A US government task force is drafting FBI-backed legislation that would penalize companies like Google and Facebook for refusing to comply with wiretap orders, media report.
In the new legislation being drafted by US law enforcement officials, refusal to cooperate with the FBI could cost a tech company tens of thousands of dollars in fines, the Washington Post quoted anonymous sources as saying.
The fined company would be given 90 days to comply with wiretap orders. If the organization is unable or unwilling to turn over the communications requested by the wiretap, the penalty sum would double every day.
“We don’t have the ability to go to court and say, ‘We need a court order to effectuate the intercept.’ Other countries have that. Most people assume that’s what you’re getting when you go to a court,” FBI general counsel Andrew Weissmann told the Washington Post.
If passed by Congress and signed by President Obama, the bill would amend the 1968 Wiretap Act. The existing duty on carriers to build interception capability into their networks comes not from the Wiretap Act itself but from the 1994 Communications Assistance for Law Enforcement Act (CALEA); the proposal would add enforceable penalties for companies that do not comply with intercept orders.
However, many companies maintain that their resistance to this and similar measures has nothing to do with an unwillingness to help investigators. Google began encrypting its email service following a major hacking attack in 2010; developing wiretap technology could make it and other companies vulnerable, creating “a way for someone to silently go in and activate a wiretap,” said Susan Landau, a former engineer at Sun Microsystems.
The proposed expansion of wiretaps into the digital frontier is the latest in a series of US government efforts to monitor online communications.
The recent Boston Marathon bombings were used by some members of Congress as a reason to push through the highly controversial Cyber Intelligence Sharing and Protection Act (CISPA), which was passed by the lower house. If CISPA is signed into law, telecommunication companies will be encouraged to share Internet data with the Departments of Homeland Security and Justice for national security purposes.
Tech companies, including giants like Facebook and Microsoft, have objected fiercely to the bill, citing customers’ privacy concerns. The bill is currently shelved in the Senate following President Obama’s threat to veto CISPA due to a lack of personal privacy provisions.
Earlier in April, the FBI requested an additional $41 million from the federal government for the recording and analysis of Internet communication.
The Electronic Privacy Information Center also recently obtained over 1,000 pages of documents proving that the Pentagon has secretly eavesdropped on Internet traffic for several years.
“Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws,” CNET reporter Declan McCullagh wrote.
- Obama administration bypasses CISPA by secretly allowing Internet surveillance (alethonews.wordpress.com)
When one conspires to violate federal law, it helps to have a government agency or two as one’s co-conspirators when law enforcement comes poking around. Telecom giant AT&T and others learned this recently when the Defense Department (DOD) and the Department of Homeland Security (DHS) successfully pressured the Justice Department (DOJ) to agree, secretly, not to prosecute blatantly illegal wiretaps conducted by AT&T and other Internet service providers at the request of the agencies.
Although some press reports have termed this an authorization of activity that would otherwise be illegal, this is a misnomer. The executive branch lacks the power to retroactively declare criminal conduct to be lawful, but it can choose to ignore it by waiving prosecution pursuant to “prosecutorial discretion.”
Although the secret DOJ prosecution waiver initially applied to a cyber-security pilot project—the DIB Cyber Pilot—that allowed the military to monitor defense contractors’ Internet links, the program has since been renamed Enhanced Cybersecurity Services and is being expanded by President Obama to allow the government to snoop on the private networks of all companies operating in “critical infrastructure sectors,” including energy, healthcare, and finance starting June 12.
“The Justice Department is helping private companies evade federal wiretap laws,” warned Marc Rotenberg, executive director of the Electronic Privacy Information Center, which obtained more than 1,000 pages of government documents relating to the issue via a Freedom of Information Act request. “Alarm bells should be going off.”
The wiretap law referenced by Rotenberg is the Wiretap Act, codified at 18 U.S.C. § 2511, which makes it a crime for a network operator to intercept communications carried on its networks unless the monitoring is a “necessary incident” to providing the service or occurs with a user’s “lawful consent.” Since neither of those exceptions applied, DOD and DHS pressed DOJ attorneys to agree not to prosecute what were clearly prosecutable offenses by issuing an unknown number of “2511 letters,” which DOJ normally uses to tell a company that its conduct fits within one of the lawful exceptions to the Act.
The purported “retroactive authorization” is similar to the “retroactive immunity” given the telecoms by Congress for their participation in illegal wiretapping and eavesdropping between 2001 and 2006. Likewise, former DHS official Paul Rosenzweig compared the case of the “2511 letters” to the CIA asking the Justice Department for legal memos justifying torture a decade ago. “If you think of it poorly, it’s a CYA [‘cover your ass’] function,” Rosenzweig says. “If you think well of it, it’s an effort to secure advance authorization for an action that may not be clearly legal.” Or may be clearly illegal.
In any event, Obama’s own expansion by mid-June of the snooping “to all critical infrastructure sectors,” defined as companies providing services whose disruption would harm national economic security or “national public health or safety” will proceed.
- To Ease Internet Snooping, Feds Promise To Ignore Privacy Violations (reason.com)
Australians are fending off threats to their right to privacy from all directions. First, there was Australian Attorney General Nicola Roxon’s push to expand government online surveillance powers, submitted to Parliament in a package of reforms sought in a National Security Inquiry.
Then, on Aug. 22, the Australian Senate approved the Cybercrime Legislation Amendment Bill 2011, granting authorities the power to require phone and Internet providers to store up to 180 days’ worth of personal communications data. The purpose is to aid investigations by both foreign and domestic law enforcement agencies, which makes it especially controversial: it can result in foreign governments gaining access to Australian citizens’ communications data. The legislation only allows for data retention in the cases of specifically targeted individuals.
The bill is based on the Council of Europe Convention on Cybercrime – which we’ve flagged in the past as one of the world’s worst Internet law treaties – and the passage of the bill opens the door for Australia to join the Convention.
At least we can welcome the news that one of the most controversial aspects of Roxon’s National Security Inquiry proposal, a vague mandatory data retention provision that would have required service providers to retain all users’ communications data for up to two full years, seems to have been placed on hold – for now, anyway.
Yet at the same time, the newly approved Cybercrime Legislation Amendment Bill 2011 is viewed by some in Australia as a kind of “data retention lite,” and a precursor to the mass, untargeted surveillance that the more extreme proposal may yet usher in. An outcome of the approval of this bill, after all, is that providers will now have to install systems enabling data retention for up to 180 days – and pay for it themselves.
Public Fights Back
Despite the steady march toward expanded online snooping powers for law enforcement in the name of “national security,” a hefty pile of submissions landed in Parliamentary chambers last week, reflecting strong public opposition to the proposed reforms. A total of 177 submissions, representing thousands of individuals and organizations, flowed in to the Joint Parliamentary Committee on Intelligence and Security even though the government allowed only a brief time frame for comment.
Below, we collected some reactions of various Australian stakeholders who drafted lengthy submissions to convey their serious concerns. Civil liberties advocates aren’t the only ones worried about where this is going. The Australian Mobile Telecommunications Association and Communications Alliance, a telecom industry group, also chimed in to express concerns about costly new requirements for telecoms that would come attached to these surveillance measures. Since data retention disproportionately burdens smaller ISPs affected by requiring expensive equipment upgrades, the measure has the potential to hamper innovation by discouraging new startups from entering the market.
Re: Making it a Crime to Refuse to Aid in Decryption
One of the worst ideas contained in the National Security Inquiry package is the creation of a new crime under the Telecommunications (Interception and Access) Act 1979: refusing to aid law enforcement in the decryption of communications. That interception law granted law enforcement agencies, such as the Australian Federal Police (AFP) and the Australian Crime Commission (ACC), the ability to legally intercept communications for the first time. Reactions to the proposal hinged on the threat it poses to Australians’ right to silence.
Senator Scott Ludlam, speaking on behalf of the Australian Green Party, had this to say:
While the integrity of Australians’ right to silence has been damaged by the anti-terrorism laws, with regard to other criminal offences it remains intact. This proposal further degrades the right to silence, presumably to pre-trial investigations and undermines the privilege against self-incrimination. … The Committee should oppose this proposal as a serious erosion of the legal and human rights of Australians.
Electronic Frontiers Australia, a digital civil liberties organization (which is not formally affiliated with EFF), pointed out a number of problems with this idea:
EFA is concerned about the possible creation of an offence for failing to assist in the decryption of communications for the following reasons:
- it undermines the right of individuals to not cooperate with an investigation
- it poses a threat to the independence of journalists and their sources, particularly in circumstances involving whistle-blowing activity related to cases of official corruption
- it could undermine the principles of doctor-patient and lawyer-client confidentiality and other trusted relationships
- there are foreseeable and entirely legitimate circumstances in which decryption of data is not possible, such as where a password has been forgotten and is unrecoverable.
EFA therefore believes that the Committee should reject this proposal.
Re: Extending the Regulatory Regime to “Ancillary Service Providers”
A discussion paper submitted as part of the National Security Inquiry proposal makes it clear that the Australian government is “considering the need for a new interception regime that better reflects the contemporary communications environment,” i.e. a total overhaul of existing legislation to allow law enforcement to pry into communications taking place over platforms like Facebook or Twitter. The discussion paper defines “ancillary service providers” as “Telecommunications industry participants who are not carriers or carriage service providers.” Ultimately, this suggests the government is angling to bring all forms of online communications into the reach of interception laws.
The Australian Privacy Foundation cited the privacy concerns inherent in this proposal.
Telecommunications legislation already goes much further than regulation in most other sectors in mandating a role for private sector businesses as agents of the state in surveillance and law enforcement (banking and finance is the other main area where this has happened). These proposals would see a further significant extension of this role. Online intermediaries in particular host our communications with our friends, relatives, co-workers etc. They host a vast amount of information, the volume and scope of which is growing exponentially as we move to the cloud, use social networks, etc. Using online intermediaries as an agent of the State dramatically impacts on the state’s surveillance capabilities. Even minor changes in what they are required to do on behalf of government agencies can have very broad implications for people’s privacy.
Ludlam, of the Australian Greens, also blasted the idea.
The Attorney General’s paper does not explain how covering ‘ancillary service providers’ – the many and ever increasing forms of social media – in legislation will address ‘current potential vulnerabilities in the interception regime that are capable of being manipulated by criminals’. The Greens believe it is excessive to extend the reach of surveillance into the retention of all social media exchanges. Does this include all business exchanges on video conferencing platforms?
And EFA pointed out that this proposal could expose anyone to law enforcement scrutiny, not just people suspected of wrongdoing.
Central to many of the services that Australians deliberately sign up for – e.g. Facebook, Twitter, Pinterest, Apple iCloud, etc. – is the concept of sharing across networks. In surveilling a target’s activities in such services, shared friends or media objects connect target and non-target individuals such that following one surveillance target inescapably involves collateral surveillance necessarily breaching the privacy of non-targets. … Indeed, “cloud computing” itself underlies “social networking”. As such, the information flows pertaining to individuals cross and recross such services to the point where, again, separating surveillance of a particular target is almost inevitably going to encounter that of other individuals, but in this case in ways that cannot be anticipated and very deeply undermine Australians’ reasonable expectation of privacy.
- Roxon edges towards keeping online data for two years (smh.com.au)
- Roxon backs new online data powers (theage.com.au)
- Australian Government Moves to Expand Surveillance Powers (alethonews.wordpress.com)
- Australian customers could pay for govt spying (zdnet.com)
Europe Already Has Draft Standard For Real-Time Government Snooping On Services Like Facebook And Gmail
From the not-that-we’d-ever-use-it department
As the old joke goes, standards are wonderful things, that’s why we have so many of them. But who would have thought that ETSI, the European Telecommunications Standards Institute, has already produced a draft standard on how European governments can snoop on cloud-based services like Facebook and Gmail — even when encrypted connections are used?
ETSI DTR 101 567, to give it the full title, was pointed out to us by Erich Moechel, who has written an excellent exploration of its elements (original in German). Here’s the summary from the draft standard (Microsoft Word format):
The present document provides an overview on requests for handover and delivery of real-time information associated with cloud/virtual services. The report identifies Lawful Interception needs and requirements in the converged cloud/virtual service environment, the challenges and obstacles of complying with those requirements, what implementations can be achieved under existing ETSI LI [Lawful Interception] standards, and what new work may be required to achieve needed Lawful Interception capabilities. Cloud Services in whichever forms they take (Infrastructure, Software, Platform or combinations of these) are often trans border in nature and the information required to maintain Lawful Interception (LI) capability or sufficient coverage for LI support may vary in different countries, or within platforms of different security assurance levels. This work aims to ensure capabilities can be maintained while allowing business to utilise the advantages and innovations of Cloud Services and was undertaken cooperatively with relevant cloud security technical bodies.
As that makes clear, this is being presented as “maintaining” interception capabilities in a world where cloud computing makes previous approaches inapplicable. The new standard specifically mentions social networking, file sharing and video conferencing as new areas that need to be addressed.
One key section spells out how this is to be achieved:
If the traffic is encrypted, the entity responsible for key management must ensure it can be decrypted by the CSP [Communication Service Provider] or LEA [Law Enforcement Agency].
In order to maintain LI coverage the cloud service provider must implement a Cloud Lawful Interception Function (CLIF). This can be by way of Applications Programming Interface (API) or more likely ensuring presentation of information in a format recognisable to interception mechanisms. Deep packet inspection is likely to be a constituent part of this system.
As this makes clear, along with the intercepted information, the standard envisages encryption keys being handed over routinely. Just to make things complete, DPI — deep packet inspection — is also regarded as a likely element of the system.
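The two clauses quoted above read like paperwork, but the first one is an architectural demand. The following is an added example (not code from the ETSI draft, from the Techdirt article, or from any provider) modelling a cloud messaging provider that relays traffic between two users under three designs: provider-held (escrowed) session keys, end-to-end ephemeral Diffie-Hellman relayed honestly, and the same DH design with a Cloud Lawful Interception Function interposed on the handshake. The cipher is a deliberately toy construction (HMAC-SHA256 counter-mode keystream plus an HMAC tag) so the block needs only the standard library; the DH group is RFC 3526 group 14 and is Fermat-checked at import. Names such as `Provider`, `Endpoint`, `lea_recover` and the sample message are constructed for the illustration.

```python
"""Added example: what "the entity responsible for key management must ensure it
can be decrypted by the CSP or LEA" requires of a cloud service's architecture.
Toy cipher (HMAC-SHA256 keystream + tag); DH group: RFC 3526 group 14. Stdlib only."""
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
assert pow(2, P - 1, P) == 1  # Fermat check: a mistyped constant fails loudly here


def encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Toy AEAD: XOR with HMAC-SHA256(key, nonce||counter) blocks, then append a tag."""
    out = bytearray()
    for i in range(0, len(pt), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(pt[i:i + 32], block))
    tag = hmac.new(key, b"tag" + nonce + bytes(out), hashlib.sha256).digest()
    return bytes(out) + tag


def decrypt(key: bytes, nonce: bytes, ct: bytes):
    """Plaintext, or None when the key is wrong (tag does not verify)."""
    body, tag = ct[:-32], ct[-32:]
    expect = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return encrypt(key, nonce, body)[:-32]  # the XOR keystream is its own inverse


def kdf(shared_secret: int) -> bytes:
    return hashlib.sha256(shared_secret.to_bytes(256, "big")).digest()


class Endpoint:
    """A user device: fresh DH key pair per session (forward secrecy)."""
    def __init__(self):
        self.priv = secrets.randbits(256) | (1 << 255)
        self.pub = pow(G, self.priv, P)

    def key_with(self, peer_pub: int) -> bytes:
        return kdf(pow(peer_pub, self.priv, P))


class Provider:
    """The CSP: relays and records everything. `ltk` is its long-term key, the
    thing an interception order can compel it to hand over."""
    def __init__(self):
        self.ltk = secrets.token_bytes(32)
        self.li_records = []  # what a Cloud Lawful Interception Function would export

    def session_escrow(self, pt: bytes) -> bytes:
        """Design 1: provider-minted session key; the key is part of the LI record."""
        k, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        ct = encrypt(k, nonce, pt)
        self.li_records.append({"mode": "escrow", "nonce": nonce, "ct": ct, "key": k})
        return ct

    def session_e2e(self, pt: bytes) -> bytes:
        """Design 2: ephemeral DH between endpoints, relayed honestly. The CSP sees
        g^a, g^b and the ciphertext; recovering the key is the CDH problem."""
        a, b = Endpoint(), Endpoint()
        k = a.key_with(b.pub)
        assert k == b.key_with(a.pub)
        nonce = secrets.token_bytes(12)
        ct = encrypt(k, nonce, pt)
        self.li_records.append({"mode": "e2e", "nonce": nonce, "ct": ct,
                                "pub_a": a.pub, "pub_b": b.pub})
        return ct

    def session_e2e_with_clif(self, pt: bytes) -> bytes:
        """Design 3: a CLIF makes design 2 "decryptable by the CSP" by substituting its
        own DH value on each leg and re-encrypting. Neither endpoint notices unless it
        authenticates the peer's public value out of band: a silent wiretap capability."""
        a, b, m = Endpoint(), Endpoint(), Endpoint()
        k_am, k_mb = a.key_with(m.pub), b.key_with(m.pub)  # each user thinks m is the peer
        nonce = secrets.token_bytes(12)
        ct_in = encrypt(k_am, nonce, pt)
        pt_seen = decrypt(m.key_with(a.pub), nonce, ct_in)  # CSP reads it in transit
        self.li_records.append({"mode": "clif", "nonce": nonce, "ct": ct_in,
                                "key": m.key_with(a.pub)})
        return encrypt(k_mb, nonce, pt_seen)


def lea_recover(record: dict, provider_ltk: bytes):
    """The LEA's view: the CLIF export plus the handed-over long-term key.
    Returns plaintext, or None when nothing in the handover decrypts the session."""
    candidates = ([record["key"]] if "key" in record else []) + [provider_ltk]
    for k in candidates:
        pt = decrypt(k, record["nonce"], record["ct"])
        if pt is not None:
            return pt
    return None


def demo() -> dict:
    csp = Provider()
    msg = b"constructed sample message: meet at the usual place"  # constructed input
    for run in (csp.session_escrow, csp.session_e2e, csp.session_e2e_with_clif):
        run(msg)
    return {r["mode"]: lea_recover(r, csp.ltk) for r in csp.li_records}


if __name__ == "__main__":
    for mode, pt in demo().items():
        print(f"{mode:7s} -> {pt.decode() if pt else 'NOT recoverable from handover'}")
```

Running it shows the escrow and CLIF sessions recovered in full and the honest end-to-end session not recoverable at all, even though the LEA holds the provider’s long-term key and a byte-perfect capture of the handshake. That is the practical content of the clause: where users hold their own ephemeral keys, “ensuring it can be decrypted by the CSP” can only mean escrow or an active interposition on the key exchange, and the interposition is invisible to users who do not verify their peer’s public key by some other channel.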
Since this is currently a draft, the threat it represents might be seen as purely theoretical; but a recent article in the Guardian confirms that the UK government “quietly agreed to measures that could increase the ability of the security services to intercept online communication” — a reference to the ETSI draft. The Guardian also provides us with some explanation of why this draft just happens to be available at precisely the moment when the UK government is announcing a plan that seems likely to use it:
Etsi has faced criticism in the past for the pre-emptive inclusion of wiretapping capabilities, a decision that critics say encouraged European governments to pass their wiretapping laws accordingly. According to Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, the institute has strong links with the intelligence agencies and has a significant British contingent, along with a number of US government advisers.
It’s a classic case of policy laundering; here’s how it will probably work.
The British government insists now that it will “only” gather communications data, and not content. At the same time, it will require that ISPs adopt the new ETSI cloud interception standard (once it’s been finalized) in the “black boxes” that they must install under the proposed snooping legislation. That will put in place all the capabilities needed for accessing encrypted streams — since those providing cloud services will be required to hand over the encryption keys — and hence the content. The UK government may not intend to access content today, but thanks to the wonders of function creep, when it decides to do so tomorrow the facility will be there waiting for it.
Meanwhile, European governments will be able to point to the UK’s adoption of the ETSI standard as just “good practice”; they will ask their own ISPs to implement it, while insisting that they too have no intention of accessing the contents of people’s Internet streams either. Until, that is, the day comes — probably in the wake of some terrorist attack or pedophile scandal — when the governments will note that since the capability is available, it would be “irresponsible” not to use it to tackle these terrible crimes. The US government will then bemoan the fact that Europe is taking better care of its citizens than it can, and will therefore pass laws requiring US ISPs to install similar real-time access to their systems, and for cloud-based services to hand over the encryption keys. Luckily, there will be a well-tried European standard that can serve as a model….
Our movie industry has created some memorable monsters on screen. But Hollywood, and the major music labels, also helped create a very real kind of monster – copyright trolls who coerce settlements from Internet subscribers using intimidation and our out-of-whack copyright laws. Last Friday, EFF Senior Staff Technologist Seth Schoen took the witness stand in AF Holdings v. Does to explain to a federal judge why BitTorrent users should be able to hold on to their constitutional rights when targeted by trolls. Although some courts have put the brakes on the trolls’ schemes, there’s no Hollywood ending in sight yet. As the entertainment industries continue to push for ever-stronger copyright through treaties, private agreements, Congress and state legislatures, it’s time to ask – how will Hollywood help protect us from the trolls?
The current crop of copyright trolls sue anywhere from 20 to 5,000 “John Doe” defendants in a single lawsuit, pinned to a list of Internet Protocol addresses that they claim to have seen downloading copyrighted movies using BitTorrent. Then, with the courts’ permission, they send subpoenas to Internet service providers for the names and addresses of subscribers. The trolls then send threatening letters, demanding settlement payments to “make this go away” or face being dragged into court – often in a faraway state. Over 200,000 U.S. residents have been caught up in these suits, with many undoubtedly settling simply to end the harassment.
The trolls are, of course, following a trail blazed by the major music labels through the Recording Industry Association of America. Beginning around 2003, they sued about 35,000 people, using the courts’ subpoena powers as a private investigation service to find names and addresses. The RIAA ended its lawsuit campaign in 2008, apparently realizing the damage that suing its own fans had done to the industry’s image.
It was perhaps inevitable that the vacuum would be filled by opportunists with no public image to protect. Since 2008, troll lawyers have sued about six times more people than the RIAA ever did, and pursued them even more aggressively, probably netting millions in settlements. Some have faced court sanctions for cutting corners in court procedure, and one was even caught practicing law without a license. But this scheme wouldn’t be a viable business model without the draconian imbalances of U.S. copyright law and legal precedent that the entertainment industries and their lobbyists have pushed through Congress and the courts.
For starters, the statutory penalty for sharing even one copyrighted work – say one song – is as much as $150,000. It’s no surprise that many people choose to settle for several thousand dollars rather than risk a bankrupting court judgment – even if they broke no law. The entertainment industries insist that we need these gargantuan penalties to deter infringement, but the same “statutory damages” provisions are the knobby club in the hands of the trolls.
Then there’s the legal doctrine of “secondary liability.” The movie and recording industries are constantly pressing for broader liability for intermediaries, Internet sites and services, and makers of tools and software. Copyright trolls use these concepts to disregard actual copyright infringers and instead go after the owners of Internet accounts, who are often easier to find. The trolls suggest, using the rhetoric of secondary liability, that merely allowing others to use one’s Internet connection, or operating an open Wi-Fi node, makes one liable for any copyright infringement. This isn’t the law, but the trolls don’t warn their marks about that. Often, even those who understand secondary liability, or can afford to hire a lawyer, choose to pay a settlement for someone else’s alleged infringement rather than risk a lengthy and expensive trial, even if they would prevail.
Then there’s the very concept of lawsuits aimed at dozens or thousands of “John Doe” Internet account holders. Plaintiffs in these suits often group together Internet users from all over the country and obtain their identities from ISPs by court order. Doing this requires trampling on jurisdiction rules that keep people from being unfairly forced to defend themselves far from home, joinder rules that guarantee every defendant is treated as an individual, and the First Amendment, which gives us a right to communicate anonymously. The RIAA’s lawsuit campaign also disregarded these legal safeguards. After the RIAA opened this door, the trolls lumbered in.
Finally, the entertainment industries have spent decades, and millions of lobbying and advertising dollars, to promote the simple but flawed idea that if copyright law promotes creativity, then ever-more-extreme copyright law will promote even more. According to this philosophy, the importance of preventing even the most inconsequential copyright infringement justifies chilling free speech, unmasking anonymous Internet users, wholesale regulation of the Internet … and setting loose the trolls. This worldview was on full display at a hearing last week in the D.C. federal district court, when ISPs, assisted by the EFF, tried to quash subpoenas for Internet users’ identities. EFF’s Seth Schoen matched wits with pornography financier AF Holdings’s expert on the workings of BitTorrent and Internet forensics, and the plaintiff’s attorney defended his litigation tactics as an acceptable way to “stop piracy.”
Although there will always be people willing to use the legal system as part of a shakedown, copyright trolls are a monster created in Hollywood. Naturally, the entertainment industry’s spokespeople, lobbyists, and other mouthpieces don’t discuss how the laws, treaties, court precedents, and private enforcement agreements they spend millions to promote will be misused by opportunists. But when the next SOPA, PIPA, ACTA, TPP, graduated response agreement, or state-level copyright bill comes along, let’s ask Hollywood and its allies how they plan to keep trolls confined to the big screen.
- ISPs Ask Judge To Quash Subpoena In Troll Case — Or Let Them Appeal (eff.org)
- EFF Backs ISPs in Battle to Quash Copyright Troll Subpoenas (eff.org)
- Copyright-trolls: mind your own extra-judicial business, court says (arstechnica.com)
- Die, Troll, Die (wired.com)
- Judge rejects copyright trolls’ BitTorrent conspiracy theory (arstechnica.com)
In a report published last week, members of the United Kingdom Parliament concluded that the Internet plays a major role in the radicalization of terrorists and called on the government to pressure Internet Service Providers in Britain and abroad to censor online speech. The Roots of Violent Radicalisation places the Internet ahead of prisons, universities, and religious establishments in propagating radical beliefs and ultimately recommends that the government “develop a code of practice for the removal of material which promotes violent extremism” binding ISPs.
While the Terrorism Act 2006 authorizes British law enforcement agencies to order certain material to be removed from websites, lawmakers on the Home Affairs Committee stated that “service providers themselves should be more active in monitoring the material they host.” Their report raises serious concerns that political and religious speech will be suppressed. Security expert Peter Neumann who testified before the Committee asked why websites like YouTube and Facebook can’t be as “effective at removing . . . extremist Islamist or extremist right-wing content” as they are at removing sexually explicit content or copyrighted material that violates their own terms of service.
Citing “persuasive evidence about the potential threat from extreme far-right terrorism” and lauding the recent conviction of four London men who used the Internet to plot a bombing of the London Stock Exchange, Members of Parliament commended the report, saying, “[it] tackles the threat from home-grown terrorism on and off line.” A spokesman for the House of Commons Home Office stated that the Committee would continue to “work closely with police and internet service providers to take Internet hate off the web.”
In an interview with the International Business Times, Trend Micro security director Rik Ferguson criticized the Committee’s recommendations and argued that making ISPs “judge, jury and executioner” imposes responsibilities on ISPs that rightfully belong to law enforcement. “Material of a political or religious nature is by definition much more difficult to define and much more difficult to police without crossing the line to impact on freedom of expression,” Ferguson stated.
The Committee issued its recommendations in the midst of reports that Google India had taken down online content deemed offensive to Indian political and religious leaders in response to a lawsuit. The Washington Post points out that Google Transparency Reports indicate that the UK removed nearly as much content as India from January to June 2011. Google complied with more than 80% of requests from the UK to remove content from its services.
EFF believes that it is not the role of intermediaries to serve as gatekeepers for law enforcement. Fortunately, we’re not alone: the UK’s Internet Service Providers’ Association argues that “ISPs are not best placed to determine what constitutes violent extremism and where the line should be drawn. This is particularly true of a sensitive area like radicalisation, with differing views on what may constitute violent extremism.” Indeed, the strategy set forth by the Committee defines extremism as “vocal or active opposition to fundamental British values.” ISPs and other intermediaries must not be charged with determining what constitutes extremism, particularly when the definition is so vague. This type of state-mandated online censorship is inherently corruptible, especially when it is justified as combating national security threats.
This January 28 marks International Privacy Day, the anniversary of the day the first legally binding international privacy treaty was opened for signature to Member States, on January 28, 1981. Different countries around the world are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent privacy threats around the world and describing a few of the available tools that allow individuals to protect their privacy and anonymity.
Today, we are calling on governments to repeal mandatory data retention schemes. Mandatory data retention harms individuals’ anonymity, which is crucial for whistle-blowers, investigators, journalists, and for political speech. It creates huge potential for abuse and should be rejected as a serious infringement on the rights and freedoms of all individuals.
It has been six years since the highly controversial Data Retention Directive (DRD) was adopted in the European Union. Conceived in the EU and steamrolled by powerful U.S. and U.K. government lobbies, this mass-surveillance law compels EU-based Internet service providers to collect and retain traffic data revealing who communicates with whom by email, phone, and SMS, including the duration of the communication and the locations of the users. This data is often made available to law enforcement. Europeans have widely criticized the DRD, and year after year, it has inspired some of the largest-ever street protests against excessive surveillance.
The European Commission has begun mounting a defense for this highly controversial mass-surveillance scheme, though it has thus far been unable to show that the DRD is necessary or proportionate. For the DRD to be legal in the EU, any limitation to the right to privacy must be “necessary” to achieve an objective of general interest and “proportionate” to the desired aim. This requirement is important to ensure that the government does not adopt severe measures to address a problem that could otherwise be solved in a way that is less harmful to civil liberties. But the Commission has been arguing that all uses of retained data illustrate that the Directive is “valuable.” This doesn’t meet the legal standard. Instead, the Commission should provide evidence that, in the absence of a mandatory data retention law, traffic data crucial to the investigation of “serious crime” would not have been available to law enforcement.
Despite the European Commission’s efforts to preserve the Directive as-is, a leaked letter confirms that the Commission has been scrambling to conjure evidence for the “need” of a DRD scheme in the European Union. It also underscores the fact that there is no system of oversight that would allow citizens to monitor the impact of the proposed program on their privacy rights. Perhaps the most disquieting detail that has been confirmed by the letter is that service providers have already been storing instant messages, chats, uploads, and downloads. This type of data collection falls outside the scope of the DRD. Moreover, the letter indicates that “unnamed” players seek to broaden the uses of the DRD to include prosecution of copyright infringement including “illegally downloading.” Since this is not a serious crime, this legally falls outside the scope of the DRD.
In response to this leak, EDRI stated, “The leaked document however shows that the Commission can neither prove necessity nor proportionality of the Data Retention Directive – but still wants to keep the Directive.” The leaked letter also disclosed that the EU Commission is evaluating the possibility of amending the Directive. The Commission has commissioned a study into data preservation in the EU and around the world. According to the letter, this exercise is to be completed by May 2012.
Ending Data Retention: Constitutional Challenges
Constitutional courts have begun weighing in on the legality of this mass-surveillance scheme. In a decision celebrated by privacy advocates, the Czech Constitutional Court declared in March 2011 that the Czech data retention law was unconstitutional. Earlier this month, the same Court dealt another blow to data retention by annulling part of the Criminal Procedure Code, which would have enabled law enforcement access to data stored voluntarily by operators. Most importantly, the Czech Court used compelling language in articulating the importance of the protection of traffic data. The Court stated that the collection of traffic data and communication data warranted identical legal safeguards since both have the same “intensity of interference”.
We couldn’t agree more. Sensitive data of this nature demands stronger protection, not an all-access pass. Individuals should not have to worry whether one sort of private information has less protection than another.
I believe that both decisions will help ensure that new legislation enforces the same restrictions as exist for the use of wiretaps. These include strong privacy safeguards for government access to citizens’ data, the obligation to inform individuals about the use of their data, and so on.
Several other courts in EU member states have also ruled on the illegality of data retention laws. In 2009, the Romanian Constitutional Court rejected the imposition of an ongoing, sweeping traffic data retention program. The Court rightly emphasized that mandatory data retention overturns the presumption of innocence in a way that treats all Romanians like potential suspects. Despite this court decision, a new draft data retention bill was introduced in the Parliament, but the Senate finally rejected it at the end of 2011.
In March 2010, the German Constitutional Court declared the German mandatory data retention law unconstitutional. The Court ordered the deletion of the collected data and affirmed that data retention could “cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one’s basic rights in many areas.” The lawsuit was brought by 34,000 citizens through the initiative of AK Vorrat, the German working group against data retention.
Over in Ireland, the High Court is referring to the European Court of Justice the case challenging the legality of the DRD, thanks to the complaint brought by Digital Rights Ireland. The Irish Court acknowledged the importance of defining “the legitimate legal limits of surveillance techniques used by governments”, and rightly emphasized that “without sufficient legal safeguards the potential for abuse and unwarranted invasion of privacy is obvious”. The courts in Cyprus and Bulgaria have also declared their mandatory data retention laws unconstitutional.
The DRD compels EU member countries to implement the Directive into national law. Fortunately, many member states have not yet done so. The Czech Republic, Germany, Greece, Romania, and Sweden have not adopted this piece of legislation, despite pressure from the European Commission to do so. In Austria, the data protection law will take effect in April 2012. AK Vorrat Austria plans to use all legal means to challenge the legality of the DRD. They have also handed over a petition to the Austrian Parliament asking the government to fight against the DRD at the EU level and to review all existing anti-terror legislation. (If you are Austrian, sign the petition today at zeichnemit.at.) In Slovakia, the NGO European Information Society Institute is opposing the Slovakian data retention implementation law.
Meanwhile, civil society groups are resisting and campaigning against this oppressive data retention law. EDRI, along with EFF and AK Vorrat, has fought to repeal the DRD in favor of targeted collection of traffic data. EDRI has previously reported that Deutsche Telekom, a German telco, illegally used telecommunications traffic and location data to spy on roughly 60 individuals including journalists, managers, and union leaders. They also reported that two major intelligence agencies in Poland used retained traffic and subscriber data to illegally disclose journalistic sources without any judicial oversight. These are only a few examples in which data retention policies have directly threatened individuals’ expression and privacy rights.
The DRD is a threat to Internet privacy and anonymity, and has been proven to violate the privacy rights of 500 million Europeans. EFF, together with EDRI, will keep fighting to repeal the DRD in favor of targeted collection of traffic data.
Mandatory Data Retention in the United States
Two bills introduced in the U.S. Congress in 2009 would have required all Internet providers and operators of WiFi access points to keep records on Internet users for at least two years to assist police investigations. Neither bill became law. Some legislators and law enforcement officials continue to argue, however, that mandatory data retention is necessary to investigate online child pornography and other Internet crimes. In January 2011, the U.S. House of Representatives Judiciary Subcommittee on Crime, Terrorism, and Homeland Security held a hearing that discussed whether Congress should pass legislation that would force ISPs and telecom providers to log Internet user traffic data. In May 2011, H.R. 1981, which would require retention of such traffic data, was introduced in the House of Representatives. This bill is still alive and continues to be a threat to the privacy and anonymity of all Americans. EFF has joined civil liberties and consumer organizations in publicly opposing H.R. 1981. Please join EFF, and help us defeat this bill before it is made law. Contact your Representative now.