Archive
NSA can read, see and hear everything you do online
Watch a YouTube video? NSA knows.
Write a Facebook private message? NSA can read it.
Skype with a friend? NSA can hear you.
We always assumed that secret services in today's world could access our online communication if they wanted. ECHELON has monitored phone calls for over half a century now, most of our emails are not encrypted and are sent through any number of servers worldwide, and several reports in recent years suggested that the NSA has significant powers to spy on us. However, the revelation in recent days of a vast data collection program by the NSA that gives them unlimited access to basically all communication online, without any court order, is shocking nonetheless. Under the program called PRISM, major internet companies grant the NSA a direct interface to all user data, including emails, calls, chats, file transfers and video (and rumoured: credit card data). Companies in the program include Microsoft, Google, Yahoo, Facebook, YouTube, Skype and Apple. No court order or special request is required. And this is heavily used: over 2,000 PRISM-based reports are generated every month.
In a first reaction after the publication of the program's existence, the White House stressed that this program is “just” targeted against non-US citizens and that no US citizens are surveilled. This is certainly not reassuring for all of us living outside the US, since most of today's internet companies are based in the US. By the way, Dropbox is supposed to be added soon. So you might want to reassess your cloud storage strategy and at least add encryption to Dropbox or use providers such as SpiderOak.
In combination with major NSA efforts to operate and build data centers to automatically analyze data, this development is troublesome and should change everyone's lax attitude towards online communication.
Update:
It seems like the NSA's UK counterpart GCHQ has access too!
Update 2:
TechCrunch has an interesting article suggesting that PRISM might not be as big as everybody feared.
The Biggest EU Surveillance Projects
In an earlier post I pointed out how ridiculous I find the hysteria around the INDECT project. It just acts as a good excuse for some shallow and wrong Anonymous videos. Further, I guess one has a different view on large-scale research projects after being involved in a few. However, it is interesting to see which other EU research projects are currently in progress. Heise.de compiled a nice list of the biggest ones. So I recommend reading this article (English translation) to get a good overview and also some constructive critical remarks regarding INDECT.
Twitter Fights for Occupy Protester: Data Belongs to User!
Last October an Occupy Wall Street protester was arrested for “disorderly conduct” in New York City. As part of his prosecution Twitter received a court order requiring it to hand over 3 months of Twitter data to the court. The prosecutors obviously hoped that he had sent some infringing direct messages, since usual Twitter messages are public anyway. It wouldn’t have surprised anyone if Twitter had handed over the data without complaining. However, recently the company refused! And not only that, the amazing part is that they did this because they state that the data belongs to their users! Thus, the court has to ask the user to hand over the data (who is not very willing either). This is an astounding development, given that generally Internet companies make their privacy policies stricter so they can do whatever they want with their users' data.
These are the cases when companies can show how seriously they take their privacy policy and, essentially, which side they are on.
A Solution to Internet Snooping in the EU
On April 1st, the so-called “Vorratsdatenspeicherung” (VDS, data retention) took effect in Austria (after Austria was sued by the EU for non-compliance in 2010). Basically, this law requires telecommunication providers (telcos, ISPs) to store all communication data (though no content of calls and emails etc.) for six months. There is much controversy about this law and a growing opposition against it. But rather than writing about VDS, which has been discussed in numerous places before, I find it much more interesting to look at the situation in other countries.
Generally, the EU Data Retention Directive requires member states to store Internet information for at least six months. Some member states, such as France, Bulgaria and the Netherlands, have already implemented the directive; some, such as Sweden or Austria, resisted, got sued by the EU and are implementing it now. Germany implemented it in 2008 but stopped in 2010 following a court ruling that stated that VDS is unconstitutional.
Further, most notably, in the UK there is currently a proposal for a bill making the rounds, which would allow somewhat of an extension to VDS. The big difference to Austria is that in the UK this bill would allow real-time government surveillance and surveillance without any warrant. For the time being, no content of any messages would be surveilled, but, as this article points out, in a time of crisis this is just a small step to take. This is especially interesting since the current UK government pledged in its coalition agreement that they would stop storage of Internet data without reason! But I would have been surprised if they actually stopped it. I find it rather surprising that they didn’t manage to pass such a bill well before the Olympics 2012 for which security and surveillance systems were upgraded significantly.
I believe that generally there is no reason why ISPs and telcos should not store connection data (not content). I would be surprised if they don’t do that already anyway. And I think it is okay to use this data in criminal investigations.
However, I do see a problem if this data can be accessed at any time, without any warrant and without explaining yourself to anyone. In Austria, the police do need a warrant and are only allowed to access this data if the charge for the crime committed is over two years' prison time. But this is not enough; there needs to be stricter regulation. I propose an external, independent institution (ideally directly elected) that controls police who access this data. In Austria, this might be the “Datenschutzkommission” (DSK, data protection agency). The police would regularly have to report which data they accessed and, more importantly, why. This institution would have to have the authority and political independence to stop access and inform the public. This institution in return has to publish regular public reports on its work. Of course, this institution has to be adequately funded with enough people to check and regulate. This is something that is definitely not the case right now at the DSK. I believe it is only fair to provide more financial resources for this, since these new regulations cost the telcos and ISPs significantly more money, which they will collect from their customers.
A true democracy can only work if for every power there is an opposition. This is an ancient concept and works in parliament and between the different powers of the state. So if one institution has the power to surveil communication data, there should be an opposition to hold the balance. This is how it works in a democracy and I think this is where all of us want to live.