderson QC, warned that proposed laws against extremism could provoke a backlash within Muslim communities. According to Mr. Anderson, “These issues matter because they concern the scope of UK discrimination, hate speech and public order laws, the limit that the state may place on some of our most basic freedoms, the proper limits of surveillance, and the acceptability of imposing suppressive measures without the protections of the criminal law. If the wrong decisions are taken, the new law risks provoking a backlash in affected communities, hardening perceptions of an illiberal or Islamophobic approach, alienating those whose integration into British society is already fragile and playing into the hands of those who, by peddling a grievance agenda, seek to drive people further towards extremism and terrorism.”
Mr. Anderson’s press release on the Report is available at https://terrorismlegislationreviewer.independent.gov.uk/
September 15, 2015
The intelligence and security committee of the UK Parliament named Conservative MP and former attorney general Dominic Grieve as its chair, to succeed Sir Malcolm Rifkind who departed after a cash-for-access scandal. Grieve has warned that opting out of the European Court of Human Rights would have disastrous consequences for the UK and that removing passports from UK-born citizens would violate UK common law and international law.
September 14, 2015
Following on the Judgments of the UK’s Investigatory Powers Tribunal (“IPT”) on December 5, 2014 and February 6, 2015 in Liberty and others vs. The Security Services, SIS, GCHQ, IP 13/77/H, Privacy International posted forms for individuals to submit in order to receive a determination from the IPT of whether the GCHQ unlawfully obtained their records from the NSA before December 2014.
The IPT’s Judgments of December 5, 2014 and February 6, 2015 in Liberty and others vs. The Security Services, SIS, GCHQ are available, respectively, at http://www.ipt-uk.com/docs/IPT_13_168-173_H.pdf and http://www.ipt-uk.com/docs/Liberty_Ors_Judgment_6Feb15.pdf, and are discussed in our posts on the Liberty et al challenge.
September 9, 2015
A panel of the United States Court of Appeals for the Second Circuit heard oral argument in Microsoft’s appeal of a ruling by Judge Preska of the federal district court for the Southern District of New York that the Stored Communications Act authorized a search warrant for a customer’s emails stored on a Microsoft server in Ireland.
See the discussions of the case in the April 25, June 10, July 31, August 13, September 2 and 10, November 19, and December 9, 15 and 23 entries in “International chronicle of surveillance events — 2014”
September 4, 2015
On August 31, non-profit French internet service providers French Data Network (FDN), the FDN federation (FFDN), and online rights group La Quadrature du Net brought two lawsuits asking France’s Council of State to make public and suspend a secret decree issued in 2008 that authorized massive interception by France’s foreign intelligence service, the Directorate General of Exterior Surveillance (DGSE), of internet communications entering or leaving French territory. The existence of the hitherto secret decree was revealed by the magazine l’Obs in July, and has not been denied by the government.
The challengers contend that the secrecy of the decree is inconsistent with the jurisprudence of the European Court of Human Rights. In accord with the French Constitutional Council’s decision in July invalidating the provisions for international surveillance in the new French surveillance law, the failure to provide real and detailed safeguards against abuses by the security services is claimed to render the decree unconstitutional.
See the July 24 entry below for discussion of the French Constitutional Council’s decision on the surveillance law.
September 2, 2015
Privacy International published a new report, “Demand/Supply: Exposing the Surveillance Industry in Colombia,” as a companion to the report on bulk surveillance published on August 31. The report shows that Colombian intelligence agencies purchased surveillance equipment from companies in the UK, US, Israel, Finland, New Zealand, and elsewhere. Among the purchases were IMSI catchers bought by the Directorate of Police Intelligence (DIPOL) from the New Zealand company Spectra Group. In 2014, the Colombian police had a contract with Hacking Team, which had a field engineer stationed in Colombia.
Privacy International’s press release and report are available, respectively, at https://www.privacyinternational.org/node/639 and https://www.privacyinternational.org/sites/default/files/DemandSupply_English.pdf
August 31, 2015
Privacy International published a report, “Shadow State: Surveillance, Law and Order in Colombia,” detailing how intelligence agencies in Colombia have been collecting vast amounts of data automatically without judicial warrants. One tool, the Integrated Record System that police intelligence built starting in 2005, has the capacity to monitor 3G cell and trunk lines throughout Colombia, capturing 100 million cell phone data records and 20 million text messages per day and allowing analysts to monitor conversations of selected targets. Much of the technology was built with the assistance of the US, which has provided billions of dollars in cash, training and equipment to Colombia over the past 15 years.
The Report is available at https://www.privacyinternational.org/sites/default/files/ShadowState_English.pdf
August 24, 2015
In an interview with The Guardian, the first UN special rapporteur on privacy, Joseph Cannataci, singled out the UK, rather than the US, as having the weakest oversight of surveillance in the western world, stating that “if your oversight mechanism’s a joke, and a rather bad joke at its citizens’ expense, for how long can you laugh it off as a joke?” Cannataci called for a Geneva type convention law to safeguard personal data and combat the risk of massive clandestine surveillance, and said that Snowden’s “revelations confirmed to many of us who have been working in this field for a long time what has been going on, and the extent to which it has gone out of control.” Cannataci was appointed special rapporteur after the German president of the UN Human Rights Council blocked the appointment of Katrin Nyman-Metcalf, ranked first by a “consultative group” of ambassadors from Poland, Chile, Greece, Algeria, chaired by Saudi Arabia, on the ground that she would not be sufficiently critical of US surveillance.
August 17, 2015
The United Nations intends to contact AT&T in response to The New York Times report of August 15 that it provided technical support to the NSA in wiretapping all Internet communications at UN headquarters. UN spokeswoman Vannina Maestracci said that when similar allegations arose in the past, U.S. officials had assured the United Nations “that they are not … monitoring our communications.” She stated that, “The inviolability of the United Nations is well established under international law and we expect member states to act accordingly and to respect and protect that inviolability.”
August 15, 2015
Documents leaked by Snowden and jointly analyzed by The New York Times and ProPublica show that from 2003 to 2013, AT&T was a particularly important partner of the NSA, described as “highly collaborative” and lauded for its “extreme willingness to help.” In 2013, the NSA budgeted more than twice as much for its AT&T partnership as for its next largest partnership with a telecommunications company.
“Within days” of the start of the Bush warrantless surveillance program in October 2001, AT&T turned over emails and telephone calls to the NSA, whereas the other telecommunications company involved in the program, MCI, did not turn over traffic until February 2002. In September 2003, AT&T became the first partner in the NSA’s attempt to mount a “ ‘live’ presence on the global net,” and in one of the first months of operation, provided the NSA with more than 400 billion Internet metadata records and “more than one million emails a day.” Corroborating the allegations of whistleblower Mark Klein in the Electronic Frontier Foundation’s ongoing Jewel lawsuit (see the posts on Hepting and Jewel in our Legal Challenges section), the documents show that AT&T provided the NSA with “peering” Internet traffic consisting of communications from other companies’ networks. For years before its similarly sized competitor Verizon began doing so in 2013, AT&T gave the NSA access to the contents of the large numbers of emails between people outside the United States transiting across its domestic networks, allowing surveillance equipment to be installed at many more of its Internet hubs on American soil, at least 17, than Verizon allowed. In 2012, AT&T complied with a FISA Court order for the wiretapping of all communications on the Internet service that it provided to United Nations headquarters.
The documents are available at http://www.nytimes.com/interactive/2015/08/15/us/documents.html
August 13, 2015
Swedish prosecutors announced that because the five-year statute of limitations had either run out today or would run out next Tuesday, three charges of sexual molestation and unlawful coercion against Wikileaks founder Julian Assange would be dropped. Sweden will continue, however, to investigate a charge of rape that was brought in 2010, for which the statute of limitations runs for five more years. Since 2012, Assange has been holed up in the Ecuadorian Embassy in London while UK police have been stationed outside and prepared to arrest him. From June 2012 to April 2015, this cost UK taxpayers 9.2 million pounds (about $14 million). While Assange has refused to travel to Sweden to be investigated out of fear of being extradited to the US to be tried for leaking diplomatic cables, Swedish officials claim not to have received any extradition request from the US and dismiss Assange’s fears as “hypothetical.”
A security researcher who goes by the single legal name of Sai provided The New York Times with an unredacted copy, which he obtained through a Freedom of Information Act (FOIA) request, of a May 28, 2014 Audit Report by the Postal Service Inspector General on the Postal Inspection Service Mail Covers Program. The Report contains the first disclosures about the use in national security investigations of the mail cover program, under which, at the behest of law enforcement officers, postal workers record names, addresses and other information on the outside of letters and packages before delivery to their intended recipients. The Inspector General found that “sufficient controls” were not in place to ensure that Postal Service policies on national security mail covers were followed, citing, in particular, failures to ensure that covers were collected only for specified time periods, that employees who handled covers had proper nondisclosure agreements in regard to classified materials in their files, and that law enforcement agencies returned documents to the Postal Inspection Service’s Office of Counsel within 60 days of the closing of a case.
An unredacted copy of the Postal Service Inspector General’s Audit Report is available at https://drive.google.com/file/d/0BzmetJxi-p0VOExOZGo2V1ktWHM/view?pli=1
August 12, 2015
An August 2010 letter from the Department of Justice to then-presiding Judge John Bates of the Foreign Intelligence Surveillance Court (FISC) indicates that the NSA used its bulk telephony metadata program to search for operatives from the government of Iran and its suspected allies, as well as Al Qaeda and its allies. Due to an unusual and likely inadvertent absence of government redaction before disclosure, the letter also indicates that AT&T, Sprint and various subsidiaries of Verizon Communications, including Verizon Wireless, were included in the list of companies that the FISC ordered to produce bulk telephony metadata in February 2010.
The inclusion of Verizon Wireless, which was then in partnership with UK firm Vodafone, is in tension with The Wall Street Journal’s report in June 2013 that Verizon Wireless and T-Mobile had not been subject to telephony metadata orders because of their foreign ownership stakes. The listing of Verizon Wireless seemingly also contradicts reports in The Wall Street Journal, New York Times, and Washington Post in 2014 that for technical reasons, the telephony metadata program only extended, for the most part, to landline phone records.
The letter was included in 350-odd pages of NSA Inspector General reports that the government released on August 11, 2015 in response to a Freedom of Information Act (FOIA) request by The New York Times.
The 350-odd pages of documents obtained through The New York Times’ FOIA request are available at http://www.nytimes.com/interactive/2015/08/12/us/nsa-foia-documents.html
August 11, 2015
In an interview with CBS News, US Secretary of State John Kerry said “it is very likely” that Russia and China were reading his emails, “and I certainly write things with that awareness.”
August 10, 2015
Germany’s acting chief federal prosecutor, Gerhard Altvater, announced that documents published by Netzpolitik.org detailing plans to increase German government surveillance of online communications did not constitute state secrets and that all treason charges against the blog’s journalists have therefore been dropped.
August 7, 2015
In an interview with German newspaper Frankfurter Allgemeine Zeitung, ex-German federal prosecutor Harald Range defended his actions in the treason investigation of two journalists from Netzpolitik.org. An external consultant hired by Range had concluded that the journalists had stolen state secrets, but the German Justice Ministry had replaced the consultant’s conclusions with its own comments. Criticizing Justice Minister Heiko Maas on the ground that “[t]o influence investigations because their possible results could be politically controversial is an intolerable encroachment on the independence of the judiciary,” Range stated that he had brought in an external consultant so as not to repeat the mistakes that the German Defense Ministry had made in the 1960s when it accused Der Spiegel journalists of stealing state secrets.
August 6, 2015
August 5, 2015
Following on Wikileaks’ publication last week of documents on NSA surveillance of high level Japanese government and corporate officials, Prime Minister Abe asked Vice President Biden to investigate the spying allegations. Japan’s Chief Cabinet Secretary Yoshihide Suga said that Abe told Biden over the phone, “If it is true that these Japanese individuals [named in the Wikileaks documents] were targeted, it could shake the relationship of trust in our alliance and I would have to express serious concerns.”
August 4, 2015
Germany’s top federal prosecutor Harald Range stated that the Justice Ministry had instructed him to halt an external assessment commissioned as part of investigating whether two journalists from news website Netzpolitik.org committed treason by revealing state secrets. The suspected state secrets were in two documents published on February 25 and April 15 detailing German government plans to request more money to expand online surveillance and to form a special unit to monitor social media in order to combat terrorism.
Last week, German Justice Minister Heiko Maas stated that it was important to defend the independence of the press and that he doubted that the publication of the documents had endangered Germany. Maas’ stance has been supported by Chancellor Angela Merkel and Interior Minister Thomas de Maiziere.
At a hastily convened press conference, German Justice Minister Heiko Maas announced that with the agreement of the Chancellery, he was requesting the early retirement of federal prosecutor Harald Range and had nominated Munich prosecutor Peter Frank as Range’s successor. Range, who is 67 years old, would otherwise have been scheduled to retire early next year.
Earlier in the day, Dunja Mijatovic, the representative on media freedom of the Organization for Security Cooperation in Europe, released a letter stating that, “The threat of being charged with treason has a clear general chilling effect on journalists engaged in investigative reporting.” The letter indicated that Mijatovic had complained to German Foreign Minister Frank-Walter Steinmeier about the Netzpolitik investigation.
July 31, 2015
Wikileaks released “top secret” NSA documents listing 35 Japanese government and corporate telephone numbers that the NSA targeted for interception over a period of at least eight years. The NSA reportedly intercepted internal Japanese government discussions on such issues as trade talks, climate change policy and nuclear and energy policy, and obtained the contents of a confidential briefing in Prime Minister Shinzo Abe’s residence. Bank of Japan officials and the fossil fuel departments at Japanese firms Mitsubishi and Mitsui were also wiretapped. The information was shared with the intelligence agencies of the other Five Eyes countries (the UK, Canada, New Zealand, and Australia).
Wikileaks’ press release is available at https://wikileaks.org/nsa-japan/; “top Japanese NSA targets” is available at https://wikileaks.org/nsa-japan/selectors.html; and “top Japanese NSA intercepts” is available at https://wikileaks.org/nsa-japan/intercepts/
July 30, 2015
NBC News claims to have exclusively obtained a secret NSA map purporting to locate over 600 corporate, private and government entities in the US that were “Victims of Chinese Cyber Espionage” from 2009-2014. The map, which an intelligence source told NBC News was prepared as part of a briefing by the NSA Threat Operations Center (NTOC) in February 2014, “suggests that NSA has been able to monitor and assess the Chinese cyber espionage operations, and knows which specific companies, government agencies and computer networks are being targeted.”
July 28, 2015
A table on data retention laws in individual EU countries in the wake of the Judgment of the European Court of Justice on April 8, 2014 in Digital Rights Ireland was posted at http://mslods.com/2015/07/28/update-on-how-the-west-is-backing-away-from-data-retention/
July 26, 2015
Michael Chertoff, secretary of the Department of Homeland Security during the last Bush administration, and General Michael Hayden, the former head of the CIA and the NSA, have both criticized FBI Director James Comey’s call for a backdoor into encrypted communications.
July 24, 2015
In a decision allowing major portions of a law authorizing broad surveillance of terrorism suspects to come into effect, France’s Constitutional Council ruled that the French constitution was not violated by requiring telecommunications firms to allow the intelligence services to install electronic “lock-boxes” to record metadata from all Internet users in France. While requiring the data to be anonymized, the law allows the data to be mined to detect suspicious behavior, and provides for intelligence agents to make follow up requests to an independent panel for surveillance that can identify users. The Council also approved the bill’s provisions for government monitoring of the emails and phone calls of suspected terrorists without prior authorization from a judge and for the installation of microphones, cameras, and keystroke loggers in suspected terrorists’ homes.
In the first request by a French president for judicial pre-approval of a law, President François Hollande had asked the Constitutional Council to review the bill, which was enacted in June, before it went into effect. Among the three provisions of the law that the Council struck down were permission for the government to intercept any communications sent or received overseas and permission for the intelligence services to initiate surveillance without authorization from the prime minister when faced with “urgent threats.”
On the second day of the IPT hearing on the cases brought by MPs Lucas and Baroness Jones and former MP Galloway, James Eadie QC stated for the government that the Wilson Doctrine “simply cannot work sensibly” when bulk interception is taking place, and claimed that the Doctrine does not have the force of law and cannot constrain the intelligence agencies’ operations. While conceding that the MPs’ communications might have been intercepted as part of the bulk interception authorized under the Regulation of Investigatory Powers Act (RIPA), Mr. Eadie stated that “there is so much data flowing along the pipe” that it is not examined at the point of interception. “The interception at that stage isn’t in any event objectionable, if one stands back and takes a broad view of the Wilson doctrine: it isn’t intelligible at the point of interception.”
The government also told the IPT that MI5’s, MI6’s and GCHQ’s internal policies did not require them to inform the Prime Minister when parliamentarians’ communications were intercepted.
Following revelations that the GCHQ had changed its internal guidelines in March so as to exempt members of the devolved parliaments of Scotland, Wales and Northern Ireland and the European Parliament from the Wilson Doctrine’s protections, First Minister of Scotland Nicola Sturgeon wrote asking Prime Minister David Cameron for urgent clarification, stating that surveillance on Members of the Scottish Parliament should take place only in “truly exceptional circumstances involving national security.” The presiding officer of the Scottish parliament, Tricia Marwick, also wrote to ask Cameron for “urgent clarification,” stating that the Scottish Parliament should be consulted about any change in GCHQ’s policies. In the UK House of Commons, shadow Scottish secretary, Labor MP Ian Murray, asked the prime minister to confirm or deny whether Members of the Scottish, Welsh or European Parliaments had been spied on, and to confirm that GCHQ’s rules had changed. Andrew Davies, leader of the Welsh Conservatives, Kirsty Williams, leader of the Welsh Liberal Democrats, Simon Thomas, a Plaid Cymru assembly member and former MP, and Anthony Slaughter, deputy leader of the Wales Green party, voiced concerns about the privacy of communications between members of the Welsh Parliament and their constituents.
July 23, 2015
The UK’s Investigatory Powers Tribunal (“IPT”) began a public two-day hearing on Green Party MPs Caroline Lucas and Baroness Jenny Jones’ complaint and a joined, separate complaint by former Respect MP George Galloway alleging that the intelligence services very likely intercepted their telecommunications under the Tempora bulk surveillance program. The MPs seek a declaration that the Wilson Doctrine, which prohibits the interception of MPs’ telecommunications absent a major national emergency and requires the Prime Minister to report changes in the intelligence services’ policies to Parliament, has the force of law, and that the intelligence agencies’ surveillance of MPs’ communications violated the European Convention on Human Rights.
At the hearing, hitherto secret documents revealed that MI5, MI6 and GCHQ had changed their internal policies on surveillance of parliamentarians eight times in the past 12 months. The rewriting began after the filing of MPs Lucas and Jones’ challenge.
The hearing followed revelations last month that prison staff had recorded 3,150 prisoner calls to MPs and downloaded 280 for playback since 2006. Chief Inspector of Prisons Nick Hardwick said that most calls had been listened to “in error.”
In its first review of the UK since 2008, the United Nations’ Human Rights Committee voiced concerns about, among other things, UK policies on the detention of terrorist suspects and the seizure of passports of terrorist suspects suspected of planning to travel abroad. The Committee was also “concerned that the current legal regime … allows for mass interception of communications and lacks sufficient safeguards against arbitrary interference with the right to privacy,” pointing to RIPA’s lower legal safeguards for “external” than “internal” communications and to “the lack of sufficient safeguards for obtaining private communications from foreign security agencies and for sharing personal communications data with such agencies.” It recommended revising the 2014 Data Retention Investigatory Powers Act (“DRIPA”) “to ensur[e] that access to communication data is limited to the extent strictly necessary for the prosecution of the most serious crimes and dependent upon prior judicial authorization.”
The UK Home Office responded that, “We believe the UK’s counter-terrorism legislation strikes the right balance between privacy and security and has, where appropriate, been upheld by the European court of human right. At a time of very significant threat, it is vital police have the powers they need to protect the British public.
“In addition, we are currently drawing up our legislative proposals on investigatory powers. These will build on the independent reports produced by David Anderson QC, independent reviewer of terrorism legislation, [as well as] the intelligence and security committee of parliament and the Royal United Services Institute. A draft bill will be published in the autumn.”
The Committee’s “Concluding observations on the seventh periodic report of the United Kingdom of Great Britain and Northern Ireland” can be downloaded at http://tbinternet.ohchr.org/_layouts/treatybodyexternal/Download.aspx?symbolno=CCPR%2fC%2fGBR%2fCO%2f7&Lang=en
July 21, 2015
According to an article in The New York Times, “The Islamic State has … studied revelations from Edward J. Snowden … about how the United States gathers information on militants. A main result is that the group’s top leaders now use couriers or encrypted channels that Western analysts cannot crack to communicate, intelligence and military officials said.”
The article is available here
July 16, 2015
In response to a letter that the Chairman of the Senate Judiciary Committee, Senator Chuck Grassley of Iowa, sent in April, the DEA admitted on July 14 that it had spent $927,000 on Italian surveillance firm Hacking Team’s Remote Control System (RCS) software since 2012, but stated that it had canceled its contract several months ago. The DEA claimed to have used RCS on 17 devices in one foreign country, but said the tactic worked only once, due to “technical difficulties with the software.” The letter to Grassley stated that, “Having encountered evidence collection challenges in a number of foreign investigations, and without the resources to internally develop its own technical solution, DEA sought to lawfully acquire a commercially-available tool that would allow for remote, overseas deployment of communication monitoring software on foreign-based devices used by foreign-based traffickers and money launderers.”
Grassley sought the same information from the FBI and Defense Department in a letter to the FBI on July 15, stating that the government may have broken a 2007 law, the Sudan Accountability and Divestment Act, forbidding business with companies engaged in restricted businesses with Sudan, such as selling military equipment. Grassley wrote, “It is troubling that the leaked documents also revealed Hacking Team’s business relationships with a number of repressive regimes around the world, including Sudan. While it is vital that U.S. law enforcement and our military have the technological tools needed to investigate terrorists and criminals in order to keep the public safe, it is also important that we acquire those tools from responsible, ethical sources who are acting in accordance with the law.”
See the July 7, 8 and 10 entries below on Hacking Team.
July 14, 2015
The Royal United Services Institute (RUSI) think tank delivered the conclusions to the UK Prime Minister of its year-long review of surveillance undertaken at the behest of then-Deputy Prime Minister Nick Clegg. RUSI’s Report, “A Democratic Licence to Operate,” calls for overhauling the UK “legal framework authorising the interception of communications,” finding that the current law “is unclear, has not kept pace with developments in communications technology, and does not serve either the government or members of the public satisfactorily.” In addition, the Report calls for senior judges to authorize interception for the purposes of preventing and detecting serious crimes and for judicial scrutiny of warrants signed by Secretaries of State for national security purposes. The Report found no evidence that “the British government knowingly acts illegally in intercepting private communications, or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens.”
Former heads of MI5 Jonathan Evans, MI6 Sir John Scarlett, and GCHQ Sir David Omand were on the RUSI panel that conducted the review.
RUSI’s press release and a downloadable report are available at https://www.rusi.org/news/ref:N55A40513857F8/#.Va6ZZEW6mhT
July 13, 2015
Documentary filmmaker Laura Poitras filed a FOIA (Freedom of Information Act) lawsuit in the United States district court for the District of Columbia in regard to the routine secondary security screening and/or the detention and questioning of her at US airports during international and domestic travel. Ms. Poitras was a primary recipient of documents from Snowden in 2013, and her documentary about him, “Citizenfour,” won an Academy Award in 2015. The complaint alleges that the enhanced screening began in July 2006 when Ms. Poitras was travelling to a film festival in Jerusalem for the showing of her documentary on the US occupation of Iraq, “My Country, My Country.” The extra screening ended in April 2012 after journalists submitted a petition protesting Ms. Poitras’ treatment to the Department of Homeland Security and Glenn Greenwald published an article in salon.com.
The New York Times’ article on the screening is available here
The legal complaint is available at https://www.eff.org/files/2015/07/13/01_poitras_complaint.pdf
Mr. Greenwald’s 2012 article is available at http://www.salon.com/2012/04/08/u_s_filmmaker_repeatedly_detained_at_border
July 10, 2015
Wikileaks published over a million searchable emails from the hack of Italian surveillance firm Hacking Team.
Although Canada’s Royal Canadian Mounted Police (RCMP) ultimately decided against a purchase, they met with Hacking Team representatives in Ottawa in 2011 to discuss purchasing its Galileo remote control service (RCS) software in order to intercept phone calls, text messages, passwords, and app data from Android and Blackberry phones. RCMP was also interested in, but decided not to purchase, Hacking Team’s remote mobile infection (RMI) tools, injection proxy appliance (IPA) and access to the company’s exploit portal, which are used to infect targets with spy software over the Internet. RCMP invited Canada’s partner in the Five Eyes Alliance, the Canadian Security Intelligence Service (CSIS), to the meeting, but when questioned about the meeting, CSIS spokesperson Tahera Mufti stated that, “CSIS does not confirm nor deny any details with respect to our methodologies, interests, or activities.”
On June 16, 2015, the EU’s Article 29 Working Party adopted “Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilization of Drones,” advising that national and EU regulators promulgate specific rules for the use of drones and that the packaging on small drones be required to include information about potential intrusiveness and EU and national law on privacy and the protection of personal data. The Opinion also recommends that the use of drones for law enforcement purposes be subject to judicial review and that law enforcement not be allowed to use drones for constant tracking of individuals’ locations.
The Working Party’s Opinion is available at https://www.huntonprivacyblog.com/files/2015/06/wp231_en.pdf
July 9, 2015
The UN appointed Joseph Cannataci, the chair of European Information Policy and Technology Law at the University of Groningen in The Netherlands, as its first special rapporteur on the right to privacy.
The official announcement is available at http://www.ohchr.org/EN/HRBodies/SP/Pages/HRC29.aspx
July 8, 2015
A leaked spreadsheet from May 2015 shows that Hacking Team sold its technology to 23 intelligence agencies, 30 law enforcement agencies, and 11 institutions listed as “other,” where “other” included the DEA, the Egyptian Ministry of Defense, and the United Arab Emirates Intelligence Agency. Total client revenues from government clients were 40,059,308 euros ($44,358,072). Since 2008, as many as 6,550 devices may have been infected with Hacking Team’s premier product, Remote Control Systems, which is capable of siphoning off a target’s emails, social media messages, and Skype calls.
Hacking Team spokesperson Eric Rabe stated that the release of the source code for Remote Control Systems (RCS) on the Internet had created a “major threat” and “extremely dangerous situation” in which “anyone” including “terrorists, extortionists” and criminals could create their own versions of its RCS and hack and monitor whomever they chose. Experts stated, however, that criminals already had access to many software tools similar to RCS, and that the release of the RCS source code would enable antivirus teams to update their software to detect Hacking Team’s spyware, requiring hackers who obtained the source code to repurpose and modify RCS in response. Hacking Team’s unnamed hacker, who told Motherboard that he was also responsible for breaching its competitor Gamma Group last year, stated that, “No hackers will use RCS except to play around for amusement, there are much better tools already available. The value of RCS was in tailoring its capabilities to law enforcement requirements, and in the support contracts and training hacking team provided.”
Wikileaks released three NSA reports on intercepts of Chancellor Angela Merkel’s communications, including a 2009 report on her views on the international financial crisis that outlined her concerns about the impaired assets of banks and her disagreement with the US Federal Reserve’s approach.
July 7, 2015
On July 5, a hacker obtained and released to the Internet 400 GB of emails and other internal files from Hacking Team, an Italian surveillance firm whose technology infects smartphones and computers with malware enabling the covert recording of conversations and the theft of data. In recent years, the company’s top sales have been from governments and law enforcement agencies in the following countries, in descending amounts of sales: Mexico, Italy, Morocco, Saudi Arabia, Chile, Hungary, Malaysia, UAE, the United States, Singapore, Kazakhstan, Sudan, Uzbekistan, Panama, Ethiopia, Egypt, Luxembourg, Czech Republic, South Korea, Mongolia, Vietnam, Spain, Ecuador, Oman, Switzerland, Thailand, Russia, Nigeria, Turkey, Cyprus, Honduras, Azerbaijan, Colombia, Poland, and Bahrain.
The DEA (Drug Enforcement Agency) has deployed Hacking Team spyware from the US embassy in Bogota, Colombia and is using other Hacking Team products to conduct dragnet Internet surveillance in Colombia.
UK law enforcement agencies expressed interest in purchasing Hacking Team technology, but were prevented from doing so by concerns about the legality of using it.
Emails from 2011 in which UK law enforcement agencies expressed eagerness to purchase the technology, but said there were legal concerns, are available at https://www.documentcloud.org/documents/2159874-uk-hacking-team-legal-concerns.html
In an unusual step, three members of the UK’s all-party parliamentary group on drones, UK Conservative MP David Davis and Labor MPs David Anderson and Richard Burgon, asked the director of public prosecutions, Alison Saunders, to clarify how to respond to The Guardian and New York Times’ allegations about the assistance that the GCHQ provided to the US in the location of targets for extrajudicial drone strikes. The MPs’ letter to the DPP follows on numerous calls for the UK government to reveal the nature and extent of the cooperation between UK and US intelligence agencies and the policies in place to protect UK agents from legal action. Some UK lawyers stated that the GCHQ agents who assisted in US extrajudicial drone strikes could be charged as accessories to murder.
See the June 24 entry below for discussion and links to articles concerning the GCHQ’s assistance in drone strikes.
Fourteen pre-eminent cryptographers, computer scientists and security specialists released a paper that The New York Times called “the first in-depth technical analysis” of UK and US government proposals for the creation of backdoors that would provide them with “exceptional access” to encrypted communications. Rejecting the proposals, the group contended that as shown by recent breaches of government agency databases, US and UK authorities cannot be trusted to keep encryption keys safe from hackers and criminals. In addition, US and UK mandates for backdoors would lead to similar mandates by the Chinese and other governments.
In 1997, the group pointed to technical risks and practical shortcomings in the Clinton administration’s proposal, which ultimately failed to be enacted, for the implantation of chips in technology products to ensure government access to encrypted communications. The current paper, which results from the group’s convening for the first time since 1997, argues that the potential harm from government circumvention of encryption is even greater today, with the rapid move on line of financial and medical data and critical systems, such as pipelines, nuclear facilities, and the power grid.
The sole UK author of the group is University of Cambridge Professor Ross Anderson.
The paper is available at http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=6
July 4, 2015
Wikileaks claimed that a top secret list that it published of 29 Brazilian government phone numbers that the NSA targeted for intensive interception casts doubt on the confidence that US spying on Brazil has ended, which President Dilma Rousseff expressed during a recent White House visit. The targets on the list also suggest that the NSA engaged in economic espionage. The cell phone of Brazil’s Minister of Foreign Affairs from 2013 to 2015, who is now its Ambassador to the US, and phone numbers for Brazil’s ambassadors to Germany, France, the EU, and Geneva were also targeted.
Julian Assange’s legal team said that it was incorrect to characterize his open letter to President Hollande as a plea for asylum.
Prominent French figures, including soccer legend Eric Cantona and economist Thomas Piketty, have urged that Assange be offered asylum.
July 3, 2015
Julian Assange published an open letter on the website of Le Monde to French President François Hollande, who responded by denying the letter’s request for asylum.
The letter is available (in French) at http://www.lemonde.fr/idees/article/2015/07/03/julian-assange-monsieur-hollande-accueillez-moi-en-france_4668919_3232.html
Wikileaks posted a classified US intelligence report based on intercepted communications between Chancellor Angela Merkel and President Nicolas Sarkozy, as well as other German and French officials, about cooperating on the drafting of an EU treaty to prevent financial crises. The intercepts were gathered by the SCS (Special Collection Service), a joint NSA and CIA collection program, in which NSA employees working under diplomatic cover conduct foreign surveillance from US embassies. This is the first time that material based on SCS intercepts has been leaked.
Wikileaks’ press release is at https://wikileaks.org/nsa-germany/
The documents are available at https://wikileaks.org/nsa-germany/intercepts/#intercept3
In the summer of 2011, the CIA’s station chief in Berlin told Günter Heiss, the head of Department Six, which is responsible for coordinating Germany’s intelligence services, that his deputy, Hans Josef Vorbeck, was sharing official information with Spiegel reporters. Vorbeck, who had been responsible for counterterrorism, was transferred to a post in a department dealing with the history of the BND. Although a small circle within the Chancellery concluded that the CIA tip was based on the wiretapping of Vorbeck’s conversations, they did not reveal the suspected wiretap to the Bundestag’s Parliamentary Control Panel responsible for oversight of the German intelligence services or to the Office for the Protection of the Constitution, which is responsible for counterintelligence. On November 9, 2011, the Chancellery responded to the chairman of the Parliamentary Control Panel’s questions as to why “a reliable coordinator in the fight against terrorism [like Vorbeck] would be shifted to a post like that,” by saying that the move was necessitated by cutbacks and the need for Vorbeck to work on an historical appraisal of the BND.
In May 2015, Bild am Sonntag reported that a Chancellery official had been sidelined “in the wake of evidence of alleged betrayal of secrets through US secret services.” On July 1, the Parliamentary investigatory committee into the NSA’s activities in Germany questioned Günter Heiss and his former supervisor, Merkel’s former Chief of Staff Ronald Pofalla.
On July 3, Spiegel filed a complaint with the German Federal Prosecutor about intelligence agency activity and violations of German data protection law.
July 2, 2015
Wikileaks published UK intelligence reports, labeled “two levels above top secret,” based on intercepted phone calls by top German ministers, public officials and Merkel’s personal assistant about the Greek financial crisis in 2011. The reports were shared with the NSA and, in some cases, with the other Five Eyes countries (Canada, New Zealand, and Australia).
The director of Amnesty International USA’s Security and Human Rights program, Naureen Shah, raised ten questions about the IPT’s acknowledgment that the statements in its June 22, 2015 Determination about the GCHQ’s violations of the rights of The Egyptian Initiative for Personal Rights in fact pertained to the violation of Amnesty International’s rights. Ms. Shah was particularly concerned as to whether the GCHQ had shared Amnesty’s intercepted communications with the US and with countries where Amnesty had alleged there were human rights abuses.
July 1, 2015
In an email, the IPT informed the parties in Liberty & Others vs. the Security Service, SIS, GCHQ, IPT/13/77/H, that its Determination of June 22 had mistakenly identified The Egyptian Initiative for Personal Rights, instead of Amnesty International Ltd, as the complainant whose rights under Article 8 of the ECHR were violated by the retention of its communications for a “materially longer” time period than GCHQ’s internal policies allowed. In a press release, Amnesty International called “for an independent inquiry into how and why a UK intelligence agency has been spying on human rights organisations,” stating that, “Today’s revelations underscore the urgent need for significant legal reform, including proper pre-judicial authorisation and meaningful oversight of the use of surveillance powers by the UK security services.”
The IPT’s email to the parties is available at http://www.ipt-uk.com/docs/IPT_to_Liberty_Others.pdf
Amnesty International’s Press Release is available at http://www.amnesty.org.uk/press-releases/surveillance-uk-government-spied-on-amnesty-international
Wikileaks published a protocol or memorandum allegedly intercepted by the NSA that relayed a conversation between Chancellor Angela Merkel and an unidentified adviser in 2011 about options for Greek debt relief, and a document allegedly intercepted by the NSA from Merkel’s top aide for European affairs that was shared with UK intelligence and revealed the German negotiating position with Greece. A list of 69 telephone numbers said to belong to members of the German government and their aides indicated that the NSA had been eavesdropping on the German government as early as the 1990s. According to The New York Times, “The files seem to contain little new information, but if authentic, they would appear to be the first solid evidence that the N.S.A. eavesdropped on Ms. Merkel ….”
The New York Times article is available here
The documents posted by Wikileaks are available at https://wikileaks.org/nsa-germany/intercepts/
In the class action brought against Facebook Ireland Ltd. by attorney and Europe v Facebook member Maximilian Schrems, the Viennese Regional Court (“Landesgericht”) held that it had no jurisdiction over the “class action” because Schrems used at least one of his Facebook accounts for professional purposes and therefore was not a consumer. Europe v Facebook intends to appeal the determination of no jurisdiction to the Higher Regional Court (“Oberlandesgericht”).
June 30, 2015
During a visit to the White House, President Dilma Rousseff of Brazil said that the anger at revelations that the NSA had hacked into her cellphone and private email, which caused her to cancel a state visit in 2013, had been dissipated by President Obama’s assurance that the spying had ended.
Documents posted by Wikileaks show that the NSA spied on approximately 100 French companies, including almost all of the companies on the Paris stock market’s list of the top forty equities. Principal targets of surveillance were deals valued at more than $200 million and telecommunications, electricity, gas, oil, nuclear and renewable energy, and health projects. Pierre Moscovici, former minister of the economy under President François Hollande and now a European commissioner, and François Baroin, minister for the budget and then for the economy under Nicolas Sarkozy, were both targeted. France responded to the revelations by summoning the US ambassador, prompting a conciliatory phone call from President Obama to President Hollande.
June 25, 2015
While stating that it would be up to the French Prime Minister and President to make the decision, French Justice Minister Christiane Taubira told CNN affiliate BFMTV that she “wouldn’t be surprised” if France offered Edward Snowden and Julian Assange asylum.
Based on documents released by Wikileaks, French newspaper Libération reported that spying equipment was hidden behind trompe l’oeil paintings of windows in the top floor of the US embassy in Paris. Two cables – dealing with then-president Sarkozy and his predecessor Chirac – were marked “USA, AUS, CAN, GBR, NZL”, suggesting that the material was intended to be shared with the intelligence services of all the Five Eyes countries.
The French government reacted with what The New York Times termed “carefully calibrated anger” to the publication of documents showing that the N.S.A. engaged in electronic surveillance of French government officials from 2006 to 2012. After speaking to President Obama, President Hollande said he had been assured that the spying had been discontinued. According to The New York Times, “The modulated reaction suggested that the surveillance, by the National Security Agency, was not a surprise and several French lawmakers and officials said as much, even noting that it was part of the diplomatic game.”
June 24, 2015
GCHQ documents leaked by Snowden to The Guardian and reported on in collaboration with The New York Times discuss how a program codenamed “Overhead” supported a fatal drone strike in Yemen in 2012 and developed location-tracking capacities in Yemen and Pakistan. Overhead is based on satellite, radio and phone collection of intelligence, and although it began as a US operation, the US and UK have collaborated on it for decades and have more recently been joined by Australia. Among the documents is a legal briefing from 2009 advising GCHQ personnel that because the Operation Enduring Freedom rules governing US forces in Afghanistan are less restrictive than the Nato-led International Security Assistance Force rules governing UK personnel, it may be illegal for GCHQ staff to share intelligence. Commenting on the revelations, UK Conservative MP David Davis stated that, “It’s no good the government hiding behind its standard security line that they never comment on security matters. The phrase extra-judicial killing is a euphemism. What we are talking about here is murder. … It is important the government makes plain: what are the limitations it puts on the use of its intelligence, and under what statutes and on whose approval this information is shared?”
The New York Times article is available here
France enacted a law under which instead of obtaining judicial warrants, security officials will be permitted to use phone taps, cameras, hidden microphones, and other spying devices on the approval of a newly created supervisory body dedicated to issuing such approvals. In exceptional circumstances, the law permits surveillance agencies to use IMSI catchers to record all phone, internet or text-messaging conversations in an area.
In response to the revelations about NSA spying on French government officials, President Francois Hollande convened an emergency meeting with France’s top security officials. The US Ambassador to France was summoned to the French foreign ministry.
An analysis for BBC News states that the documents Wikileaks published about NSA spying on the French government do not contain any “earth-shattering” information, and “[m]ost of [the information the NSA obtained] could have been gleaned by diplomats at the US embassy simply doing their job…. The impression given is of an agency scooping up indiscriminate quantities of information, and for little benefit.”
June 23, 2015
Top-secret NSA documents released by Wikileaks and published by the French news website Mediapart and the newspaper Libération show that from 2006 to 2012, the NSA tapped the phones of senior French diplomats, civil servants and politicians, including Presidents François Hollande, Nicolas Sarkozy and Jacques Chirac.
The documents are available at https://wikileaks.org/nsa-france/
June 22, 2015
In the challenge brought by Privacy International, Liberty and other NGOs against the GCHQ’s Tempora program and its sharing of communications from the NSA’s Prism and upstream collection programs, the Investigatory Powers Tribunal (IPT) determined that the rights under Article 8 of the ECHR of The Egyptian Initiative for Personal Rights were violated by the retention of its communications for a “materially longer” time than allowed under GCHQ internal policies. The IPT also found that the Article 8 rights of The Legal Resources Centre, South Africa were violated because the GCHQ breached its own policies when it selected the Centre’s communications for examination. The IPT refused, however, to award either the Egyptian or the South African NGO damages, finding that neither had “suffered any material detriment, damage or prejudice as a result of the breach.”
The IPT made “no determination” in favor of claimants Liberty, Privacy International, the American Civil Liberties Union, Canadian Civil Liberties Union, Hungarian Civil Liberties Union, Irish Council for Civil Liberties, Amnesty International Ltd, or Bytes for All. In accord with the IPT’s limited recognition of a duty to disclose, the “no determinations” could mean either that the NGOs were not subject to surveillance or that they were subject to surveillance but the surveillance was lawful.
As indicated below, on February 17, 2015, Privacy International posted a petition for the purpose of enabling individuals to learn whether before December 2014, the GCHQ had illegally obtained their communications from the NSA’s Prism and Upstream programs. However, by stating that its determination of June 22, 2015 “addressed … the only matters left” after the Judgments of December 5, 2014 and February 6, 2015, the IPT implied that individuals will not be afforded a determination of whether their rights were violated.
The IPT’s Open Determination is available at http://www.ipt-uk.com/docs/Final%20_Liberty_Ors_Open_Determination.pdf
In response to the draft embargoed version of its Determination that the IPT sent to the parties on June 18, Liberty, The Egyptian Initiative for Personal Rights, the American Civil Liberties Union, Canadian Civil Liberties Union, Hungarian Civil Liberties Union, Irish Council for Civil Liberties, and The Legal Resources Centre, South Africa requested further information from the IPT about the GCHQ’s interception, selection, examination, transmission, and retention of the email communications and associated metadata of The Egyptian Initiative for Personal Rights and The Legal Resources Centre, South Africa. In addition, the claimants asked to be notified of the laws and policies on which the GCHQ relied.
Liberty, et al’s letter requesting further information is available at http://www.lrc.org.za/images/pdf_downloads/Court_papers/2015/IPT_22.6.15.pdf
The Intercept published documents revealing that the GCHQ’s Joint Threat Research Intelligence Group (JTRIG) is involved in UK domestic law enforcement, including collaborating with London’s Metropolitan Police, the Serious Organised Crime Agency (SOCA), Border Agency, Revenue and Customs (HMRC), and National Public Order and Intelligence Unit (NPOIU). JTRIG specializes in deploying behavioral science research for propaganda and other online deceit and manipulation tactics. A released document states that key JTRIG functions include “providing intelligence for judicial outcomes,” “conducting online HUMINT” to monitor “domestic extremist groups such as the English Defence League,” “denying, deterring or dissuading” criminals and “hacktivists,” and “deterring, disrupting or degrading online consumerism of stolen data or child porn.”
Documents leaked by Snowden show that the NSA and GCHQ reverse engineered software products and monitored web and email traffic in order to thwart anti-virus software and obtain intelligence about security software and its users. A particular target was Moscow-based Kaspersky Labs, which is registered in the UK and claims that it has over 270,000 corporate clients and protects more than 400 million people with its products. Among anti-virus firms, Kaspersky has done the most to expose government malware.
A warrant renewal request by GCHQ in 2008 states that “[p]ersonal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [Computer Network Exploitation] capability and SRE [software reverse engineering] is essential in order to be able to exploit such software and to prevent detection of our activities.” GCHQ sought the warrant on the ground that reverse engineering would otherwise be “unlawful” and amount to “a copyright infringement or breach of contract.” The warrant is the first time that Section 5 of the UK’s 1994 Intelligence Services Act is known to have been applied to allow interference with intellectual property.
The NSA has also monitored other foreign anti-virus companies, but not the US McAfee or Symantec brands or the UK company Sophos, for reports of new vulnerabilities and malware. An NSA presentation from 2010 on “Project CAMBERDADA” states that the TAO (Tailored Access Operations) Unit “can repurpose the malware.”
Security software is an extremely important target for the NSA and GCHQ because it is typically more trusted by operating systems than other applications, and the elevated privileges with which it runs provide more vectors for surveillance and attack. According to Joxean Koret, a researcher with Singapore-based information security consulting company Coseinc, “Anti-virus products, with only a few exceptions, are years behind security-conscious client-side applications like browsers or document readers. It means that Acrobat Reader, Microsoft Word or Google Chrome are harder to exploit than 90 percent of the anti-virus products out there.”
June 16, 2015
An article in The Guardian opines that UK intelligence chiefs have accepted the need for increased oversight of surveillance and likely welcomed the recent report by David Anderson QC, the independent reviewer of terrorism legislation, including Mr. Anderson’s call for judicial, rather than ministerial, approval of warrants. Home secretary Theresa May, foreign secretary Philip Hammond, and justice secretary Michael Gove may disagree with the intelligence chiefs and insist that the power to approve warrants remain with ministers, leading to a challenge on this issue before the European Court of Human Rights. The article cites the discussions at the recent Ditchley Foundation conference, described in the May 25 entry below, as evidence of intelligence officials’ changed attitude.
The article can be found here
June 15, 2015
Reporter Ryan Gallagher posted a critique of The Sunday Times article described in the June 14 entry, including an analysis of an interview with CNN in which the article’s lead author, Tom Harper, was unable to provide any support for its conclusions beyond blind reliance on anonymous officials’ assertions.
June 14, 2015
Citing unnamed “senior officials in Downing Street, the Home Office and the security services”, The Sunday Times (London, England) reported that Snowden had provided Russia with access to more than 1 million encrypted files. China had also gained access to encrypted files from Snowden, and the information gained by China and Russia had forced MI6 to pull agents out of operations in hostile countries. “A senior Downing Street source” told The Sunday Times that, “It is the case that Russians and Chinese have information. It has meant agents have had to be moved and that knowledge of how we operate has stopped us getting vital information.” The source stated, however, that, “There is no evidence of anyone being harmed.” A “senior Home Office source” said, “Why do you think Snowden ended up in Russia? Putin didn’t give him asylum for nothing.”
Privacy campaigners, including Liberty, Privacy International, and UK MP David Davis, noted that The Sunday Times article relied on anonymous sources and did not provide any factual support for its assertions about Snowden’s provision of files to the Russians and Chinese or the harm he caused. Questions were also raised about whether the allegations in The Sunday Times were timed to distract attention from the severe criticisms of UK oversight of intelligence and security agencies in the report that the independent reviewer of terrorism legislation, David Anderson QC, issued on June 11. Despite stating that he did not “approve of what Snowden did,” former cabinet minister Andrew Mitchell said that the story was undoubtedly published because of Mr. Anderson’s report. Mr. Mitchell added that, “we have to be very careful of the argument ‘listen sonny, we know what you don’t know and therefore you should do what we say’. That is not a good argument; we need to have a proper debate about all of this.” He also claimed that during recent trips to Washington, D.C., he had seen “a massive change of view in the United States … [and] that has resulted from Snowden, whether you like it or not.”
Glenn Greenwald called The Sunday Times article and the uncritical acceptance of its allegations by many British and American journalists “one of the purest examples” of how “it’s hideous, corrupt and often dangerous journalism to give anonymity to government officials to let them propagandize the public, then uncritically accept those anonymously voiced claims as Truth.”
June 12, 2015
The federal prosecutor’s office in Karlsruhe, Germany announced that it was closing its year-long inquiry into suspected US spying on Chancellor Angela Merkel’s cell phone, stating that, “The accusations made would not stand up in court with the means available for criminal proceedings. The vague remarks from U.S. officials about U.S. intelligence surveillance of the chancellor’s cell phone – i.e. ‘not any more’ – are insufficient evidence.”
The Belgian Constitutional Court invalidated the law that Belgium passed in 2013 to transpose the since-invalidated EU Data Retention Directive by requiring telecommunications providers to retain customers’ data for a year.
The Court’s opinion is available (in French) at http://nurpa.be/files/20150611_ruling-const-cour-dataretention-belgium_fr.pdf
June 11, 2015
In a 379-page report entitled “A Question of Trust,” the UK’s independent reviewer of terrorism legislation, David Anderson QC, criticized existing law for being “fragmented” and “obscure” and called for “a clean slate.” Among Mr. Anderson’s recommendations were that judges, rather than ministers, have the power to authorize warrants for the interception of communications, that the legality and effectiveness of proposed “snoopers’ charter powers” be rigorously assessed, and that the definition of “communications data” (the UK legal analog of the US term “metadata”) be “reviewed, clarified, and brought up to date.” Although he stated that the intelligence and security services should continue to have the power to engage in “bulk collection,” Mr. Anderson insisted that “strict additional safeguards” were needed.
June 10, 2015
The European Court of Justice (CJEU) informed Europe v Facebook member Maximilian Schrems that the Advocate General’s opinion in his case challenging the EU-US Safe Harbor Agreement would be delayed. The Advocate General’s opinion had been scheduled for June 24; no new date was set.
Mr. Schrems’ tweet of June 9 announcing the delay, including a copy of the CJEU’s communication to him (in French), is available at https://twitter.com/maxschrems
The proceedings before the CJEU in Maximilian Schrems v Data Protection Commissioner (Case C-362/14) and the Irish High Court’s opinion referring the case to the CJEU (Maximilian Schrems v. Data Protection Commissioner, 2013 No. 765 JR (Ir.H.Ct. June 18, 2014)) are discussed in the Challenges section of this website.
June 9, 2015
A study for The Information Technology and Innovation Foundation concluded that the US technology industry is likely to lose far more from the loss of foreign customers due to fears over government surveillance than the think tank’s previous estimate of $35 billion by 2016. The study found that foreign governments were using disclosures about US government surveillance as a justification for enacting protectionist policies to foster their own technology industries. Stating that “Some European companies have begun to highlight where their digital services are hosted as an alternative to U.S. companies,” the study called for reforms to US policy, including eliminating backdoor access by law enforcement to encrypted communications and agreeing to trade agreements, including the Trans-Pacific Partnership, that “ban digital protectionism.”
The study is available here
June 8, 2015
Privacy International filed a challenge in the UK’s Investigatory Powers Tribunal to the legal regime governing the intelligence and security services’ “acquisition, use, retention, disclosure, storage and deletion of Bulk Personal Datasets.” Bulk Personal Datasets were defined in the ISC Report of March 12, 2015 as “large datasets containing personal information about a wide range of people,” and Privacy International alleges that the governing legal regime “is not sufficiently accessible to the public” and does not “contain adequate safeguards to provide proper protection against arbitrary conduct.” The Statement of Grounds contends that Article 8 of the European Convention on Human Rights and section 6 of the UK Human Rights Act 1998 are violated. In support of its claims, Privacy International notes that until the ISC Report was published on March 12, “the capacity to hold and use Bulk Personal Datasets was not publicly acknowledged, and there was no public or parliamentary consideration of the necessary privacy considerations and safeguards.” In addition, there was no statutory provision for oversight of the use of Bulk Personal Datasets until, on the day the ISC Report was published, Prime Minister David Cameron issued Intelligence Services Commissioner (Additional Review Functions) (Bulk Personal Datasets) Direction 2015.
In a press release, Privacy International called the GCHQ’s use of Bulk Personal Datasets the equivalent of the NSA’s telephony metadata program curtailed by passage of the USA Freedom Act on June 2.
Privacy International’s Statement of Grounds and press release are available, respectively, at https://www.privacyinternational.org/sites/default/files/Bulk%20Personal%20Datasets%20Grounds%20FINAL_0.pdf, and https://www.privacyinternational.org/?q=node/594
June 6, 2015
Responding to the June 4 article described below, a New York Times editorial voiced concerns about cooperation between the NSA and FBI on cyberthreat investigations. Although the cooperation relies on the NSA’s authority under Section 702 of the Foreign Intelligence Surveillance Act to target communications of foreigners abroad, it may result in the collection of large amounts of data on Americans. “Back door searches” of the databases for information about Americans may then enable criminal cases unrelated to cyberthreats to be built. The Times called on Congress not to wait until the scheduled expiration of Section 702 in December 2017 “to demand a fuller and clearer accounting of how the government has interpreted those authorities.” Despite opining that the changes in the USA Freedom Act are “insufficient,” the editorial stated that “it is encouraging, at least, that more members of Congress from both parties have begun championing privacy in debates about national security.”
The editorial can be found here
June 4, 2015
The New York Times and ProPublica reported that documents leaked by Snowden show that starting in 2012, the Obama Administration secretly expanded the NSA’s warrantless surveillance within the US to searches for evidence of malicious computer hacking on internet cables. Although the authorized targets of the surveillance were IP addresses and cybersignatures that could be linked to foreign governments, “significant volumes of Americans’ information — anything from private emails to trade secrets and business dealings — [could be gathered] because monitoring the data flowing to a hacker involves copying that information as the hacker steals it.” The breakdown of the wall between intelligence and criminal investigations in the aftermath of 9/11 allowed the NSA to monitor the Internet for cybersecurity purposes and send intercepted traffic to the FBI’s “cyberdata repository” in Quantico, Virginia.
Documents provided to The New York Times are available here
The high court in London heard a challenge by Conservative Member of Parliament (MP) David Davis and Labour MP Tom Watson to the UK’s Data Retention and Investigatory Powers Act (DRIPA). In response to the invalidation of the EU Data Retention Directive of 2006 by the European Court of Justice (CJEU) in April 2014, DRIPA was rushed through Parliament in three days last July. Under DRIPA, telecommunications companies are required to retain Internet and telephony metadata for 12 months, to be provided to the police and security services if necessary. MPs Davis and Watson argue that DRIPA contains the same flaws as the CJEU identified in the EU Data Retention Directive, and is incompatible with the UK Human Rights Act, Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the EU Charter on Fundamental Rights. The MPs ask the court to invalidate DRIPA on the ground that it violates individuals’ rights under the European Convention and EU Charter or, in the alternative, to return the legislation to Parliament for further consideration.
The hearing before the high court is scheduled to continue on June 5. MPs Davis and Watson’s challenge was brought by human rights organization Liberty, and Privacy International, the Law Society, and the Open Rights Group are intervenors.
The European Court of Justice’s Judgment invalidating the EU Data Retention Directive (Joined Cases C-293/12 & C-594/12, Digital Rights Ireland and Seitlinger and Others (Apr. 8, 2014)), is discussed in the Challenges section of this website.
A report by the UN High Commissioner on Human Rights criticizes government calls for backdoors in software encryption, stating that “encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and … deserve strong protection.”
The Report is available at http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx
June 3, 2015
In an article on the passage of the USA Freedom Act, The Register stated that, “The new legislation means that once again the NSA and others can access the logs of Americans’ phone calls, emails and internet use for investigations, but with some subtle changes to the rules,” and stressed that the “changes only affect American citizens. For the other 6.81 billion humans on Planet Earth, it’s business as normal.” Nonetheless, The Register called the USA Freedom Act “a big step forward,” stating that “it’s the first time in nearly 40 years that the intelligence community has had their powers limited at all ….”
May 25, 2015
The Ditchley Foundation, which hosts several conferences each year on “complex issues of international concern” at its mansion in Oxfordshire, England, hosted a conference on “Intelligence, Security and Privacy” from May 14-16. Sir John Scarlett, the former head of the UK’s MI6, chaired the conference, and participants included senior policy and legal staff from Apple, Google, and Vodafone, intelligence regulators and human rights specialists from Europe and English-speaking countries, and twelve current or former directors or senior staff of intelligence and security agencies, including Germany’s BND, France’s DGSE, Sweden’s sigint agency FRA, Australia’s ASIO and ASIS, Canada’s CSIS, the CIA, and GCHQ and MI6.
The conference was conducted under the Chatham House Rule, which attempts to promote open and frank discussion by forbidding the public attribution of statements to particular attendees. Conference participants agreed that the Snowden leaks had stimulated overdue change towards transparency, “or at least ‘translucency,’” that relatively little embarrassing information had emerged from the leaks, and that the most embarrassing revelations were about spying on friendly states. There was also agreement that intelligence agencies should make front door requests for data from internet companies, instead of engaging in hacking or intercepting data flows, and that oversight should extend beyond data collection to data analysis and the use and sharing of data. The Ditchley Foundation is scheduled shortly to publish the conference conclusions, which focus on accountability, regulation, and oversight.
May 22, 2015
Janine Gibson, the editor who oversaw the coverage of the Snowden revelations that won The Guardian its first Pulitzer Prize, is leaving The Guardian after being passed over to replace Alan Rusbridger as senior editor when he departs next month. Last year, Gibson had come close to moving to The New York Times before Jill Abramson left that paper.
May 15, 2015
At a hearing in the UK Investigatory Powers Tribunal (IPT) on complaints brought by Privacy International and seven internet companies against the GCHQ and the Secretary of State for the Foreign and Commonwealth Office, the complainants stated that the day before the hearing began, the government had notified them for the first time that the Computer Misuse Act (CMA) had been amended to exempt GCHQ staff, intelligence officers and police from prosecution for hacking into computers, laptops and mobile phones. The exemption from prosecution in amended Savings Clause 10 of the CMA was promulgated as part of the Serious Crime Act 2015, which received royal assent on March 3, 2015 and came into effect on May 3. There was no public debate on the amendment, and no Privacy Impact Assessment was published. While the Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National Crime Agency were consulted as stakeholders, neither regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner’s Office, industry, nor NGOs were notified or consulted.
A UK government fact sheet on the amendments to the CMA is available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415953/Factsheet_-_Computer_Misuse_-_Act.pdf
For discussion of Privacy International’s and the seven internet companies’ complaints before the IPT, see Sections II (A) and (B) of Aidan Booth and Adina Schwartz, “Challenges in the UK to surveillance by the NSA and GCHQ,” available on this website.
May 8, 2015
Journalist Ahmad Muaffaq Zaidan, Al Jazeera’s longtime Islamabad bureau chief, was identified as a likely courier for senior Al Qaeda leaders in a slide from a June 2012 NSA power point presentation on the SKYNET program to detect suspicious patterns in location and metadata gathered from bulk call records. The slide indicated that Zaidan had previously been placed on the US intelligence community’s Terrorist Identities Datamart Environment (TIDE) database, and identified Zaidan as a member of the Muslim Brotherhood as well as Al Qaeda.
Zaidan, who rose to international prominence after 9/11 because of his access to senior Al Qaeda leaders, denied belonging to either Al Qaeda or the Muslim Brotherhood in an interview with The Intercept, and stated, through Al Jazeera, that interviewing key people in Afghanistan and Pakistan was crucial to journalists’ mission of informing the public. Although Zaidan had interviewed Bin Laden multiple times and received a number of his taped messages to Americans, in May 2010, Bin Laden wrote that “journalists may be involuntarily monitored in a way that we or they do not know about, either on ground or by satellite, especially Ahmad Zaydan of Al Jazeera, and it is possible that a tracking chip could be put into some of their personal effects before coming to the meeting place.”
Another 2012 NSA presentation indicates that major Pakistani telecommunications companies provided the call data for SKYNET, but does not specify the technical means by which the data was obtained. According to the presentation, SKYNET discovers terrorist connections through such questions as “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?” and by considering such behaviors as “excessive SIM or handset swapping,” “incoming calls only,” “visits to airports,” and “overnight trips.”
May 7, 2015
The BND reportedly ended its cooperation with the NSA after the NSA refused to agree to Chancellor Merkel and the BND’s condition that it provide a justification for each surveillance request. In an effort to defuse the scandal over the BND’s cooperation with the NSA, Chancellor Merkel offered to testify before the German Parliament.
May 5, 2015
Responding to suspicions that the NSA and BND might have spied on Austrian companies or government agencies, the Austrian Interior Ministry filed a complaint with the prosecutor’s office against an unknown entity, alleging that surveillance might have been secretly conducted to Austria’s disadvantage.
While reaffirming her position that friends do not spy on friends, Chancellor Angela Merkel also responded to questions by stating that the German “intelligence services, especially the B.N.D., … must and will cooperate internationally to protect the bodies and lives of 80 million Germans as best they can” and that means cooperating “first and foremost” with the NSA.
May 4, 2015
In response to revelations of the BND’s use of NSA-provided selectors that targeted German and other European governments and officials, EU institutions, and European companies, the German Federal Prosecutor’s Office is reviewing whether there is “initial evidence” of a criminal offense, such as espionage or treason-related crimes, that falls within its jurisdiction. One of the targets of the surveillance, the largest European defense company, Airbus, formerly known as EADS, filed a criminal complaint in Germany against persons unknown for industrial espionage.
In 2012, the BND, GCHQ and NSA began operation Monkeyshoulder to collect signals intelligence at the internet hub in Frankfurt operated by Deutsche Telekom. Training workshops took place until the operation was stopped by BND head Gerhard Schindler in August 2013.
The US is also suspected of targeting Chancellery staff in Berlin or targeting journalists.
Detailing “[t]he blame game [that] has long since begun in the German capital [and] efforts to determine who knew what and when and who misled which supervisory authority and when,” Der Spiegel concluded that “this scandal of the BND, NSA-spying, a lack of control and lying cabinet members could seriously shake the foundations of [Chancellor Merkel’s] power.”
April 24, 2015
As part of assisting the German Parliamentary investigation of the NSA, a project group from Germany’s foreign intelligence agency, the Bundesnachrichtendienst (BND), found that during surveillance at the Bad Aibling facility in Bavaria, BND agents had used 40,000 search parameters provided by the NSA to target German and other Western European governments and companies. In the aftermath of the Snowden revelations, a BND investigation in October 2013 had concluded that at least 2,000 NSA selectors were aimed at Western European or German interests. Before that, BND agents had become aware by 2008 at the latest that the Memorandum of Agreement signed by the US and Germany in 2002 in regard to surveillance at Bad Aibling had been violated by the use of NSA selectors targeting European defense company EADS, helicopter manufacturer Eurocopter, and French agencies. Until March 2015, however, the BND assured German parliamentarians that their cooperation with the NSA at Bad Aibling conformed to the law.
April 18, 2015
Twitter announced that effective May 18, services to users outside the United States would be provided by Twitter International Company, and that the company, based in Dublin, Ireland, would handle “account information under Irish privacy and data protection law, which is based on the European Union’s Data Protection Directive.” Twitter, Inc., based in San Francisco, California, would continue to provide services, governed by United States law, to users in the United States.
April 16, 2015
Documents leaked by Snowden and jointly analyzed by The New Zealand Herald and The Intercept show that starting in 2003 or 2004, New Zealand’s Government Communication Security Bureau (GCSB) played a leading role in conducting electronic surveillance in Bangladesh to aid US counterterrorism efforts. The GCSB shared intercepted material with Bangladesh’s state intelligence service, despite reports of severe human rights abuses by Bangladeshi intelligence, but also secretly monitored the communications of Bangladesh’s lead counter-terrorism unit, the Rapid Action Battalion. Eavesdropping on mobile phone conversations was conducted from a collection site in Dhaka, likely located, since New Zealand does not have a high commission or any official building in Bangladesh, in a US building overseen by the NSA or CIA.
April 11, 2015
Privacy International, Bytes for All, Amnesty International, Liberty and other civil liberties groups filed an appeal in the European Court of Human Rights from the UK Investigatory Powers Tribunal’s Judgments of December 5, 2014 and February 6, 2015 that (i) Articles 8, 10 and 14 of the ECHR were not violated by the UK’s Tempora program and (ii) after disclosures by the Intelligence Services were published in the Judgments of December 5, 2014 and February 6, 2015, the UK’s sharing of information obtained by the NSA’s Prism and/or Upstream Programs did not violate Articles 8 or 10 of the ECHR.
For a discussion of the IPT’s Judgments of December 5, 2014 and February 6, 2015, see Section I (B) of Aidan Booth and Adina Schwartz, “Challenges in the UK to Surveillance by the NSA and GCHQ,” available on this website.
April 10, 2015
Applications for the position of UN Special Rapporteur on Privacy are now being considered. The deadline for submitting applications is April 30.
The application form is available at http://www.ohchr.org/EN/HRBodies/SP/Pages/HRC29.aspx
The UK Foreign Office has refused to disclose the job title, role and responsibilities, or salary of Cressida Dick, the former head of Specialist Operations at London’s Metropolitan Police who oversaw a criminal investigation into journalists who reported on documents leaked by Snowden. In December, Ms. Dick announced that she was leaving the Met Police for a top job with the Foreign Office. Although the salaries and job titles of senior Foreign Office officials are routinely posted online, in response to The Intercept’s Freedom of Information Act (FOIA) requests, the Foreign Office would only disclose that Ms. Dick was appointed to a “director general” position and that director generals’ salaries are between £105,000 and £208,000 ($156,000 and $309,000). Citing an exemption for information related to or provided by the intelligence services, a Foreign Office spokesperson stated that, “As the details of Ms. Dick’s exact role and responsibilities relate to security matters, they are exempt for public disclosure under the Freedom of Information Act.” The UK Information Commissioner’s Office, which enforces the UK’s freedom of information laws, will be investigating The Intercept’s complaint about the limited disclosure.
April 8, 2015
Starting in 1992, the United States Justice Department and Drug Enforcement Agency (DEA) amassed metadata on all telephone calls from the United States to as many as 116 of the 195 countries recognized by the US. Although the targeted countries changed over time, Canada, Mexico, Italy, Iran, Pakistan and Afghanistan and other countries in Europe, Asia, western Africa, Central and South America, and the Caribbean were included. The DEA obtained the call records without prior judicial approval by serving administrative subpoenas on telecommunications companies. The metadata was linked to call records acquired outside the United States and to investigative reports from the DEA, FBI, and Customs Service. Although the DEA program was the model for the NSA’s bulk collection of metadata beginning in 2006, the two databases were used very differently: while agents reportedly searched the NSA database 300 times in 2012, that many searches of the DEA database were routinely made in a day.
In response to the Snowden revelations, searches of the DEA database ended in September 2013, and the collected metadata was purged not long after. In lieu of bulk collection of metadata on domestic calls to foreign countries, the DEA now assembles daily lists of telephone numbers suspected of being linked to drug trafficking, and issues electronic subpoenas to telephone companies for logs of these numbers’ international calls. In a day, phone companies may be served with subpoenas for more than a thousand numbers.
The government did not publicly disclose the existence of the DEA bulk metadata program until January 2015. In the criminal case in which the disclosure was made, United States v. Hassanshahi in the federal district court for the District of Columbia, the Justice Department redacted the list of targeted countries “to protect against any disruption to prospective law enforcement cooperation.”
The documents disclosing the DEA program in United States v. Hassanshahi are available at https://www.documentcloud.org/documents/1719876-database.html and https://www.documentcloud.org/documents/1700104-d-d-c-13-cr-00274-dckt-000049-000-filed-2015-01-15.html#document/p3/a211046
April 2, 2015
In partnership with Argentine news site Todo Notícias, The Intercept published documents leaked by Snowden showing that between 2008 and 2011, GCHQ assisted the UK government’s efforts to prevent Argentina from using either military or diplomatic efforts to retake the Falkland Islands. While surveillance of Argentine “military and Leadership” communications was a “high priority,” by 2011, GCHQ’s Joint Threat Research and Intelligence Group (JTRIG) was conducting offensive cyberoperations. Although the particular tactics that JTRIG employed in the Falklands mission are unknown, the unit has the capacity to use “covert tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, ‘amplif[y]’ sanctioned messages on YouTube, and plant false Facebook wall posts for ‘entire countries.’”
As of 2010, the NSA was assisting the GCHQ’s Falklands operations, despite the Obama Administration’s unwillingness to publicly support the UK government’s stance on the Falklands.
March 27, 2015
The decision of the Court of Appeals is available at http://www.bailii.org/ew/cases/EWCA/Civ/2015/311.html
March 26, 2015
New Zealand Inspector-General of Intelligence and Security Cheryl Gwyn announced that she would investigate complaints arising from recent articles on the activities of New Zealand’s Government Communications Security Bureau (GCSB) by The Intercept and its partners, the New Zealand Herald, Herald on Sunday, and Sunday-Star-Times, as well as “wider questions regarding the collection, retention and sharing of communications data.”
Also in response to the articles, former director of the GCSB Sir Bruce Ferguson stated on Radio New Zealand that, “It’s the whole method of surveillance these days – it’s mass collection. To actually individualise that is mission impossible.” Nonetheless, Sir Bruce agreed with Prime Minister and former GCSB director Key that GCSB was not spying on New Zealanders, stating that it wasn’t happening “willingly” or “intentionally.”
The articles were based on top-secret documents from 2009-2012, at which time it was illegal for GCSB to do anything leading to the interception of a New Zealand citizen’s or resident’s communications. In the event of accidental interception, such communications were required to be destroyed as soon as possible.
The Media Release by the New Zealand Office of the Inspector-General of Intelligence and Security is available at https://www.documentcloud.org/documents/1695301-new-zealand-inspector-general-gcsb-surveillance.html
Australia enacted a law requiring internet service providers and mobile phone networks to store customers’ metadata for two years. Widely-used third-party email, video, and social media platforms and apps, such as Gmail, Hotmail, Facebook, Skype, Whatsapp, Viber, and Signal, are not required to retain metadata. Nor are internal email and telephone networks, such as those maintained by universities and corporations. The exemptions, which the government publicly announced, cast doubt on the law’s ability to achieve its intended purpose of combating domestic terrorism.
Spearheaded by Germany and Brazil, the United Nations’ top human rights body, the Human Rights Council, unanimously adopted a resolution calling for the appointment of a special rapporteur on the right to privacy for an initial period of three years.
The resolution is available at https://www.privacyinternational.org/sites/default/files/SR resolution.pdf
At the CJEU hearing in the case against Facebook described in the March 24 entry below, an attorney for the European Commission (EC) refused to confirm that the Safe Harbor rules adequately protect EU citizens’ privacy, stating that “You might consider closing your Facebook account, if you have one.” Nonetheless, the EC and the Irish Data Protection Supervisor argued that reforming Safe Harbor should be up to the EC, and the EC asserted that the continued existence of Safe Harbor was economically and politically necessary.
March 24, 2015
The European Court of Justice (CJEU) heard arguments in the case against Facebook brought by Austrian digital rights activist Maximilian Schrems and referred to the CJEU by the Irish High Court. The case raises the question of whether the Safe Harbor agreement between the EU and the US adequately protects EU citizens’ privacy.
A lawyer for Mr. Schrems stated that, “Mass surveillance is manifestly incompatible with the fundamental right to privacy and data protection,” and maintained that Mr. Schrems’ right to privacy was violated even though there was no evidence that the NSA had specifically accessed his data. A representative of the U.K. government warned that a victory for Schrems “would have quite serious effects…risking disruption of trade that carries significant benefit for the EU and its citizens.” While the European Commission also supported the Safe Harbor Agreement, lawyers for the governments of Belgium, Poland and Austria supported Schrems.
The Wall Street Journal called the case “the biggest threat yet” to the Safe Harbor Agreement, and stated that the lead judge on the case, Thomas von Danwitz, “appeared sympathetic” to Schrems’ position.
The Advocate General of the CJEU is scheduled to issue a non-binding opinion on June 24, and the Court is expected to issue its decision in October.
See the discussion of the Irish High Court’s decision in our Challenges section.
March 23, 2015
President Obama’s Privacy and Civil Liberties Oversight Board (“PCLOB”) issued a request for comments from the public in regard to the implications for privacy and civil liberties of counterterrorism activities conducted by United States intelligence agencies under the authority of Executive Order 12333. The period for comments runs through June 16, 2015.
A New York Times editorial entitled “Britain’s Surveillance State” criticized the ISC report, linked to and described in the March 12 entry below, for proposing reforms “that are mostly cosmetic and would do little to protect individual privacy.” The editorial stated that the largely unsuccessful legal challenges brought before the IPT to the Prism and Tempora programs (see the February 6 entry below) “are likely to end up in the European Court of Human Rights [which] has taken an expansive view of the individual’s right to privacy under the European Convention on Human Rights.”
A top-secret document last modified on May 6, 2013 shows that as part of an ultimately unsuccessful effort to have National Minister Tim Groser appointed director-general of the World Trade Organization (WTO), New Zealand’s Government Communications Security Bureau (GCSB) intercepted communications pertaining to competing countries’ candidates. Using the NSA’s XKEYSCORE system, the GCSB searched the body of emails for references to Groser, the WTO, the director general candidacy, and the last names of the eight other candidates. GCSB also targeted all internet communications (not just emails) pertaining to Indonesian candidate Mari Pangestu. The instructions for the keyword searches were in French and Spanish as well as English.
According to The New Zealand Herald, “Deploying GCSB’s surveillance capabilities to gain the upper hand in the WTO selection is far away from terrorism, the Islamic State and other security issues for which Mr Key [the current Prime Minister of New Zealand who headed the GCSB at the time of the WTO surveillance] has claimed the agency is used.” “While the New Zealand Government collected intelligence on the other eight countries’ candidates, it is unlikely that those countries [South Korea, Indonesia, Brazil, Mexico, Kenya, Ghana, Jordan and Costa Rica] were spying on Mr Groser and New Zealand’s lobbying effort in return. None of the eight countries targeted in the operation have the capability to conduct surveillance against the internet on a global level.”
The GCSB had access to XKEYSCORE due to its membership in the Five Eyes alliance. According to an April 2013 NSA document, GCSB “continues to be especially helpful in its ability to provide NSA ready access to areas and countries that are difficult for the United States to access.” China, India, Pakistan, Vietnam, Iran, Japan, North Korea and South American and Pacific Island nations are among the countries that have been subject to GCSB surveillance.
The May 6, 2013 document is available at http://media.nzherald.co.nz/webcontent/document/pdf/201513/WTO document.pdf
Documents leaked by Snowden and jointly analyzed by CBC News/Canada and The Intercept show that Canada’s Communications Security Establishment (CSE) has the ability to hack into networks to gather intelligence or damage infrastructure, such as electricity, transportation or banking systems. CSE also is able to transmit propaganda over social media, to disrupt online traffic by such techniques as deleting emails, freezing internet connections, blocking websites and redirecting wire money transfers, and to conduct “false flag operations” that make other governments appear responsible for attacks. An April 2013 NSA briefing note states that, “NSA and CSEC cooperate closely … [on] active computer network access and exploitation on a variety of foreign intelligence targets, including CT [counter terrorism], Middle East, North Africa, Europe, and Mexico.”
The Anti-Terrorism Act, Bill C-51, is currently being debated in the Canadian Parliament, and could legalize CSE’s use of some of these capabilities.
March 20, 2015
In response to a Freedom of Information Act (FOIA) request by reporter Ryan Gallagher of The Intercept, the UK’s Metropolitan Police Department refused to release any information about the status of the criminal investigation that it launched into Guardian journalists who reported on the Snowden documents, despite having acknowledged the existence of the investigation at Parliamentary hearings in 2013. In refusing to either confirm or deny its access to any information concerning any “current or previous investigations,” Met Police stated that, “In this current environment, where there is a possibility of increased threat of terrorist activity, providing any details even to confirm or deny that any information exists could assist any group or persons who wish to cause harm to the people of the nation which would undermine the safeguarding of national security.”
The refusal notice was issued in late February, and upheld by Met Police this month after an appeal. The Intercept has filed a complaint with the Information Commissioner’s Office, the public body that enforces the U.K.’s freedom of information laws.
The response to the FOIA request is available at https://www.documentcloud.org/documents/1689943-uk-met-police-snowden-criminal-investigation.html
March 19, 2015
Admiral Michael S. Rogers, who heads both the NSA and its military cousin, the United States Cyber Command, told the Senate Armed Services Committee that because “a purely defensive reactive strategy will be both late” and “incredibly resource-intense,” the US needs to expand its ability to conduct cyber attacks in order to deter attacks by other countries.
In a speech in which he praised the journalists who worked on the Snowden archive, Vice Chancellor Sigmar Gabriel of Germany lamented that Snowden was stuck in “Vladimir Putin’s autocratic Russia” because no other country was willing and able to protect him from imprisonment in the US. In response to questioning afterwards by Glenn Greenwald, who was present at the event to receive an award, the Vice Chancellor explained that Germany would not and could not offer Snowden asylum because the US had threatened to cut Germany off from all sharing of intelligence if it did so.
March 18, 2015
Privacy International published the UK government’s Open Response of February 6, 2015 to challenges brought before the IPT by Privacy International in regard to illegal hacking and by seven Internet Service Providers and Privacy International in regard to alleged network infrastructure attacks. In accord with the UK Intelligence Services’ traditional “neither confirm nor deny” (NCND) policy in regard to all factual details about their operations, the Open Response was accompanied by a Closed Response accessible only by the IPT. To claim that NCND was compatible with the foreseeability requirement of the “in accordance with the law” component of Article 8 of the ECHR, the Respondents invoked the IPT’s power to examine their “below the waterline” arrangements in closed hearings. In addition, the Respondents relied on the draft Equipment Interference Code of Practice (the “EI” Code) that the Home Office published on February 6, 2015.
Notwithstanding NCND, the Open Response indicates that the EI Code allows “intended”, as well as “collateral,” “interference with the equipment” of “individuals who are not intelligence targets in their own right.” At the same time, the Claimants are criticized for making “very extreme factual allegations about the scope, scale and nature of GCHQ’s activities ….”
The Open Response and Privacy International’s press release are available, respectively, at https://www.documentcloud.org/documents/1688275-privacy-greennet-open-response-6-feb-2015.html, and https://www.privacyinternational.org/?q=node/545
See Section II of Aidan Booth & Adina Schwartz, “Challenges in the UK to Surveillance by the NSA and GCHQ,” available on this website, for a discussion of these challenges before the IPT.
March 17, 2015
In an explicit attack on the UK Parliament’s Intelligence and Security Committee (ISC), a former head of MI6, Sir Richard Dearlove, called for an independent watchdog, comprised of “citizens’ groups,” NGOs, and people who “really understood technology,” to be established to scrutinize the operations of MI5, MI6, and GCHQ.
March 16, 2015
By an 11-1 vote, the Judicial Conference Advisory Committee on Criminal Rules approved amending Rule 41 of the Federal Rules of Criminal Procedure to allow judges to authorize warrants for remote searches of computers located outside their districts or at unknown locations. Under the current version of the Rule, judges are generally restricted to issuing search warrants for material located within their judicial district’s geographical bounds.
Critics warn that the proposed amendment to Rule 41 might allow the FBI to violate the sovereignty of foreign nations. In addition, the Amendment would allow the FBI to more easily infiltrate computer networks to install malicious tracking software.
The Amendment will go into effect only if approved by the Judicial Conference’s Standing Committee on Rules of Practice and Procedure, by the Judicial Conference itself, and by the U.S. Supreme Court, and then not vetoed by Congress. Even if the Amendment is passed, the process is likely to take over a year.
March 13, 2015
At a public hearing in the IPT in the Belhadj case described in the February 18 and 26 entries below, lawyers for the UK government argued that even if the government had unlawfully intercepted the complainants’ attorney-client communications, it was entitled to keep that fact a secret from the complainants, their lawyers, and the public.
March 12, 2015
The UK Parliament’s Intelligence and Security Committee (“ISC”) issued a Report, “Privacy and security: A modern and transparent legal framework,” upholding the legality of the surveillance of communications, but criticizing the legal framework for being “unnecessarily complicated” and “lack[ing] transparency.” The ISC concluded that the Intelligence Services “do not seek to circumvent the law,” and reasoned that bulk interception does not constitute mass surveillance if only a small proportion of the intercepted communications are read. “Given the extent of targeting and filtering involved, it is evident that while GCHQ’s bulk interception capability may involve large numbers of emails, it does not equate to blanket surveillance, nor does it equate to indiscriminate surveillance. GCHQ is not collecting or reading everyone’s emails: they do not have the legal authority, the resources, or the technical capability to do so.” In addition, GCHQ must “first obtain a specific authorization naming that individual, signed by a secretary of state” before searching for or examining communications of people in the UK that are acquired through bulk interception.
Separately, in a report covering January-December 2014, the Office of Interception of Communications Commissioner (“IOCCO”) Sir Anthony May disclosed that a GCHQ employee had been fired for performing unauthorized searches, stating that this was “the first known instance of deliberate abuse of GCHQ’s interception and communications data systems in this way.”
The ISC Report is available at http://isc.independent.gov.uk/news-archive/12march2015
The IOCCO Report is available at http://www.iocco-uk.info/docs/IOCCO Report March 2015 %28Web%29.pdf
Prime Minister David Cameron issued Intelligence Services Commissioner (Additional Review Functions) (Bulk Personal Datasets) Direction 2015, putting the Intelligence Services Commissioner’s oversight of the intelligence and security services’ use of Bulk Personal Datasets on a statutory basis. The change was called for by the Intelligence Services Commissioner and today’s ISC Report, which defines Bulk Personal Datasets as “large datasets containing personal information about a wide range of people.”
The Direction can be found here
March 11, 2015
The District Court of The Hague ruled that a Dutch law requiring telecommunications providers to collect and store traffic data for up to 12 months violated the rights to privacy and to the protection of personal data. Although appealable, the ruling is effective immediately, relieving telecommunications companies of any obligation to collect or retain data.
March 10, 2015
Documents from 2010-2012 leaked by Snowden show that researchers working with the CIA engaged in sustained efforts to break the security of Apple’s iPhones and iPads. The research was presented at the CIA’s annual Trusted Computing Base Jamboree whose aim is to host “presentations that provide important information to developers trying to circumvent or exploit new security capabilities,” as well as to “exploit new avenues of attack.” Consistently with the Apple research, the Congressional Budget Justification, widely known as the “Black Budget,” leaked by Snowden from 2013, speaks of a US government commitment to analyzing “secure communications products, both foreign and domestic” in order to “develop exploitation capabilities against the authentication and encryption schemes.”
Responding to proposals by Prime Minister David Cameron, the UK’s Parliamentary Office of Science and Technology (“POST”) issued a report on March 9 entitled “The darknet and online anonymity.” POST, whose mission is to provide independent, non-partisan advice on science and technology to Members of Parliament, cited the Chinese government’s failed attempt to block access to Tor, stating that there is “widespread agreement that banning online anonymity systems altogether is not seen as an acceptable policy option in the UK. Even if it were, there would be technical challenges.” The report also rejected proposals to allow users to access the web anonymously through Tor while banning the anonymous websites accessible only through Tor (Tor Hidden Services (THS)) that make up the darknet, explaining that THS “benefit non-criminal [as well as criminal] Tor users because they may add a further layer of user security.” In addition, it would be “technologically infeasible” to prevent access to THS from within the UK.
The Report is available at http://www.parliament.uk/briefing-papers/POST-PN-488/the-darknet-and-online-anonymity
A lawsuit alleging that the NSA’s upstream data collection program violates Article III of the Constitution and the First and Fourth Amendments and goes beyond the warrantless surveillance authorized by the FISA Amendments Act (“FAA”) was filed in the federal district court for the district of Maryland. The plaintiffs, Wikimedia Foundation, The National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, PEN American Center, Global Fund for Women, The Nation Magazine, The Rutherford Institute, and The Washington Office on Latin America, emphasize that the NSA’s upstream surveillance of the contents of communications as they pass through internet switches “is not limited to communications sent or received by the NSA’s targets. … The NSA systematically examines the full content of substantially all international text-based communications (and some domestic ones) for references to its search terms.” The plaintiffs allege that their rights are violated and that they are hindered in conducting their work because their communications are intercepted, copied and reviewed as part of the NSA’s Upstream program. In addition, they claim that the NSA is substantially likely to read, retain or disseminate their overseas communications on the ground that they are to, from, or about overseas “targets” of its upstream program.
The complaint is available at https://www.aclu.org/files/assets/wikimedia_v2c_nsa_-_complaint.pdf
An op-ed piece by Jimmy Wales, the founder of Wikipedia and a board member of the Wikimedia Foundation, and Lila Tretikov, the executive director of the Wikimedia Foundation, is available at http://www.nytimes.com/2015/03/10/opinion/stop-spying-on-wikipedia-users.html?ref=opinion
March 9, 2015
Responding to the draft of an Equipment Interference Code of Practice that the UK Home Office published for public comment from February 6-March 20, Caroline Wilson Palow, legal officer at Privacy International, stated that, “The draft code grants the intelligence services incredible powers to hack into people’s phones, computers, and communications infrastructure. The power to hack should be closely controlled and governed by legislation, as communications interception has been.” David Cook, cyber crime and data security solicitor at law firm Slater & Gordon, opined that publication of the code “seems to be a method of seeking a veneer of lawfulness over an approach which is, at its core, absolutely abhorrent,” explaining that while warrants are needed to bug particular people’s houses, the Intelligence Services “would not necessarily need a specific warrant to do the same thing by hacking a computer.” Renate Samson, chief executive of civil liberties group Big Brother Watch, warned that the code would allow anyone to be hacked; it would be “not just a case of targeting a suspect, but people who are entirely neutral, too.”
March 6, 2015
Speaking via video link from Moscow to an audience in Geneva, Switzerland that had viewed Citizenfour, Edward Snowden stated that US authorities had refused to guarantee him a fair trial and that asylum in “Switzerland would be a sort of great political option because it has a history of neutrality.” Snowden, who had been an undercover CIA operative in Geneva, said that, “I would love to return to Switzerland, some of my favorite memories are from Geneva.”
March 4, 2015
Researchers disclosed a new SSL/TLS vulnerability, the FREAK attack, that allows an attacker positioned between a vulnerable client and server to downgrade an HTTPS connection to ‘export-grade’ cryptography (512-bit RSA keys). A 512-bit RSA key can be factored in hours with modest computing resources, after which the attacker can decrypt or alter the traffic. The vulnerability is a legacy of 1990s US export controls, in force under the Clinton Administration, that required weak cryptography in US software and hardware exports. Although many technology companies abandoned the weak cipher suites once the restrictions were lifted, the code in a range of modern devices and websites still supports them: many servers will still negotiate export-grade RSA if asked, and a bug in affected clients causes them to accept an export-grade key even when they never requested one.
Although no attacks exploiting FREAK had been observed in the wild, Apple and Android devices are among those vulnerable, and roughly 36% of HTTPS servers surveyed still accepted export-grade RSA. Apple promised to patch the vulnerability in its iOS mobile operating system and OS X Macintosh operating system within a week, and Google said it had already developed a patch and provided it to Android manufacturers for Android connections to websites. Although BlackBerry and Amazon products are also vulnerable, the companies did not respond to The New York Times’ requests for comment.
Computer scientists argue that the FREAK attack illustrates the problem with US and UK government calls for back doors that would allow law enforcement to intercept strongly encrypted communications: a deliberately weakened mode, once built in, can be forced on users long after the policy that required it has lapsed. J. Alex Halderman, an assistant professor of computer science and engineering at the University of Michigan, stated that, “When computer scientists say you can’t build a crypto back door without weak encryption for everyone, this is exactly what we’re worried about.”
An explanation of the FREAK attack, including a tracker of affected sites and clients, is available at https://freakattack.com.
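As an added illustration of the client-side flaw behind FREAK (example code written for this page, not code from the researchers, from freakattack.com, or from any vendor), the following Python models the handshake messages the attack manipulates. The cipher suite IDs and the ServerHello/ServerKeyExchange layouts follow the TLS specification; the 512-bit modulus, the zeroed random and the signature bytes are constructed placeholders, and the `patched` flag stands in for the fix vendors shipped rather than reproducing any vendor’s actual code.

```python
import struct

HANDSHAKE_SERVER_HELLO = 2
HANDSHAKE_SERVER_KEY_EXCHANGE = 12

# Cipher suite IDs from the TLS registry (RFC 2246 / RFC 5246).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}  # the TLS_RSA_EXPORT_* suites


def handshake(msg_type, body):
    """Wrap a body in a TLS Handshake header: 1-byte type, 3-byte length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_server_hello(cipher_suite):
    # version(2) random(32) session_id_len(1) [session_id] cipher_suite(2) compression(1)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"
            + struct.pack(">H", cipher_suite) + b"\x00")
    return handshake(HANDSHAKE_SERVER_HELLO, body)


def build_rsa_server_key_exchange(modulus, exponent=65537):
    """ServerKeyExchange carrying a temporary RSA key (ServerRSAParams), as a
    server sends it for an RSA_EXPORT suite. The signature is a placeholder."""
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    params = struct.pack(">H", len(n)) + n + struct.pack(">H", len(e)) + e
    signature = b"\x00" * 256  # stands in for the server's signature over params
    return handshake(HANDSHAKE_SERVER_KEY_EXCHANGE,
                     params + struct.pack(">H", len(signature)) + signature)


def parse_handshake(msg, expected_type):
    msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type != expected_type or len(msg) != 4 + length:
        raise ValueError("malformed or unexpected handshake message")
    return msg[4:]


def parse_server_hello(msg):
    """Return the cipher suite the ServerHello announces."""
    body = parse_handshake(msg, HANDSHAKE_SERVER_HELLO)
    session_id_len = body[34]
    off = 35 + session_id_len
    return struct.unpack(">H", body[off:off + 2])[0]


def parse_rsa_server_key_exchange(msg):
    """Return the bit length of the temporary RSA modulus in a ServerKeyExchange."""
    body = parse_handshake(msg, HANDSHAKE_SERVER_KEY_EXCHANGE)
    n_len = struct.unpack(">H", body[:2])[0]
    return int.from_bytes(body[2:2 + n_len], "big").bit_length()


def premaster_key_bits(offered, server_hello, server_key_exchange, patched):
    """Bit length of the RSA key the client would encrypt its premaster secret
    under, or 0 if the client aborts the handshake."""
    suite = parse_server_hello(server_hello)
    if suite not in offered:
        return 0  # both versions reject a suite they never offered
    modulus_bits = parse_rsa_server_key_exchange(server_key_exchange)
    if patched and suite not in RSA_EXPORT_SUITES:
        return 0  # fix: a temporary RSA key is only legal for an RSA_EXPORT suite
    return modulus_bits  # vulnerable: uses whatever temporary key arrived


def freak_downgrade(patched):
    """The man-in-the-middle flow described above, with constructed messages."""
    offered = [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
    # 1. The attacker rewrites the ClientHello to offer only RSA_EXPORT; the
    #    server answers with an export suite and a 512-bit temporary RSA key.
    export_modulus = (1 << 511) | 0x10001  # constructed stand-in, not a real key
    ske = build_rsa_server_key_exchange(export_modulus)
    # 2. The attacker rewrites the ServerHello so the client sees the suite it asked for.
    server_hello_seen_by_client = build_server_hello(TLS_RSA_WITH_AES_128_CBC_SHA)
    # 3. Does the client encrypt the premaster secret under the 512-bit key?
    return premaster_key_bits(offered, server_hello_seen_by_client, ske, patched)


if __name__ == "__main__":
    print("vulnerable client uses a", freak_downgrade(patched=False), "bit key")
    print("patched client key bits (0 = handshake aborted):", freak_downgrade(patched=True))
```

The unpatched path returns 512, the key size the attacker can factor offline; the patched path returns 0 because a ServerKeyExchange carrying RSA parameters is only permitted when an export suite was actually negotiated. The matching server-side check is whether any RSA_EXPORT suite is still enabled at all, since the downgrade needs a server willing to answer with one.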
At a news conference in Moscow on March 3, Snowden’s Russian attorney, Anatoly G. Kucherena, said that he was working with a team of German and American lawyers to enable Snowden to return to the US with a guarantee of a legal and impartial trial. One of Snowden’s US legal advisors, Ben Wizner of the ACLU, compared Snowden’s legal situation with that of General David Petraeus, the former director of the CIA who admitted showing “black books” of classified information to his then-lover but was allowed to plead guilty this week to one count of removing classified documents and receive a sentence of two years’ probation and a fine of $40,000. Wizner told The Guardian that, “The problem is that leniency is only extended to officials with friends in high places. If Petraeus deserves exceptional treatment because of his service to the nation, then surely the same exception should be offered to Edward Snowden, whose actions have led to a historic global debate that will strengthen free societies.”
February 26, 2015
The UK’s Investigatory Powers Tribunal (“IPT”) ordered that “there be a declaration that since January 2010 the regime for the interception/obtaining, analysis, use, disclosure and destruction of legally privileged material has contravened Article 8 ECHR and was accordingly unlawful.” The Order was issued after the UK government admitted, as described in the February 18 entry below, that its regime for dealing with legally privileged material was unlawful. The admission was made before a hearing in a case brought before the IPT by Libyans Abdel-Hakim Belhadj and Sami al-Saadi and their families, alleging that the security services illegally intercepted their communications with their attorneys in order to gain an unfair advantage in the civil action they brought against the UK government and others in connection with their abduction and subsequent torture by the Gaddafi regime.
Since the government would neither confirm nor deny that its illegal interception of attorney-client communications had extended to Belhadj, al-Saadi, and their families, the IPT Order of February 26 also directed that a closed hearing be held on “whether the Claimants’ legally privileged communications have in fact been intercepted/obtained, analysed, used, disclosed or retained (‘relevant interception’).” In addition, the IPT scheduled a public hearing on March 12 to consider “on the hypothetical assumption (the true position being neither confirmed nor denied), that there have been relevant interception, what if any remedies should be granted to the Claimants.”
The IPT’s Order is available at http://www.ipt-uk.com/docs/Belhadj_order_26Feb15.pdf
February 25, 2015
In response to the February 19 story in The Intercept described below, Gemalto issued a press release stating that it had “conducted a thorough investigation, based in particular on two elements: the purported NSA and GCHQ documents which were made public by [The Intercept], and our internal monitoring tools and their past records of attempts of attacks.” The principal results of the investigation were that (i) there were “reasonable grounds to believe” that NSA and GCHQ were responsible for “sophisticated attacks” detected by Gemalto in 2010 and 2011 that used the “intrusion methods” described in the leaked documents; (ii) since the attacks only breached Gemalto’s office networks, they could not have caused “a massive theft of encryption keys;” (iii) the attacks aimed to intercept keys while they were in transit between suppliers and mobile operators, but only “rare exceptions” to the “secure transfer system” that Gemalto had deployed by 2010 could have caused keys to be intercepted; and (iv) even if keys were stolen, the intelligence services could only have listened in on communications on 2G, as opposed to 3G or 4G, mobile networks.
Gemalto’s Press Release is available at http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx
February 24, 2015
As a result of being caught in the sting operation described in the February 23 entry below, Sir Malcolm Rifkind resigned from chairing the UK Parliament’s Intelligence and Security Committee (“ISC”), but will continue to serve on the committee. In addition, Sir Malcolm stated that he would not run in the next Parliamentary election, which is scheduled for May at the latest.
February 23, 2015
Conservative UK MP Sir Malcolm Rifkind, the Chairperson of the Intelligence and Security Committee (“ISC”) of Parliament that oversees the intelligence services, was suspended from his political party after being secretly filmed responding positively to solicitations from reporters from The Daily Telegraph and Channel 4’s Dispatches who were posing as representatives of a fictitious Hong Kong-based communications agency called PMR. Sir Malcolm, whose Committee upheld the legality of the GCHQ’s use of Prism in July 2013, told the supposed PMR representatives that he could use his position to arrange “useful access” to every British ambassador in the world, and suggested that he would be willing to write to ministers on behalf of the company without providing its name. He was recorded saying, “I am self-employed – so nobody pays me a salary. I have to earn my income,” and that his usual fee for half a day’s work was “somewhere in the region of £5,000 to £8,000.”
Denying any wrongdoing, Sir Malcolm told the BBC he had only engaged in a preliminary discussion with the supposed company’s representatives. He admitted that it was “a silly thing to say” that he was not paid a salary, but stated that while an MP’s yearly salary of £ 67,000 a year “sounds a lot of money to anyone earning less than that,” limiting MP’s to their salaries would “exclud[e] very large numbers of very able people” from Parliament because they could not “accept such a substantial reduction in their standard of living.” Unless his colleagues on the Committee request it, Sir Malcolm does not intend to resign from chairing the ISC. “One’s got nothing to do with the other. None of the matters are remotely to do with intelligence or security.”
Characterizing the reports about Sir Malcolm’s behavior as “very serious,” Prime Minister David Cameron promised an “immediate disciplinary inquiry.”
Labour Party MP Jack Straw, who was also caught in the sting, suspended himself from his Party, and while denying that he had said anything improper to the supposed company representatives, said he was “mortified” to have fallen into the reporters’ “trap.”
February 22, 2015
Following up on the February 10 story in The Intercept, described below, on a document leaked by Snowden about cyber warfare between Iran and the United States, The New York Times reported that although the banks that Iran attacked in 2012 were not named in the document, Bank of America and JP Morgan Chase were the main targets. In addition, the Iranian attack on Saudi Aramco described in the leaked document “appeared to pave the way for a technically similar strike on Sony [by North Korea] last year.” A former senior intelligence official told The New York Times that the leaked document provided “more evidence of how far behind we are in figuring out how to deter attacks, and how to retaliate when we figured out who was behind them.”
According to the Times, the leaked document hinted that the NSA and GCHQ had arrived at a less generous arrangement than the GCHQ would have preferred for sharing information with the Israeli National Sigint Unit about cyber warfare with Iran.
February 21, 2015
The UK Home Office fully accepted the criticisms made by the Interception of Communications Commissioner, Sir Anthony May, of police use of the Regulation of Investigatory Powers Act (RIPA) to obtain records of journalists’ phone and email traffic without prior judicial authorization. Henceforth, Home Secretary Theresa May announced, police would be required to obtain judicially approved production orders under the Police and Criminal Evidence Act 1984. This is an interim solution pending legislation in the next Parliament.
February 20, 2015
The Wall Street Journal reported that The Intercept’s article of February 19, described below, on the NSA and GCHQ’s hacking of Gemalto “raise[d] the prospect of significant financial pain, with some analysts saying the company may be forced to recall chips if the alleged leak raises widespread worry among telecommunications customers or individual users over privacy.” In a written statement, Gemalto said that they were taking The Intercept’s article “very seriously and will devote all our resources necessary to fully investigate and understand the scope of such sophisticated techniques.” Deutsche Telekom AG, which uses Gemalto SIM cards, stated that Gemalto needed rapidly to provide an exact account of the scope of the breach.
Jan Philipp Albrecht, chief negotiator for the European Parliament on the EU’s data protection law, urged the Dutch government to investigate the allegations, stating that “[m]ember states like the U.K. are frankly not respecting [the law of the] Netherlands and partner states.” A spokesperson for the Dutch Interior Ministry declined to say whether the Netherlands would launch an investigation, but averred that the Dutch intelligence agency AIVD does not assist foreign intelligence agencies in illegal activities.
February 19, 2015
Documents leaked by Snowden and included in an article in The Intercept show that in 2010, a joint NSA-GCHQ unit, the Mobile Handset Exploitation Team, hacked into the internal computer network of Dutch multinational Gemalto, the world’s largest manufacturer of SIM cards. AT&T, Verizon, Sprint, T-Mobile, Vodafone, Orange, and some 450 wireless network providers around the world are clients of Gemalto.
Stealing the secret keys burned into Gemalto SIM cards spared the NSA and GCHQ the need to break the encryption on communications between 3G and 4G/LTE cell phones and wireless carriers: with a subscriber’s key in hand, intercepted traffic can be decrypted directly. The agencies were able to monitor cell phone users’ calls, texts, Internet communications, and contact lists without gaining approval from telecommunications companies or foreign governments and without leaving any trace of the interception on wireless providers’ networks.
Although the documents do not reveal the actual number of encryption keys stolen, an NSA document from 2009 states that the agency was able to process between 12 and 22 million keys per second and predicted that it would be able to process more than 50 million keys per second. GCHQ documents state that during three months in 2010, millions of encryption keys were harvested.
Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, stated that “[g]aining access to a database of keys is pretty much game over for cellular encryption,” and that the massive theft by the NSA and GCHQ was “bad news for phone security. Really bad news.” Gemalto executive vice president Paul Beverly told The Intercept that he was “quite concerned that this has happened,” and that “the most important thing for us now is to understand the degree” of the breach. Gerard Schouw, a member of the Dutch Parliament and the intelligence spokesperson for D66, the largest opposition party in the Netherlands, stated that, “We don’t want to have the secret services from other countries doing things like this.” Schouw and other lawmakers intend to ask the Dutch government to provide an official explanation and to clarify whether the country’s intelligence services were aware that the NSA and GCHQ were targeting Gemalto.
The NSA declined to provide any comment to The Intercept. In addition to the GCHQ’s usual “neither confirm nor deny” statement and avowal of the strictness of its legal and policy framework, a GCHQ spokesperson stated in an email that, “[T]he UK’s interception regime is entirely compatible with the European Convention on Human Rights.”
February 18, 2015
Following the February 6 decision of the Investigatory Powers Tribunal (“IPT”) against the UK government in regard to the sharing of information with the NSA’s Prism and upstream collection programs, the UK government admitted that for the past five years, the security and intelligence services had been monitoring attorney-client communications under an illegal regime. According to a government spokesperson, “we acknowledge that the policies adopted since [January] 2010 have not fully met the requirements of the ECHR [European Convention on Human Rights], specifically article 8 (right to privacy). This includes a requirement that safeguards are made sufficiently public.” The spokesperson claimed, however, that the concession “does not mean that there was any deliberate wrongdoing on their [sic] part of the security and intelligence agencies, which have always taken their obligations to protect legally privileged material extremely seriously. Nor does it mean that any of the agencies’ activities have prejudiced or in any way resulted in an abuse of process in any civil or criminal proceedings.”
The concession comes in advance of an IPT hearing in a case brought by Libyans Abdel-Hakim Belhaj and Sami al-Saadi, who allege that the security services illegally intercepted their communications with their attorneys in order to gain an unfair advantage in the civil action they brought against the UK government and others in connection with their abduction and subsequent torture by the Gaddafi regime. In accord with its usual policy, the UK government refused to either confirm or deny that Belhaj and al-Saadi’s attorney-client communications had been intercepted.
February 17, 2015
Privacy International followed up on the IPT’s Judgment of February 6 by posting a petition on which individuals from any country can provide their email addresses and telephone numbers for the purpose of having the GCHQ ascertain whether it obtained their communications from the NSA’s Prism and Upstream programs before December 2014. People whose communications are found to have been so obtained will receive a declaration from the IPT that the GCHQ violated their rights under Articles 8 and 10 of the European Convention on Human Rights. They can also request that the GCHQ delete any information about them that it obtained from the NSA before December 2014.
Over 10,000 people had signed the petition by the evening of February 17. In an email to The Intercept, a Home Office spokesperson stated that, “The current regime governing both the intelligence agencies’ external interception and intelligence sharing regimes is lawful and European Court of Human Rights compliant. This government is committed to transparency. It has made public more detail than ever before about the work of the security and intelligence agencies, including through the publication of statutory codes of practice.”
The petition is available at https://www.privacyinternational.org/?q=illegalspying
“FAQ: Did GCHQ Spy on You?” is available at https://www.privacyinternational.org/?q=node/495
February 16, 2015
At a conference in Mexico, Russian firm Kaspersky Lab published the technical details of research showing that since 2001, and increasingly aggressively since 2008, the US has deployed techniques related to Stuxnet to infect computers in thirty countries. The greatest number of infections was found in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. Government and military agencies, banks, Islamic activists, telecommunications companies, nuclear researchers, media and energy companies were among the targets.
The reported techniques include reprogramming the firmware of hard disk drives, the code embedded in the drive itself that runs below the operating system. The implant enables encryption keys and other data to be surreptitiously obtained from infected computers. Antivirus products, which inspect the operating system and its files rather than drive firmware, are ineffective against it, and a hard drive that has been wiped and reinstalled becomes reinfected.
According to the Kaspersky researchers, the firmware attacks would work on drives from more than a dozen manufacturers, comprising essentially the entire market, and developing them would have required access to the proprietary source code that controls the drives’ operation.
A former NSA employee confirmed to Reuters that Kaspersky Lab’s analysis was correct.
February 11, 2015
In the long-running Jewel case filed in 2008, Judge Jeffrey S. White of the federal district court for the Northern District of California granted the government summary judgment on February 10, 2015 against the plaintiffs’ claim that their Fourth Amendment rights were violated by the NSA’s upstream collection of their data under Section 702. In dismissing this constitutional claim without a trial, the district court relied on classified submissions by the government to find that the plaintiffs had not provided a sufficient factual basis to establish that, as AT&T customers, their Internet communications had been and were being collected under Section 702. Using Catch-22-type reasoning, Judge White opined, in the alternative, that even if the plaintiffs’ evidence of standing were sufficiently probative to defeat summary judgment, “harmful disclosures of national security information” would be crucial both to the government’s defense against the plaintiffs’ claims of standing and to its defense on the merits. Hence, the state secrets privilege precluded any resolution in court of the plaintiffs’ constitutional claims in regard to Section 702.
Judge White’s Order is available at https://www.eff.org/files/2015/02/10/jewel_order.pdf
February 10, 2015
An April 2013 NSA document prepared in connection with a planned meeting with the GCHQ and leaked by Snowden warned of the technological know-how that Iran had gained from cyber attacks carried out against it. Speaking of Iran’s cyber attack against Saudi Aramco in August 2012, which resulted in the destruction of data on tens of thousands of computers, the document stated that, “Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.” While stating that it had no indication of a planned cyber attack by Iran against a US or UK target, the NSA warned that “we cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime.”
The NSA document is available at https://firstlook.org/theintercept/document/2015/02/10/iran-current-topics-interaction-gchq
Pursuant to the requirements of Section 71 of the Regulation of Investigatory Powers Act 2000 (“RIPA”), the UK Home Office published drafts of a revised and updated Interception of Communications Code of Practice and a new Equipment Interference Code of Practice, for public comment from February 6 – March 20. The key changes in the draft Interception of Communications Code are clarification of the safeguards in Section 8(4) of RIPA for interception and handling of communications sent or received outside the UK and of the protections afforded to legally privileged and other confidential communications. The draft Equipment Interference Code explains when the UK Security and Intelligence Services, both in the UK and abroad, “can lawfully interfere with electronic equipment, such as computers, and the rules and safeguards that govern the use of any information obtained by these means.” In a Foreword, James Brokenshire MP, Minister for Immigration and Security, stated that “[t]he threat to the UK from terrorism, espionage and organised crime” had increased the importance of “[t]he abilities to read or listen to a suspect’s communications or to interfere with his or her computer equipment.” While stating that “[t]here are limits on what can be said in public,” Mr. Brokenshire acknowledged that “it is imperative that the Government is as open as it can be about these capabilities and how they are used.”
The revised and updated Codes and the UK government’s request for consultation are available at https://www.gov.uk/government/consultations/interception-of-communications-and-equipment-interference-draft-codes-of-practice
February 6, 2015
For the first time in its fifteen-year history, the Investigatory Powers Tribunal, the exclusive forum in the UK for complaints about illegal surveillance by intelligence agencies or law enforcement, issued a judgment against the Intelligence Services. In a case brought by Liberty, Privacy International, the American Civil Liberties Union, Pakistani organization Bytes For All, Amnesty International Limited, and others, the IPT held that until December 5, 2014, “the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities pursuant to Prism and/or (on the Claimants’ case) Upstream” contravened Article 8 or 10 ECHR [European Convention on Human Rights]. The IPT found that the Intelligence Services’ policies in regard to obtaining private communications from foreign governments and storing and transmitting them, including, in particular, policies in regard to communications obtained from the NSA’s Prism and upstream collection programs, were unknown to the public until their disclosure in hearings in the case and publication in the IPT’s Judgment of December 5, 2014. Hence, until December 5, 2014, the right to privacy in Article 8 and the right to freedom of expression in Article 10 of the ECHR were violated because the rules governing the Intelligence Services’ obtaining and use of communications from Prism and the upstream data collection programs were not sufficiently disclosed to the public. By contrast, in accord with its judgment of December 5, 2014, the IPT held that as a result of the Intelligence Services’ disclosure of the governing rules, Articles 8 and 10 of the ECHR were no longer violated.
Claimants Liberty, Privacy International, Bytes For All and Amnesty International plan to appeal to the European Court of Human Rights the IPT’s Judgment of December 5, 2014 that the ECHR is (i) not violated by the RIPA legal regime governing the GCHQ’s alleged Tempora program and (ii) no longer violated by the Intelligence Services’ obtaining and use of private communications from the NSA’s Prism and the upstream data collection programs.
The IPT’s Judgments of December 5, 2014 and February 6, 2015 and its Order of February 6, 2015 are available, respectively, at http://www.ipt-uk.com/docs/IPT_13_168-173_H.pdf, http://www.judiciary.gov.uk/wp-content/uploads/2015/02/liberty-v-fco.pdf, and https://www.scribd.com/fullscreen/254908600?access_key=key-NLzI97FQvT1DBPBdjt57&allow_share=false&escape=false&show_recommendations=false&view_mode=scroll
On January 28, the Brazilian government posted its Preliminary Draft Bill for the Protection of Personal Data in order to facilitate public debate. The Draft Bill imposes obligations on individuals and organizations that process personal data through automatic means if the processing occurs in Brazil or the data is collected in Brazil. The bill would also restrict the transfer of personal data to countries not providing as high a level of data protection as Brazil.
The Draft Bill (in Portuguese only) is at http://participacao.mj.gov.br/dadospessoais/
February 3, 2015
Marking the anniversary of President Obama’s signing on January 17, 2014 of Presidential Policy Directive-28, Signals Intelligence Activities (PPD-28), and his accompanying speech on intended measures to protect people’s privacy regardless of nationality, the Office of the Director of National Intelligence released “The Signals Intelligence Reform Anniversary Report 2015.” The most significant expansion of foreigners’ rights to privacy was that SIGINT collected about them must now be deleted after five years “unless the information has been determined to be relevant to, among other things, an authorized foreign intelligence requirement, or if the Director of National Intelligence determines, after considering the views of … agency privacy and civil liberties officials, that continued retention is in the interest of national security.” By contrast, the Report states that “the government must delete communications to, from, or about U.S. persons acquired [through warrantless surveillance] under Section 702 that have been determined to lack foreign intelligence value.”
Cybersecurity expert Professor Alan Woodward of Surrey University voiced concerns to the BBC about the five-year rule for retaining foreigners’ data, stating that, “Regimes change, governments change, and if they keep your data – and it’s getting easier and cheaper to keep it – who knows what it might be used for in the future?”
The Report is available at http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties
January 29, 2015
On January 1, Finland’s Information Security Code (2014/ 917) came into effect, and made the obligation to protect the confidentiality of communications extend beyond telecommunications providers to all providers of electronic communications services, such as instant messaging services and online social networking tools. The Code’s approach to extraterritoriality is similar to that of the forthcoming EU General Data Protection Regulation, and its privacy protections extend to businesses established outside the EU that offer their services in Finnish or otherwise target Finnish residents.
January 28, 2015
The Intercept and Canada’s CBC News jointly reported on a PowerPoint presentation from 2012 leaked by Snowden describing the Levitation project of the Canadian counterpart of the NSA and GCHQ, the Communications Security Establishment (CSE). Under Levitation, CSE agents intercept 10 to 15 million downloads and uploads per day by people in Europe, the Middle East, North Africa and North America. Although the presentation states that the CSE accesses data from 102 free file-sharing sites, the only sites named are RapidShare, SendSpace and the now defunct MegaUpload. 350 “interesting download events” are reportedly found each month, amounting to less than 0.0001 per cent of the total traffic collected. Once downloads or uploads are flagged as suspicious, CSE analysts can input the associated IP addresses into the GCHQ’s Mutant Broth database to view five hours of traffic associated with the IP address before or after the download or upload occurred. CSE analysts can also use the year’s worth of online metadata in the NSA’s Marina database to find further information about flagged IP addresses. Instead of relying on cooperation from file-sharing companies, Levitation obtains data directly from internet cables that are tapped by the CSE’s Atomic Banjo project.
While the CSE’s ability to monitor users of RapidShare and SendSpace may have been thwarted by these sites’ encryption of their users’ connections since 2012, many popular file-sharing sites have yet to adopt encryption.
New Chinese government regulations require companies selling computer equipment to Chinese banks to turn over secret source code, submit to invasive audits, and build back doors into hardware and software. In a letter to a Communist Party committee on cybersecurity led by President Xi Jinping, the US Chamber of Commerce and other foreign business groups objected to what they saw as a growing trend for concerns about cybersecurity to be used as a guise for requiring the exclusive use of technological products and services developed and controlled by Chinese companies. According to The New York Times, “Recent calls by the director of the Federal Bureau of Investigation, James B. Comey, to assure that the United States has a key to decrypt information stored on iPhones and other devices will doubtless be used by the Chinese to argue that all governments need access to sensitive computer systems.”
A senior government official acknowledged the Chinese government’s role in recent sophisticated attacks on popular VPN services in China, and promised more of the same.
The German conference of data protection commissioners hosted a European Data Protection Day event entitled “Europe: Safer Harbor for Data Protection? – The Future Use of the Different Level of Data Protection between the EU and the US.”
At the event, the initiation of administrative proceedings in the German states of Berlin and Bremen in regard to data transfers by two US companies pursuant to the Safe Harbor Framework was revealed.
The schedule for the event (in German only) is available at https://www.huntonprivacyblog.com/files/2015/01/Flyer_EuropäischerDatenschutztag_2015_web.pdf
January 27, 2015
In response to FOIA actions brought by The New York Times and the Electronic Frontier Foundation, on January 26, the US Department of Justice released a redacted version of an Order of May 31, 2007 in which FISC Judge Vinson relied on the “roaming wiretap” provisions of FISA to authorize warrantless surveillance of the contents of foreign telecommunications. Also released was an Order and Memorandum Opinion of August 2, 2007 in which Judge Vinson ruled that the provision for warrantless surveillance in his Order of May 31, 2007 applied to any foreign telephone number or email address for which, at the time it applied for the Order, the government had not “connected the dots” and found probable cause of use or imminent use by a member or agent of a foreign power.
The released versions of Judge Vinson’s Order of May 31, 2007 and Opinion and Order of August 2, 2007 are available at http://www.nytimes.com/interactive/2015/01/27/us/27-fisc-foia-documents.html
For discussion of the other FISC opinions and orders in 2007 pertaining to warrantless surveillance that were previously released in response to the FOIA actions by The New York Times and EFF, see the December 12 entry in Aidan Booth and Adina Schwartz, “International Chronicle of Surveillance Events-2014,” available on this website.
For a more detailed analysis of the legal issues in the FISC opinions and orders released on December 12, 2014 and January 26, 2015, see Section I H of Adina Schwartz, “Challenges in the United States to the Secrecy of NSA Surveillance,” available on this website.
January 23, 2015
At a ceremony on the historic thoroughfare of Unter den Linden, just opposite the Soviet embassy in former East Berlin, the Sam Adams Award for Integrity in Intelligence was awarded to whistleblower William Binney, former technical director of the NSA. In accepting the award, Binney stated that he had resigned from the NSA in 2001 because he believed that the agency’s bulk collection of US citizens’ data amounted to “purposefully violating the Constitution.” According to Binney, “That’s what the Stasi did, the KGB did it – every totalitarian state down through history did that.” Speaking by video hookup from Moscow, Edward Snowden, who received the Sam Adams Award in 2013, said, “Without Bill Binney, there would be no Edward Snowden.”
January 21, 2015
In a briefing paper prepared after this month’s terrorist attacks in Paris for a meeting of EU interior ministers next week, EU Counter-Terrorism Coordinator Gilles de Kerchove wrote that, “The Commission should be invited to explore rules obliging Internet and telecommunications companies operating in the EU to provide … access of the relevant national authorities to communications (ie share encryption keys).” Jan Philipp Albrecht, a Green member of the European Parliament from Germany, accused de Kerchove of reaching for “the toolbox of repressive regimes … by asking for a back-door way into encrypted communication”.
January 19, 2015
A 70,000-line spreadsheet from November 2008 leaked by Snowden summarizes information gained from a single intercept, suggesting that in a few minutes during a single day that month, the GCHQ collected emails to reporters and photographers at at least a dozen international news organizations, many United Nations officials, workers at far-flung oil companies and tens of thousands of other people.
January 17, 2015
Documents leaked by Snowden show that surveillance of the Internet is considered “Phase 0” of the US digital war attempt to “control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0).” A key component of the digital war strategy is “Fourth Party Collection” in which the NSA and its Five Eyes allies view the intelligence services of all other countries as potential targets. Fourth Party cyber attacks are traced, observed and analyzed with the stated aim of “[s]teal[ing] their tools, tradecraft, targets and take.”
January 16, 2015
In a filing in a prosecution for illegally exporting goods to Iran, the Justice Department revealed that the US Drug Enforcement Agency (“DEA”) had maintained records of the numbers, times, lengths and dates of calls from the United States to countries with connections to international drug trafficking and related criminal activities. Although Justice Department officials stated that telephone numbers were used to query the data base only where “federal law enforcement officials had a reasonable articulable suspicion that the telephone number at issue was related to an ongoing federal criminal investigation,” phone records were retained even if there was no evidence that callers were engaged in criminal activity. As shown by the filing in the illegal export case, other law enforcement agencies had access to the DEA data base.
A Justice Department spokesman said that the DEA had stopped collecting bulk call records in September 2013 and that all of the information in the database had been deleted. In a letter last March urging Attorney General Eric H. Holder Jr. not to restore the program, former head of the Senate Judiciary Committee Senator Patrick J. Leahy wrote that the DEA had been “indiscriminately” collecting “an enormous amount of information about many Americans for use in routine criminal investigations — rather than national security efforts,” and stated that he was “deeply concerned about this suspicionless intrusion into Americans’ privacy in any context, but it is particularly troubling when done for routine criminal investigations.”
In response to the Charlie Hebdo and kosher market shootings, Valérie Pécresse, a minister under former President Nicolas Sarkozy, suggested that the French government needed surveillance powers similar to those under the USA Patriot Act. The suggestion was strongly criticized on both sides of the Atlantic, with former French prime minister Dominique de Villepin warning against “exceptional” measures, and François Fillon, the prime minister under Mr. Sarkozy, stating that if any freedoms are abandoned, “we give justification to those coming to fight on our land.”
At a news conference in the White House with UK Prime Minister David Cameron, President Obama said that as part of the fight against terrorism, the US and UK governments had been talking to private companies about how they could obtain more access to encrypted messages on the Internet, while respecting “legitimate privacy concerns.”
January 14, 2015
In response to a decision by the Federal Information and Data Protection Commissioner, Switzerland’s State Secretariat for Economic Affairs (SECO) published a list of licenses issued in 2014 for the export of surveillance technology equipment, including costs and destinations. Twenty-one licenses were granted for the export of IMSI catchers, among them, exports to Ethiopia, Indonesia, Qatar, Kuwait, Lebanon, Lithuania and Thailand for a total of 8 million Swiss francs. In response to questions raised by Members of the Swiss Parliament and the government’s refusal to decide whether to grant licenses, in early 2014, companies withdrew requests to export internet monitoring equipment to Ethiopia, Indonesia, Yemen, Qatar, Malaysia, Namibia, Oman, Russia, Chad, Taiwan, Turkmenistan, UAE, and China.
January 11, 2015
On January 9, 2015, in response to a court order in a FOIA lawsuit brought by The New York Times, the Justice Department released a redacted version of a previously wholly classified report by the Department’s Inspector General (“IG”) in September 2012 on the FBI’s activities under Section 702, the warrantless surveillance provision of the FISA Amendments Act. The Report stated that in 2008, the FBI began reviewing NSA agents’ selection of email accounts for targeting under the Prism program, but saw “no reason to presume that the NSA is not upholding its constitutional duty” or “to question the [NSA’s] presumption that the vast majority of persons who are located overseas are not United States persons and that most of their communications are with other, non-United States persons who are also located overseas.” Beginning on October 14, 2012, raw data acquired by NSA agents under 702 was “dual routed” for analysis and retention by the FBI, and the FBI began nominating new email accounts and phone numbers for use in targeting communications in April 2012.
The Report also showed that after FISC Judge Vinson refused in April 2007 to re-authorize the warrant that Judge Howard had granted in January for indiscriminate interception of contents of communications, and Judge Howard’s subsequent one-time temporary renewal of the warrant expired, Judge Vinson issued a warrant on May 31, 2007 for the interception of international communications to and from specific email addresses and phone numbers that he found probable cause to believe were being or about to be used by agents of a foreign power. A former senior Justice Department official claimed that by requiring the NSA to make probable cause showings for each selector email address and phone number, Judge Vinson “caused the NSA to place fewer foreign selectors under coverage than it wanted to.” As a result of this and “the comparatively laborious process [that Judge Vinson’s Order imposed] for targeting selectors,” the Bush Administration accelerated the efforts to gain legislative approval for warrantless surveillance that led to the enactment of the Protect America Act in August 2007.
The heavy redactions in the released version of the IG’s Report include only one uncensored reference to the Prism program, and a New York Times attorney stated that it might challenge the redactions at a later stage in the FOIA litigation.
The redacted version of the IG’s report is available at http://www.nytimes.com/interactive/2015/01/12/us/12-doj-ig-fbi-702-foia.html
January 7, 2015
In response to questions by the Committee on Civil Liberties, Justice and Home Affairs, the Legal Service of the European Parliament issued an opinion on the implications of the invalidation of the EU Data Retention Directive by the European Court of Justice (“CJEU”) in Digital Rights Ireland (the “DRI judgment”). According to the opinion, the DRI judgment might be applied, in separate proceedings before the CJEU, to lead to the invalidation in whole or part of existing EU laws “requiring mass personal data collection other than traffic data, storage of the data of a very large number of unsuspected persons and access to and use of such data by law enforcement authorities” (e.g., the Terrorist Finance Tracking Program (“TFTP”) agreement and the Passenger Name Records (“PNR”) agreements with the US and Australia). Pending EU international agreements and new and pending internal EU legislation in “the general context of programmes of surveillance must clearly now take account of the reasoning of the Court of Justice in the DRI judgment.” While any obligation on the part of Member States to retain traffic data on publicly available telecommunications service and networks is abolished by the DRI judgment, any data retention laws enacted by Member States must conform to the judgment.
The opinion of the Legal Service is available at https://s3.amazonaws.com/access.3cdn.net/27bd1765fade54d896_l2m6i61fe.pdf