European Court Of Justice Rules Against UK's Mass Surveillance Program

Privacy

from the will-it-matter-after-brexit? dept

Over the summer, we noted that the Advocate General for the European Court of Justice had sort of punted on the issue of whether or not the UK’s Data Retention and Investigatory Powers Bill (DRIPA) was actually legal. Thankfully, the final ruling is much clearer: “general and indiscriminate retention” of emails and other electronic communications is illegal in the EU according to the court. The only thing that is allowed is targeted interception, used to combat “serious crime.”

This is a pretty big deal, as the original recommendation from the Advocate General had suggested that DRIPA might be found legal. Of course, DRIPA is in the process of being superseded by the even worse Investigatory Powers Bill, better known as the Snooper’s Charter. If DRIPA violates the law, than the Snooper’s Charter almost certainly does so at an even greater level. Of course, there is some irony in all of this, in that the case that came to the CJEU was brought by a Member of Parliament, David Davis, who is now the “Brexit Secretary,” meaning that he’s helping to organize the process by which the UK will be removed from the EU… such that it may not even matter what the EU’s Court of Justice has to say on the matter.

The UK has also made it clear it’s going to appeal the decision, meaning that it will get to drag this process out as long as possible, potentially until the Brexit process is completed, at which point the ruling will not matter.

Still, it should at least raise question in the UK about why their politicians are granting the government powers to snoop on every member of the public at a level that goes way beyond what is considered appropriate.

Filed Under: cjeu, data retention, david davis, drip, dripa, european court of justice, investigatory powers bill, ip bill, mass surveillance, snooper's charter, uk

Parliament Passes Snooper's Charter, Opens Up Citizens To Whole New Levels Of Domestic Surviellance

Privacy

from the surfing-the-internet-with-The-Man dept

Despite loudly, and repeatedly, raised concerns from activists and members of Parliament, the UK’s Snooper’s Charter (a.k.a., Investigatory Powers bill [PDF]) has been passed by both parliamentary houses and only needs the formality of the royal signature to make it official.

These are the fantastic new things UK citizens have to look forward to with this expansion of government surveillance power.

The law will force internet providers to record every internet customer’s top-level web history in real-time for up to a year, which can be accessed by numerous government departments; force companies to decrypt data on demand — though the government has never been that clear on exactly how it forces foreign firms to do that that; and even disclose any new security features in products before they launch.

The list of new powers doesn’t end with these. UK intelligence agencies are also given permission to perform “electronic interference” — hack into computers and electronic devices belonging to UK citizens, not just individually, but in bulk. It also codifies secret (and illegal) surveillance of UK citizens that the country’s intelligence agencies have engaged in for years without proper authority or oversight.

The government, of course, is trying to portray this as nothing more than a fine tuning of preexisting laws, specifically the Regulation of Investigatory Powers Act (RIPA). Glossed over in its perfunctory “nothing to see here” explanation is the fact that RIPA was also rushed into existence to codify other secret and illegal surveillance programs.

But it’s no ordinary update of existing investigatory laws. Jim Killock of the Open Rights Group calls the Snooper’s Charter “the most extreme surveillance law ever passed in a democracy.” Thanks to the new powers, UK intelligence agencies should be able to put together very extensive dossiers on pretty much anyone they feel like.

This is the collection of Internet Connection Records (ICRs)—a record of which services every citizen it is connecting to, logged in real-time. This unprecedented level of micro-surveillance is accompanied by a machine to make sense of the mass of data, called a ‘Filter’, but is in essence, a search engine. It can match these ICRs with your mobile phone location data and call histories. It can, we believe, be used to profile the social relationships and the sexual and political activities of every U.K. citizen.

That’s how the UK government wants it, apparently: porn filtered out, but spy agencies let in.

Beyond the expansion of law enforcement and surveillance powers is the precedent set by the government in its continual codification of secret surveillance programs. Like RIPA before it, the new law sends a message to intelligence and law enforcement agencies that all misdeeds will ultimately be legislatively forgiven by their overseers. Agencies are implicitly invited to hide programs from overseers and explore new collection techniques without running it past anyone else in the government first. And years later, it will all be papered over by “updated laws.”

This is also good news for other Five Eyes surveillance partners. The NSA and GCHQ’s information sharing partnership means the US agency now has access to even more data on British citizens. Almost anything GCHQ can acquire, the NSA can access. And now GCHQ can access more than ever.

Filed Under: data retention, gchq, investigatory powers bill, ipbill, metadata, parliament, snooper's charter, uk

Australian Government Using Data Retention Law To Seek Out Journalists' Sources, Hunt Down Whistleblowers

Privacy

from the any-law-that-can-be-abused-will-be-abused dept

If there ever were decent protections for whistleblowers in Australia, they’re gone now. Australia’s Attorney General was pushing for harsher whistleblower punishments two years ago, while simultaneously claiming data retention laws — and expanded permissions for intelligence agencies to pore through retained data — were simply the way governments were doing business these days.

And what a business it is. The Australian government wants to punish whistleblowers but finds they’re often difficult to track down. It’s just so much easier to find those they leak documents to, like journalists, and work towards getting them to divulge their sources. The “best” part about the new data retention laws is that those seeking whistleblowers to punish won’t have to confront journalists directly. In fact, they may never need to speak to them at all.

[Journalists’] union, the Media and Arts Alliance, has warned that they’re likely to become a test case for a little known provision snuck into the Government’s Data Retention laws, the Journalist Information Warrant Scheme. The new laws allow police and other investigative bodies to seek access to the phone records, emails and browser histories of journalists in order to track down sources they suspect of leaking confidential information.

Obviously, this raised concerns when the data retention law was first proposed. A band-aid was presented by legislators who threw in a few token “safeguards” to protect journalists’ sources. But in practice, these safeguards aren’t guarding anything. At best, they only give the appearance of adversarial proceedings before the government is given the greenlight to go digging through metadata.

Journalists and their employers are not allowed to challenge these warrants to the issuing body or even in court. They’re not even told whether one has been granted. Instead, the legislation requires the Prime Minister to appoint two ‘Public Interest Advocates’ who can choose to make the case against issuing a warrant. However, these advocates aren’t actually required to show support for the journalist, or media organisation, or even show up to deliver their case. Warrants can be issued without an advocate’s attendance or submission, and last up to six months. The scope of the warrant extends to all the journalist’s metadata captured over the previous two years.

The article notes that 21 Australian agencies can access journalists’ data through this process — data that must be retained by ISPs to better serve the “fighting terrorism” call. If it’s used to sniff out whistleblowers or, I don’t know, copyright infringers, then that’s presumably considered a feature, rather than a bug.

The new law acts as a double-edged weapon against government accountability. It allows the government to seek out and punish those that expose wrongdoing and the chilling effect it creates means fewer journalists will be willing to publish documents showing evidence of government misconduct.

Filed Under: australia, data retention, privacy, whistleblowers

EU Court Of Justice Advisor Suggests UK's Last Surveillance Bill May Be Legal, But Hints That The New One Might Not Be

Privacy

from the reading-the-tea-leaves dept

Over at the EU Court of Justice, the Advocate General has weighed in on the legal challenge to DRIPA, the Data Retention and Investigatory Powers Bill (DRIPA) that was rushed through the UK Parliament almost exactly two years ago. The law was challenged by a group made up of cross-party Parliament Members, and the Advocate General has sort of punted on the issue. If you don’t recall, the Advocate General’s role in the EU Court of Justice is basically to make a recommendation for the actual rulings. The court doesn’t have to (and doesn’t always) follow the Advocate General’s suggestion, but does so often enough that the opinions certainly carry a lot of weight and suggest what’s likely to happen. In this case, the opinion stated that, even though the court had previously rejected the EU-wide Data Retention Directive as intruding on privacy — the UK’s data retention law might be okay.

The opinion basically says some data retention laws may be okay if the powers are “circumscribed by strict safeguards” set up by the national courts.

Of course, the timing on this is important, given that the UK is (1) eagerly trying to push through its new surveillance law, the Investigatory Powers Bill which was (2) championed by then Home Secretary Theresa May as a necessary surveillance tool — and May is now the Prime Minister due to a series of issues in the UK you may have heard about lately. And some folks who are trying to read the tea leaves of the Advocate General’s opinion are suggesting that it may actually hint that while the old DRIPA might possibly be okay, the new Investigatory Powers bill probably is not. Of course, a lot of this depends on how you read the opinion and how certain key phrases are interpreted.

Many of those responding to Tuesday’s opinion emphasised the main finding that “solely the fight against serious crime is an objective in the general interest that is capable of justifying a general obligation to retain data, whereas combating ordinary offences and the smooth conduct of proceedings other than criminal proceedings are not.”

Basically, it appears that while it may be possible to twist DRIPA into shape so that it’s not violating the court’s required safeguards, the same cannot be said for the new bill. Whether or not that actually stops forward progress on that bill is another story altogether. And, of course, if the UK really is going to go through with its plan to leave the EU entirely, none of this may matter at all. Well, except for the privacy of everyone in the UK.

Filed Under: data retention, dripa, eu court of justice, eucj, investigatory powers bill, ipbill, snooper's charter, surveillance

Putin Says All Encryption Must Be Backdoored In Two Weeks

(Mis)Uses of Technology

from the make-it-snappy dept

A few weeks ago, we wrote about the push by the Russian Duma to pass a massive new surveillance bill that would mandate backdoors to encryption as well as massive data retention requirements for service providers, including saying that they need to store recordings of phone calls. As you may have heard, earlier this week, Russian President Vladimir Putin signed the bill into law. And apparently to prove that he’s serious about all of this, Putin has also signed an executive order telling the FSB (the modern version of the KGB) to make sure it gets encryption keys to unlock everything within the next two weeks.

After signing controversial anti-terrorist legislation earlier today, President Putin ordered the Federal Security Service (the FSB, the post-Soviet successor to the KGB) to produce encryption keys to decrypt all data on the Internet. According to the executive order, the FSB has two weeks to do it. Responsibility for carrying out Putin’s instructions falls on Alexander Bortnikov, the head of the FSB.

As the article notes, there’s a lot of uncertainty here, because in many cases, when things are encrypted locally or where there are private keys, there isn’t any way for service providers to turn over any keys.

What happens next is a little unclear. But it seems likely that the Russian government will use this to attack certain encrypted communications services, and potentially block and/or fine them for failing to comply with the new law. There has been a lot of talk about how Ed Snowden has been speaking out against this law, as he should. Considering that he uses a number of different encryption systems to communicate with the world, this law puts him very directly in danger. But it also puts lots of other people at risk as well. As we’ve been pointing out for a while, encryption does much more to protect everyday citizens than it does to hide the communications of “terrorists.” Undermining that puts a lot more people at risk of people hacking into their stuff than being a victim of a terrorist attack.

Filed Under: backdoors, data retention, ed snowden, encryption, fsb, mass surveillance, russia, surveillance, vladimir putin

When You Crack Open The Surveillance Door, The Food Police Will Want Your Metadata

Privacy

from the food-for-thought dept

As you may recall, late last year Australia put into effect a wonderfully ambitious data retention law that required ISPs in the country to do… well… something involving data retention. The problems began immediately, with ISPs unsure of exactly when they were supposed to start collecting all of this data, as the law allowed for some to petition to delay implementing the data collection, but the government hadn’t bothered to get back to many of them. Never mind what would happen once this same inept government actually received the mountains of data it had requested.

But those concerns are all about the practical utility of such a law, not the larger concerns over whether this kind of data collection ought to be happening to begin with. To see an example of why a free people shouldn’t allow the government to crack open this door, however, one needs only look again at the law in Australia. What was supposed to be collection chiefly to combat major criminal actions is now a collection that even the food police are trying to get in on. And, yes, I really do mean the food police.

If you are in the business of selling lamb chops, make sure you are weighing them properly: the National Measurement Institute wants warrantless access to Australians’ metadata to help them hunt down supermarkets skimping on portions. The NMI is one of 61 agencies that has applied to the attorney general, George Brandis, to be classed as a “criminal law-enforcement agency” in order to gain warrantless access to telecommunications data.

As part of the government’s assurances that there would be sufficient privacy safeguards, it reduced the number of agencies that could access the data. But agencies could reapply, with the permission of the attorney general, if they were involved in enforcing “serious contraventions” of criminal laws.

Now, this is still in the application phase, so the NMI, a government group tasked with investigating retailers to make sure they’re packaging their goods properly, doesn’t yet have access to Australian’s metadata, but its petition did have to be approved by the attorney general as being relevant to even get that far. This is what happens when you crack open the door: the bulk of government will try to force its way in. Keep in mind that the efficacy of bulk collection practices for combating even terrorism and serious criminal actions is debatable, but now we’re dealing with the food and retail packaging police wanting in on the action? This really should tell you everything you need to know.

Greens senator Scott Ludlam said: “The only saving grace the government was able to claim when they passed it was that they were narrowing the range of agencies that could access the data. On the face of it that was true, and obviously that’s just been blown to pieces.”

Just because slippery slope arguments are almost always lame, that doesn’t mean they don’t occasionally apply. It seems on bulk surveillance, they certainly do.

Filed Under: australia, data retention, food, lamb chops, measurements, metadata, surveillance

UK Home Secretary Wants Everyone's Metadata; But If You Ask For Hers, Gov't Says You're Being Vexatious

Failures

from the funny-how-that-works dept

Theresa May, the UK Home Secretary who seems like a comic book version of a government authoritarian, is leading the charge in the UK for its new Snooper’s Charter, officially called the “Investigatory Powers Bill,” that is filled with all kinds of nasty stuff for making it easier for the government to spy on everyone. Among the many problematic elements is the demand for basically everyone’s metadata. May dismissed the concerns about this by saying it’s nothing more than “an itemised phone bill.” Given that, Member of Parliament Keith Vaz noted to May that people might be interested to see May’s itemized phone bill.

Soon after that, we noted that UK resident Chris Gilmour sent in a FOIA request for May’s metadata. Specifically, he asked for the following:

1) The date, time, and recipient of every email sent by the Home Secretary during October 2015.

2) The date, time, and sender of every email received by the Home Secretary during October 2015.

3) The date, time, and recipient of every internet telephony call (e.g. “Skype” call) made by the Home Secretary during October 2015.

4) The date, time, and sender of every internet telephony call (e.g. “Skype” call) received by the Home Secretary during October 2015.

5) The date, time, and domain address of every website visited by the Home Secretary during October 2015.

Not surprisingly, it appears he was not the only one to do so. UK newspaper The Independent sent in a FOIA request asking for:

… the web browser history of all web browsers on the Home Secretary Theresa May’s GSI network account for the week beginning Monday 26 October. Feel free to redact any web addresses relating to security matters.”

There may be other such requests as well — but both of these requests got back the same basic response from the UK government. In both cases, the government rejected the requests, claiming they were “vexatious.” Here’s the response to Gilmour’s:

We have considered your requests and we believe them to be vexatious. Section 14(1) of the Act provides that the Home Office is not obliged to comply with a request for information of this nature. We have decided that your request is vexatious because it places an unreasonable burden on the department, because it has adopted a scattergun approach and seems solely designed for the purpose of ?fishing? for information without any idea of what might be revealed.

The requests are similar in nature to a request the Home Office received in 2014 that the Information Commissioners Office (ICO) agreed was vexatious. The decision notice in question can be found at this link: https://search.ico.org.uk/ico/search/decisionnotice?keywords=FS50544833

Guidance issued by the ICO on vexatious requests can be found at this link: https://ico.org.uk/media/for-organisations/documents/1198/dealing-with-vexatious- requests.pdf

It appears that The Independent got an identical response (word for word). The folks at The Independent seem reasonably annoyed by this.

While the Government is widening its own powers to access the information of citizens, it is watering down the public?s right to access the Government?s information.

Either way, there seems to be a legitimate question to ask Theresa May: if there’s no big deal about having the government go through your metadata and it’s “just like an itemised phone bill,” then why is it so “vexatious” for the public to ask for May’s metadata?

Filed Under: data retention, foia, freedom of information, home secretary, investigatory powers bill, ipbill, metadata, public records, snooper's charter, surveillance, theresa may, uk, vexatious

Senators Call For Mandatory Data Retention For Telcos Following The Section 215 Shutdown

Politics

from the quick,-before-the-Man-has-it-stuck-to-him-by-reprobate-corporate-giants! dept

Now that the NSA’s bulk phone metadata collection has actually ceased to exist (in this particular form, anyway…), low-level panic has begun to set in. With the NSA no longer able to obtain and store phone records in bulk, some legislators are now concerned telcos will use their control of these records to thwart the intelligence agency.

Sens. Tom Cotton (R-Ark.) and Angus King (I-Maine) on Thursday introduced a bill requiring telephone companies to notify the government if they plan on altering their policies for storing consumers’ phone data.

[…]

The new bill from King and Cotton would force companies to give the Justice Department at least 180 days notice if they plan to retain the call records for less than 18 months. The bill is called the Private Sector Call Record Retention Act.

“Our legislation would simply require that U.S. officials are provided with adequate warning if a company decides it no longer will hold these vital records, allowing time to ensure that we don’t lose a potentially valuable tool in the battle against terrorism,” King said in a statement.

This is Cotton’s baby. After all, he’s been trying to block the implementation of the USA Freedom Act’s surveillance reforms since the terrorist attacks in Paris, after months of being a vocal opponent of the legislation.

Critics of the new process — where the NSA takes its reasonable suspicion-supported court orders to telephone companies to obtain call data — somehow believe these companies, which historically have been enthusiastic enablers of dragnet surveillance, will suddenly decide to start deleting records just to screw with the government.

Beyond the fact that telcos tend to be proactive in their “assistance” of intelligence and law enforcement agencies is the fact that these companies have never before expressed a desire to hastily delete phone records. They’ve held onto them for indefinite periods of time — not out of deference to the NSA, FBI, et al, but because extended retention is obviously of some value to these companies. It makes no sense to assume they’ll suddenly alter their retention tactics just because they no longer need to produce all phone records in rolling three-month blocks.

That’s not the only ridiculous fear being voiced. The other asinine assertion is that the program is somehow integral to combating terrorism. Over the past couple of years, the debate has raged and supporters of the program have insisted the program has paid its debt to the Fourth Amendment several times over with all the terrorism it’s stopped… all without presenting any evidence that backs these statements up.

This sort of legislation does nothing but impose additional government requirements on data retention. This is no different than what was (temporarily) put in place in the UK — legislative demands for the onsite storage of records companies may not even need, simply because the government has decided it does. This isn’t an idea our legislators should be emulating, but unsurprisingly, the stoutest supporters of domestic surveillance are using a terrorist attack in another country to make a play for expanded government power.

Filed Under: angus king, data retention, nsa, privacy, section 215, surveillance, telcos, tom cotton

UK Releases Snooping Bill, Attempts To Mislead Everyone

Privacy

from the and-off-we-go dept

Earlier today we reported on a story in the Telegraph, claiming that the upcoming “Investigatory Powers Bill” in the UK would mandate encryption backdoors. The full draft of the bill has been released and the UK government is prattling on about how it doesn’t “ban” encryption. But note the subtle difference in language here. No one expected a ban on encryption: they expected backdoors. The bill is actually stupidly vague on this point. Here’s what the explanation says about “communication service providers in the UK and overseas.”

First it notes that under RIPA (the Regulation of Investigatory Powers Act), “CSPs” are already required to maintain “the ability to remove any encryption applied by the CSP to whom the notice relates.” In other words, the government is already claiming mandates to backdoor encryption, and then goes on to note:

The Investigatory Powers Bill will bring together these obligations in a single, comprehensive piece of legislation. It will provide an explicit obligation on CSPs to assist in giving effect to equipment interference warrants. Only intercepting agencies will have the ability to serve such warrants, which must be authorised by the Secretary of State. The draft Bill will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA.

The draft Bill will provide for the Secretary of State to require CSPs to maintain permanent capabilities relating to the powers under the draft Bill. This will replace the current obligation to maintain a permanent interception capability and will provide a clear basis in law for CSPs to maintain infrastructure and facilities to give effect to interception and other warrants.

The new power will also require CSPs to provide wider assistance to law enforcement and the security and intelligence agencies in the interests of national security. This will replace the general power of direction under the Telecommunications Act 1984. The new power will be subject to strict safeguards that will prevent it from being used to authorise any activity for the purpose of interference with privacy, such as authorising or requiring the disclosure of communications data.

So… is that mandating backdoors? It seems pretty likely that the government will use this combination of factors to do exactly that, but claiming that such backdoors are already required under RIPA — and thus it’s not “expanding” those powers, even as it also says that the new bill requires providing “wider assistance to law enforcement” and “intelligence agencies.” The explanation does note that “overseas” companies may have some exceptions, but again it’s vague. First it notes that “the draft Bill places the same obligations on all companies providing services to the UK or in control of communications systems in the UK” but then the vague exception: “the draft Bill will include explicit provision to take account of any potential conflict of laws that overseas companies may face.”

Right. Clears everything up.

Meanwhile the draft bill has tons of other problematic language, including requirements for data retention for your web browsing history. Also, it broadens GCHQ’s ability to hack into computers around the globe, with the innocuous sounding phrase “authorisations to interfere with property.” Specifically with regards to the GCHQ, the bill states:

GCHQ can ‘make use of’ as well as ‘monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material’. This clarifies that GCHQ may, in the performance of its functions, make use of communications services in the manner in which it was intended they would be used. This could be used for public communications as well as for investigative purposes.

Home Secretary Theresa May’s introduction to the draft claims that:

Powers to intercept communications, acquire communications data and interfere with equipment are essential to tackle child sexual exploitation, to dismantle serious crime cartels, take drugs and guns off our streets and prevent terrorist attacks.

In fact, the draft is weirdly peppered with “case studies” about gangs, criminals, exploited children and more as if to scream out “WE’RE SPYING ON YOU FOR YOUR OWN GOOD AND THE CHILDREN, SO SUBMIT.” This bill is not about protecting the public. It’s about giving much more surveillance and spying power to the government. It’s about fearmongering to get you to give up your privacy and safety so that the government can have more powers over the general public.

Filed Under: data retention, encryption, gchq, going dark, mass surveillance, snooper's charter, surveillance, uk

UK Gov't Pretends That It's 'Backed Down' On Snooper's Charter

Politics

from the but-it-still-looks-bad dept

Back in May, we noted that the UK government had decided to go totally Orwellian in pushing for a ridiculous “Snooper’s Charter” that gave the government incredible snooping powers. David Cameron’s speech in support of this contained a few incredible statements, including this: “For too long, we have been a passively tolerant society, saying to our citizens: as long as you obey the law, we will leave you alone.” Message read loud and clear: tolerance is over, Big Brother is here to smack you down for anything you say or do that it doesn’t like.

Now, with the details finally set to come out, it appears that UK Home Secretary Theresa May is trying to soft pedal them, claiming that the government has been “forced to backtrack” on the plan, because they agreed to remove just a few of the most ridiculous aspects of the original plan.

In a statement, senior sources said that rather than increasing intrusive surveillance, the bill would bar police and security services from accessing people?s browsing histories ? a power demanded by the security services ? and that ?any access to internet connection records will be strictly limited and targeted?.

They also revealed that ministers had ruled out plans to restrict or ban companies from encrypting material on the internet that had alarmed privacy and technology campaigners.

In what they said was a further change, ministers would not, as they had previously suggested, demand that UK communication service providers (CSPs) should capture and store internet traffic from companies based in the United States.

These are welcome changes, but they’re fairly limited. “Restricting or banning” encryption was always a non-starter. The much bigger concern is requiring backdoors. And, also, as the Intercept’s Ryan Gallagher points out, the claim of not keeping web browsing data is laughable, since GCHQ already does it.

Wired UK has an article detailing many of the other expected problems with the UK’s proposal, so don’t fall for the claim that the government is “backing down” on surveillance. It sounds like they just realized people were going to be pissed off and decided to pretend they had “backed down” by dropping a few of the really crazy aspects of the plan, while still planning to push through the rest.

Filed Under: data retention, encryption, snooper's charter, surveillance, theresa may, uk