The niner noteworthy and the 12 recaps of 2016 (day 11)

In a day and age in which everything has a digital side to it, intelligence agencies want a piece of that pie too. However, more and more of us are using encrypted devices and communication, because it is done for us, making the job of law enforcement and intelligence agencies more difficult, or so they claim.
And then there is worldwide terrorism too, which politicians are gladly using to reduce privacy and data protection in exchange for security and safety; at least that is what they constantly promise us, while at the same time scaring society into agreement.
With all that going on it is no surprise that online surveillance is on the rise, either because we finally found out about it, as in the Snowden case, or by virtue of new laws like the UK’s Investigatory Powers Act, or snoopers’ charter.
Today, in the final instalment of this series that looks back at 2016, I will be focusing on surveillance: from the NSA getting hacked itself, to France and the UK’s attempts at surveillance laws and databases, intelligence agencies that kept too much data, and EU politicians wanting a piece of the surveillance pie as well.

In chronological order:

EU votes on sharing air passenger data in wake of Paris, Brussels attacks

The goal is to detect, for example, individuals who have not been flagged by authorities as presenting a threat but whose travel patterns raise suspicions.

In effect, all of us, or anyone traveling to and from the EU bloc, is a potential target. Essentially this means that all your travel movements by air are being stored for five years; after six months some stuff is masked but can still be accessed upon request. In my opinion that means the data is effectively stored for five years, period.
With this in place, in the next two years we will know one thing for certain: all potential terrorists and criminals will switch from using planes to using trains or cars. It may take more time, but at least you are less trackable via this database of indiscriminate data gathering.
Will this really make us safer? I seriously doubt it, but what it will do is cause another breakdown of our fundamental right to privacy. And with several countries opting to implement more and more dragnet surveillance laws, I am worried about where this may ultimately end.
source: France 24

Regulating the use of passenger name record (PNR) data

Or is the reason for this PNR database actually something more childish? Something like: countries such as the US, Canada and Australia already want our data, so now we want theirs as well?
Anyway, we will know soon enough (about 15 months max) how fragmented the implementations across the EU member states will become.
source: European Council – Council of the European Union

China’s proposed cybersecurity laws spark concerns among businesses


Are these laws, which weaken the information security of companies and give China more control over its IT infrastructure, really only meant to squash international competition? Or is there something else behind these moves?
With China you never know. The only thing that is pretty obvious is that if security measures are weakened, the Chinese government itself can access a lot more data as well, including possible company secrets but also private data of citizens.
So I’m sceptical on the point that this is purely a trade issue. Yes, it will have an impact on international trade and competition, but there is more to this than meets the eye, for sure.
source: International Business Times UK

The NSA Hack — What, When, Where, How, Who & Why?


If this was indeed an insider job, then it would simply prove that the NSA is as vulnerable as every other branch of government or company. The problem with this hack is not directly the involvement of the Russian government; I am confident that the US government can spill enough beans on Moscow to make this NSA breach look tiny. But if these tools come into the hands of hackers, either state or criminal, it may give them access to a lot more than the NSA insider tool repository.
If these tools have been used in the wild, and who will ever believe a statement that they were not, then they can potentially be used again to regain access to previous targets of the NSA, foreign governments as well as companies or private individuals. That is, if the exploits still work and the vulnerabilities they target have not been patched by now. Considering the level of patch management I have seen over the last 8 years, I can easily state that this may still be a threat today.
source: The Hacker News

Everything you need to know about the NSA hack (but were afraid to Google)

The most worrying bit for the NSA will be the fact that a lot of breaches can now more easily be attributed to that organisation with some level of certainty.
As the breach seems to be from 2013, these are older tools. However, that doesn’t mean they were no longer used after that.
For the general picture, this only confirms what we already knew or suspected to be the capabilities of the NSA, and even then this is probably the tip of the iceberg.
source: TechCrunch

EU ministers look to tighten up privacy – JUST KIDDING – surveillance laws


So apparently it isn’t only the UK government that is trying to get indiscriminate bulk surveillance powers voted into law (okay, they have for now pretty much succeeded in doing that); the remaining EU is also thinking about destroying the fundamental rights of privacy which have been the stable bedrock of European data protection thinking for the last decades. All in the name of fighting terrorism, and fuelled by law enforcement and intelligence agencies saying they need more data to catch terrorists.
However, what a lot of attacks over the last decades have shown is that nearly all the information was already available, albeit in bits and pieces or not fully complete. Would more information have stopped the 9/11 attacks? Would lone wolves with trucks have been discovered by the agencies, and would the attacks in Nice and Berlin therefore have been stopped? Most of the time after these attacks you will hear that the agencies already had the attackers in their crosshairs, either in the country the attack took place in or through foreign agencies having them on a watchlist.
We are living in dangerous times, but is doing away with encryption the answer, the golden key or silver bullet we are looking for? I say no to that question. The only thing it does is weaken a fundamental human right by destroying the information security of our data, companies and society in the process. Because if we destroy all that, we destroy the free and open society we are, which means the terrorists ultimately win without having to do anything. And that is not even factoring in cyber criminals, who will ultimately benefit the most from weakening or limiting the use of encrypted communications.
source: The Register

Una Mullally: Edward Snowden’s warnings fall on deaf ears


Did we really give up our privacy voluntarily, or did that happen ever so slightly, one bit at a time? And who are we giving that privacy up to? Is it only governments with extreme dragnet surveillance techniques, or are we inadvertently doing this in exchange for some online freebies? Or maybe both?
The fact that the world after Snowden factually hasn’t changed at all, except for some stuff that we can now find in laws like the UK’s Investigatory Powers Act and some changes by the outgoing US president Obama on reducing the dragnet programs by the NSA (we may need another Snowden to find out how cosmetic they were or not), is evidence of how complex these issues really are. Couple this with politicians constantly shouting that we need to give up our privacy for security and safety against the current wave of terrorist attacks, specifically in Europe, and you may understand why this is happening too.
On the other hand, the European Union is trying to bolster our data protection laws and is therefore safeguarding our privacy, but will this really help if some governments put out draft laws that aren’t even compliant with the new law? I am obviously referring to Germany’s GDPR implementation, which I wrote about yesterday.
As for Obama pardoning Snowden, I doubt it will happen, but we will know soon enough with only just over 2 weeks left in his presidency. Although I must admit, and that’s my advice to Mr. Obama: just do it, even if you don’t agree. It would be the most enjoyable present you can give the Donald for his start in office, one with which he doesn’t agree of course.
source: The Irish Times

UK security agencies unlawfully collected data for 17 years, court rules


If you were to think about this from a conspiracy perspective, you would probably come to the conclusion that the Investigatory Powers Act is an attempt by the UK government to legalise something the security agencies have been doing for nearly 2 decades already. And in all honesty I wouldn’t blame you for that conclusion, as it certainly would look like that is indeed what has been happening.
Certainly if you look at this from a wider perspective and add the Data Retention and Investigatory Powers Act from 2014, which was struck down by the ECJ last month (see below), and the apparent drive of more governments to broaden the powers the intelligence agencies have, it’s not hard to see that this smells like the UK government is indeed trying to legalise something they have been doing all along. Whether this is indeed the case I will leave up to you, the reader, to decide for yourself.
One thing is entirely clear: it breaks all fundamental principles we hold on data protection in Europe, set forth in article 8 of the European charter of human rights (ECHR).
source: The Guardian

France Creates Big Brother Data File Raising Privacy Concerns


Some countries lag behind, apparently. A couple of years ago the Netherlands tried this same approach by wanting to create a national database holding the fingerprints of all Dutch nationals. Since we had to hand them over for a new passport as well as the European identity card, they thought they could simply keep that data and store it centrally. They were wrong.
In the end the national database hasn’t materialised, and the fingerprint requirement for the identity card has been dropped as well.
Now France wants to try this stunt too. I would not be surprised if this is in the end overturned, either by the French parliament or otherwise in a long-lasting legal battle ending at the ECJ in Luxembourg or the human rights court in Strasbourg.
source: Bloomberg

Sharing’s caring? Not when you spread data across gov willy-nilly


Sharing data with other branches of government as well as private companies without the consent of the data subject? I don’t think so. Even leaving aside all the issues with poor data housekeeping and data breaches, this is a very, very bad idea. And if I link this to the data retention and slurping powers in the snoopers’ charter, you will probably guess where this is going.
Maybe we should be glad that a country that is blatantly ignoring the fundamental human rights on data privacy (ECHR article 8) is leaving the European Union, or shouldn’t we?
In any case, this is one to be watched.
source: The Register
And an editorial by The Guardian outlining the issues with this move by the UK government.

Investigatory Powers law setback: Blanket data slurp is illegal—top EU court


I have written about this topic before in the niner noteworthy series, in week 21 and week 22, when the Investigatory Powers Act, or snoopers’ charter, was still in draft and not yet voted into law, which did happen in the fall of 2016.
Whilst this court ruling is about the 2014 Data Retention and Investigatory Powers Act (DRIPA), which was due to be retired, it will have its effect on the snoopers’ charter as well, as the broad and indiscriminate data access rights from the DRIPA have been moved into the snoopers’ charter to maintain or even expand that level of access and retention.
It is extremely painful for the UK that this ruling comes after the country voted for Brexit, and puzzling too, because one politician who started this case is now brexiter-in-chief, appointed by Theresa May, who as secretary of the home office was responsible for the Investigatory Powers Act in that previous role. Interesting to see how quickly politicians drop their ethics in exchange for a top job.
For privacy campaigners, though, this ruling is a welcome one, as it seems more and more countries are setting data protection laws aside in exchange for sweeping powers for law enforcement.
source: Ars Technica UK
