Privacy and technology


Jun 19

Caroline Wilson | A guide to FISA §1881a - The law behind it all

From the blog post:

“Simply put, the National Security Agency is an intelligence agency. Its purpose is to monitor the world’s communications, which it traditionally collected by using spy satellites, taps on cables, and placing listening stations around the world. In 2008, by making changes to U.S. law, the U.S. Congress enabled the NSA to make U.S. industry complicit in its mission. No longer would the NSA have to rely only on international gathering points. It can now go to domestic companies who hold massive amounts of information on foreigners and order them to submit any information of interest to the NSA. This could include the content of communications, documents, photos, videos, or locations and other so-called metadata - any information held by the companies. No warrant is required - though there is a secret court review. But that review’s primary purpose appears to be to provide assurances that Americans won’t be targeted.”

A selection from the most recent links on PRISM:

  • Daniel J. Solove: Five myths about privacy (2013-06-13)
  • Moxie Marlinspike: Why ‘I have nothing to hide’ is the wrong way to think about surveillance (2013-06-13)
  • Techdirt: Leaked - NSA’s talking points defending NSA surveillance (2013-06-13)
  • Wired Threat Level: Yahoo supplied data to PRISM only after losing scrappy FISA fight (2013-06-14)
  • Bloomberg: U.S. agencies said to swap data with thousands of firms (2013-06-15)
  • EFF: An international perspective on FISA - no protections, little oversight (2013-06-15)
  • EFF: U.S. foreign intelligence - from carte blanche surveillance to weak [domestic] protections (2013-06-15)
  • Ars Technica: Details emerge about PRISM, big tech companies release data requests (2013-06-16)
  • Ars Technica: PRISM helped stop terrorism in US and 20-plus countries, NSA document argues (2013-06-17)
  • The Guardian: GCHQ intercepted foreign politician’s communications at G20 summits (2013-06-17)
  • Wired: It’s beyond ridiculous that email (but not mail) has been left out of privacy laws (2013-06-17)
  • Jurel: PRISM, old wine in new bottles (2013-06-13)
  • NetKwesties: Wild West of secret services and lawful investigation (2013-06-16)
  • Posted at 12:00 PM
  • Tagged: Surveillance Privacy Policy

Alexander Hanff | PRISM-Break list is dangerously misleading

From the blog post:

“The web site makes a bold claim that by using the software and services listed, people can avoid the NSA from accessing their data and communications - this is completely false and as stated above, dangerously misleading. The web site lists a number of services and software provided by companies based in the United States - all US entities (whether they be global foundations like Mozilla, Tor exit node operators, non-profits or global corporations) are vulnerable to orders under Foreign Intelligence Surveillance Act (FISA) or USA PATRIOT Act via orders issued by the Foreign Intelligence Surveillance Court (FISC) or National Security Letters (NSLs).”

Note: I linked to PRISM-break last week, so I’m afraid I dropped the ball on this one.

  • Posted at 11:47 AM
  • Tagged: Surveillance Privacy
Jun 18

NOREA | NL | Privacy Impact Assessment (PIA) - Introduction, guidance and questionnaire (PDF linked from this page)

From the Foreword:

“The PIA encourages organisations to think proactively about questions such as: What is the impact of the intended project on the privacy of the data subjects? What are the risks for the data subjects and for the organisation? Is an approach with fewer consequences for privacy also possible, given the objectives of the project? After carrying out the PIA, the ‘controller’ can give targeted instructions to whoever further develops the product or service, so that a tailored solution can be delivered and costly changes at a later stage are avoided.”

(Source: accountant.nl)

  • Posted at 12:00 PM
  • Tagged: Privacy
Jun 17

Paul M. Schwartz | EU US | The EU-U.S. privacy collision - a turn to institutions and procedures (PDF linked from this page)

From ‘I. Introduction’:

“Internet scholarship in the United States generally concentrates on how decisions made in this country about copyright law, network neutrality, and other policy areas shape cyberspace. In one important aspect of the evolving Internet, however, a comparative focus is indispensable. Legal forces outside the United States have significantly shaped the governance of information privacy, a highly important aspect of cyberspace, and one involving central issues of civil liberties. The EU has played a major role in international decisions involving information privacy, a role that has been bolstered by the authority of EU member states to block data transfers to third party nations, including the United States.”

(Source: concurringopinions.com)

  • Posted at 12:00 PM
  • Tagged: Privacy Policy
Jun 16

Lior Jacob Strahilevitz | Towards a positive theory of privacy law (PDF linked from this page)

From the article:

“Privacy protections create winners and losers. So does the absence of privacy protections. The distributive implications of governmental decisions regarding privacy are often very significant, but they can be subtle too. Policy and academic debates over privacy rules tend not to emphasize the distributive dimensions of those rules, and many privacy advocates mistakenly believe that all consumers and voters win when privacy is enhanced. At the same time, privacy skeptics who do discuss privacy in distributive terms sometimes score cheap rhetorical points by suggesting that only those with shameful secrets to hide benefit from privacy protections. Neither approach is appealing, and privacy scholars ought to do better. This Article reveals some of the subtleties of privacy regulation, with a particular focus on the distributive consequences of privacy rules. The Article suggests that understanding the identities of privacy law’s real winners and losers is indispensable both to clarifying existing debates in the scholarship and to helping predict which interests will prevail in the institutions that formulate privacy rules.”

(Source: concurringopinions.com)

  • Posted at 12:00 PM
  • Tagged: Privacy Policy
Jun 15

Freedom of the Press Foundation | US | Transcripts from Bradley Manning's trial (PDF files linked from this page)

From the front page:

“The US military has refused to release transcripts of Bradley Manning’s trial. In addition, they’ve denied press passes to 270 out of the 350 media organizations that applied. Without public transcripts or a press pass, it’s virtually impossible for media organizations to accurately cover the trial and for the public to know what the government is doing in its name. In response, Freedom of the Press Foundation has crowd-sourced funding to place a professional stenographer in the media room covering the trial. We will post full transcripts shortly after each day’s proceedings end.”

(Source: erratasec.blogspot.nl)

  • Posted at 12:00 PM
  • Tagged: Policy WikiLeaks
Jun 14

VPRO Tegenlicht | Your data out in the open

From the article:

“Getting data removed at the NSA is a matter for politics. But to get an idea of which data that might be, an overview of tools and articles to map, hide or delete your own data.”

(Source: privacynieuws.nl)

  • Posted at 12:00 PM
  • Tagged: Surveillance Privacy
Jun 13

Nylira | PRISM Break

From the front page:

“Stop reporting your online activities to the American government with these free alternatives to proprietary software.”

Note: read a critical response to this website here.

(Source: privacynieuws.nl)

  • Posted at 12:00 PM
  • Tagged: Surveillance
Jun 12

86 Civil liberties groups and internet companies | Stop watching us

From the front page:

“The revelations about the National Security Agency’s surveillance apparatus, if true, represent a stunning abuse of our basic rights. We demand the U.S. Congress reveal the full extent of the NSA’s spying programs.”

(Source: eff.org)

  • Posted at 12:00 PM
  • Tagged: Surveillance
Jun 11

BBC News | US | What does Prism tell us about privacy protection?

This story is getting overwhelming media attention at the moment, so it’s hard to decide which sources to include. This article by the BBC gives an overview of what we know thus far, and contains this handy timeline:

  • 5 June: The Guardian reports that the National Security Agency (NSA) is collecting the telephone records of millions of US customers of Verizon, under a top-secret court order
  • 6 June: The Guardian and the Washington Post report the NSA and the FBI are tapping into US internet companies to track online communication, in a scheme known as Prism
  • 7 June: The Guardian reports President Obama has asked intelligence agencies to draw up a list of potential overseas targets for US cyber-attacks
  • 7 June: President Obama defends the programmes, saying they are closely overseen by Congress and the courts
  • 8 June: US director of national intelligence James Clapper calls the leaks ‘literally gut-wrenching’
  • 9 June: The Guardian names former CIA technical worker Edward Snowden as the source of the leaks

A small selection from everything else that’s been published on the subject:

  • Washington Post: U.S., British intelligence mining data from nine U.S. internet companies in broad secret program (2013-06-06)
  • EFF: Why metadata matters (2013-06-07)
  • Privacy International: Looking at PRISM - NSA’s mass surveillance program (2013-06-07)
  • The Guardian: NSA spying scandal - what we have learned (2013-06-10)
  • The Guardian: NSA surveillance - is it possible to exist online without casting a digital shadow? (2013-06-10)
  • Michael Geist: Report confirms Canada has its own phone meta-data and internet surveillance program (2013-06-10)
  • Schneier on Security: Government secrets and the need for whistle-blowers (2013-06-10)
  • Posted at 1:15 PM
  • Tagged: Surveillance

Daniel J. Solove | Privacy self-management and the consent dilemma (SSRN)

Abstract:

“The current regulatory approach for protecting privacy involves what I refer to as ‘privacy self-management’ - the law provides people with a set of rights to enable them to decide how to weigh the costs and benefits of the collection, use, or disclosure of their information. People’s consent legitimizes nearly any form of collection, use, and disclosure of personal data. Although privacy self-management is certainly a necessary component of any regulatory regime, I contend in this Article that it is being asked to do work beyond its capabilities. Privacy self-management does not provide meaningful control. Empirical and social science research has undermined key assumptions about how people make decisions regarding their data, assumptions that underpin and legitimize the privacy self-management model. Moreover, people cannot appropriately self-manage their privacy due to a series of structural problems. There are too many entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity. Moreover, many privacy harms are the result of an aggregation of pieces of data over a period of time by different entities. It is virtually impossible for people to weigh the costs and benefits of revealing information or permitting its use or transfer without an understanding of the potential downstream uses, further limiting the effectiveness of the privacy self-management framework. In addition, privacy self-management addresses privacy in a series of isolated transactions guided by particular individuals. Privacy costs and benefits, however, are more appropriately assessed cumulatively and holistically - not merely at the individual level. In order to advance, privacy law and policy must confront a complex and confounding dilemma with consent. 
Consent to collection, use, and disclosure of personal data is often not meaningful, and the most apparent solution - paternalistic measures - even more directly denies people the freedom to make consensual choices about their data. In this Article, I propose several ways privacy law can grapple with the consent dilemma and move beyond relying too heavily on privacy self-management.”

(Source: concurringopinions.com)

  • Posted at 12:00 PM
  • Tagged: Privacy Policy
Jun 10

Agentschap Telecom and the Inspectie Veiligheid en Justitie | NL | 1-1-2 under the microscope - An investigation into the structure and organisation of the emergency number and the outages in 2012 (PDF linked from this page)

From ‘Risks in the 1-1-2 chain and preparation for outages’:

“To be able to guarantee the reliability of the network and the continuity of the service, it is necessary to have insight into the risks in the 1-1-2 chain, so that adequate measures can be taken to prevent disruptions and outages. The investigation shows that an integral risk analysis is lacking. The various parties do pay attention to the risks, but in doing so they concentrate mainly on their own role and position. […] As regards preventive and impact-limiting measures, the picture is the same. Here too it is ‘every man for himself’. There is also no central direction over the continuity of 1-1-2, and joint measures to counter (major) threats are not taken. As a result, it is not assured that 1-1-2 has been made sufficiently resilient against (large-scale) calamities.”
  • Posted at 12:00 PM
  • Tagged: Information security

EDRi | EU | EDRi-gram newsletter - Number 11.11, 5 June 2013

  • Turkish demonstrations using social media despite censorship
  • Neelie Kroes’ up-and-down evolution in the Net Neutrality issue
  • Call for Action: Vote on the retention of air passenger data (PNR)
  • Transborder data access: Strong critics on plans to extend CoE Cybercrime Treaty
  • Macedonia: Freedom of expression endangered by new law
  • Council of Europe to step up for Net Neutrality
  • EDRi analysis on private copying levy
  • Will the new data protection rules be even weaker than the old ones?
  • EC goes after governments for not implementing data retention
  • ENDitorial: Correction / Clarification regarding iCOMP
  • Recommended Action
  • Recommended Reading
  • Agenda

  • Posted at 8:43 AM
  • Tagged: EDRi Privacy
Jun 09

Kimberly S. Crowe | Law in the boardroom (PDF)

From ‘Broad themes’:

“It’s hardly surprising, then, that data security (in a virtual tie with succession planning) is one of the top issues that keeps directors from resting at night, and that feeling was seconded by general counsel who also chose it as a chief area of concern, just after regulatory compliance. Accordingly, cyber risk was cited by both directors and general counsel as an issue on which the board will be spending considerable time this year, although it’s interesting that GCs don’t seem to think directors will be spending as much time on this topic as the legal department itself will.”
  • Posted at 12:00 PM
  • Tagged: Information security
Jun 08

European Centre for International Political Economy (ECIPE) | US | The economic importance of getting data protection right - protecting privacy, transmitting data, moving commerce (PDF linked from this page)

From the Executive Summary:

“This study assesses the potential external trade impact of the EU’s proposed General Data Privacy Regulation (GDPR), using the well-established GTAP 8 model to estimate the potential trade effects on GDP, general welfare, services sector output and trade. The assessment of the impact is associated with many uncertain assumptions due to ambiguity and unclear propositions in the proposed regulation itself, especially the controversial proposal of ‘right to be forgotten’.
The results from the modeling show that EU GDP shrinks as the degree of trade disruptions increase. The magnitude of the effects varies in accordance with the disruptions and could under some modest assumptions eradicate the estimated economic recovery for 2014, or all the estimated growth contribution from the proposed EU-U.S. Free Trade Agreement. This result holds even if GDPR comes into force in its most conservative form.”

(Source: frankwatching.com)

  • Posted at 12:00 PM
  • Tagged: Policy