Caspar Bowden foresees PRISM in October 2012
Secret access by foreign govts
in context of cloud computing:
Cloud providers are transnational companies ...
[Caspar Bowden 2012]
subject to conflicts of international public law.
Biggest threat not from Patriot Act
but from a law still largely unknown.
... the Foreign Intelligence Surveillance Amendment Act 2008
Cloud computing a grave threat
to sovereignty of European data
None of the regulatory proposals so far [2012]
appreciated the gravity of the situation.
Details of FISA unknown to Commission or data protection authorities until 2011.
... without any of the safeguards applicable to US citizens (in direct contradiction to what public told in EU Parliament).
FISAAA passed 2008 to legalise surveillance which US govt began circa 9/11, which became known as 'warrantless wiretapping'.
Mass surveillance of international communications using supercomputers to trawl through data has been practised for a long time.
The system known as Echelon was itself investigated by the European Parliament in 2000.
Question that led to warrantless wiretapping scandal was: *had Americans been caught up in intl surveillance systems?*
Note: 'warrantless wiretapping' (ie mass US surveillance) scandal = issue in 2012, prior to Snowden expose (May 2013)
Recommended: Find speech of William Binney, one of the whistleblowers @ NY conference in June & consider the implications yourself.
William Binney: a crypto-mathematician & NSA senior official nearly 40 years
LINK:
Interview: June 14, 2014 https://www.youtube.com/watch?v=ErRQeQd39zw
William Binney was NSA engineer who built a vast data mining system for NSA, designed for mass surveillance, foreign & intl.
European policy makers have not understood that they were the intended targets of the surveillance system that Binney built.
Under Euro Convention of Human Rights & EU fundamental rights = illegal to discriminate protection according to nationality.
Everyone in the jurisdiction of Europe has an equal right to have their privacy protected from unjustified surveillance.
FISAAA only protects US persons.
Europe = legitimate purpose of covert surveillance is LIMITED to combating serious crime & national or economic security.
Europe: one member state cannot lawfully spy on another member's citizens merely for some foreign policy objective/advantage.
FISAAA expressly authorises surveillance of info with respect to foreign-based political organisation (or territory) ...
[FISAAA authority] ... that relates to the affairs of the United States. [Pretty much covers everywhere - blanket authority]
FISAAA vastly broader definition than anything that is lawful under ECHR, so foreigners' data in the cloud could be scanned
ie. Given broad FISAAA authority 2008, foreign data in the cloud could be scanned by USA for purely political surveillance.
Any data that was moved to cloud that was previously processed on EU org premises has been vulnerable.
A.29 working party issued opinion on cloud computing. Far from waking up to risks of mass surveillance, they endorse mechanisms
A.29 endorse mech's devised decade ago eg. outsourcing direct marketing & call centres as suitable for cloud computing. COLOSSAL RISK
A.29 warning prohibit direct disclosures by cloud providers to non-EU govts, unless this falls within established international agreements
However, A.29 believes the real risk comes from Patriot Act & case by case demands for data. No appreciation of risk ..
A.29 no appreciation of risk of continuous & systematic mass surveillance of cloud data.
Software fabric of US cloud providers is maintained from ops centres in US, so mass surveillance possible through remote control
[Cloud providers: ops centres in US] so, USG can secretly order companies to comply to demand for access to Euro cloud data.
Any data put into clouds can be accessed directly & secretly by USA, to bypass agreements covering law enforcement sector
US can bypass: eg PNR & Swift Agreements etc.
A.29 fully envisage & *permit* secret disclosures of data / loopholes have already been built in.
Encrypt. data to & from cloud irrelevant b/c FISAAA lets data extraction from inside data centre after data decrypted for processing
No way EU data protect. authority can know if cloud is wiretapped, if software powering cloud is controlled outside EU jurisdiction
Mass surveillance of cloud would be done in software using power of cloud itself to scan & filter data for further analysis
Huge new data centres belonging to NSA are being built for this purpose.
No commercial audit process can possibly uncover secret use of national security laws of another country.
Until problem is fixed by revising US legislation or treaty, only prudent policy is a) physically confining cloud facilities ...
.. under exclusive EU jurisdiction. b) using open-source software b/c backdoor insertion risk in closed-source software.
FISAAA can order backdoor insertion into closed-source software.
Closing legal loopholes for cloud surveillance is not enough, however.
Not credible that national data protection authorities can mount effective enforcement actions v. coys size of Microsoft or Google
$1-billion fine on Microsoft for competition offences took the EU nearly 10 yrs, while Microsoft derived profits in excess.
Coys can afford to lawyer up to tie cases in knots. Same thing will happen w. fines under regulations & 2% = small cost of business.
ie. 2% = small cost of doing business to access the 5-million consumers of the EU
Need: dedicated & centrally operating prosecution authority for major cases of transnational data protection enforcement.
Also need: capacity to fight long legal battles with adequate professional resources. New Board & independence of Comm. influence.
Only in this way can enforcement become sufficiently credible to alter corporate behaviour.
Deterrent to US companies ignoring EU protection law = very substantial rewards to be offered to corporate whistleblowers
Need: corporate whistleblower rewards of sufficient size to overcome US secrecy laws & cast-iron legal protection, as well.
Such methods have been effective against tax evasion & competition cases; why not data protection?
It is not too late to wake up from the long sleepwalk towards an irreversible loss of data sovereignty.
Unless 3rd countries prepared to offer Europeans the same protections they offer own citizens, the clouds will have to part.
COMMENT
Found this very interesting and have transcribed a rough take of what was presented before the EU Parliament by Caspar Bowden, in 2012.
The current status of the proposals is unknown to me.
What was also conveyed is that:
European law prohibits state surveillance of the ordinary, lawful, democratic, political activities of individuals or groups.
Somebody ought to let the British police and authorities know about this, as they're forever conducting aggressive spying and infiltration campaigns against political activists and protesters (Oh, and mass surveillance of ordinary citizens).