NSA Screws Up Another Thing: EU Court Of Justice Throws The Internet For A Loop In Ending Safe Harbor

from the well,-now-what? dept

A couple of weeks ago we wrote about the fact that it appeared that the EU Court of Justice was likely to throw out the EU-US data protection safe harbor as invalid, following a case brought over the NSA’s snooping on US tech companies — and now it has happened. The “the EU-US data protection safe harbor” may sound boring, but it’s actually been fairly important in making sure that US internet companies can operate in Europe. It’s been under attack for some time from those who feel that these American companies don’t take European privacy interests seriously enough, but it’s really the NSA and its idiotic “collect it all” mentality that has brought the whole structure crashing down. Many will celebrate this, but probably for the wrong reasons. As it stands right now, this result is undoubtedly bad for the internet. What happens next is key. If you want to blame anyone… blame the NSA. And if the US wants to fix this mess, it needs to stop mass surveillance.

The case was brought by Max Schrems, an Austrian privacy activist who argued that the NSA’s PRISM surveillance program (a program that resulted from Section 702 of the FISA Amendments Act, and enables the NSA to request certain information from internet companies, once approved by the FISA Court) violates the safe harbor. The safe harbor itself was established back in 2000 in order to allow internet companies to transfer data from Europe back to the US, with a promise that the privacy of that data would be kept at a similar level as if it were in Europe. The process for getting such safe harbor protections is something of a joke (we’ve gone through it here at Techdirt), and mostly involves throwing money at an organization that takes money to make sure your policies comply with the safe harbor requirements. Like so many regulations, it really seems to only serve to shift money to those who make sure you comply.

Still, losing those safe harbors can really shake up the internet — and not necessarily in a good way. While I’m sure some (probably short-sighted) privacy advocates will cheer on this result, it’s going to make a mess of things for the time being. Europe has been working on a new data protection directive to update the old one (which the safe harbor is based on) and early indications are that it will be a mess, and potentially hazardous to free speech rights. In addition, the US and EU have been trying to negotiate a new data protection safe harbor anyway, and that hasn’t been going smoothly, and this will continue to throw a wrench into things.

Big companies will likely be able to negotiate their way around this, but there will likely be some legal flareups in one or two countries, creating a mishmash of jurisdictional confusion over privacy rights. Smaller internet companies will now face much greater threats in doing business in Europe. Even worse, some are going to use this as an opportunity to try to fragment the internet, demanding companies keep data locally within country borders — which actually will create more targets for mass surveillance, rather than fewer. Chances are that little will change in the immediate future — as many companies will just keep right on doing what they’re doing and hoping no one really cares. But the potential for people to bring lawsuits could shake things up.

In the specific case here, the Court of Justice found that the safe harbor was invalid, and thus it did not stop Irish officials from considering Schrems’ complaint that Facebook violated his rights in making data available to the NSA. So that specific case still needs to move forward and should be interesting to watch.

In short, though, this is yet more damage directly done by the NSA and the US’s ridiculous attitude towards mass surveillance, without any concern at all to the economic costs that such mass surveillance creates for US companies. As the EFF notes in its response to the news, the US brought this on itself with its idiotic mass surveillance efforts. This end result is a mess that could lead to greater fragmentation of the internet, which won’t do anything to better protect people’s privacy (and, actually, might make it more exposed). The only logical way forward is to move away from mass surveillance and towards a more comprehensive view of privacy that takes into account the public’s rights — including the right to free expression. Danny O’Brien at EFF sums it up nicely:

That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you’ll find the NSA?or other European states, or even your own government? breaking into those systems to extract it.

What will change the equation is for states, including and especially the United States, to realize that dragnet surveillance undermines their national security and the global security of our data. It has economic consequences, as regulators, companies and individuals lose trust in Internet companies and services. It has political consequences as nations vie to keep data out of the hands of other countries, while seeking to keep it trackable by their own intelligence services.

There’s only one way forward to end this battle in a way that keeps the Internet open and preserves everyone’s privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control.

The ruling today is not a win for privacy. It creates a bigger mess, but it’s one that needs to be cleaned up at the source, and that’s where governments (and not just the US government) are going with mass surveillance. Unfortunately, there doesn’t seem to be any indication that this is what’s going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won’t change anything, but which may just be more expensive for companies. That’s a mistake. There’s a way to fix this mess and it’s to stop mass surveillance.

Filed Under: , , , , , , , , , , ,
Companies: facebook

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “NSA Screws Up Another Thing: EU Court Of Justice Throws The Internet For A Loop In Ending Safe Harbor”

Subscribe: RSS Leave a comment
45 Comments
Violynne (profile) says:

Full stop.

It’s impossible to say this ruling affects US businesses at the fault of the NSA.

Because to claim otherwise means there’s a terrifying consequence: The NSA can read encrypted traffic.

Safe Harbor means US companies must encrypt the data as it transfers over the Atlantic. No encryption means the law was violated to begin with, regardless if the NSA was snooping.

This has zero impact on the internet as a whole, except by those who don’t understand what’s going on, which sadly, means those who just changed the EU ruling.

You can’t have it both ways: you’re either violating the law without encryption or your not affected because of encryption.

Someone needs to sort this mess out before even more ignorance spreads.

Violynne (profile) says:

Re: Re: Re:

Ninja,

Assuming the NSA has access, it’s still a moot point. You can bet if the NSA has access on our side, the GBHQ has access on their side, making the whole privacy issue pointless.

What’s at stake here is far more important than whether or not government agencies has access to the data.

It’s more important to focus on the ruling’s complete and utter ignorance, because it’s just a first step toward more asinine and ignorant law making.

We work with the Safe Harbor all the time, so I’m well versed on what we need to do to capture and protect EU data. Not only is our transfer encrypted, but the data itself is twice encrypted, which actually exceeds the recommendation.

If the NSA/GBHQ has access to that, everyone is fucked and no law will change that. Ever.

Whatever (profile) says:

Re: Re:

I think you have a very valid point here. If the data was encrypted, then it was nominally in compliance with EU law, and generally NSA (and anyone else) couldn’t capture it and decode it at a reasonable level.

So, if NSA did in fact capture this guys data from Facebook (or some other source) then the implication is that they moved the data via insecure, un-encrypted methods, in violation of EU policy in the matter. NSA doesn’t generally have the keys to decrypt the data, someone had to do it for them.

While what NSA was doing may be deplorable, it doesn’t in any way excuse poor data handling. NSA only would obtain the data if it was moved without encryption. Proper (and compliant) data handling would have resolved the issue before it happened.

So let’s not have a rush to judgement.

Mike Masnick (profile) says:

Re: Re:

Because to claim otherwise means there’s a terrifying consequence: The NSA can read encrypted traffic.

This is not true. You are confusing encryption in transport with encryption of the data itself. The data is encrypted in transit, which protects it from snooping on the fly. But at rest on servers, companies like Facebook have access to it (for everything except Whatsapp, which has real end-to-end encryption).

So I think you’re jumping to conclusions.

Anonymoose says:

Re: Re:

I think you’ve misunderstood. This was about PRISM which did not sit on the outside of these companies networks, but was a legally forced tap to the inside of these networks.

They were getting the information in the clear, before the outgoing was encrypted and after the incoming was decrypted. That’s why you saw companies like Google touting that they now encrypt their internal network after PRISM was revealed to the public.

PRISM was a legal order that forced compliance on these companies with an attached gag order, and there’s nothing to say this isn’t currently going on with all these big tech companies in the US.

Machin Shin (profile) says:

Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.

You can opt-out yes, but as has been shown with Windows 10 for example, they can opt not to listen to you.

This is why I’m really liking the idea that we push forward with making everything encrypted. The governments and the companies took advantage of the trusting nature of how the net was built. Now it is time that we slap their hand and make them at least have to work harder to vacuum up data.

Anonymous Coward says:

Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.

You can opt-out yes, but as has been shown with Windows 10 for example, they can opt not to listen to you.

If you opt out of Windows by using Linux or one of the BSDs, then Microsoft will take not as their sales drop off.

John Fenderson (profile) says:

Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.

“You can opt-out yes, but as has been shown with Windows 10 for example, they can opt not to listen to you.”

You’re opting out wrong. You opt out of Windows 10 surveillance by either firewalling off Windows 10 or (preferably) not using it.

“opt out” is not asking permission from spies to not spy on you. “Opt out” is to avoid using products and services that spy on you.

Anonymous Coward says:

Re: Re: Re:2 "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.

But that’s hardly a solution.

Sure, you don’t use such products. But others do. Will you stop talking or chatting with anyone that uses Windows 10, for example? Are you sure that the hardware of the computer you’re using isn’t spying on you? And the ISP? And the VPN you’re using?

Because by spying on what they do, they spy on what you do too. Remember that a chain is as weak as the weakest link.

In the end, the reality is that you can’t opt out of corporations either, the same as governments.

Ninja (profile) says:

Re: Re: Re:3 "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.

You can still opt out once it’s revealed that the corporation is spying on you and you can take steps to educate people not to use Windows 10 for instance or at least use proper encryption. You CANNOT opt out from government surveillance even when it is revealed.

Anonymous Coward says:

Re: Re: Re:4 "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.

For starters, education tactic never works. Just try to explain your friends/lover/relatives/co-workers/whoever you may be chatting with about, uhm, something easy… how to use bookmarks, and half of them will tell you that they can’t do so.

Most people don’t care about computers and they just use the given package. Don’t expect them to learn to use Linux just because you are telling them that Windows spies on them. Or to stop using Facebook, Whatsapp, Apple or Google.

Secondly, if you can opt out from corporations using encryption, then you can do the same from governments, using the same or better encryption (it’s always a matter of using a good enough one).

Of course, no method is immune if whoever is headstrong enough. Corps tend to be a bit less, sure.

But that’s because they control the government, that does what they want to do. Easy as that. Why bother themselves when they got dogs that will do their dirty job?

So in the end, opting out from corps is as hard than doing so from the government; because in the end, they are the same.

You have already heard that the NSA has been spying on foreign citizens, not to catch terrorist, but to further the economic interests of the USA, haven’t you?

Who do you think to told them to do that? Obama? Bush?

To be honest, the “opt out” strategy isn’t the solution. For starters, because that isn’t the way the things should be.

If everyone is selling rotten meat, the solution isn’t to stop eating meat, but to forbid them from selling rotten meat.

And yeah, education is a solution. But you don’t educate a few people, you need to educate a nation.

It’s harder, but people might be more supportive to forbid people from selling rotten meat than from not eating meat at all.

nasch (profile) says:

Re: Re: Re:2 "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.

I think it’s safe to say, anyone who uses Facebook in the first place is not someone who cares overly much about their privacy.

He’s talking about people who don’t want to use Facebook, but Facebook has a profile on them anyway.

Hoosiwhatsis says:

Re: Re:

As a young man I used to work w/some major tech companies in the wild and heady early days of the Internet, ~95-’05, and was absolutely amazed at what we were doing (and how much $$ was being made) and chuckled at the whole ‘This Internet thing is only a fad’ joke. Yuk yuk yuk.

Sadly, as I have grown older and seen how governments and corporations have largely perverted and thoroughly prostituted the Internet with all their tracking, surveillance, and Orwellian – and largely successful – attempts to control it all – I am closer to thinking that the ‘Internet is a fad’ people really weren’t that far off, they just didn’t understand why it was a fad.

These days I can hardly justify working in such tech companies anymore, and instead I am going completely in the other direction: tuning out, going silent, going off grid, getting debt free, unsubscribing from more and more sites and services, getting a burner phone and throwing my iPhone plan away, setting up my own solar power, harvesting my own rainwater, growing my own food.

In short, disconnecting from the sick cancer that is sweeping the US…and much of the world…in the only way I can – by disconnecting. Frankly, it wouldn’t surprise me if in a couple more years I don’t even ‘surf the web’ at all. Except, maybe at a public library every once in awhile.

To be honest, my sanity and wellness has increased immeasurably since I started disconnecting. Reading books in a cozy cabin is so relaxing. Eating food I prepared myself is healthy and tasty.

Who knows, maybe someday when things like mesh networks take over I might start venturing out into the ‘Internet’ again, but as it is currently constituted…I look upon the existing ‘Internet’ as a zone that is now essentially a Digital Concentration Camp where I am a number to be tracked, monetized, surveilled, intimidated, stomped on, imprisoned, cast aside, and otherwise folded…spindled…and mutilated…at the will and whim of our Corporate & Stasi Overlords.

What a long strange trip it’s been.

And, Jesus WEPT.

David says:

I think you got it wrong

And if the US wants to fix this mess, it needs to stop mass surveillance.

No, not at all.

All the NSA has to do is to lie about the mass surveillance of non-U.S.-citizens like it does about that of U.S. citizens.

The official stance of the U.S. government is that Fourth Amendment protections apply only to U.S. citizens and everybody else is free game for snooping.

Now of course we all know since Snowden that obviously every U.S. citizen is equally free game for snooping. But there is a flimsy pretense that this isn’t so.

But with regard to non-U.S.-citizens the official stance is that they enjoy no legal or factual protection whatsoever from pervasive surveillance and, since they enjoy no protection, are also free game for economical espionage.

With that official stance, a safe harbour agreement is, of course, not even worth pretending to be worth the paper it is printed on.

All the U.S. government needs to do in order to fix this is to invest the same amount of lying about foreign surveillance than they do for domestic surveillance and they should be good to go.

But as long as they do not even bother lying about it, there just is no basis for even pretending anything like a safe harbour is making any sense.

Anonymous Coward says:

You cannot handle NSA by legislation as their word-play legality has proven and I am not sure it would be desirable either way since less well regulated national governments are doing as problematic, if not worse things.

It is important to be specific here: What needs to go, is the surrender of data from a trusted party towards a third party without consent or judicial recourse!

The possibility of judicial recourse will never exist for individuals in todays national sovereignty world (so much for “corporations are people”, since multinationally incorporated entities have no passport and can hold as many legal nationalities as they like, and in that way circumvent unwanted laws!), Thus consent would be the only way foreward.

Only by making people consciously consent to selling their soul they will be able to see what they give up and eventually improve the broader adoption of univeral encryption, which is the only way out of the spy-on-all conundrum! While NSA are screaming in rage about encrytion since it hurts their collect-it-all paradigm, it is perfectly possible to go back to real-time and targeted surveillance even with 100% encryption!

Anonymous Coward says:

I’d say that this sums up this pretty nicely too:

“It’s been under attack for some time from those who feel that these American companies don’t take European privacy interests seriously enough”

To be honest, I wouldn’t say it’s only because of the NSA mass surveillance. That was just the finishing combo.

Many people from the EU are quite worried because it seems that US companies don’t take privacy seriously enough. The EU ones are bad enough, just that the perception is that US ones are worse, in part because that market is way less regulated.

Also, a question, I saw that on the 2011 PSN hacking incident, they applied the California laws even if the data were breached from users worldwide. That’s how the suit got dismissed (plus the “there is no perfect security”).

Does that mean that US laws apply and not, for example, EU ones?

If so, what are the safe harbours for? The idea is that they would be allowed to use and transfer EU citizen data if they follow the EU laws, don’t they?

Oh, and btw, this has nothing to do with encrypting in transfer or not, but what happens on their servers (and their soil) afterwards. If the NSA has any backdoor (legal or not) to those servers, no wonder anyone would be worried.

And yet, knowing what I know, I wouldn’t trust my government with my privacy, they are as bad as any other.

I guess that the difference is that I get some say (once every 4 years, lol) regarding the laws of my government, while I can’t say a thing about the laws of the US.

David says:

Re: Re:

I guess that the difference is that I get some say (once every 4 years, lol) regarding the laws of my government, while I can’t say a thing about the laws of the US.

In the U.S., you get a say about the laws of the U.S. whenever you want, and with the tally you want. You’ve probably seen the ballots. They are rectangular and carry the portrait of Ben Franklin in green and black. Well, those ballots don’t really count for much, but there are also ballots with Woodrow Wilson’s portrait and writing your wishes on those gets them some nice consideration.

Anonymous Coward says:

Re: Re: Re:

In the EU there is more variety to those ballots, though the preferred colour is a purplish one, properly placed in Switzerland.

It’s smaller that Woodrow Wilson’s ones, but it feels better to be given a bunch of papers rather than a few smaller ones. At least you can cool yourself with them while waiting for the next vote.

I guess every country prefers the votes given in their proper ballot.

boundlessinformant says:

Can never trust US based internet services with sensitive data again...

As a foreign (to the US) citizen, I can never (atleast the forseeable near future) trust a US based internet company again with any kind of sensitive data.

Sorry, your government fucked up, and your corporations (the ones that we know of) played ball instead of being honest with their customers and respecting their rights.

Trust is hard earned, but easily lost!

Wyrm (profile) says:

Paradox

It’s amusing to see how EU rules that “US mass-surveillance is bad” and thus ends “safe harbor” provision… and some EU countries (eg. France) actually move towards more surveillance (including mass-surveillance), with significantly little protection and close to none when foreigners are involved.

Some people are trying to bring this to the EUCJ, so let’s see if they manage some consistency or if it all comes crashing down in a hypocritical “do as I say, not as I do”.

Anonymous Coward says:

Re: Paradox

I think the same.

One of the positive parts of this ruling is that well, the EUCJ has grounds to repeal the mass surveillance from France, Germany and the UK at least. If it ruled the opposite, then it would have meant that it sanctioned the mass surveillance programs as being in line with EU Data Privacy Directives.

Of course, it could all end how you said.

Anonymous Coward says:

Re: Paradox

Indeed. It seems the entire western world is obsessed with monitoring everything their citizens do. The countries are just arguing about details in how precisely it’s to be carried out, and if the public could please be kept silent or better yet oblivious.

Take Sweden for example, who happily whines about the NSA and US corporations, but when the ECJ rules the data retention directive compleely and utterly void due to it’s uncontitutional nature, does Sweden remove it? Of course not. The conservatives were not about to throw away perfectly good surveillance, and as the socialists took over in the next election, the silence on the matter was simply eerie.

Wendy Cockcroft says:

The ruling today is not a win for privacy.

Well, no. The win is that the need to end mass surveillance has been exposed; and that those corporations that are complicit in it will be made to suffer one way or the other if they don’t change their ways. That’s what we’re cheering for.

Unfortunately, there doesn’t seem to be any indication that this is what’s going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won’t change anything, but which may just be more expensive for companies.

Sometimes things have to get worse before they get better. It doesn’t help that those companies that aren’t actively profiteering from surveillance are caught between a rock and a hard place; they’re damned by the courts, etc., if they DO enable surveillance, and damned by the governments involved if they don’t. Not a place I’d like to be in.

There’s a way to fix this mess and it’s to stop mass surveillance.

Follow the $$$. There’s too much money to be made from surveillance (I’m convinced the surveillance companies are selling our data on the side, or colluding with entities that do) to give it up. Ultimately, it’s not even about having all the information you’ll ever need at your fingertips; if I’m right, it’s about having all the information you can ever sell at your fingertips. Until we get the profit motive out of the equation, enjoy surveillance.

Anonymous Coward says:

Actually, ¿doesn’t this ruling bring something interesting into the table?

Isn’t this the first time that a EU institution shows that they actually believe what Snowden leaked?

Yeah, yeah, I know. We got plenty of governments, and even the EP, making statements over the NSA surveillance and such; but they were that, mere statements, even with votes, directives and such.

Now the EUCJ has spoken. Well, it has ruled. It has applied a law regarding this issue, and believes what Snowden say.

You can gloss over what a governing body (EP, EC, Commission, national government) says or states by claiming it’s pure political speech.

But you can’t gloss over a sentence of the highest court in the EU as “political speech”. It’s a ruling.

I’d say it’s the first time that the law has been applied by believing the Snowden leaks.

I’d say it’s something to consider.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...