Tag: Edward Snowden

Posted on

NSA call records collection ruled illegal by US appeals court

A program run by the National Security Agency that collected details on billions of Americans’ phone calls was ruled illegal by a U.S. appeals court on Thursday.

The Ninth Circuit Court of Appeals found that the NSA’s “bulk collection” of call records violated the law, but the judges fell short of ruling the program unconstitutional.

The NSA used new powers in the wake of the September 11 terror attacks — known as Section 215 for its place in the law books — to scoop up billions of phone records every year by compelling U.S. phone giants to turn over daily call logs, which the agency uses to make connections between targets of interest. Those call records include who is calling who and when — but not the contents.

Details of the program were exposed by former NSA contractor Edward Snowden in 2013.

But the call records program, beset with problems, overcollection, and questions about its legality, was shut down last year.

Patrick Toomey, senior staff attorney with the ACLU’s National Security Project, said the ruling was a “victory” for privacy rights.

“The ruling makes plain that the NSA’s bulk collection of Americans’ phone records violated the Constitution. The decision also recognizes that when the government seeks to prosecute a person, it must give notice of the secret surveillance it used to gather its evidence,” said Toomey. “This protection is a vital one given the proliferation of novel spying tools the government uses today.”

The case at the Ninth Circuit involved Basaaly Moalin and three others, who were found guilty in 2013 for sending money to the militant group, Al-Shabaab. Moalin was convicted in part through call records collected by the NSA, but the role that the data played was so small that it did not undermine their convictions, reports Politico.

The NSA has long claimed that the program was vital for protecting the U.S. homeland stopping terrorist attacks. Past administrations claimed that the program stopped more than 50 attacks. But after congressional scrutiny, that figure was revised down to one identified individual — Moalin.

Although the court did not overturn Moalin’s conviction, the three-judge panel criticized the government’s previous statements and comments about the usefulness and effectiveness of the program, which the court said were “inconsistent with the contents of the classified record.”

Julian Sanchez, a civil liberties expert and senior fellow at the Cato Institute, tweeted: “The upshot of this Ninth Circuit opinion is that the NSA’s bulk phone record collection was illegal and probably unconstitutional, but it doesn’t matter because the program was also worthless.”

When asked if the NSA stood by its earlier statements, spokesperson Mike Dusak declined to comment.

NSA improperly collected Americans’ phone records for a second time, documents reveal

Posted on

Leaked S-1 says Palantir would fight an order demanding its encryption keys

Palantir, the secretive data analytics startup founded by billionaire investor Peter Thiel, would challenge a government order seeking the company’s encryption keys, according to a leaked document.

TechCrunch has obtained a leaked copy of Palantir’s S-1, filed with U.S. regulators to take the company public. We’ve covered some ground already, including looking at Palantir’s financials, its customers, and some of the company’s self-identified risk factors.

But despite close relationships with law enforcement and government customers — including the U.S. government — Palantir indicated where it would draw the line if it was served a legal demand for its data.

From the leaked S-1 filing:

From time to time, government entities may seek our assistance with obtaining information about our customers or could request that we modify our platforms in a manner to permit access or monitoring. In light of our confidentiality and privacy commitments, we may legally challenge law enforcement or other government requests to provide information, to obtain encryption keys, or to modify or weaken encryption.

The S-1 touches on a particularly thorny issue in the U.S., given repeated efforts by the Trump administration to undermine and weaken encryption at the request of law enforcement, who say that encryption used by U.S. tech and internet giants makes it harder to investigate crimes.

But despite the close ties between Palantir co-founder Peter Thiel and the administration, Palantir’s position on encryption aligns closer with that of other Silicon Valley tech companies, which say strong encryption protects their users and customers from hackers and data theft.

In June, the government doubled down on its anti-encryption position with the introduction of two bills which, if passed, would force tech giants to build encryption backdoors into their systems.

Tech companies — including Apple, Facebook, Google, Microsoft, and Twitter — strongly opposed the bills, arguing that backdoors “would leave all Americans, businesses, and government agencies dangerously exposed to cyber threats from criminals and foreign adversaries.” (Verizon Media, which owns TechCrunch, is also a member of the coalition.)

Orders demanding a company’s encryption keys are rare but not unheard of.

In 2013 the government ordered Lavabit, an encrypted email provider, to turn over the site’s encryption keys. It was later confirmed, though long suspected, that the government wanted access to the Lavabit account belonging to NSA whistleblower Edward Snowden.

More recently, the FBI launched legal action in 2016 to compel Apple to build a custom backdoor that would have allowed federal agents access to an encrypted iPhone belonging to one of the San Bernardino shooters, Syed Rizwan Farook, who with his wife Tashfeen Malik, killed 14 people and injured 22 others. The FBI dropped the case after hiring hackers to break into the shooter’s iPhone, without Apple’s help.

Palantir did not say in the S-1 if it had received a legal order to date. But the S-1 filing said that the company risks “adverse political, business, and reputational consequences” regardless of whether or not the company challenged a legal order in court.

A Palantir spokesperson did not return a request for comment.

Palantir’s S-1 alludes to controversial work with ICE as a risk factor for its business

Posted on

Europe’s top court strikes down flagship EU-US data transfer mechanism

A highly anticipated ruling by Europe’s top court has just landed — striking down a flagship EU-US data flows arrangement called Privacy Shield.

The case — known colloquially as Schrems II (in reference to privacy activist and lawyer, Max Schrems, whose original complaints underpin the saga) — has a long and convoluted history. In a nutshell it concerns the clash of two very different legal regimes related to people’s digital data: On the one hand US surveillance law and on the other European data protection and privacy.

Putting a little more meat on the bones, the US’ prioritizing of digital surveillance — as revealed by the 2013 revelations of NSA whistleblower, Edward Snowden; and writ large in the breadth of data capture powers allowed by Section 702 of FISA (Foreign Intelligence Surveillance Act) — collides directly with European fundamental rights which give citizens rights to privacy and data protection.

The Schrems II case also directly concerns Facebook, while having much broader implications for how large scale data processing of EU citizens data can be done.

At specific issue are questions of legality around a European data transfer mechanism used by Facebook (and many other companies) for processing regional users’ data in the US — called Standard Contractual Clauses (SCCs).

Schrems challenged Facebook’s use of SCCs at the end of 2015, when he updated an earlier complaint on the same data transfer issue related to US government mass surveillance practices with Ireland’s data watchdog.

He asked the Irish Data Protection Commission (DPC) to suspend Facebook’s use of SCCs. Instead the regulator decided to take him and Facebook to court, saying it had concerns about the legality of the whole mechanism. Irish judges then referred a large number of nuanced legal questions to Europe’s top court, which brings us to today. It’s worth noting Facebook repeatedly tried and failed to block the reference to the Court of Justice.

The referral by the Irish High Court also looped in questions over a flagship European Commission data transfer agreement, called the EU-US Privacy Shield. This replaced a long standing EU-US data transfer agreement called Safe Harbor which was struck down by the CJEU in 2015 after an earlier challenge also lodged by Schrems. (Hence Schrems II.)

So part of the anticipation associated with this case has related to whether Europe’s top judges would choose to weigh in on the legality of Privacy Shield — a data transfer framework that’s being used by more than 5,300 companies at this point. And which the European Commission only put in place a handful of years ago.

Critics of the arrangement have maintained it does not resolve the fundamental clash between US surveillance and EU data protection — and in recent years, with the advent of the Trump administration, the Privacy Shield has looked increasingly precariously placed.

In the event the CJEU has sided with critics who have long maintained Privacy Shield is the equivalent of lipstick on a pig. Today is certainly not a good day for the European Commission (which also had a very bad day in court yesterday on a separate matter). We reached out to the EU executive for comment on Schrems II and a spokesman told us it will be holding a press briefing at noon.

Privacy Shield had also been under separate legal challenge — with the complainant in that case (La Quadrature du Net) arguing the mechanism breaches fundamental EU rights and does not provide adequate protection for EU citizens’ data. That case is now moot.

On SCCs, the CJEU has not taken issue with the mechanism itself — but judges impress the obligation on data controllers to carry out an assessment of the data protection afforded by the country where the data is to be taken. If the level is not equivalent to that offered by EU law then the controller has a legal obligation to suspend the data transfers.

This also means EU regulators — such as Ireland’s DPC — have a clear obligation to suspend data transfers that are taking place via SCCs to third countries where data protections are not adequate. Which was what Schrems had asked the Irish regulator to do in the first place.

It’s not immediately clear what alternative exists for companies such as Facebook that are using SCCs to take EU citizens’ data to the US, given judges have invalidated Privacy Shield on the grounds of the lack of protections afforded to EU citizens data in the country. US surveillance law is standing in the way of their data flows.

Commenting on the ruling in a statement, a jubilant Schrems said: “I am very happy about the judgment. At first sight it seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.”

We’ve also reached out to Facebook and the Irish DPC for comment.

This is a developing story… 

Posted on

More legal uncertainty for Privacy Shield ahead of crux ruling by Europe’s top court

Facebook tried to block the referral but today an influential advisor to Europe’s top court has issued a legal opinion that could have major implications for the future of the EU-US Privacy Shield personal data transfer mechanism.

It’s a complex opinion, dealing with a fundamental clash of legal priorities around personal data in the EU and US, which does not resolve question marks hanging over the legality of Privacy Shield .

The headline take-away is that a different data transfer mechanism which is also widely used by businesses to transfer personal data out of the EU — so called Standard Contractual Clauses (SCCs) — has been deemed legally valid by the court advisor.

However the advocate general to the Court of Justice of the European Union (CJEU) is also at pains to emphasize the “obligation” of data protection authorities to step in and suspend such data transfers if they are being used to send EU citizens’ data to a place where their information cannot be adequately protected.

So while SCCs look safe — as a data transfer mechanism — per this opinion, it’s a reminder that EU data protection agencies have a duty to be on top of regulating how such tools are used.

The reason the case was referred to the CJEU was a result of Ireland’s Data Protection Commission not acting on a complaint to suspend Facebook’s use of SCCs. So one view that flows from the opinion is the DPC should have done so — instead of spending years on an expensive legal fight.

The backstory to the legal referral is long and convoluted, involving a reformulated data protection complaint filed with the Irish DPC by privacy campaigner and lawyer Max Schrems challenging Facebook’s use of SCCs. His earlier legal action, in the wake of the 2013 disclosures of US government mass surveillance programs by NSA whistleblower Edward Snowden, led to Privacy Shield’s predecessor, Safe Harbor, being struck down by the CJEU in 2015.  

On the SCCs complaint Schrems prevailed in the Irish courts but instead of acting on his request to order Facebook to suspend its SCC data flows, Ireland’s data protection watchdog took the unusual step of filing a lawsuit pertaining to the validity of the entire mechanism.

Irish courts then referred a number of legal questions to the CJEU — including looping in the wider issue of the legality of Privacy Shield. It’s on those questions that the AG has now opined.

It’s worth noting that the advocate general’s opinion is not binding on the CJEU — which will issue a ruling on the case next year. Although the court does tend to follow such opinions so it’s a strong indicator of the likely direction of travel.

The opinion, by advocate general Henrik Saugmandsgaard Øe, takes the view that the use of SCCs for the transfer of personal data to a third country — i.e. a country outside the EU that does not have a bilateral trade agreement with the bloc — is valid.

However, as noted above, the AG puts the onus on data authorities to act in instances where obligations to protect EU citizens’ data under the mechanism come into conflict with privacy-hostile laws outside the EU, such as government mass surveillance programs.

“[T[here is an obligation — placed on the data controllers and, where the latter fail to act, on the supervisory authorities — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses
cannot be complied with,” the CJEU writes in a press release on the opinion.

In a first reaction, Schrems highlights this point — writing: “The advocate general is now telling the Irish Data Protection Authority again to just do its job… After all the Irish taxpayer may have to pay up to €10M in legal costs, for the DPC delaying this case in the interest of Facebook.

“The opinion makes clear that DPC has the solution to this case in her own hands: She [Helen Dixon] can order Facebook to stop transfers tomorrow. Instead, she turned to the CJEU to invalidate the whole system. It’s like screaming for the European fire brigade, because you don’t know how to blow out a candle yourself.”

We’ve reached out to the Irish DPC and to Facebook for comment on the AG’s opinion.

“At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints. This is a huge step for the enforcement of the GDPR [the General Data Protection Regulation],” Schrems also argues.

Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo, suggests that the likelihood of EU DPAs suspending SCC personal data transfers to the US will “depend on the Court’s ultimate take on the safeguards surrounding the access to the transferred data by the United States intelligence authorities and the judicial protection available to the persons whose data are transferred”.

“The disruptive effect of a suspension of SCCs, even if partial and just for the U.S., is likely to be substantial,” he argues. “SCCs are widely used for the transfer of personal data outside the EU. They are probably the most used data transfer mechanism, including for transfers to the U.S.  Thus, even a partial suspension of the SCCs would force a significant number of organizations to explore alternative mechanisms for their transfers to the U.S. 

“However, the alternatives are limited and often difficult to apply to large-scale transfers, the main ones being the derogations allowing transfers with the consent of the data subject or necessary for the performance of a contract. These are unlikely to be suitable for all transfers currently taking place in accordance with SCCs.”

“In practice, the degree of disruption is likely to depend on the timing and duration of the suspension,” he adds. “Any suspension or other finding that data transfers to the U.S. are problematic is likely to speed up the modernization of SCCs that the European Commission is already working on but it is unclear how long it would take for the Commission to issue new SCCs.

“When the Court invalidated the Safe Harbor, it took several months for the Commission to adopt the Privacy Shield and amend the existing SCCs to take into account the Court’s judgment.”

On Privacy Shield — a newer data transfer mechanism which the European Commission claims fixes the legal issues with its predecessor — Saugmandsgaard Øe’s opinion includes some lengthy reasoning that suggests otherwise and certainly does not clear up questions around the mechanism’s legality which arise as a result of US laws that allow the state to harvest personal data for national security purposes, thereby conflicting with EU privacy rights.

Per the CJEU press release, the AG’s opinion sets out a number of reasons which it says “lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy”.

The flagship mechanism is now used by more than 5,000 entities to authorize EU-US personal data transfers.

Should it be judged invalid by the court there would be a massive scramble for businesses to find alternatives.

It remains to be seen how the court will handle these questions. But Privacy Shield remains subject to direct legal challenge — so there are other opportunities for it to weigh in, even if CJEU judges avoids doing so in this case.

Schrems clearly hopes they will weigh in soon, skewering Privacy Shield in his statement — where he writes: “After the ‘Safe Harbor’ judgment the European Commission deliberately passed an invalid decision again — knowing that it will take two or three years until the Court will have a chance to invalidate it a second time. It will be very interesting to see if the Court will take this issue on board in the final decision or wait for another case to reach the court.”

“I am also extremely happy that the AG has taken a clear view on the Privacy Shield Ombudsperson. A mere ‘postbox’ at the foreign ministry of the US cannot possibly replace a court, as required under the first judgement by the Court,” he adds.

He does take issue with the AG’s opinion in one respect — specifically its reference to what he dubs “surveillance friendly case law” under the European Convention on Human Rights — instead of what he couches as “the clear case law of the Court of Justice”.

“This is against any logic… I am doubtful that the [CJEU] judges will join that view,” he suggests.

The court typically hands down a judgement between three and six months after an AG opinion — so privacy watchers will be readying their popcorn in 2020.

Meanwhile, for thousands of businesses, the legal uncertainty and risk of future disruption should Privacy Shield come unstuck goes on.

Posted on

Messaging app Wire confirms $8.2M raise, responds to privacy concerns after moving holding company to the US

Big changes are afoot for Wire, an enterprise-focused end-to-end encrypted messaging app and service that advertises itself as “the most secure collaboration platform”. In February, Wire quietly raised $8.2 million from Morpheus Ventures and others, we’ve confirmed — the first funding amount it has ever disclosed — and alongside that external financing, it moved its holding company in the same month to the US from Luxembourg, a switch that Wire’s CEO Morten Brogger described in an interview as “simple and pragmatic.”

He also said that Wire is planning to introduce a freemium tier to its existing consumer service — which itself has half a million users — while working on a larger round of funding to fuel more growth of its enterprise business — a key reason for moving to the US, he added: There is more money to be raised there.

“We knew we needed this funding and additional to support continued growth. We made the decision that at some point in time it will be easier to get funding in North America, where there’s six times the amount of venture capital,” he said.

While Wire has moved its holding company to the US, it is keeping the rest of its operations as is. Customers are licensed and serviced from Wire Switzerland; the software development team is in Berlin, Germany; and hosting remains in Europe.

The news of Wire’s US move and the basics of its February funding — sans value, date or backers — came out this week via a blog post that raises questions about whether a company that trades on the idea of data privacy should itself be more transparent about its activities.

Specifically, the changes to Wire’s financing and legal structure were only communicated to users when news started to leak out, which brings up questions not just about transparency, but about the state of Wire’s privacy policy, given the company’s holding company now being on US soil.

It was an issue picked up and amplified by NSA whistleblower Edward Snowden . Via Twitter, he described the move to the US as “not appropriate for a company claiming to provide a secure messenger — claims a large number of human rights defenders relied on.”

The key question is whether Wire’s shift to the US puts users’ data at risk — a question that Brogger claims is straightforward to answer: “We are in Switzerland, which has the best privacy laws in the world” — it’s subject to Europe’s General Data Protection Regulation framework (GDPR) on top of its own local laws — “and Wire now belongs to a new group holding, but there no change in control.” 

In its blog post published in the wake of blowback from privacy advocates, Wire also claims it “stands by its mission to best protect communication data with state-of-the-art technology and practice” — listing several items in its defence:

  • All source code has been and will be available for inspection on GitHub (github.com/wireapp).
  • All communication through Wire is secured with end-to-end encryption — messages, conference calls, files. The decryption keys are only stored on user devices, not on our servers. It also gives companies the option to deploy their own instances of Wire in their own data centers.
  • Wire has started working on a federated protocol to connect on-premise installations and make messaging and collaboration more ubiquitous.
  • Wire believes that data protection is best achieved through state-of-the-art encryption and continues to innovate in that space with Messaging Layer Security (MLS).

But where data privacy and US law are concerned, it’s complicated. Snowden famously leaked scores of classified documents disclosing the extent of US government mass surveillance programs in 2013, including how data-harvesting was embedded in US-based messaging and technology platforms.

Six years on, the political and legal ramifications of that disclosure are still playing out — with a key judgement pending from Europe’s top court which could yet unseat the current data transfer arrangement between the EU and the US.

Privacy versus security

Wire launched at a time when interest in messaging apps was at a high watermark. The company made its debut in the middle of February 2014, and it was only one week later that Facebook acquired WhatsApp for the princely sum of $19 billion.

We described Wire’s primary selling point at the time as a “reimagining of how a communications tool like Skype should operate had it been built today” rather than in in 2003. That meant encryption and privacy protection, but also better audio tools and file compression and more.

It was a pitch that seemed especially compelling considering the background of the company. Skype co-founder Janus Friis and funds connected to him were the startup’s first backers (and they remain the largest shareholders); Wire was co-founded in by Skype alums Jonathan Christensen and Alan Duric (no longer with the company); and even new investor Morpheus has Skype roots.

Skype Co-Founder Backs Wire, A New Communications App Launching Today On iOS, Android And Mac

Yet even with that Skype pedigree, the strategy faced a big challenge.

“The consumer messaging market is lost to the Facebooks of the world, which dominate it,” Brogger said today. “However, we made a clear insight, which is the core strength of Wire: security and privacy.”

That, combined with trend around the consumerization of IT that’s brought new tools to business users, is what led Wire to the enterprise market in 2017 — a shift that’s seen it pick up a number of big names among its 700 enterprise customers, including Fortum, Aon, EY and SoftBank Robotics.

But fast forward to today, and it seems that even as security and privacy are two sides of the same coin, it may not be so simple when deciding what to optimise in terms of features and future development, which is part of the question now and what critics are concerned with.

“Wire was always for profit and planned to follow the typical venture backed route of raising rounds to accelerate growth,” one source familiar with the company told us. “However, it took time to find its niche (B2B, enterprise secure comms).

“It needed money to keep the operations going and growing. [But] the new CEO, who joined late 2017, didn’t really care about the free users, and the way I read it now, the transformation is complete: ‘If Wire works for you, fine, but we don’t really care about what you think about our ownership or funding structure as our corporate clients care about security, not about privacy.'”

And that is the message you get from Brogger, too, who describes individual consumers as “not part of our strategy”, but also not entirely removed from it, either, as the focus shifts to enterprises and their security needs.

Brogger said there are still half a million individuals on the platform, and they will come up with ways to continue to serve them under the same privacy policies and with the same kind of service as the enterprise users. “We want to give them all the same features with no limits,” he added. “We are looking to switch it into a freemium model.”

On the other side, “We are having a lot of inbound requests on how Wire can replace Skype for Business,” he said. “We are the only one who can do that with our level of security. It’s become a very interesting journey and we are super excited.”

Part of the company’s push into enterprise has also seen it make a number of hires. This has included bringing in two former Huddle C-suite execs, Brogger as CEO and Rasmus Holst as chief revenue officer — a bench that Wire expanded this week with three new hires from three other B2B businesses: a VP of EMEA sales from New Relic, a VP of finance from Contentful; and a VP of Americas sales from Xeebi.

Such growth comes with a price-tag attached to it, clearly. Which is why Wire is opening itself to more funding and more exposure in the US, but also more scrutiny and questions from those who counted on its services before the change.

Brogger said inbound interest has been strong and he expects the startup’s next round to close in the next two to three months.

Posted on

EU-US Privacy Shield passes third Commission ‘health check’ — but litigation looms

The third annual review of the EU-US Privacy Shield data transfer mechanism has once again been nodded through by Europe’s executive.

This despite the EU parliament calling last year for the mechanism to be suspended.

The European Commission also issued US counterparts with a compliance deadline last December — saying the US must appoint a permanent ombudsperson to handle EU citizens’ complaints, as required by the arrangement, and do so by February.

This summer the US senate finally confirmed Keith Krach — under secretary of state for economic growth, energy, and the environment — in the ombudsperson role.

The Privacy Shield arrangement was struck between EU and US negotiators back in 2016 — as a rushed replacement for the prior Safe Harbor data transfer pact which in fall 2015 was struck down by Europe’s top court following a legal challenge after NSA whistleblower Edward Snowden revealed US government agencies were liberally helping themselves to digital data from Internet companies.

At heart is a fundamental legal clash between EU privacy rights and US national security priorities.

The intent for the Privacy Shield framework is to paper over those cracks by devising enough checks and balances that the Commission can claim it offers adequate protection for EU citizens personal data when taken to the US for processing, despite the lack of a commensurate, comprehensive data protection region. But critics have argued from the start that the mechanism is flawed.

Even so around 5,000 companies are now signed up to use Privacy Shield to certify transfers of personal data. So there would be major disruption to businesses were it to go the way of its predecessor — as has looked likely in recent years, since Donald Trump took office as US president.

The Commission remains a staunch defender of Privacy Shield, warts and all, preferring to support data-sharing business as usual than offer a pro-active defence of EU citizens’ privacy rights.

To date it has offered little in the way of objection about how the US has implemented Privacy Shield in these annual reviews, despite some glaring flaws and failures (for example the disgraced political data firm, Cambridge Analytica, was a signatory of the framework, even after the data misuse scandal blew up).

The Commission did lay down one deadline late last year, regarding the ongoing lack of a permanent ombudsperson. So it can now check that box.

It also notes approvingly today that the final two vacancies on the US’ Privacy and Civil Liberties Oversight Board have been filled, meaning it’s fully-staffed for the first time since 2016.

Commenting in a statement, commissioner for justice, consumers and gender equality, Věra Jourová, added: “With around 5,000 participating companies, the Privacy Shield has become a success story. The annual review is an important health check for its functioning. We will continue the digital diplomacy dialogue with our U.S. counterparts to make the Shield stronger, including when it comes to oversight, enforcement and, in a longer-term, to increase convergence of our systems.”

Its press release characterizes US enforcement action related to the Privacy Shield as having “improved” — citing the Federal Trade Commission taking enforcement action in a grand total of seven cases.

It also says vaguely that “an increasing number” of EU individuals are making use of their rights under the Privacy Shield, claiming the relevant redress mechanisms are “functioning well”. (Critics have long suggested the opposite.)

The Commission is recommending further improvements too though, including that the US expand compliance checks such as concerning false claims of participation in the framework.

So presumably there’s a bunch of entirely fake compliance claims going unchecked, as well as actual compliance going under-checked…

“The Commission also expects the Federal Trade Commission to further step up its investigations into compliance with substantive requirements of the Privacy Shield and provide the Commission and the EU data protection authorities with information on ongoing investigations,” the EC adds.

All these annual Commission reviews are just fiddling around the edges, though. The real substantive test for Privacy Shield which will determine its long term survival is looming on the horizon — from a judgement expected from Europe’s top court next year.

In July a hearing took place on a key case that’s been dubbed Schrems II. This is a legal challenge which initially targeted Facebook’s use of another EU data transfer mechanism but has been broadened to include a series of legal questions over Privacy Shield — now with the Court of Justice of the European Union.

There is also a separate litigation directly targeting Privacy Shield that was brought by a French digital rights group which argues it’s incompatible with EU law on account of US government mass surveillance practices.

The Commission’s PR notes the pending litigation — writing that this “may also have an impact on the Privacy Shield”. “A hearing took place in July 2019 in case C-311/18 (Schrems II) and, once the Court’s judgement is issued, the Commission will assess its consequences for the Privacy Shield,” it adds.

So, tl;dr, today’s third annual review doesn’t mean Privacy Shield is out of the legal woods.

Posted on

NSA improperly collected Americans’ phone records for a second time, documents reveal

Newly released documents reveal the National Security Agency improperly collected Americans’ call records for a second time, just months after the agency was forced to purge hundreds of millions of collected calls and text records it unlawfully obtained.

The document, obtained by the American Civil Liberties Union, shows the NSA had collected a “larger than expected” number of call detail records from one of the U.S. phone providers, though the redacted document did not reveal which provider nor how many records were improperly collected.

The document said the erroneously collected call detail records were “not authorized” by the orders issued by the Foreign Intelligence Surveillance Court, which authorizes and oversees the U.S. government’s surveillance activities.

Greg Julian, a spokesperson for the NSA, confirmed the report in an email to TechCrunch, saying the agency “identified additional data integrity and compliance concerns caused by the unique complexities of using company-generated business records for intelligence purposes.”

NSA said the issues were “addressed and reported” to the agency’s overseers, but did not comment further on the violations as they involve operational matters.

The ACLU called on lawmakers to investigate the improper collection and to shut down the program altogether.

“These documents further confirm that this surveillance program is beyond redemption and a privacy and civil liberties disaster,” said Patrick Toomey, a staff attorney with the ACLU’s National Security Project. “The NSA’s collection of Americans’ call records is too sweeping, the compliance problems too many, and evidence of the program’s value all but nonexistent.”

“There is no justification for leaving this surveillance power in the NSA’s hands,” he said.

Under the government’s so-called Section 215 powers, the NSA collects millions of phone records every year by compelling U.S. phone giants to turn over daily records, a classified program first revealed in a secret court order compelling Verizon — which owns TechCrunch — from documents leaked by whistleblower Edward Snowden. Those call records include the phone numbers of those communicating and when — though not the contents — which the agency uses to make connections between targets of interest.

But the government was forced to curtail the phone records collection program in 2015 following the introduction of the Freedom Act, the only law passed by Congress since the Snowden revelations which successfully reined in what critics said was the NSA’s vast surveillance powers.

In recent years, the number of call records has gone down but not gone away completely. In its last transparency report, the government said it collected 434 million phone records, down 18% on the year earlier.

But the government came under fire in June 2018 after it emerged the NSA had unlawfully collected 600 million call and text logs without the proper authority. The agency said “technical irregularities” meant it received call detail records it “was not authorized to receive.”

The agency deleted the entire batch of improperly collected records from its systems.

Following the incidents, the NSA reportedly shut down the phone records collection program citing overly burdensome legal requirements imposed on the agency. In January, the agency’s spokesperson said the NSA was “carefully evaluating all aspects” of the program and its future, amid rumors that the agency would not ask Congress to reauthorized its expiring Section 215 powers, set to expire later this year.

In an email Wednesday, the NSA spokesperson didn’t comment on the future of the program, saying only that it was “a deliberative interagency process that will be decided by the Administration.”

The government’s Section 215 powers are expected to be debated by Congress in the coming months.

DEA says AT&T still provides access to billions of phone records

Posted on

Facebook fails to stop Europe’s top court weighing in on EU-US data transfers

Facebook has failed in its last ditch attempt to block a referral by Ireland’s High Court of questions over the legality of EU-US data transfer mechanisms to the region’s top court.

Ireland’s Supreme Court unanimously refused its request to appeal the decision Friday, via Reuters.

Irish law does not include a provision to appeal against referrals to the CJEU but Facebook sought to both stay and appeal the decision anyway.

It was denied the stay but granted leave to appeal last year — only for the Supreme Court to extinguish its hope of preventing Europe’s top judges from weighing in on privacy concerns attached to key data transfer mechanisms which are used by thousands of companies to authorize flows of EU citizens’ personal data to the US.

Privacy Shield now facing questions via legal challenge to Facebook data flows

The case originates in a complaint against Facebook’s use of another data transfer mechanism, Standard Contractual Clauses (SCCs), by lawyer and EU privacy campaigner, Max Schrems .

He famously brought down the prior EU-US data transfer arrangement, Safe Harbor — after successfully challenging its legality in the wake of NSA whistleblower Edward Snowden’s 2013 disclosures about US government mass surveillance programs. (Hence this follow-on challenge being referred to as ‘Schrems II‘.)

“Facebook likely again invested millions to stop this case from progressing. It is good to see that the Supreme Court has not followed Facebook’s arguments that were in total denial of all existing findings so far,” said Schrems in a statement responding to the Supreme Court’s rejection of Facebook’s appeal. “We are now looking forward to the hearing at the Court of Justice in Luxembourg next month.”

Also commenting in a statement, a Facebook spokesperson said: “We are grateful for the consideration of the Irish Court and look ahead to the Court of Justice of the European Union to now decide on these complex questions. Standard Contract Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and are used by thousands of companies across Europe to do business.”

Schrems’ complaint to the Irish data protection regulator led, rather unusually, to the watchdog to itself refer privacy concerns to the courts — which then widened the complaint, asking for the CJEU’s opinion on a range of fine-grained points around whether EU citizens’ rights are being adequately protected by both Privacy Shield and SCCs.

It’s shaping up as to be a replay of the close CJEU scrutiny that skewered Safe Harbor — a definitive strike down that instantly left thousands of companies scrambling to put in place alternative legal arrangements to avoid illegally processing EU citizens’ data.

At the time of writing there are 4,756 organizations signed up to the replacement Privacy Shield framework.

The European data protection landscape has also evolved since 2015 — with the General Data Protection Regulation (GDPR) ramping up the size of potential fines for privacy violations.

SCCs were one of the alternative mechanisms the European Commission suggested companies use in the interim between Safe Harbor’s demise in fall 2015, and Privacy Shield getting up and running, in mid 2016, although they too are now facing legal questions, per the Schrems II case.

During renegotiations and since, the European Commission has always maintained that the Privacy Shield framework — which bakes in an annual review, and makes provision for an ombudsperson to handle any EU citizens’ complaints about how US companies handle their data — is more robust than its predecessor mechanism, claiming too that it is confident it will survive legal testing.

That confidence will soon be tested at Europe’s highest legal level.

Meanwhile both Privacy Shield and SCCs are not short of critics — including from within the EU’s institutions, with both the parliament and an influential body representing national data protection watchdogs expressing ongoing concerns

EU parliament calls for Privacy Shield to be pulled until US complies

The Trump administration’s entrenchment of privacy hostile surveillance laws targeting non-US citizens has not helped Privacy Shield’s cause.

The US under Trump has also been tardy to fulfil key posts the Commission has said are required for full functioning of privacy shield — leading even it to apply a compliance deadline earlier this year.

To a degree, all that is just fiddling round the edges, though, vs the core contention at the heart of the complaints driving challenges to Privacy Shield and SCCs — i.e. that there is a fundamental incompatibility between US law that prioritizes national security and EU law which privileges personal privacy — which Europe’s top judges will soon be weighing in on again.

It’s already been more than a year since Ireland’s High Court referred eleven questions to the CJEU. And while the court can take years to deliberate it’s worth noting that it did not do so with the original Schrems challenge. In that case judges took only a little over a year to return their landmark verdict to strike down Safe Harbor, demonstrating they are willing to move quickly to defend EU privacy rights against the threat of mass surveillance.

Now, with Facebook’s last ditch attempt to de-rail the CJEU referral kicked into touch, it’s quite possible they will could move just as quickly towards a verdict on Schrems II. Certainly if they feel EU citizens’ fundamental rights are being infringed.

Privacy Shield is also facing a legal challenge brought by French digital rights groups — who similarly argue that it breaches fundamental EU rights. That complaint will be heard by the General Court of the EU on July 1 and 2.

Posted on

EU-US Privacy Shield complaint to be heard by Europe’s top court in July

A legal challenge to the EU-US Privacy Shield, a mechanism used by thousands of companies to authorize data transfers from the European Union to the US, will be heard by Europe’s top court this summer.

The General Court of the EU has set a date of July 1 and 2 to hear the complaint brought by French digital rights group, La Quadrature du Net, against the European Commission’s renegotiated data transfer agreement which argues the arrangement is still incompatible with EU law on account of US government mass surveillance practices.

Privacy Shield was only adopted three years ago after its forerunner, Safe Harbor, was struck down by the European Court of Justice in 2015 following the 2013 exposé of US intelligence agencies’ access to personal data, revealed by NSA whistleblower Edward Snowden.

The renegotiated arrangement tightened some elements, and made the mechanism subject to annual reviews by the Commission to ensure it functions as intended. But even before it was adopted it faced fierce criticism — with data protection and privacy experts couching it as an attempt to put lipstick on the same old EU-law breaching pig.

The Shield’s continued survival has also been placed under added pressure as a consequence of the Trump administration — which has entrenched rather than rolled back privacy-hostile US laws, as well as dragging its feet on key appointments that the Commission said the arrangement’s survival depends on.

Ahead of last year’s annual Privacy Shield review the EU parliament called for the mechanism to be suspended until the US came into compliance. (The Commission ignored the calls.)

In one particularly embarrassing moment for the mechanism it emerged that disgraced political data company, Cambridge Analytica, had been signed up to self-certify its ‘compliance’ with EU privacy law…

Pressure mounts on EU-US Privacy Shield after Facebook-Cambridge Analytica data scandal

La Quadrature du Net is a long time critic of Privacy Shield, filing its complaint back in October 2016 — immediately after Privacy Shield got up and running. It argues the mechanism breaches fundamental EU rights and does not provide adequate protection for EU citizens’ data.

It subsequently made a joint petition with a French NGO for its complaint to be heard before the General Court of the EU, in November 2016. Much back and forth followed, with exchanges of writing between the two sides laying out the arguments and counter arguments.

The Commission has been supported in this process by countries including the US, France and the UK and companies including Microsoft and tech industry association, Digitaleurope, whose members include Amazon, Apple, Dropbox, Facebook, Google, Huawei, Oracle and Qualcomm (to name a few).

While La Quadrature du Net getting support from local consumer protection organisation UFC Que Choisir and the American Civil Liberties Union — which it says provided “a detailed description of the US surveillance regime”.

“The General Court of the EU has deemed our complaint serious and grave enough to open proceedings,” La Quadrature du Net says now.

It will be up to the court in Luxembourg to hear and judge the complain.

A decision on the legality of Privacy Shield will follow some time after July — perhaps in just a handful of months, as the CJEU has been known to move quickly in cases involving the defence of fundamental EU rights. Though it may also take the court longer to issue a judgement.

All companies signed up to the Privacy Shield should be aware of the risk and have contingencies in place in case the arrangement is struck down.

Nor is this complaint the only legal questions facing Privacy Shield. A challenge filed to a separate data transfer mechanism in Ireland by privacy campaigner Max Schrems — whose original challenge brought down Safe Harbor — has also now been referred by Irish courts to the CJEU, in what’s being referred to as ‘Schrems II’.

Privacy Shield now facing questions via legal challenge to Facebook data flows

In that case Facebook has attempted to block the court’s referral of questions to the CJEU — by seeking to appeal to Ireland’s Supreme Court, even though there is not normally a right to appeal a referral to the CJEU.

Facebook was granted leave to appeal — and Ireland’s Supreme Court is expected to rule on that appeal early next month. The appeals process has not stayed the referral, though. Nor does it impinge upon La Quadrature du Net’s complaint against Privacy Shield being heard later this summer.

Posted on

NSA says warrantless searches of Americans’ data rose in 2018

The intelligence community’s annual transparency report revealed a spike in the number of warrantless searches of Americans’ data in 2018.

The data, published Tuesday by the Office of the Director of National Intelligence (ODNI), revealed a 28 percent rise in the number of targeted search terms used to query massive databases of collected Americans’ communications.

Some 9,637 warrantless search queries of the contents of Americans’ calls, text messages, emails and other communications were conducted by the NSA during 2018, up from 7,512 searches on the year prior, the report said.

The figures also don’t take into account queries made by the FBI or the Drug Enforcement Administration, which also has access to the database, nor do they say exactly how many Americans had their information collected.

The NSA conducts these searches under its so-called Section 702 powers, reauthorized in 2018 despite heated opposition by a bipartisan group of pro-privacy senators. These powers allow the NSA to collect intelligence on foreigners living overseas by tapping into the phone networks and undersea cables owned by U.S. phone companies. The powers also allow the government to obtain data in secret from U.S. tech companies. But the massive data collection effort also inadvertently vacuums up Americans’ data, who are typically protected from unwarranted searches under the Fourth Amendment.

The report also noted a 27 percent increase in the number of foreigners whose communications were targeted by the NSA during the year. In total, an estimated 164,770 foreign individuals or groups were targeted with search terms used by the NSA to monitor their communications, up from 129,080 on the year prior.

It’s the largest year-over-year leap in foreign surveillance to date.

The report also said the NSA collected at most 434.2 million phone records on Americans, down from 534.3 million records on the year earlier. The government said the figures likely had duplicates.

The phone records collection program was the first classified NSA program disclosed by whistleblower Edward Snowden, which revealed a secret court order compelling Verizon — which owns TechCrunch — to turn over daily phone records on millions of Americans. The program was later curtailed following the introduction of the Freedom Act.

Earlier this month, the NSA reportedly asked the White House to end the program altogether, citing legal troubles.

Despite the apparent rollback of the program, NSA still reported 164,770 queries of Americans’ phone records, more than a five-fold increase on the year earlier.

Last week, the Trump administration revealed it had been denied 30 surveillance applications by the Foreign Intelligence Surveillance Court, a specialist closed-door court that grants the government authority to spy inside the U.S., where surveillance is typically prohibited.

Since figures were made available in 2015 following the Edward Snowden disclosures, the number of denials has trended upwards.

DEA says AT&T still provides access to billions of phone records