European Court of Justice Rules Against Safe Harbor

The European Court of Justice ruled that sending personal data to the US violates their right to privacy:

The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans' online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans' rights to privacy.

This is a big deal, because it directly affects all the large American Internet companies. If this stands, expect much more pressure on the NSA to stop their indiscriminate spying on everyone.

The judgment. The court's press release. A good summary of the decision and the issues involved. Intercept article.

EFF blog post. Commentary by Henry Farrell.

Commentary by Max Schrems, who started this proceeding. More commentary by someone involved with the proceedings.

Even more commentary.

EDITED TO ADD (10/13): Quick explanation.

EDITED TO ADD (10/15): Schrems on the decision and what it means.

Posted on October 7, 2015 at 7:27 AM • 91 Comments

Comments

Ulrich Boche • October 7, 2015 7:49 AM

What does "If this stands" mean in this context? A ruling of the European Court of Justice is like one of the US Supreme Court: there is no appeal.
(Although Americans tend to believe that a US court can judge and overrule anything.)

Peter Galbavy • October 7, 2015 8:03 AM

I still find it hard to comprehend how the general US populace do not push for their ownership and rights to personal data. There seems to be some major cultural dislocation between the EU and the US in this area. The US population seem very keen on ownership and possessions and constitutional rights but I get the impression that somehow personal data doesn't matter.

Or is this just the publicised position of the mainstream media and the political classes?

65535 • October 7, 2015 8:17 AM

The NSA is loose cannon on the deck – so to speak. They break the rules at any cost to get what they want – regardless of the damage they caused to people and business.

The NSA and the GCHQ have to be controlled. This decision comes as no surprise.

‘Sen. Ron Wyden, D-Ore., had a suggestion: reform U.S. surveillance… The decision is disastrous for U.S. companies, Wyden said in a statement. “By striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses,” he said. “Yet, U.S. politicians who allowed the National Security Agency to secretly enact a digital dragnet of millions of phone and email records also bear responsibility. These ineffective mass surveillance programs did nothing to make our country safer, but they did grave damage to the reputations of the American tech sector.”- The Intercept

https://theintercept.com/2015/10/06/top-european-court-rules-that-nsa-spying-makes-u-s-unsafe-for-data/

I agree with that statement. Further, the NSA spied on Billions of phone and email messages - not millions.

What I don’t understand is how it took two years for the EU to come to this decision and how the EU is going to enforce it [given the length of time the EU allowed this mass spying to continue].

I would not be surprised if the NSA had the EU judges bugged. The NSA probably has some "contingency plans" to buy-off certain important politicians and make an end-run around the EU court decision. We shall see what comes next.

Winter • October 7, 2015 8:28 AM

@65535
"What I don’t understand is how it took two years for the EU to come to this decision and how the EU is going to enforce it [given the length of time the EU allowed this mass spying to continue]."

Fine companies, just as they did with MS. They can levy fines calculated in a percentage of global revenues. That is going to hurt fast.

Pulling out of Europe just leads to local competitors springing up. Just like it did in China.

Fazal Majid • October 7, 2015 8:49 AM

The wheels of justice grind slowly to their inevitable conclusion. That said, some EU nations like the UK have security services even more unaccountable and out of control.
I think Facebook must be looking at a Catch-22: where do you store data when a German is friends with a Russian, given both Russia and the EU require their citizens' data to be held on their own soil?

Rolf Weber • October 7, 2015 9:01 AM

The European Court of Justice ruled that sending personal data to the US violates their right to privacy.

This is simply wrong. The court invalidated Safe Harbor. No more, no less. Safe Harbor is or was only one of several justifications under which personal data may be sent from EU to US.

The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans' rights to privacy.

And this is simply wrong. The court didn't cite Snowden in the opinion.

You should do a better fact checking, Bruce.

Chelloveck • October 7, 2015 9:02 AM

@Peter Galbavy: It's not a misconception. The American public (and I'm speaking as one of them) generally doesn't care about privacy. Oh, we do in certain situations, such as with medical records, but for the most part it gets a big "meh". I think the reason is partly that we don't understand that there's even an alternative. For a good man-in-the-street view, watch John Oliver's interview with Edward Snowden a few months ago on his Last Week Tonight show. Nobody cares until Oliver puts privacy in terms of, "they can see your dick pics". I think the EU laws tilt too far in the other direction, but there really should be a workable middle ground in between.

Clive Robinson • October 7, 2015 9:06 AM

@ Ulrich Boche,

What does "If this stands" mean in this context?

The court only has juresdiction over the interpretation and use of existing legislation, it does not create legislation (only case law). Thus the legislative branch of the EU or of the member states can bring out new legislation to specificaly allow the US access to EU private citizens data.

Unfortunatly the "secret clauses" in the Trade Treaties Obama is trying to ram down the worlds throat could well be used to force such legislation to be put in place.

There is not a spoon ever made long enough to sup with the US Government, is the lesson from TTP.

JB • October 7, 2015 9:17 AM

@Peter Galbavy

The American public is beaten down. Regardless of our beliefs on what should be, we believe that the NSA will do whatever it wants and can't be stopped by anyone, even if the rest of the government tried (we also don't believe the rest of the government will seriously try).

Next Up: Intrusive CISPA • October 7, 2015 9:26 AM

The Safe Harbor is only the first of several laws against our freedoms, liberty and privacy. The still secret trade agreement (TPP) allows corporation’s to search personal computers and report suspicions to the USA cybersecurity authorities under the new Cyber Intelligence Sharing and Protection Act (CISPA) law. It doesn’t matter what country the citizen resides.

Before Snowden(B.S.)American corporations allowed unfettered access to the spies. When first confronted high-tech claimed not to be working in partnership with the government. Snowden proved them only capable of telling the “least untruthful lie”!

Since then American corporations have heavily advertised end-to-end encryption as their total solution. However their invasive corporate terms-of-service allow THEM to collect the same data for the gov’t before its encrypted. The latest operating system is completely instrumented to gather transfer immense mounts of locally stored personal data in real-time. (Hence the Chinese Premiere’s visit to Seattle).
These mass surveillance searches and data mining will be legally protected against all lawsuits under the proposed CISPA law. Note the scope is set extremely wide by including ALL type of ‘trafficking’.

“Amends the National Security Act of 1947 to require the Director of National Intelligence (DNI) to allow the intelligence community to share cyber threat intelligence with private-sector entities and utilities possessing appropriate certifications or security clearances.
Requires federal agencies receiving shared cyber threat information to establish procedures to: (1) ensure that real-time information is shared with appropriate national security agencies and distributed to other federal agencies; and (2) facilitate collaboration among federal, state, local, tribal, and territorial governments, cybersecurity providers, and self-protected entities.
Directs DHS, the Attorney General, the DNI, and the Department of Defense to establish procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the federal government.
Sets forth requirements for the use and protection of shared information, including: (1) anonymization or minimization procedures, (2) prohibitions on gaining a competitive advantage, (3) exemptions from public disclosure requirements if information is shared with the government, and (4) prohibitions on the use of such information for regulatory purposes. States that shared information may only be used by a non-federal recipient for a cybersecurity purpose.
Provides civil and criminal liability protections to cybersecurity providers, contracting entities, and self-protected entities acting in good faith to obtain or share threat information or to safeguard systems from threats.
Allows the federal government to use shared cyber threat information for: (1) cybersecurity purposes to ensure the integrity, confidentiality, availability, or safeguarding of a system or network; (2) cybersecurity crime investigations; or (3) protection of individuals from the danger of death or serious bodily harm and the prosecution of crimes involving such danger, including child pornography, sexual exploitation, kidnapping, and TRAFFICKING. Prohibits the federal government from affirmatively searching such information for any other purpose."

Notice the omission of terrorism and the inclusion of TRAFFICKING. Now the assumption of ANY behavior however small is reportable.
All Constitution rights are tossed (as we lie about bombing hospitals).
https://www.congress.gov/bill/114th-congress/house-bill/234
Study the many definitions of trafficking (crimes of commerce)
http://dictionary.reference.com/browse/trafficking

As bad as it is for Americans, citizens from other nations have zero legal protection. All collected data is saved to the new UTAH depository with no limits, transparancy or accountablilty.

Clive Robinson • October 7, 2015 9:42 AM

@ Rolf Weber,

This is simply wrong. The court invalidated Safe Harbor. No more, no less. Safe Harbor is or was only one of several justifications under which personal data may be sent from EU to US.

You have part of your logic inverted, and you have not understood the scope of various pieces of legislation thus your argument fails.

The safe harbour rules dealt with a fundemental difference between EU and US legislation. In the EU PII is owned by the person and they retain control over it, in the US PII belongs to who ever collects it.

The false notion in the safe harbour was the assumption that companies working through the auspices of the US would respect via self regulation the data.

If the US Government not corporations wish to gain access to EU personal data/PII etc there is a well established legal method by which it can be achived. But it requires limited individual scope and some judicial oversight, things that are an anathema to the US IC and Federal LE. Their argument is the process is to slow, to cumbersome and has a high risk of "tipping off". None of which has been a problem in the past, but it serves as a usefull "whipping boy" to hide other intensions.

The reason the USG are taking US Companies to court, is that they believe they have primacy and thus say "ALL" records kept by a US company or subsidiary no matter where located are fundementaly "business records within US jurisdiction" thus an NSL etc is all that is required for bulk access. The fact that the EU says they are not means the US companies are open to unlimited fines, that as Microsoft have found in the past EU courts are quite happy to impose with "the heavy hand of regulation". This puts the US companies in an untenable position. All the EU rulling has done is made this brutally apparent.

Thus US Companies and those working even in part through the US have a choice to make, either formally pull out compleatly from the EU or face getting fined out of the EU.

You can be sure that the likes of the UK PM David Cameron is receiving calls from US interested parties about what the "special relationship" realy means, thus he is to drop and bend over... Oh and I expect GCHQ, MI6 and one or two other UK organisations will be instructing him to do the same, but in a nicer way. It might just be make or break time on the UK being the US "backdoor into Europe", that's the danger of promising referendums...

The funny side of it is the UK via RIPA reserves the right to snoop on any part of a communications network that was at some point reachable from the UK. Thus that air gapped computer in use in Nowheresvil US because it gets updates from say Microsoft is a legitimate target under some views of RIPA, likewise any computer anywhere in the EU, including the one you typed on when posting to this blog...

TimH • October 7, 2015 9:53 AM

When UK pulls out of the EU Human Rights agreement, which they have been hinting at for a while, then they will be the siphon from Europe to US. The carrot will be the Ireland based data companies moving to UK as a result.

I also posit that Google, FB, MS et al are agnostic about privacy (despite rhetoric otherwise), but if there is going to be data flow from their resources to any government, they simply want to monetise that flow. Got that far, maximise it.

Rolf Weber • October 7, 2015 9:54 AM

@Clive Robinson

I doubt you understood my point. I said that Safe Harbor is or was not the only justification under which personal data may be transferred to th US. Eg, explicit user consent is another justification. Eg, even Facebook says it never relied on Safe Harbor, it always relied on explicit user consent.

So the claim: "The European Court of Justice ruled that sending personal data to the US violates their right to privacy" is simply wrong.

Clive Robinson • October 7, 2015 10:01 AM

@ Chellovek,

"I think the EU laws tilt too far in the other direction, but there really should be a workable middle ground in between.

Err no, any middle ground will be right royaly abused by not just Governments but Companies. Advertising is the biggest business in the world by a very long way US law puts them in a position whereby they could and did abuse way way beyond reasonable. Profit befor society is the US way and view, and it's not till someone close to a use legislator gets right royaly abused do you hear anything approaching a descenting voice in the halls of power.

Personaly I don't think EU legislation is even remotely close to being sufficient on privacy the only people who should have control on your data/PII etc is you and a fully acountable court in your home jurisdiction. Nobody and I do mean nobody should have access against your wishes except by showing sufficient cause infront of a judge experianced in privacy. There should be no short cuts around access to your possessions and papers, and absolutly no right to retain copies "just in case" anything less is oppressive abuse not compatible with a free and fair society.

Wayne Senske • October 7, 2015 10:44 AM

Extremely exciting news ... until you read the fine print, I'm afraid.

As I see it, the implications of this ruling are that the EU as a whole does nothing beyond declaring Safe Harbor null and inviting individual European nations to decide whether or not they want to act on the situation by developing their own laws. The problem is, collective action works because it carries huge momentum, but I see very few nations building up the courage to face up to google, MS or facebook on their own.

From the perspective of US businesses, a modified EULA (which nobody will read) or a new asterisk on their website (similar to the "we use cookies to improve your experience") will suffice.

I might be a bit cynical, but it looks to me like big words, little action.

Dirk Praet • October 7, 2015 10:45 AM

@ Rolf Weber

And this is simply wrong. The court didn't cite Snowden in the opinion...You should do a better fact checking, Bruce.

Actually, you should. Read the official press release of the EUCJ's decision here. More to come later. Off to the gym now.

TascoBlossom • October 7, 2015 10:47 AM

@Rolf Weber

So, then how did Schrems' lawsuit against Facebook proceed? If it's as simple as a US provider escaping this by virtue of a User Agreement.

Rolf Weber • October 7, 2015 11:00 AM

@Dirk Praet

Do you know the difference between the petitioners (Schrems) claims and the courts opinion? Again: The court never mentioned Snowden in its opinion.

@TascoBlossom

The court had to rule over Safe Harbor because the Irish data protection commissioner refused to review Schrem's complaint because of Safe Harbor. Now he has to. But Facebook never refered to Safe Harbor.

platic pancake • October 7, 2015 11:26 AM

It looks like the media are ignoring or openly mirespresenting this.

The BBC news website makes no mention of the ruling whatsoever (as far as British readers go, this has never happened). El Pais has a half-baked, poorly written column hidden on the bottom of the page with no specific details and a few weaselly insinuations about how the EU could be about to cause the derailment of trade agreements.

We need to find more efficient ways of reaching out to mainstream media and explain why these fights over privacy, surveillance and human dignity really matter (and why we need to tackle them now, before a fait-accompli policy is imposed on us).

Frank Wilhoit • October 7, 2015 11:33 AM

"...much more pressure on the NSA..."

Is there a kind or intensity of pressure that the NSA would actually be responsive to?

I am not being sarcastic, I would really like to know whether anyone thinks that question has an ansdwer.

Veggie Marrow • October 7, 2015 11:51 AM

@Frank Wilhoit

The NSA gets its budget from the US government. If their actions are demonstrated to be significantly counterproductive to the economic interests of the country, we might be getting somewhere.

Daniel • October 7, 2015 11:52 AM

I still find it hard to comprehend how the general US populace do not push for their ownership and rights to personal data. There seems to be some major cultural dislocation between the EU and the US in this area. The US population seem very keen on ownership and possessions and constitutional rights but I get the impression that somehow personal data doesn't matter.

Here's what I don't understand. I don't understand how supposedly intelligent person can make a dumbass comment like that one. Especially since this has been explained both on this blog and in the academic literature for more than a decade. This paper was published in 2003...2003!! and yet people are still asking the question.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=476041

Read. Learn. Grok.

sheeeesh.

Kai • October 7, 2015 11:53 AM

When UK pulls out of the EU Human Rights agreement, which they have been hinting at for a while, then they will be the siphon from Europe to US

They cannot without having to leave the EU, at which point they'd also no longer be allowed to keep EU citizens' PII, for the same reasons as the US. Let's hope they do, as currently have the untenable situation that the UK is considered "safe" even though they share with the Five Eyes states.

EvilKiru • October 7, 2015 12:01 PM

@Rolf Weber: Why are you blaming Bruce for things that Mark Scott of the NYTimes wrote?

Bob S. • October 7, 2015 12:18 PM

Bot issued an opinion and non-biding recommendation not having any force of law behind it whatsoever.

I don't see why FB, Google, NSA, GCHQ, etc would pay any attention to Bot whatsoever.

They've ignored bigger adversaries time and again already. For example, as I recall NSA routinely violated specific orders of the FISA court.

From two years ago: Uncontrolled by FISA court, NSA commits ‘thousands of privacy violations per year’

qwertty • October 7, 2015 12:30 PM

@platic pancake

The bbc did report this yesterday:

http://www.bbc.com/news/technology-34442618

plastic pancake • October 7, 2015 12:47 PM

@querrty

I stand corrected. I had missed it altogether, tucked away in the technology section.

Loving the spin: "more delays and expenses," "problems for administrators in small companies," "the USA might retaliate."

pup bap • October 7, 2015 12:54 PM

@plastic pancake

lol! "We could do something about the dehumanizing and unconstitutional mass surveillance state, but then again the extra paperwork is such a drag"

Who? • October 7, 2015 1:28 PM

@ Clive Robinson

Err no, any middle ground will be right royaly abused by not just Governments but Companies. Advertising is the biggest business in the world by a very long way US law puts them in a position whereby they could and did abuse way way beyond reasonable.

I completely agree with you.

As European citizen I am very unhappy with the way U.S. corporations are... trafficking (sorry, this one is the right word to me)... with our personal information.

I really wish to see our private information under our full control again. I really wish private information under control of U.S. citizens too, as I care about these american citizens that value their personal information yet.

NSA may be seen as damaging, in fact, it is highly harmful to privacy, but Google, Facebook, and so on are even worse. We know NSA databases are shared between a few thousands authorized employees; Google and Facebook do the same but share these databases with billions of Internet users.

In my humble opinion, [most] americans do not care about their own privacy. That is bad. They care, however, about their properties and their constitution, but deny the value of constitutional rights of people living outside their states. It applies to their corporations too.

It is sad to see how Google laughs about European laws when they "remove" personal information from European datacenters but leave it on their own U.S. based ones. They even note that "a user has removed some data" so anyone interested can go to the american servers and look for it. They even send notes to the organizations that provided that information (let us say, newspapers) so they can refresh the information if they want. It is an obvious violation of human rights. But, who cares? It seems european judges and journalists fear Google (even more than Facebook), so no one stops these wrongdoers.

Hope this rule will change something for the good of all of us. And hope U.S. citizens will value their own privacy at the end and get similar ruling on their country.

While here, I fear that Google will remain "owning" the information stolen from European citizens, even if a court has ruled that we, as europeans, are the owners of our own personal data.

Buck Ezell • October 7, 2015 1:30 PM

@ qwertty, platic pancake, pup bap:

Are you kidding? The best part of the article has got to be: "The case reflected a clash between two cultures: in the EU, data privacy is treated as a fundamental right; in the US, other concerns are sometimes given priority." It's like, some people prefer pepsi, some people prefer coke. Some people like to subvert global networks in order to spread malware and impose mechanisms of population control, some people don't.

Who? • October 7, 2015 1:55 PM

@ Daniel

Here's what I don't understand. I don't understand how supposedly intelligent person can make a dumbass comment like that one. Especially since this has been explained both on this blog and in the academic literature for more than a decade. This paper was published in 2003...2003!! and yet people are still asking the question.
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=476041

Sorry, Daniel. This is plain wrong.

Do you really think liberty and dignity are exclusive?

DavdM • October 7, 2015 2:00 PM

These comments are concerning the post on www.lawfareblog.com. I didn't leave the post there because they require that I log in using Facebook (which I will not do because I value my PRIVACY).

Quoted items are from "https://www.lawfareblog.com/schrems-v-data-protection-commissioner-some-inconvenient-truths-european-court-justice-ignores":

In theory "When content is located inside the United States, it cannot be collected except by order of the Foreign Intelligence Surveillance Court (FISC). The court imposes detailed oversight and auditing requirements, and has enforced those rules with threats of contempt of court."

In practice, the FISC rubber stamps nearly 100% of the requests that it sees, the NSA is known to avoid petitioning the FISC when they rationalize that the surveillance is already "approved", and the NSA routinely uses methods that require no oversight, provide no notice, and have no recourse (example, the National Security Letters).

In theory "[…] the NSA will face more legal scrutiny under US law than most intelligence services in the world, including in EU countries, ever will."

In practice, the NSA routinely ignores the highest law of the land (the Constitution of the United States), routinely invents remarkably tortured definitions of words to justify their rationalization of just why existing law allows their actions, and finally even if they are taken to court for something, hides behind the "state secrets" and other doctrines to quash all challenges to their actions.

To summarize, in theory the US provides legal protection. In practice, in the US no real protection exists for US citizens nor anyone else. The European Union's Charter provides REAL privacy protection, hence why this ruling by the European Court of Justice has important ramifications for enforcing the HUMAN RIGHT TO PRIVACY in the EU as well as (finally) here in the US.

Set012 • October 7, 2015 2:04 PM

JUDGMENT OF THE COURT (Grand Chamber)6 October 2015 http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=400526

chubby yak • October 7, 2015 2:11 PM

@DavdM

Agreed. Because it has been demonstrated that we can't rely on what they should do (based on legal framework), the balance is shifting to what they'll be able to do (based on access to data). In my opinion, this is a step in the right direction.

Daniel • October 7, 2015 3:27 PM

@Who?

Did you just read the title and stop? Because if you had read the article you would know that the author is not making a conceptual argument. The author says that as a legal matter, reflecting broader cultural differences, the EU and the USA have taken different historical paths.

Peter Galbavy asked, "Why are the USA and EU different?" and that article gives the reason why they are different.

David Leppik • October 7, 2015 3:55 PM

So what, exactly, does this ruling mean to a Facebook user? If I am an American user with a German friend, and she has set her preferences so friends (like me) can see her address, phone number, and birth date, is her information allowed to reside in the US or not? And if not, when my Facebook app queries a European server for her data, is the app allowed to cache the information on my phone? Is it allowed to synch with my address book, which in turn may be synched with iCloud or Google Contacts?

Depending on what precisely European law stipulates, I could see this as having little effect (Facebook needs to have some European servers, but no code changes) to extreme effect (Facebook needs to remove features or change their data model to silo data.)

And can Facebook get around most of these problems with an end user license agreement that stipulates that personal data may be stored in the US?

tyr • October 7, 2015 4:09 PM

This looks like a golden opportunity for the EU to discard
austerity by fining the major US tech companies enough to
fund them nicely.

I keep hearing about all that excess cash they offshored,
probably just for such an occasion.

NSA is easy to curb, just cut their budget back to some
reasonable level. The same thing works for the military.

HeWhoseNameShallNotBeTyped • October 7, 2015 4:33 PM

Ordinary citizens can fight the NSA. One good way everyone should do is penalize, by any means possible, companies known or strongly suspected to have cooperated with the NSA, willingly or not. So, Google, Microsoft, Yahoo - take your pick.

To those who say, But that isn't very nice...

No but if you know a better way to make companies want to not cooperate with the NSA, and to BITCH LIKE HELL if forced, tell us about it! Emails of outrage won't hurt them, but sticks and stones lobbed at their commecial interests will. If corporations end up feeling they've been hurt all that badly, they can afford to sue the government, unlike citizens. In the big picture, it's not unfair at all to let their anti-social actions bite them right in the ass.

It costs users in convenience, and costs more for the more connected. Here's what I've managed, without really impacting my surfing satidfaction very noticeably:

-Traded Google for DuckDuckGo (except rare reverse-image-search & maps)
-including gmail, and all other email too (I sent myself - so Google too - a "Goodbye Google" email)
-disabled Cookies except for a parsimonious Whitelist
-AdBlockPlus
-NoScript (pain to make whitelists, thankfully only once per website)
-https Everywhere
-NEVER create or log into any web account, except minimal online banking
-NEVER type my real name or anythng else except my home town, and country

My one big sin is that I use Flash for a couple of online games. But, I also use a dedicated air-gapped internet PC. If a website doesn't work after I've tried enabling the site's own scripts, I surf away. Concerned Website owners can analyze their weblogs to see how much traffic they're losing due to their own creepy practices, if they want to. They can email their logs to the NSA's Customer Service department - I'm sure they can figure out an email addresss that will work.

jones • October 7, 2015 4:35 PM

From Dan Geer's 2014 Black Hat talk, if you're not familiar with it:

10. Convergence -- DEFAULT DENY

Let me ask you a question: Are the physical and digital worlds one
world or two? Are cyberspace and meatspace converging or diverging
over time? I conclude that they are converging, but if they are
converging, then is cyberspace looking more and more like meatspace
or is meatspace looking more and more like cyberspace? That is not
so clear.

Possibility #1 is that cyberspace becomes more and more like
meatspace, ergo the re-creation of borders and jurisdictional
boundaries is what happens next. Possibility #2 is that meatspace
becomes more and more like cyberspace, ergo jurisdictional boundaries
grow increasingly irrelevant and something akin to one-world
technocratic government more or less follows. The former is
heterogeneous, the latter is the monoculture of a single nation-state.
As we all know, resiliency and freedom obtain solely from heterogeneity,
so converging meatspace to cyberspace is the unfavorable outcome,
but what can be done about it?

At the end of last year, the Pew Research Center invited 12,000
"experts" to answer a single Yes/No question:

By 2025 will there be significant changes for the worse and
hindrances to the ways in which people get and share content
online compared with the way globally networked people can operate
online today?[PEW]

Of the 12,000 invited, some 1,400 did answer. Putting aside whatever
selection bias may be reflected in who chose to answer and who did
not, Pew found four themes dominated respondent comments:

1) Actions by nation-states to maintain security and political
control will lead to more blocking, filtering, segmentation, and
balkanization of the Internet.

2) Trust will evaporate in the wake of revelations about government
and corporate surveillance and likely greater surveillance in the
future.

3) Commercial pressures affecting everything from Internet
architecture to the flow of information will endanger the open
structure of online life.

4) Efforts to fix the "too much information" problem might
over-compensate and actually thwart content sharing.

Data Exchanges Monitored by Automated Regulation • October 7, 2015 4:35 PM

The solution is to physically, electrically and optically firewall the personal data. No more going through compromised undersea cables. All data exchanged externally must go through a transparent largely automated exchange monitored by regulators. Similar to the SEC oversight for stock markets. To be able to exchange data (do business) both countries require a data transparency agreement with penalties.

Spy agencies especially MUST be brought under control. Sending unauthorized personal data to build secret dossiers should result in automatic large fines or mass surveillance espionage charges.

Give users control fine granularity control over where there data can be sent in a standardized control panel INDEPENDENT of the data-mining companies. Offer free annual transparency reports similar to Credit Reporting agencies.

The Russians are a great example taking effective countermeasures. The USA knew nothing of the new coalition to fight ISIL until it was dropped in their laps at the United Nations.
Estimates of Russian troop movements and bombing in Syria are reported as visual sighting and guesses. Effectively and embarrassing!

Dirk Praet • October 7, 2015 5:12 PM

@ Rolf Weber

Do you know the difference between the petitioners (Schrems) claims and the courts opinion? Again: The court never mentioned Snowden in its opinion.

Although the court's ruling itself does not explicitly mention Snowden, the official press release by the Curia - and which I referred to in my previous post - DOES. So unless you're just joining the discussion for another meaningless round of nitpicking - also commonly referred to as trolling - it would be really civil of you to have the intellectual honesty to at least acknowledge that fact.

While you're at it, try reading between the lines of the court's opinion. And I quote: "Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.

Now who or what could ever have given them that idea?

even Facebook says it never relied on Safe Harbor, it always relied on explicit user consent.

Facebook is one of the 4000+ companies that have self-certified under Safe Harbour. Why would they have done so if they rely on explicit user consent only ? The simple fact is that they don't and actually have a long history of user deception and privacy violation charges being brought against them.

@ David Leppik

And can Facebook get around most of these problems with an end user license agreement that stipulates that personal data may be stored in the US?

Nope. I don't know the situation in the US, but over here in Europe, corporate EULA'S do not trump the law. So unless such a law would allow for a backdoor in the form of a user explicitly waiving his/her rights through express and well-informed consent, any company trying to do so can expect itself to get buried under an avalanche of both EU fines and private lawsuits.

@ Clive

Unfortunately the "secret clauses" in the Trade Treaties Obama is trying to ram down the worlds throat could well be used to force such legislation to be put in place.

This is of concern indeed. On a positive note, however, the lesson now learned from the Schrems case is that any such brazen (and secret) agreements could again be invalidated on the same grounds as Safe Harbour. CISA passing the Senate and US court rulings like in UCLA v. Clapper are only going to increase the EUCJ's stand on the issue, and which both the EU Commission and EU Parliament will have to take into account when proceeding with TPP.

Coyne Tibbets • October 7, 2015 9:42 PM

@Chelloveck : The American public (and I'm speaking as one of them) generally doesn't care about privacy.

What would you have the public do about it?

Go to the courts? With very few exceptions, the courts have set all past precedent that data is wholly owned by the company and the individual has no property interest in it whatsoever. There is no recourse in the courts.

Go to the companies? The companies know the courts back their interpretation that the individual's data is wholly owned by the company; property that is monetized with trivial ease to feed the profit maw. Why would the company willingly agree to constrain its own use of its own valuable property? There is no recourse in the companies.

Go to the legislature? With very few exceptions, the legislature responds to the lobbying of the corporations. The law follows the lobbying, so there is no recourse in the legislature.

Go to the executive? First of all, the executive points to law and shrugs. If pressed on any point where it might have influence, such as treaty, it is revealed that the executive is as sensitive to corporate desires as the legislature. No recourse here.

Go to the press? The press in this country is driven by its need for corporate advertising funds As a result, it has a distressing tendency to report news the way the corporations demand. In fact, we come full circle, because it is the press that reports the public has no interest in privacy; based upon its push polls, carefully designed to reach that result. Where privacy abuses do occur, they are carefully downplayed by the press to keep somnolent as much of the public as possible. No recourse in our failed fourth estate.

I think the U.S. public, the average individual, is much more interested in privacy than is implied by what is seen in the press or the various (suspect) polls. But there is nowhere their desires for privacy can be heard--no appeal. As a result, there is a fatalistic acceptance of the privacy situation...and get on with their lives as best as possible.

name.withheld.for.obvious.reasons • October 7, 2015 10:18 PM

@ Coyne Tibbets

I think the U.S. public, the average individual, is much more interested in privacy than is implied by what is seen in the press or the various (suspect) polls.

Apple's new ad-blocker API (iOS 9) and associated applications have become the most popular apps in recent weeks. Seems the uptake is amazing and does at least give a clue as to the demand if not the sentiment that privacy is considered at least relevant.

rgaff • October 8, 2015 12:13 AM

I agree with the fatalistic acceptance and "get on with life" attitude in the USA, rather than real uncaring... I mean, a few years ago Nixon was almost impeached for very minor things compared to what our last few presidents do very blatantly (killing medical responders with drone "double taps" in obvious violation of the Geneva Convention, for example)... People have fatalistically accepted that our country is hopelessly broken and there's just no way to fix it. People just hope that the inevitable resulting collapse happens in a future generation... It's also the only logical explanation for the utter madness within the government itself, and the headlong rushing toward some kind of apocalyptic disaster against all reason, squeeze everything out for "number one" (one's self) first, kind of attitude.

Rolf Weber • October 8, 2015 1:26 AM

@EvilKiru

I don't think "to blame" is the right term when I just correct wrong statements. And from the many wrong and misleading Snowden "revelations", we should have learned that it can be a bad idea to blindly repeat press assertions.

@Dirk Praet

I never said the court did not mention the name "Snowden". I said they did not *cite* Snowden in its *opinion*.

Here is how Snowden is mentioned in the press release:

Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.

This is clearly not the court's opinion, they just repeat claims of the petitioner Schrems. (And BTW, you are wrong, Snowden is *mentioned* in the ruling as well, but again only in the context of Schrems' claims)

And the part you quoted from the court's opinion, they never referred to Snowden there. They referred to the FISA laws. Nobody needs Snowden to read the FISA laws.

Regarding Facebook and Safe Harbor, you got a point. I should have better said "Facebook never relied solely om Safe Harbor". But this doesn't make a big difference for my point. Facebook said the following after the ruling:

Meanwhile, Facebook said in a statement that it "relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor".

http://www.cnbc.com/2015/10/07/eu-safe-harbor-ruling-what-is-it-and-what-does-it-mean-for-us-tech-firms.html

That's what I said, and that's what Bruce got wrong.

ianf • October 8, 2015 2:10 AM

@ David Leppik […] when my Fuckfacebook app queries a European server for her data, is the app allowed to cache the information on my phone?

No, in response to any American's attempt to access an Europeanne's data the EU Unsafe Harbour Compliance Commission will respond with a special Cachenot Smurf payload.

Is it allowed to synch with my address book, which in turn may be synched with iCloud or Google Contacts?

Yes, except payload will self-scramble immediately after the ACK, so you'll be syncing the data equivalent of random white noise (not unlike my oldie fave analog TV program after the end of day emissions).

Woo • October 8, 2015 2:29 AM

I don't think there is any way to stop the NSA from what they're doing.
By now, they've got enough money and enough dirt collected that they can either buy off or blackmail any politician into submission. If necessary, I'm sure the CIA will lend them some of their drug money.

ianf • October 8, 2015 3:58 AM

@ HeWhoseNameShallNotBeTyped Ordinary citizens can fight the NSA. […] Here's what I've managed, without really impacting my surfing satisfaction very noticeably.

Fine for laptop/ desktops, but, until iOS9 blocking came around, there was no way to prevent server-side snooping and tracking on iPhones (and still may not be, because it's a cat-n-mouse game). Need a new list for iPhone use.

[ok] Traded Google for DuckDuckGo (except rare reverse-image-search & maps)
I use https://tineye.com/ for the first instead; AppleMaps for the second
[?HOW?] including gmail, and all other email too
What did you replace it with?
[ok] disabled Cookies except for a parsimonious Whitelist
[ok] AdBlockPlus
[ok] NoScript (pain to make whitelists, thankfully only once per website)
[ok] https Everywhere
[ok] NEVER create or log into any web account, except minimal online banking
Change to a bank that has a presumably much more secure iPhone app. My bank relies on the EU-wide MobileBankID security app for ID-validation.
[ok] NEVER type my real name or anything else except my home town, and country
You need to stand above my shoulder, keep reminding me of that

BTW. the "He Whose Name Shall Not Be Typed" could well be shortened to "*" - except that it then might be mistaken for shorthand of God's email, which I am told is <*@*>

AbandonPrivacyAllWhoEnterHere • October 8, 2015 4:56 AM

"I don't think there is any way to stop the NSA from what they're doing."

That's where you are wrong.

If nation states or sufficiently skilled hacking groups can rip off the OPM for around 90% of their records, then I'm sure the same groups can take down or sufficiently damage the data centres (nerve centres) that the spooks treasure so much.

Basically, think of the data centres as the evil Everminds from the Dune Series.

Accumulating every piece of data possible, synthesising, analysing, profiling - all done illegally by innumerable breaches of international and domestic laws, including the obvious breaches of the 4th amendment.

On that basis, their illegally harvested data and ongoing breaches are fair game for deletion, corruption and so on.

Thus, if there are expert hackers who aren't just the NSA or other spy twins (Israelis, 5-eyes, 9-eyes etc) in disguise - think Equation Group - then if they stop dicking AshleyMaddison and other nobodies, then they could probably take down a data centre (something useful).

Hypothetical (for discussion purposes only of course):

1) Use the same methods NSA used to hack Belgacom and others i.e. electronically stalk and do necessary surveillance/reconnaissance on known spook network admin staff or their private contractors (take your pick) e.g. Linked In, Facebook, all reconnaissance necessary to map out key employees doing maintenance and security and the likely internal network to be attacked

2) Use the unique identifiers and IP addresses of identified staff to show when enemies of liberty connect to the net

3) Use your advanced hacking tools (we know you have them e.g. riding on the back of cookies etc) to scan any open networks. In the case of isolated data centers - use of poisoned USBs (stuxnet) style to infiltrate their network is recommended

4) If possible, MITM your chosen targets with advanced FinFisher style tactics when your identified targets hit known popular websites

5) Install Hacking Team style malware onto private contractors/spooks home computer

6) Exploit any network access security/IT engineers may have via your malware insert

7) Ultimately a successful attack on internal NSA networks is unlikely due to advanced air-gaps or similar (unless very persistent), but infection of critical systems needed to keep the major data centers from going into full meltdown is a more realistic attack vector:

Option 1 - Water requirements (Utah requires 1.7 million gallons daily to run and has multiple water storage tanks, cooling towers and a chiller plant to keep it from going critical

Option 2 - Electricity requirements (65 megawatts) - the Utah structure was damaged during construction (delayed for a year) due to power surges

Conclusion: If there is a bad ass EQUATION GROUP out there that gives a shit about the dystopian nightmare under development, then they could do the global population a HUGE favor by taking out each one of the Data Death Stars under development (or already built) by sabotaging the US Fascist infrastructure with a Stuxnet style worm that destroys electrical and/or water systems.

The global citizens would fall to their knees (at least those not blinded by propoganda) having the slate wiped clean of their multiple abusers: Yascrew, Poodle, Microsoftcock, Facefuckbook, Gestapo of all persuasions et al.

It will happen sooner or later, since if Snowden can steal all that shit, a hardened adversary can get in, or better yet, a trusted insider could poison the Evermind while pretending to care to it.

Another intelligence failure, or should I say, failure of intelligence.

Rolf Weber • October 8, 2015 5:03 AM

To each his own. I will never be so stupid and punish myself out of baseless NSA paranoia. Nobody offers as good services as Google. For example, the face recognition of Google Photos is absolutely great.

NSAWhat? • October 8, 2015 5:23 AM

"Baseless NSA paranoia".

Do your homework and pass on the glib statements.

If you don't understand what 'Sniff It All, Collect It All, Know It All, Process It All, Exploit It All' means - which is written in large letters on the NSA slides - along with the other pretty ones naming Google and the other corporate collaborators in clear text, then you are a lost cause.

Each data center stores exabytes of data or enough room for years of internet data at a time. In other words - ready to hoover up everything.

Take a Richard Stallman approach - open source, no commercial providers, no social networking, no glorified tracking devices which make phone calls (mobiles) etc, and you will be in a lot better space.

Re: Google - they are simply electronic stalkers. Use Disconnect Search instead, uses the same algorithm without the IP tracking and search results being recorded for ever.

Fraudbook is also keeping their photographs forever and really good at biometric algorithms - why else is Zuckerberg's collective data gang raped on a daily basis by the intelligence agencies?

Third party trust = zero. This is the way to operate with computing, email, properly secured communications, browsing and so on.

PS What happened to that intelligence plant Skeptical? Are you the new him?

ianf • October 8, 2015 5:50 AM

ADMINISTRIVIA @Bruce, all:

I'll ask AGAIN: is the site being under some DDoS attack, or undergoing extra heavy maintenance on the live stream? Since Tuesday afternoon GMT+1 (now Thursday) I am constantly met with half-loading pages, "server stopped responding" [MobileSafari] messages, and, above all, a frustratingly icky posting process. Then it flows for 10 minutes as usual. And then again not. Preview of new comments works fine (thus have to assume it relies on embedded JS), but when it comes to Publish-ing, mayhem… no response 4 out of 5 times. Page loads forever, or at least until I abandon the attempt.

IRRITATING DOESN'T COVER IT, NOT EVEN !CARRAMBA!

No other of my usual US/UK/EU sources exhibit this behavior. So what is happening in the House of Schneier? Or is it just me, no one else has "it" - whatever it could be.

Sorry for the interruption. Now back to the usual yadda-yadding.

Rolf Weber • October 8, 2015 5:53 AM

@NSAWhat?

With "Do your homework" you mean "read the wrong and misleading Snowden 'revelations'"?
Been there, done that.

And BTW, I always preferred open source over closed source.

Peter A. • October 8, 2015 6:26 AM

@ HeWhoseNameShallNotBeTyped, ianf re: replacing gmail

I have actually never started using gmail - I had used university-provided account initially, first as a student, then as a sysadmin, also for some time after quitting the job (as a courtesy). Then I switched to self-maintained mail server, mostly out of geekness and for the possibility to configure it as I please.

Unfortunately, since the majority of my correspondents use gmail or other big mail hubs (some global ones and some country-specific ones), it doesn't make much difference. Almost all of my email eventually lands either in Received or Sent folder of a user of some big data-mining enterprise, while also being scanned in-transit quite often.

Only a handful of emails that I exchange with like-minded and competent ex-coworker friends is seen only by them and myself - hopefully.

ianf • October 8, 2015 6:37 AM

What ARE YOU, AbandonPrivacyAllWhoEnterHere, an agent provocateur straight from the "We need to publish America-hating blogposts to puff up our budgets" @DHSgov's ad-hoc budget-justification project? Sounds like you came from there, and your "hypothetical" scenarios are A CALL TO ACTION. If so—busted.

@ NSAWhat to Rolf Weber “What happened to that intelligence plant Skeptical? Are you the new him?”

Skeptical is not a plant, but a lowly G11 pay grade assignee here to muddy the waters of impressionable youngsters' intellect—what in ancient times got Socrates tried and executed.

Bruce Schneier • October 8, 2015 7:55 AM

"What does 'If this stands' mean in this context? A ruling of the European Court of Justice is like one of the US Supreme Court: there is no appeal."

I don't think we understand the implications of this ruling. I was hedging that -- and I still don't think we understand the implications of the ruling. Reading it, it's less serious than the initial press coverage indicated.

Clive Robinson • October 8, 2015 7:57 AM

I don't think there is any way to stop the NSA from what they're doing.

Err I think there is and one way is currently legal...

The IC has decided to collect everything you do, they have not asked and thus can not say as an uninvited party to your communications "don't abuse our collection process". That is you have no contract, terms of condition, EULA or other service agreement with them express or implied, as they are not providing you with a service or benefit.

Unfortunately for them you know the way they work and thus can take advantage of that.

Specifically they keep encrypted traffic in perpetuity, which is far from a zero cost option, now or in the future. However you only pay once for each encrypted packet of data you send.

Thus if you use a a communication protocol that maxes out packets and bandwidth with padding and encrypt it you are giving them not just a self induced DoS attack but a perpetual cost.

Eventually the cost becomes unacceptable to the funding bodies and the public at which point the options open to the NSA start to diminish quite rapidly and they will have to switch their mode of operation.

At the moment the NSA is riding on a wave of fud, with no discernable output of worth strategic or practical currently. The NSA are not NASA, they can not claim there will be a compensatory spin off to justify the past or current expenditure. Thus at some point the money sink hole the NSA is will be deemed an unjustifiable waste, potentially a criminal waste, at which point an accounting will be required...

Importantly industry experts need to be ready for this eventuality, otherwise the NSA and their supporters will try to get a free ride by a data tax or similar rather than change their worthless behaviour.

However I would encourage US voters to limit the life of elected officials, if your President only gets two terms, why should others post holders have more? Doing so also limits the effect of lobbyists as any investment they make will only provide time limited returns...

Dirk Praet • October 8, 2015 8:22 AM

@ Rolf Weber

I never said the court did not mention the name "Snowden". I said they did not *cite* Snowden in its *opinion*.

Obviously a most important distinction in this debate.

They referred to the FISA laws. Nobody needs Snowden to read the FISA laws.

The assumption that the EUCJ - or anyone else outside the US administration, IC and congressional circles - pre-Snowden was aware of how certain PA and FIS(A) sections were being interpreted by the executive, implemented by the FISC and the IC, and then imposed on the US tech industry is well beyond ludicrous.

@ NSAWhat, @ ianf

Skeptical is not a plant, ...

I for one think @Skep is an added value to this forum. Without speculating about his background, I do enjoy my discussions with him because he makes fine, consistent and generally well-informed arguments without ever resorting to nitpicking or denying obvious facts. @Skep actually gives us a really good insight into the mindset of the USG, perhaps even better so than its official spokespeople and MSM outlets do. And from which a lot can be learned.

Our friend @Rolf, however, is an entirely different case. Nobody here understands the reasons behind his obsession with Ed Snowden and his almost irrational defense of the IC and Silicon Valley.

Winter • October 8, 2015 9:17 AM

The Register hits the nail on the head:

Understand 'Safe Harbor', Schrems v Facebook in under 300 words
http://www.theregister.co.uk/2015/10/08/understand_safe_harbor_ischrems_v_facebooki_in_under_300_words/

I have spoken with experts on privacy law in Europe just before the court ruled about the expected outcome. And they already told us the same as The Register writes.

The simple summary: Data of European citizens are not safe in the US under the Safe Harbor Agreement.

I think the conclusion of The Register is right:
Perhaps the time has come not for a revamped 'Safe Harbor', but for the US to adopt a Federal Data Protection Law.

Rolf Weber • October 8, 2015 9:18 AM

@Dirk Praet

The assumption that the EUCJ - or anyone else outside the US administration, IC and congressional circles - pre-Snowden was aware of how certain PA and FIS(A) sections were being interpreted by the executive, implemented by the FISC and the IC, and then imposed on the US tech industry is well beyond ludicrous.

The wording and interpretation of FISA section 702 was very clear long before Snowden. It allows to monitor foreigners abroad without showing probable cause before a judge, and that's what the ECJ objected. The ECJ did not object any implementation (that, what Ed allegedly exposed).

In any case, the court did *not* cite Snowden in its opinion, and did *not* confirm any of his wild claims. Yves Bot did this, but fortunately the court didn't adopt this.

Winter • October 8, 2015 9:23 AM

I think the conclusion of The Register is right: Perhaps the time has come not for a revamped 'Safe Harbor', but for the US to adopt a Federal Data Protection Law.

To add:
What is needed from the US lawmakers and executive is to implement laws on privacy that give us

Transparency

Accountability

Redress

Winter • October 8, 2015 9:25 AM

@Rolf Weber
"The wording and interpretation of FISA section 702 was very clear long before Snowden."

Please give citations or any other evidence for this statement.

EvilKiru • October 8, 2015 10:10 AM

@Rolf Weber: Your pull-quotes are from the NYTimes article that Scott wrote, so why are you saying that Bruce got it wrong?

Nick P • October 8, 2015 10:22 AM

@ Rolf Weber

Here's the rules for that section. Anyone studying NSA would assume they were pulling radio/satellite signals out of the air (esp w/ ECHELON) along with some sharing with foreign parties under the Many Eyes partnerships. The criteria allows quite a bit of interception capability but collection was quite targeted and minimized. NSA employees discussed how painstakingly they avoided collecting data on Americans. So, Americans assumption would be that NSA was collecting just what was sensible (very little), only had their metadata, and any further data required a specific warrant via FISA or FBI.

The Snowden leaks gave a different perspective on what was going on, showed it started with an illegal black program during Bush/Cheney, and was supported by secret interpretations of law. So, no, even those of us following their announcements didn't know they were attempting to collect everything everywhere, sucking up Americans' data, ignoring FISA much as they want without penalty, and caring little collection on Americans. It's quite the 180. After that perspective change, we saw responses like this one in Europe.

BoppingAround • October 8, 2015 11:29 AM

[Off-topic, ignore] ianf,
No problems with the blog for me. Haven't any for a while (that is, from several
days to several months).

Clive Robinson • October 8, 2015 11:47 AM

@ Bruce,

-- and I still don't think we understand the implications of the ruling.

Well there are a couple where the proverbial brown stuff is going to hit the fan...

Firstly if you are in the EU and you are in education and your institution insists you use Google or a US based "learning / examination" system then they are forcing you to divulge PII, that's now a no no, so Unis etc are going to have to find EU equivalent or unmothball their previous services... similarly employers.

Secondly there is patent and other disclosure issues. In the EU unlike the US you can not predisclose a patent application to more than a tiny handfull of people (I think it's five in the UK) otherwise you have "published" and put it in the public domain and an easy challenge in court becomes available to your competitors to have the patent revoked... Likewise other disclosure rules, you now can not pretend that using any US email or other service is confidential... Which is a problem for the very many Google, Facebook, and other social and professional networking service users in the EU.

Then of course there are services like PayPal, Uber etc with a duty of confidentiality with regards PII... Even mobile phone companies with geo-location information, in the EU business record interpretation is a lot tougher than it is in the US. Whilst a US LEO might assume geo-location information is a business record, thus available via an NSL in the US you would have to get an individual warrant issued within the EU for that information...

It's going to get messy and the US will not be able to get US Companies off the hook with US legislation (remember the retrospective immunity from the Bush administration for phone companies, it does not have any protective value outside of US jurisdiction something AT&T amongst others have been crossing their fingers about).

The dust will only start to settle once enough lawyers have chanced their arm in court to establish a sufficient base of case law, and with consumer law in the UK also having just changed to allow class actions without consumers having to sign up, it's most definitely in lawyers interests to chance their arm... which could take the next ten years to settle down...

Jim Lippard • October 8, 2015 12:31 PM

Companies operating in the U.S. and EU after the Data Protection Directive was introduced in 1995 but prior to the establishment of the Safe Harbor framework in 2000 addressed this issue by establishing contractual relationships between U.S. and EU corporate entities regarding the export of personal data from the EU, essentially guaranteeing that the U.S. entities would follow the requirements of the Directive. That mechanism was formalized with model contract provisions established by EU member nations.

The revocation of Safe Harbor appears to require a return to that prior regime.

Winter • October 8, 2015 12:42 PM

@Clive
"Firstly if you are in the EU and you are in education and your institution insists you use Google or a US based "learning / examination" system then they are forcing you to divulge PII, that's now a no no, so Unis etc are going to have to find EU equivalent or unmothball their previous services... similarly employers."

Google especially has been adamant and refusing to limit data to European data centers. This has cost them a number of government contracts (EU governments tend to require their data to remain on their soil).

However, they are already building European data centers.
http://googlepolicyeurope.blogspot.nl/2014/09/expanding-our-data-centres-in-europe.html

So, I think that the US companies have already infrastructure in place to (temporarily) limit data transport to European soil. But that would be almost impossible to check.

I think the US will have to bite the bullet and either force their lawlessness onto the rest of the world openly, or change their laws and practices.

I guess they will try to do the force thing first.

ianf • October 8, 2015 12:53 PM

@ Clive, you don't see this ruling (definitely not yet EU-wide verdict) as the beginning of … taking back the cloud, etc. Internet-services initiative? Local & state actors banding up to provide an alternative to US dominance, akin to what happened with the Airbus? [which now happens to dominate certain airframe segments globally].

Then of course there are services like PayPal…

Both they, AMZN, and Apple (or parts of it) are registered in Luxembourg [no, or next to none corporate taxes], ergo do business as European companies, but owned by US motherships. Perhaps in the future we'll see them being broken up in more than surface sense, much due to this inability to function acc. to two different privacy cultures…

Rolf Weber • October 9, 2015 1:35 AM

@Nick

Just look into the law itself:

(1) Authority With respect to an acquisition authorized under subsection (a), the Attorney General and the Director of National Intelligence may direct, in writing, an electronic communication service provider to—
(A) immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce a minimum of interference with the services that such electronic communication service provider is providing to the target of the acquisition; and
(B) maintain under security procedures approved by the Attorney General and the Director of National Intelligence any records concerning the acquisition or the aid furnished that such electronic communication service provider wishes to maintain.

https://www.law.cornell.edu/uscode/text/50/1881a

It was always very clear that this law gave the government the authority to force providers to hand over the data of foreigners abroad. Only the implementation (with PRISM and UPSTREAM) was unclear before Snowden (however he and the media heavily misrepresented it), but the ECJ did *not* object the implementation. And again, the court did *not* cite Snowden or his "revelations" in its opinion.

I agree that before Snowden, nobody in the public could guess how section 215 was interpreted. But 215 was absolutely irrelevant for the decision. It was only about 702, and this section was always very clear.

Dirk Praet • October 9, 2015 8:47 AM

@ Rolf Weber, @ Nick P

It was only about 702, and this section was always very clear.

No, it wasn't, Rolf. What we have here is a clear case of hindsight bias on your behalf.

Pre-Snowden, there is no way in hell that the Schrems case would have held up in any court based solely on the texts of legislation you are referring to. Anyone but the tinfoil hats among us would have interpreted them as being executed in a targeted way, for cases where there was reasonable suspicion of wrongdoing, and under a rigorous regime of oversight that could have stood the test of Safe Harbour rules at any given time.

What Snowden brought in the open was a completely different beast, knowledge of which even in the US was unknown to the general public. And to most in Congress and the judicial branch too, for that matter.

There simply is no denying that the Snowden revelations - and especially those about the extent of collusion between the NSA and the US tech industry - are at the crux of the EUCJ's opinion, and were most likely used as a hidden baseline in a process of parallel reconstruction for the judges to reach their verdict, ultimately - and at least on the record - based on the same official argumentation you are using.

Rolf Weber • October 9, 2015 9:34 AM

@Dirk Praet

You confuse things.
I agree that Schrems case would likely not have been possible without Snowden. He argued his complaint before the Irish data protection commissioner with wrong and misleading press reports about the PRISM program.

But this is not what we are talking about. We are talking about the ECJ ruling, which only had to decide over Safe Harbor -- not Schrems initial complaint. And the ECJ did simply *not* invalidate Safe Harbor because of any claimed American practice, but -- beside other reasons -- because of American law.

And the court did carefully avoid to name any practice in its ruling, although Yves Bot, the Advocate General, did this in his opinion. Bot cited Snowden and his "revelations", the court not. This is remarkable.

You can speculate about the court's motivations as much as you want, the simple fact is that it did *not* cite Snowden and his "revelations" in its opinion. And this is basically all I say here, but it appears that you and others simply cannot stand this simple fact.

Nick P • October 9, 2015 9:59 AM

@ Rolf Weber

I was addressing your comment about the U.S. side. That foreign collection is fair game is long known with many specifics. You're U.S. quote was total fabrication, though, as evidenced by reaction to the specific aspects of the Snowden leaks. Most Americans had no clue what was going on or to what degree. Neither did much of Congress.

And that was basically what I said there, but it seems you simply can't stand that simple fact despite ample evidence to the contrary.

Rolf Weber • October 9, 2015 10:53 AM

@Nick P

Nobody had a clue about PRISM because nobody was interested. Likely because, yes, foreign collection is fair game. Everybody knew this long before Snowden.
Not because the wording of 702 was unclear.

Nick P • October 9, 2015 11:08 AM

@ Rolf Weber

There were many people interested in how the Patriot Act was being interpreted. There was just no way to find out. Don't extrapolate what majority of lay people think to what all people, from professionals to activists, think over here. There's quite a difference.

Rolf Weber • October 9, 2015 11:31 AM

@Nick P

Of course I can only speak for myself. I was surprised about how 215 was interpreted with the dragnet. I was not surprised at all about PRISM and UPSTREAM.

Clive Robinson • October 9, 2015 2:03 PM

@ Rolf Weber,

You can speculate about the court's motivations as much as you want, the simple fact is that it did *not* cite Snowden and his "revelations" in its opinion.

There is actually little need to speculate in it's opinion.

Neither Snowden nor his revelations were party to the action, nor was the NSA but the US Government as the agency responsible for the legislation that the action hinged on...

Most courts when they issue an opinion or ruling as opposed to a summing up or sentence stick only to "legal argument" that is, it is about the legislation it's consequences and previous opinions and rulings that form the cannon of case law and how they relate or are applied in a specific set of circumstances. If legal cases had numbers not the names of the parties involved then names would probably not make into any opinion.

Perhaps you should lookup the definition of "opinion" under English and Colonial law. You will find it is given by a "subject matter expert of the court". Mostly this is the judiciary when it's points of law, but a court will defer to an appropriately qualified accountant on tax law, a barrister or equivalent licensed to practice law in a foreign jurisdiction should it have a baring on the case. Likewise the "learned men of science" from those judged capable by their standing of offering expert opinion on the matters of the case etc. Courts have a rather conservative view on their remit, but until recent times served them well for over a thousand years.

Dirk Praet • October 12, 2015 9:13 AM

@ Rolf Weber

We're not taking issue with your statement of Snowden not being cited in the court's opinion, but with your stubborn and unreasonable denying that his revelations were at the heart of both cases.

Nobody had a clue about PRISM because nobody was interested.

Not really. Go back to pre-Snowden times on this blog. You'll find quite some discussions on NSA capabilities and suspected activities. Back then, it was just tinfoil hat theories, "hearsay" from people like Blake and Binney or vague warnings from folks like Ron Wyden. Snowden provided material proof thereof.

I was surprised about how 215 was interpreted with the dragnet. I was not surprised at all about PRISM and UPSTREAM.

What surprised everyone about both 215 and 702 was their very broad interpretation by the USG and the sheer extent of NSA progams based thereon. The only reason I can see that you were not surprised by PRISM and UPSTREAM is that contrary to most other folks here, you have consistently been downplaying them as rather harmless and narrowly targetted programs that should be of no concern to anyone but terrorists.

Jonathan Wilson • October 12, 2015 6:32 PM

To those talking about TPP, it means nothing for the EU since the EU isn't part of TPP. There are other agreements (likely just as nasty) being negotiated between EU and USA though.

Rolf Weber • October 13, 2015 8:45 AM

@Dirk Praet

We're not taking issue with your statement of Snowden not being cited in the court's opinion, but with your stubborn and unreasonable denying that his revelations were at the heart of both cases.

To remind you on how this discussion arose, Schneier did cite the NYT:

The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans' rights to privacy.

And this is simply not true. Got it?

And regarding PRISM and UPSTREAM, I was not surprised because it is just some data from foreigners abroad picked up with them. And we know from the plain numbers that the programs are not used very broad. In the meantime, Google is allowed to include FISA requests in its transparancy report. There are 30.000 to 40.000 users affected each year. According to Wikipedia, there are currently 900 million gmail users. You can do the math by your own.

Z Qin • October 13, 2015 10:02 PM

I am glad to see that the EU took a stance for protecting personal privacy. Hopefully this interferes with the U.S. Justice Departments proposal for global search warrants.

To summarize the link, the Justice Department would be able to remotely access and search electronic storage media and be able to take information.

Rolf Weber • October 14, 2015 9:35 AM

As a realitycheck to all of you who still believe in the Snowden fairy tale that the 702 programs are broad, from my latest blog post:

When you listen to Snowden and the media, and reports about the European Court of Justice ruling about SafeHarbor, you may have the impression that the NSA has an almost unfettered access to the data of European Facebook users. But what are the facts?

Fortunately, the American Internet companies are now allowed to publish transparancy reports about national security user data requests, so we have some solid data to answer this question.

According to the Facebook report[1], there are FISA requests for about 16.000 Facebook users per year. Currently Facebook has about 1.44 billion active users[2]. So the chance that the NSA collects the personal data of a Facebook user is about 0.001%. Or one of 100.000. Impressing, isn't it?

Your chances with Google are slightly better. There are FISA requests for about 32.000 user accounts per year[3]. Gmail has about 900 million users[4]. This means a chance of at least 0.0035%. Wow!

[1] https://govtrequests.facebook.com/country/United%20States/2014-H1
[2] http://investor.fb.com/releasedetail.cfm?ReleaseID=908022
[3] https://www.google.com/transparencyreport/userdatarequests/US/
[4] https://plus.google.com/+Gmail/posts/AjktcDswdKh

Clive Robinson • October 14, 2015 10:03 AM

@ Rolf Weber,

... now allowed to publish transparancy reports about national security user data requests, so we have some solid data to answer this question.
And this only gives the tip of the iceberg, as any unencrypted link is still fair game without the need to be reported to the service providers.

Dirk Praet • October 14, 2015 1:53 PM

@ Rolf Weber

As a realitycheck to all of you who still believe in the Snowden fairy tale that the 702 programs are broad, from my latest blog post

For $DEITY's sake, Rolf. If that's all they're storing, then what on earth do you think they're using Cray XC30's and yottabytes of data storage at Bluffdale for ? To store their cat videos ?

Wael • October 14, 2015 3:23 PM

@Dirk Praet, @Rolf Weber,

what on earth do you think they're using Cray XC30's and yottabytes of data storage at Bluffdale for ? To store their cat videos ?

No! It's to construct the grandmother of all rainbow tables. A table that maps every possible public key to its private key :)

Rolf Weber • October 14, 2015 3:49 PM

@Clive Robinson

Besides that the breadth of the programs you are referring to is heavily exaggerated too, what we are talking about here, and what it is about in the Schrems complaint, are the 702 programs, specifically PRISM, and the plain numbers from the transparancy reports clearly show that PRISM is simply not broad.

@Dirk Praet

How should I know? I have no knowledge at all about top secret NSA operational details. I don't know what they use the alleged equipment for. All I know is that PRISM is not broad. We know there are broad programs, like SOMALGET. But PRISM simply isn't.

@Wael

:-)
Yes, maybe Bruce was wrong and the NSA *is* made of magic. ;-)

ianf • October 14, 2015 4:47 PM

Hey @ Dirk! Watch it: no knocking down Cray XC30's full of cat videos OF WHATEVER PROVENIENCE when I'm around. You want to know when it all started to go bad, I'll tell you right this minute: when humanity stopped caring about cat videos being high-speed piped to homes alongside hot 'n cold water.

Dirk Praet • October 14, 2015 6:31 PM

@ Rolf Weber

I have no knowledge at all about top secret NSA operational details. I don't know what they use the alleged equipment for. All I know is that PRISM is not broad.

No, you don't. Unless you have knowledge about top secret NSA operational details. And narrowing down the issue to PRISM is misleading and deceptive. FISA 702 is being used for a much broader area of bulk collection programs that siphon off large portions of internet traffic directly from the internet backbone. Something you know only too well.

@ ianf

when humanity stopped caring about cat videos being high-speed piped to homes alongside hot 'n cold water.

For the record: I love Crays but I hate cats.

Rolf Weber • October 15, 2015 2:19 AM

@Dirk Praet

And narrowing down the issue to PRISM is misleading and deceptive.

I don't narrow down, I stay on topic. The Schrems case is about Facebook, and since Facebook is HTTPS, the NSA has little other options to collect Facebook user data than PRISM.

FISA 702 is being used for a much broader area of bulk collection programs that siphon off large portions of internet traffic directly from the internet backbone. Something you know only too well.

No, I don't know this. Although there are many Snowden documents published, there are so many question marks remaining, so that at least I realize that it is still very, very little known about NSA programs and operations.
PRISM and UPSTREAM (and its British counterpart TEMPORA) are somehow an exception, we know pretty much about these programs, not only because of the Snowden documents but even more because of the detailed PCLOB and ISC reports.

And I think that these programs are the most important ones, the ones they collect the most intelligence out of, simply because many of the biggest internet hubs are on British and American soil, and most of the major ISPs are located in the US, so it is very easy to compel them to hand over data.
Of course they have other options, but these other options all have seriousshortcomings. They can hack (like Belgacom), but this is risky and doesn't work on a big scale. Or they can try to partner with companies or other governments, but then they cannot demand, they have to negotiate. And at least in cases when they cooperate with other democracies (like Germany), the governments of these countries will very likely insist that data of own citizens are carefully filtered out. The German "NSA-Untersuchungsausschuss" so far clearly shows that these filters led to very limited results.

Dirk Praet • October 15, 2015 8:24 AM

@ Rolf Weber

I don't narrow down, I stay on topic. The Schrems case is about Facebook, and since Facebook is HTTPS, the NSA has little other options to collect Facebook user data than PRISM.

I believe the thread's topic here was the EUCJ's ruling against Safe Harbour, and - although tightly connected - not the Schrem's case against Facebook. Facebook completed its transition to https no earlier than July 2013, meaning that before that date significant portions of Facebook traffic could be intercepted in the clear without the need to resort to PRISM. Although long overdue, it was a good move some other (known) PRISM inductees like Yahoo waited even longer with, IIRC.

And I think that these programs (PRISM & UPSTREAM) are the most important ones, the ones they collect the most intelligence out of

Which is speculation on your behalf because you have no way of knowing. And even if true does not in any way contradict my statement of massive bulk collection under 702.

The German "NSA-Untersuchungsausschuss" so far clearly shows that these filters led to very limited results.

To the best of my knowledge, the committee still hasn't received the NSA selector list they have been asking for. In absence of which the entire investigation is a dud that will indeed reveal little to no wrongdoing by lack of formal proof thereof.

Laura | Dutch law firm AMS Advocaten • December 14, 2015 8:40 AM

Thanks for sharing the interesting links, I am wondering when the US will take on the safety of data and if the NSA will get punished in any way. What do you think?

Name (required):

E-mail Address:

URL:

Fill in the blank: the name of this blog is Schneier on ___________ (required):

Comments:

Allowed HTML: <a href="URL"> • <cite> • • • <ul> <ol> <li> • <blockquote> <pre>

← Autonomous Vehicles as Bombs Information in Your Boarding Pass's Bar Code →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.

European Court of Justice Rules Against Safe Harbor

Comments

Leave a comment