Schneier on Security
A blog covering security and security technology.
« Bad Security: Everyone Does It |
| University Crypto Class Materials Available Online »
June 2, 2006
If the NSA Surveillance Happened in the European Union
Fascinating essay about how EU law would treat the NSA's collection of everyone's phone records.
Posted on June 2, 2006 at 7:20 AM
• 19 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The author argues that it would be illegal that such a database was created by a european government.
He mentions the data retention directive but apparently does not realize that this very directive will -once in effect- *mandate* every EU state to produce exactly such a database..! It would not only include calls but all other kinds of communications information as well such as WWW-access, email, ... (though traffic-data only, such as "who with whom when and how long").
So, while there may be limits on international sharing of this data, the collection of a call-database will soon be legal in the EU (although there is already a case at the european supreme court, AFAIK).
"Third, the interference with privacy would have to be proportional. Proportionality turns on two, related inquiries: Is there evidence that the government action can achieve the stated purpose? Is the government action necessary for accomplishing the stated purpose or are there alternative means of accomplishing the same purpose that will burden the right less?"
"in Europe, the government would have to make the case—not necessarily in public or in an ordinary court of law—that the data collection was capable of reducing the terrorist threat. The government would also have to consider other types of regulation, less invasive of the private lives of ordinary [citizens]"
It is here where the debate on data mining efficacy and its derived tradeoffs would be of interest.
"it is increasingly unlikely that the NSA will be able to get call information-- or any other private information for that matter--from European governments"
What I understand is that it would be difficult to get private information *lawfully*. Oversight is still needed to ensure that the law is upheld.
I'm fully home in such topics but what i do know as a european citizen (NL) is that it is already happening, and that all communication (data retention) is being handed over to the U.S. Our ministers already signed.
Didn't UKUSA / Eschelon do esentially that. Collect data on domestic citizens and share it with the other 5 countries?
If the argument is that the NSA's actions would not be legal in Europe, if performed by a european nation's intelligence service, I say "so what?".
What the NSA is doing is not legal in the US, under US law, either. That clearly has had little to no effect on restraining it.
Actually, if the NSA wants to collect this type of data on Europeans, I don't think there is anything in US law to prevent them from doing so - although treaties we have with the various European governments may prevent such activities.
If the NSA Surveillance Happened in the European Union ...
... it would be called "Data Retention Directive", be in effect since 2006-05-03 and force all member states to
"[retain] The following categories of data [...] with regard to fixed network telephony and mobile telephony, as well as Internet access, Internet e-mail and Internet telephony:
- data necessary to trace and identify the source of a communication;
- data necessary to trace and identify the destination of a communication;
- data necessary to identify the date, time and duration of a communication;
- data necessary to identify the type of communication;
- data necessary to identify the communication device;
- data necessary to identify the location of mobile communication equipment.
[...] Member States must ensure that the categories of data specified are retained for periods of not less than six months and not more than two years from the date of the communication. A Member State facing particular circumstances that warrant an extension for a limited period of the maximum retention period may take the necessary measures."
Sad but true.
"although treaties we have with the various European governments may prevent such activities."
- Er, um...I presume you meant to predicate this with something like 'If these activities were brought before public scrutiny.'
There is much that is hidden from the 'light of day'. "Tip of the iceberg" isn't too bad a metaphor to describe the situation.
What you describes appears to be most closely analogous to the U.S. "Communications Assistance to Law Enforcement Act" (CALEA), which mandates similar retention of data and specifies equipment and facilities that must be adopted to facilitate government surveillance activities (by _Law Enforcement_ agencies, which would not reasonably include the NSA, but that's a digression...)
Note that this regulation concerning what data is to be retained is silent about the circumstances under which the police (or the "police") may seek that data, and what use they may make of it. To be clear, it is in no sense the case that CALEA provides authorization _any_ law enforcement surveillance activity, let alone for NSA data mining efforts, the legal authorization for which appears not to exist, except as a dubious exercise of presidential prerogative.
I think it is likely that the same circumstances attend the European Directive that you cite --- it would not be the source of any legal authority to monitor private communications. The privacy laws discussed in the article would furnish that context instead.
Let this be a lesson to those that think that making laws - solves problems once and for all.
In fact it should be obvious now, as in the past, that the idea that laws to restrict government power, interpreted and enforced by the government itself is ridiculous - and in fact is used to increase the scope of government power.
"What the NSA is doing is not legal in the US, under US law, either. That clearly has had little to no effect on restraining it."
What is one going to do about it? I say the best choice is to delegitimize the state.
From reading the article, I get the sense that the Europeans have thought the issue of privacy out much more thoroughly than Americans have so far.
By that I mean that they have codified in their laws the notion of data privacy and spelled out the conditions under which that privacy can be burdened.
One of the conditions mentioned is that any law which burdens that privacy must be a PUBLIC one, as opposed to the secret executive orders and TSA rules we have in America.
Another is that any such law must be PROPORTIONAL, meaning that the expected gain must justify the degree of invasion of privacy. Subjective, but sensible.
from the point of view of a EU Citizen (IT).
the real question is: does the NSA already spy in Europe?
Of course it does! The question is the extent--is it limited to monitoring individuals and particular groups, or can they monitor whole countries, regardless as to whether those countries are ECHELON members?
Considering the effort required for the AT&T monitoring system, and the fact that there are probably more ISPs and telephone companies in the EU than in the US, it's likely that any such activities would already have been reported, though not as NSA-related. Therefore, it's unlikely that the NSA is monitoring European ISPs and telephone companies.
The major vector for widespread NSA data capturing in non-ECHELON countries is wireless communications, I would guess--anything you can capture without having to mess about with wires.
I would not call it spying, but rather monitoring information, or observing data carefully. In the end, they would get away with it even without warrants to do so. Who owns the internet backbones? and who owns them? In my country they aren't monitoring it yet, but they will because the request for it has been approved to retain data for a couple of years. Rentention has a strange aftertaste, if it is retained, the next step to access this info seems rather easy, and i am sure there is some clause which allows the U.S. to look into this data on which is being retained. Retaining data has a purpose, and to think they only going to investigate that data_after_ an attack or such thing, seems naive.
now: the contrary.
what if a federal EU institution would spy on american citizens?
(may be you can say that some european national agencies are doing it.
but a EU angency would be a completely different thing... )
There should be EU agency that does same to US that they are doing to us.
I'm going to discuss this matter with my EU Congress Delegate.
That a fascinating idea to balance the power. ;-)
I just wonder how much of this stuff is "marketing" to evil bodies. "You will be caught, don't mess with US."
the title sums it up nicely: "US wants access to retained traffic data"
Oh yeah and, although still young, the european government (eu commission and parliament) already have an incident of secretly drafting legislation and then waving it through in parliament:
"This is how we do things here. You just have to trust us"
I think looking the other way and repeat "this could never happen here" over and over again doesn't help ;-)
Everyone posting seems to be US based and have little understanding of the rest of the world.
Take a few examples of what really might be going on:
a)There is an unofficial agrrement to use UK based equipment paid for by US intelligence services operated by UK citizens to monitor US satellite communications. ie observing US citizens phoning out to the rest of the world, and the rest of the world phoning in. That does, it seems, not break US law. US law forbids Americans to monitor Americans in America .. up to a point. But then the law fails.
b)90% of the cheap maufactured goods going into most European countries and into the US come from China. China, of course would not condone Americans listening in on China. But they don't give a damn if the Americans listen in on America. So one might guess that there is more than one Satcomms and Cablecomms monitoring station in China or in neighboring poor (read US$200 a year - poor, right?) countries looking for keywords. Data storage is getting very cheap, and graduates from top universities work for US$1,000 a month or less.
c)The law in most European countries is a lot more "flexible" than the US and the UK (even in the UK's present stressed anti-terrorist mode). Under the "Code Napolean", which dates back to the battle of Trafalger or earlier, most Western European countries can slam you in the can for 6 months to a year (I've heard of 4 or more in extreme cases) "under investigation". There is no bail system! Detainees in France and some other countries get housed in a gaol with multiple murderers, not in a pussy-soft remand centre, Rumours may be circulated through unofficial routes (ie the prison governor talking to inmates he knows well - 10 to 15 year jobs) - that you are a mass rapist/pedophile/terrorist under investigation and that he wants the prison population to go easy on you.
ie You might live another week, probably not.
My feeling is.. "Get real" Whatever we imagine our goverments are capable of, reality is a lot worse, and the only way to stop them is by determined, risky, loud and noisy resistance. On the 'Net we can use every tactic under the sun and we still won't be free. Nothing we can do is as effective a a walk in the park with a friend talking in a hushed voice with grass mowers roaring away.
Got $10 of Paypal to spare? Donate to Tor or some other worthy cause. Anything to do with freedom that is in the news and is under attack. If it is being attacked then its because it is geting too close to what YOU want, and for most peaople that is the right to talk. Most places on earth don't have, and have never had that. In the US ( a tiny percentage of the world's population) it is under attack.. but there are no real reasons why it should be. It's not the terrorists they are after, its us!
At least in the US we get to choose your goverment..or the illusion of choice.
Most countries don't. Even the UK , which is close, has a system that favors silence.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.