How the US Is Playing Both Ends on Data Privacy

There's an excellent article in Foreign Affairs on how the European insistence on data privacy -- most recently illustrated by their invalidation of the "safe harbor" agreement -- is really about the US talking out of both sides of its mouth on the issue: championing privacy in public, but spying on everyone in private. As long as the US keeps this up, the authors argue, this issue will get worse.

From the conclusion:

The United States faces a profound choice. It can continue to work in a world of blurred lines and unilateral demands, making no concessions on surveillance and denouncing privacy rights as protectionism in disguise. Yet if it does so, it is U.S. companies that will suffer.

Alternatively, it can recognize that globalization comes in different flavors and that Europeans have real and legitimate problems with ubiquitous U.S. surveillance and unilateralism. An ambitious strategy would seek to reform EU and U.S. privacy rules so as to put in place a comprehensive institutional infrastructure that could protect the privacy rights of European and U.S. citizens alike, creating rules and institutions to restrict general surveillance to uses that are genuinely in the security interests of all the countries.

More broadly, the United States needs to disentangle the power of a U.S.-led order from the temptations of manipulating that order to its national security advantage. If it wants globalization to continue working as it has in the past, the United States is going to have to stop thinking of flows of goods and information as weapons and start seeing them as public goods that need to be maintained and nurtured. Ultimately, it is U.S. firms and the American economy that stand to benefit most.

EDITED TO ADD (1/13): Stewart Baker on the same topic.

Posted on January 6, 2016 at 6:14 AM • 46 Comments

Comments

ronys January 6, 2016 7:15 AM

Is there a precedent for the US (or any nation) taking the global perspective and choosing the long-term good over "national security"?

Winter January 6, 2016 7:43 AM

@ronys
"Is there a precedent for the US (or any nation) taking the global perspective and choosing the long-term good over "national security"?"

In the EU, privacy is a human right. Human rights protect every human, irrespective of nationality and place or residence.

So, at least for the EU courts, the right to privacy is applied in a global perspective. As for EU practice, I would not bet on it.

Ollorwi Osaro January 6, 2016 8:29 AM

Deception and Selfishness are dangerous weapons of cold war. America favours fraud instead of force to manipulate, dominate, and control the world.
When American policy strategists invented GLOBALIZATION and adorned her with the beautiful attire called DEMOCRACY and she charmed the world and immediately became the center of attraction and nations rushed to embrace her, many did not see the man behind the Masquerade and his intentions.
Today, the freedom, security, wealth, welfare and other goodies she promised are elusive.
Freedom and Security are two sides of the same coin. Both can't be on the same side at the same time. One diminishes as the other emerges.
America's attempt to place them equally together in whatever guise is responsible for her double standards, double speeches, rising deception and selfishness. And this is challenging sovereignties, destroying cultures, killing industries, suffocating economies, toppling governments, installing stooges and is attempting to imprison the world.
The balance between Freedom and Security must be well defined and established. America should be encouraged to abandon its selfish and deceptive tendencies in its efforts to police the world. Nations should learn to come out clear and straight when dealing with their citizens and other nations to ensure a peaceful world.

Rolf Weber January 6, 2016 8:31 AM

The conclusion is based on wrong prerequisites.

From the very beginning of the article:

In invalidating the agreement, the ECJ found that the blurry relationship between private-sector data collection and national security in the United States violates the privacy rights of EU citizens whose data travel overseas.

This is simply not true and a common misconception of the ruling, caused by inaccurate media coverage.

The ECJ did not find any violations. The ECJ did not rule at all about U.S. surveillance law or practice. The ECJ just invalidated SafeHarbor because the EU commission blew it, because they neither checked nor monitored WHETHER the U.S. is compliant with EU data protection.

The Schrems complaint is now back at the Irish Data Protection Commissioner. They will now examine if the U.S. has an adequate level of protection. And whatever the Irish DPC finds, it will most likely be challenged before courts. It is no more than a wet dream to believe the ECJ did acknowledge any Snowden-based claims. On the contrary, the moment of truth for the Snowden-lies has now struck.

Clive Robinson January 6, 2016 9:42 AM

@ AnonymousKiwi,

With regards to Chaum's PrivaTegrity, it appears to have certain similarities with the dining cryptographers problem.

However the comment that it,

    "is meant to be both more secure than existing online anonymity systems like Tor or I2P and also more efficient"

Gives me concerns over a number of things along the lines of "metadata" from "traffic analysis".

ianf January 6, 2016 10:03 AM


ATTENTION! ATTENTION! ATTENTION!

Rolf Weber is back. Hide the silver.

NO! wait! Count pieces first, record the integer sums in safely encrypted form on a Hello Kitty! USB stick, THEN hide the silver.

Winter January 6, 2016 10:04 AM

@Clive
"Gives me concerns over a number of things along the lines of "metadata" from "traffic analysis"."

If we look at another quote somewhat lower:


That ambitious privacy toolset aside, Chaum is also building into PrivaTegrity another feature that’s sure to be far more controversial: a carefully controlled backdoor that allows anyone doing something “generally recognized as evil” to have their anonymity and privacy stripped altogether.

Then I think you already spotted the backdoor.

Daniel January 6, 2016 10:43 AM

@AnonymousKiwi

Remember when I said some time ago that encryption itself has become a honeypot? This new PrivaTegrity is exactly what I mean. The article writes, "So he’s given the task to a sort of council system. When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications."

It doesn't break the cryptowars, lol. Does anyone think those nine people will in any way be independent? Of course not. So what is he doing? He's turning the allure of encryption into a honeypot. The same thing that Tor has done and that Freenet has done. What better way to get those who one perceives as "evil" (a constantly changing definition) to self-select than by engaging in a massive bait and switch.

blake January 6, 2016 11:19 AM

@Rolf
> the EU commission blew it, because they neither checked nor monitored WHETHER the U.S. is compliant with EU data protection.

Would you say the US non-compliance with the agreement was A) accidental or B) deliberate?

Bonus question: if the US says "we haven't secretly deployed a bulk data collection program", how much of the blame sits on the EU commission for believing it?


From the Stewart Baker article via @Daniel:

> The intelligence tools that protect us from terrorism are under attack

As in, the intelligence tools that weren't even compatible with the international agreements which enabled them?

Winter January 6, 2016 12:20 PM

A "curiosity":


Dutch Government Backs Uncrackable Encryption
http://fortune.com/2016/01/05/dutch-government-encryption-no-backdoors/

Why is this interesting?

The Amsterdam Exchange is the second largest internet hub in the world. This generates a sizeable economic impulse. The Dutch government does not want anything to damage its reputation.

Even though I wouldn't trust the two ministers mentioned to have much in the line of morals, they are defending economic self interest here. That gives us some hope.

Note that Dutch law enforcement are the ones who have found out how to break into union darknet servers to identify criminals. Not much need to break encryption here.

tyr January 6, 2016 12:52 PM


In the ancient parlance of Usenet.

> The intelligence tools that protect us from terrorism are under attack

Post proof or retract.

I haven't seen any evidence of intelligence tools
protecting anyone from anything. It cost the US
taxpayer 52 billion dollars to stop a Somali
cabdriver from sending money to his family. The
latest epic was to entrap a retarded kid.

I guess the dictionary definition of protect us
has mutated under Orwellian doublespeechy.

Rolf Weber January 6, 2016 1:20 PM

@blake

Your first question: There is no "US non-compliance" at all.

Your bonus question: The "Schrems v. Facebook" case is only about programs under which Facebook is compelled to hand over data. So it's only about PRISM.

Gweihir January 6, 2016 2:25 PM

@AnonymousKiwi:

On a quick glance, "lawful" access rests on 9 people agreeing. I would be very surprised if this works. For one thing, law enforcement can always cry "Child pornography!" or "Terrorism!" without giving good proof or with faked proof. These people will simply get overwhelmed. For another, coercing/corrupting/convincing 9 people is not that hard a problem, and neither is selecting 9 people that do whatever law enforcement want in the first place. This just moves the attack-space from technology to people. The human race has a _lot_ of experience on how to attack people that act as gate-keepers.

My take is this is just as much doomed to fail as all other systems studied so far that had "lawful" interception in them. It is disappointing to see somebody like Chaum fall for such an idea though.

ianf January 6, 2016 2:54 PM

@ Winter

> Note that Dutch law enforcement are the ones who have found out how to break into union darknet servers to identify criminals. Not much need to break encryption here.

Noted. Only… what are those "union darknet servers" and ?how? did the Dutch police accomplish that?

Philippe De Ridder January 6, 2016 5:37 PM

@Winter:
Another article backing this up: http://www.theregister.co.uk/2016/01/04/dutch_government_says_no_to_backdoors/

I wouldn't call it a curiosity but more something promising!
As Bruce pointed out numerous times, the fact that trust is no longer possible is actually arming security as a whole. What seemed inevitable with US gov agencies might come out just as an economic and social imperative in the end, as long as some governments discover that the "sieged" approach defeats the whole purpose.

Dirk Praet January 6, 2016 5:57 PM

@ Rolf Weber

> The ECJ just invalidated SafeHarbor because the EU commission blew it, because they neither checked nor monitored WHETHER the U.S. is compliant with EU data protection.

The ECJ did indeed rule that the EU Commission’s 2000 decision was invalid because, among other things, it only examined the Commerce Department’s Safe Harbor Privacy Principles, rather than the broader protections and statutory scheme in the US.

The DPD directive, however, required the Commission to assess the adequacy of the US’s protections more fully, not merely examine a single self-certification program, which - truth be said - was a ridiculous assumption. Given the range of national security-based justifications for the US gaining access to transferred data and the difficulty Europeans face in obtaining legal redress under US law, the ECJ said the Commission’s previous decision that the US’s scheme was presumptively adequate was invalid.

Although said ruling did not directly invalidate Safe Harbor itself, it indirectly reduced it to an empty shell that had its foundation knocked out from under its feet.

> The Schrems complaint is now back at the Irish Data Protection Commissioner. They will now examine if the U.S. has an adequate level of protection.

Which seems doubtful to say the least. I don't see how the EU DPD, GDPR and certain selections of the ECHR are compatible in any way with known USG mass surveillance under FISAA 702 (and the like) or "data sharing" under CISA. And even if the Irish DPC rules it does, it does not affect any other EU member state that rules otherwise. Even with Facebook and other US companies claiming that they fall under Irish jurisdiction only since that's where their EU HQ's are, several other member states have already replied that in providing services on their territory, they have to comply with their laws too.

Which is why on December 2nd of last year, Schrems filed additional complaints against Facebook with Data Protection Authorities in Belgium and Germany.

Until such a time that the EU Commission and the US negotiate a mutually acceptable replacement for Safe Harbor and which is held up by the ECJ, the short term future is a messy patchwork of different member state rulings and regulations that are going to be a nightmare to comply with for US companies, and with law suits galore.

@ Daniel

Stewart Baker is the typical imperialist American who believes that US legislation, surveillance and business practices by definition trump those of dominions like the EU and yet again uses the terrorist argument to validate his claims. These terrorists really do come in handy for types like him.

@ AnonymousKiwi

Re. Chaum

In theory, it's an interesting idea. In practice, these would be 9 people every TLA in the world would be after. So, no thanks.

unbob January 6, 2016 7:51 PM

Regarding Chaum:

1: Remind me how we are going to get criminals to opt-in to this scheme?

2: With the distributed encryption scheme, it seems like taking out a single server and its backups would render all the data unreadable.

Dirk Praet January 6, 2016 8:55 PM

@ unbob

Re. Chaum

It may of course be entirely coincidental, but Nine Server Administrators = NSA .

Buck January 6, 2016 10:11 PM

What if, instead of 9 highly vulnerable endpoints, we instead chose some practically reasonable number (9,000? I dunno, totally arbitrary...) of 'randomly' selected people to make the decision within a time period limited enough to avoid widespread coercion..?

Obviously, if the jurors' keys have been assigned from top->down in some sort of hierarchical structure, the very same vulnerability would remain above... Is there not a type of distributed hash-based notary-like solution that could potentially solve this particular issue?? Could we then possibly assume that our keys can solely be issued in a verifiable physical format, and then they would not normally be digitized by careless/clueless caretakers/users?

However, deciding on an acceptable (non-tampered-with) hash function has a quite similar problem as with our original 9 (or other small number)... Not even to mention the randomness - is there no way to agree upon this property enough without any specific party being able to easily manipulate it?

Full disclosure: I think this is a shitty idea with far too many intrinsic loopholes to succeed...

In my dream-world, all 'collected' data ('relevant' or 'incidental' - examined or not) would be immediately released as part of the public record upon conclusion of every trial. (With the common understanding that today's prosecution and police forces are subject to the same rules in the future without privilege)

In my perceived-world, there's no stopping the inevitable exponential snooping expansion via feel-good legal-niceties... :-\

Winter January 7, 2016 1:55 AM

@ianf
"Only… what are those "union darknet servers" and ?how? did the Dutch police accomplished that? "

Sorry, typo. The web sites with .onion TLD for anonymous hidden services reachable via the Tor network.
https://en.wikipedia.org/wiki/.onion

They did it in the most obvious way. Every active web site has bugs. They simply look to break in by way of the web site just like you do with ordinary web sites.

They do it for child porn rings and have done it for bot nets.

https://lists.torproject.org/pipermail/tor-talk/2011-September/021305.html

Rolf Weber January 7, 2016 2:07 AM

@Dirk Praet

> The DPD directive, however, required the Commission to assess the adequacy of the US’s protections more fully, not merely examine a single self-certification program, which - truth be said - was a ridiculous assumption.

That's correct.

> Given the range of national security-based justifications for the US gaining access to transferred data and the difficulty Europeans face in obtaining legal redress under US law, the ECJ said the Commission’s previous decision that the US’s scheme was presumptively adequate was invalid.

That's incorrect. Again, the ECJ didn't deal at all with U.S. law or practices.

> I don't see how the EU DPD, GDPR and certain selections of the ECHR are compatible in any way with known USG mass surveillance under FISAA 702 (and the like) or "data sharing" under CISA.

This "mass surveillance" is no more than your humble opinion. It is important to keep in mind that the ECJ didn't say this at all.

> Which is why on December 2nd of last year, Schrems filed additional complaints against Facebook with Data Protection Authorities in Belgium and Germany.

Yes. And the Belgians did something nobody else did so far: They asked an expert about what U.S. surveillance law and practices really look like. And believe me, neither the Belgian, Irish nor the German DPAs can ignore Peter Swire's bold facts:

https://fpf.org/wp-content/uploads/2015/12/White-Paper-Swire-US-EU-Surveillance.pdf

In short: 702 is lawful, targeted surveillance, under strict oversight, and a very, very small number of Facebook users are affected.

> Until such a time that the EU Commission and the US negotiate a mutually acceptable replacement for Safe Harbor and which is held up by the ECJ, the short term future is a messy patchwork of different member state rulings and regulations that are going to be a nightmare to comply with for US companies, and with law suits galore.

Yes, it's an ugly mess the EU-Commission caused. I'm pretty sure they now badly regret that they repeated the unproven Snowden-claims so carelessly.

Wesley Parish January 7, 2016 2:36 AM

> Yet the EU may have found a way to force the United States to pay a price for its dominance. Although the ECJ has no jurisdiction over the U.S. National Security Agency (NSA), it does have jurisdiction over the European operations of American firms. Its ruling demonstrates that the more Washington tries to leverage the interdependence of the global system for its own security goals, the more other states and their courts will actively resist a U.S.-centered global economy.

New Zealand, 1984, Fourth Labour Government, deja vu. That's how New Zealand's Nuclear Weapons Free Bill worked. People worldwide were sick of the US working unilaterally and demanding everybody else clock in to Washington hours, so the US found itself working the hustings against Mikhail Sergeievich when he put the Arms Control talks under perestroika, each trying to win the public's support.

I don't think Washington's very good at understanding history.

> One of the great luxuries of hegemony is the ability to take the world for granted.

The Republicans still believe that it was all due to the Gipper.

> Under Section 311 of the U.S.A. Patriot Act, the U.S. Treasury Department has the ability to classify a foreign financial institution as a “primary money laundering concern.”

I wonder if Washington realizes that most "Western" countries consider the method of raising election finances in the US - dark money in return for influence - makes the US's PAC institution a money-laundering concern? I'm also wondering if the EU might decide to consider US elections invalid and thus the US incapable of entering into valid treaties because of widespread money laundering and political corruption in the US election process? It's not impossible.

Dirk Praet January 7, 2016 7:56 AM

@ Rolf Weber

> Again, the ECJ didn't deal at all with U.S. law or practices.

Although technically the ECJ ruled invalid the Commission's decision on grounds of failing to properly assess adequacy of US protections, it's pretty obvious that Snowden's revelations were the underlying reason for suddenly questioning these protections in the first place. And which Irish High Court Justice Hogan had also explicitly and abundantly done in his June 2014 ruling, giving Schrems legal standing, overruling the Irish DPC and referring the case to the ECJ. Something you consistently and conveniently fail to mention.

> This "mass surveillance" is no more than your humble opinion.

It's neither humble nor mine alone, but the well documented view on the matter by security professionals, legal scholars, privacy and civil liberties organisations and activists all over the globe.

> neither the Belgium, Irish nor the German DPAs can ignore Peter Swire's bold facts:

This is Swire's opinion. Whether or not it's factual and well founded will be up to the courts to decide. Note that he also extensively points at all the remedial actions the US has undertaken since 2013 and which would never have happened if it hadn't been for Snowden. He may however still have to re-do his homework now that CISA has become law, and which doesn't seem to get mentioned anywhere in his paper.

As to Facebook, they're losing battle after battle in Belgium. In November last year, they were ordered to stop tracking non-FB users. And yesterday, a US judge has given Belgian KBC Asset Management and other groups of investors a green light to start several class action suits against Facebook.

> I'm pretty sure they now badly regret that they repeated the unproven Snowden-claims so carelessly.

Don't be daft, Rolf. The EU Commission's decision on adequacy of US protections goes back to 2000. That's 13 years before Snowden.

keiner January 7, 2016 8:57 AM

Wow, the BND has a sock puppet for this forum? Un-be-lievable!

Verfassungsschutz pays all the Nazi-Gangs in this land, BND sells data from European "partners" to the US for obtaining data on Germans in return. Idiotic times we live in! And nobody cares, as long as there is a new Apple trash, some soccer and cheap alcohol...

Rolf Weber January 7, 2016 9:17 AM

@Dirk Praet

> Although technically the ECJ ruled invalid the Commission's decision on grounds of failing to properly assess adequacy of US protections, it's pretty obvious that Snowden's revelations were the underlying reason for suddenly questioning these protections in the first place.

I don't deny this. I only deny that the court acknowledged any of Snowden's "revelations" or ruled that the USA violated anything.

> And which Irish High Court Justice Hogan had also explicitly and abundantly done in his June 2014 ruling, giving Schrems legal standing, overruling the Irish DPC and referring the case to the ECJ. Something you consistently and conveniently fail to mention.

Did you watch Schrems' talk at 32C3? He himself described how the court rushed over Snowden's "revelations" in 15 minutes or so. Nobody can take this seriously. This was just not what the court had to decide about (and you find this in the ruling too, if you read it mindfully).

> This is Swire's opinion. Whether or not it's factual and well founded will be up to the courts to decide.

Exactly! That's what my main point is: The game has just begun. Now, when the Snowden "revelations" are really challenged before courts, we will experience how much they are really worth.

> Note that he also extensively points at all the remedial actions the US has undertaken since 2013 and which would never have happened if it hadn't been for Snowden.

It is always possible to improve a system. And Swire mainly wrote about it because the Europeans completely ignored the fact that there were a lot of changes after Snowden.

And isn't it that people like you say that these changes are minor and cosmetical?

> He may however still have to re-do his home work now that CISA has become law, and which doesn't seem to get mentioned anywhere in his paper.

Why should he mention absurd conspiracy theories?

> Don't be daft, Rolf. The EU Commission's decision on adequacy of US protections goes back to 2000. That's 13 years before Snowden.

I mean COM(2013) 846 and COM(2013) 847. Snowden-inspired hysteria.

The ECJ explicitly referred to these statements. And even I say that it should not be possible that the EU-Commission on the one side accuses the U.S. of conducting "mass surveillance", but on the other side, for purely pragmatic reasons, wants to maintain SafeHarbor.

Dirk Praet January 7, 2016 10:29 AM

@ Rolf Weber

> This was just not what the court had to decide about (and you find this in the ruling too, if you read it mindfully.

For $DEITY's sake, Rolf: read the ruling. The Irish High Court overruled the DPC because of serious questions about adequacy of US protections and legal redress raised by Snowden's revelations, and which they thoroughly argued. If you want to interpret it any other way, feel free to do so but then go find yourself another forum to troll.

> That's what my main point is: The game has just begun.

No, Rolf. It's been going on for several years. The ECJ's decision was final and whatever the Irish DPC finds on the essence of the matter no longer has any bearing on other EU member states. Safe Harbour today is dead, and from what I hear no significant progress has been made on a replacement since both sides are deeply entrenched in their own positions. And from which US companies stand to lose the most. This has nothing to do with protectionism, as is often claimed by the US, but everything with the fact that world and dog are fed up with US unilateralism and the mistaken belief that they can globally impose their own rule books.

> And Swire mainly wrote about it because the Europeans completely ignored the fact that there were a lot of changes after Snowden.

No, they didn't. Just like most other analysts they considered most of these "improvements" purely cosmetical. The fact they happened at all also completely undermines your thesis that Snowden's revelations were nothing but felgerkarb, but that they were in fact a major embarrassment they couldn't just sweep under the table or ridicule the way you do.

> Why should he mention absurd conspiracy theories?

You obviously fail to understand the implications of CISA on the privacy of EU data US companies can now share at will with the USG. And CISA became law AFTER Swire wrote his paper.

> I say that it should not be possible that the EU-Commission on the one side accuses the U.S. to conduct "mass surveillance", but on the other side, for pure pragmatic reasons, wants to maintain SafeHarbor.

From a pure economic perspective, Safe Harbour makes sense for both parties. What doesn't make sense to the Commission is the USG weaponising the hegemony of its technology industry for national security purposes, in the process trumping other nations' privacy, civil liberties and human rights legislation. So there really is nothing wrong or contradictory to its stand.

Rolf Weber January 7, 2016 3:22 PM

@Dirk Praet

> The Irish High Court overruled the DPC because of serious questions about adequacy of US protections and legal redress raised by Snowden's revelations, and which they thoroughly argumented. If you want to interpret it any other way, feel free to do so but then go find yourself another forum to troll.

I just repeated what Schrems "explained" at his 32C3 talk. Blame him, not me.

> No, Rolf. It's been going on for several years.

I spoke about the interpretation of the so-called Snowden "revelations". This has just begun. From now on we will see what they are worth before courts.

> You obviously fail to understand the implications of CISA on the privacy of EU data US companies can now share at will with the USG.

Priceless.
Aren't you one of the few lovely folks who still believe in the Snowden tale that all major U.S. internet companies already grant the U.S. government "direct access" to all of their backend servers? So if this wild Snowden claim is true, what could CISA make worse? LOL.

Dirk Praet January 7, 2016 6:19 PM

@ Rolf Weber

Consider your contributions noted. I have no further desire to reply to your condescending and irritating ramblings. You may have noted that nobody else bothered to do so. Most people here have given up on your endless spinning and regurgitating a long time ago.

ianf January 7, 2016 7:18 PM


@ Winter

union darknet servers = .onion anon hidden services accessible via TOR

A–OK. Thought I missed emergence of some [European?] union DarkNet or something. I still remember the hoopla surrounding the c:a 1998? sudden appearance of the Hotline p2p distributed BBS followed by blooming and just as sudden decline. Nice to hear it's still around if in skeletal form (imagine: an entire parallel email+web not relying on either SMTP or HTTP protocols, NSA must've had to write an extra, special client to weed out its TCP/IP packets from the firehose ;-))

Thanks for the heads up of the 2011 Dutch police apparently breaking in to specific hidden web servers, but not breaching the onion skins of the TOR transport layer. Initially, it sounded as if they've gone after the .exit nodes, but apparently not.

Rolf Weber January 8, 2016 12:36 AM

@Dirk Praet

I understand it is pretty embarrassing to answer this simple question:

Why is it necessary to spin absurd conspiracy theories about CISA when the U.S. government already has a "direct access" to the backend servers of all major U.S. internet companies (like your hero Snowden claimed, and you repeated)?

Nick P January 8, 2016 1:07 AM

@ Rolf Weber

Ultra-easy to answer: those programs are highly classified with their deliverables only supposed to be used with parallel construction. They're still classified after the Snowden leaks. Prior protocols remain in place albeit with more security. So, an excuse to cover up the use of intelligence capabilities against domestic parties is still desirable. Better to say an online service provider reported them than that the NSA dodged the Constitution.

Interestingly enough, these same tricks showed up in DEA leaks and in Stingray-related advice to law enforcement.

Clive Robinson January 8, 2016 2:35 AM

@ Rolf Weber,

You appear to have a blind spot to recent history.

Do you remember that various phone companies had quite illegally allowed representatives of the USG to place equipment on their premises to siphon off not just call data but calls as well? And that the Bush Administration had to pass retrospective legislation to protect them from being sued?

Further have you any idea how much equipping and running those rooms cost, both the USG and the telcos, especially in the game of "catch up with the technology"?

CISA is in effect a way of "outsourcing" the issue entirely onto the telcos, and in turn the price is paid in more ways than one by the customers. It also kicks away an argument that privacy conscious companies have tried using to stop the secret court orders and NSLs, that of "forced liability".

I could go on with other "obvious to others" aspects, but I don't need to.

You have some kind of "reverse conspiracy theory mania" about the Ed Snowden document trove, where you appear to be in significant denial and consistently try to raise points that either get shot down or have been shot down in the past.

So an easy question for you: "Why do you persist in your ideas, that do not pass the 'sniff test', and keep pushing them to have them shown to be wrong?"

Others here have tried in the past to politely point out to you that you have issues you need to address in this respect, but you persist. Most for some time have just ignored you, but you persist, and now I can see some of the comments are no longer polite, they are mocking, which is never a good sign.

Thus you have failed to get what you believe across to others, primarily because they can easily find opposing evidence. You continue to "reboil your cabbage" and they no longer see the point of engaging with you as you fail to listen to them, thus some now mock you. Can you see this is unlikely to get better if you keep "reboiling"?

Rolf Weber • January 8, 2016 2:41 AM

@Nick P

1. You didn't disappoint me. :-)

2. We compare here FISA section 702 with CISA, and it is very clear that CISA is much more limited on how the government is authorized to use the collected data than 702. And in both cases, at the end of the day the data comes from private companies. So your explanation makes no sense to me.

3. We are discussing here in the context of data from Europeans, not U.S. citizens or residents, where fears of "misuses" like "parallel construction" do not apply anyway (in the U.S., like in virtually all other countries too, data of foreigners abroad is fair game anyway).

Dirk Praet • January 8, 2016 5:23 AM

@ Rolf Weber

I understand it is pretty embarrassing to answer this simple question

No, more like irritating and as pointless as a pencil without lead. But anyway:

Look into my eyes, look into my eyes, the eyes, the eyes, not around the eyes, don't look around my eyes, look into my eyes, you're under ...

OK, Rolf. This forum has nothing to do with IT security, technology or whatever. You're in the wrong place. Nobody here has ever heard about Snowden or has a clue what you're talking about. Bruce Schneier is a world famous cook. We discuss vegetarian recipes and stuff here. You hate vegetarian food. You're absolutely disgusted by it. The foul stench of cauliflower and potato curry here makes you want to throw up. You don't ever want to visit this forum again.

Three, two, one... You're back in the room.

Clive Robinson • January 8, 2016 6:04 AM

@ Rolf Weber,

Sorry, like many other security-conscious people these days I don't use Google "plus spy on you" services whenever I can avoid them.

Or for that matter others like Facebook, LinkedIn, News International rags and now all of Micro$haft's current products and older ones that are not on "energy gapped" systems. But you should be aware of that from my many previous comments to that effect, or others responding to them over the years (I won't claim I saw this exact current mess arising, but I am on record of predicting similar, due to past experiences in employment etc, focusing my point of view in that direction).

Therefore, like increasing numbers of Europeans, I don't frequent US and other Corp data logging sites. Or for that matter anywhere with a paywall, login, etc or that requires the use of java, javascript, flash, etc, etc. Oh and perhaps more radically, I also regard most Internet "security" such as TLS/IPSec/Tor/etc as anything but secure or trustworthy.

It's not just to deny the Corps the data by which they will profit at my expense, but also in part I'm mindful of a comment attributed to a French Cardinal with dire political aspirations. But also in part because in the past for some reason people on this blog --for reasons they did not specify-- have tried to track me down in "Real Life".

Further and perhaps more importantly, as some of this blog's readers are aware, I've designed, manufactured and sold targeted surveillance equipment, some considerably more advanced than in the TAO catalogue, so have a knowledge of the capabilities of surveillance in specific and general.

Which is why I try not to needlessly do things which might compromise my professional or personal wellbeing.

Look on it if you will as justified segregation of roles between aspects of my professional life that employers amongst others get lawyers involved in to word into contracts etc etc (layer seven and up in the computing stack).

Which brings me back to my previous comment here and why it's only fair that I judge you here by only what you have posted here. That as you and others can see people here have also judged you by and repeatedly shot you down for.

That said, from what I've seen in comments made here and in other places about Google Plus, etc, etc you may probably have revealed rather more about yourself professionally and personally than is wise. Given the increasing use of doxing and employers coming down heavily on employees that are of independent opinion, it's something that many are becoming cautious about, hence articles about "chilling effects" on free speech etc. I guess that's one of life's many choices you have decided to take --that a more cautious person would consider-- a needless risk...

Rolf Weber • January 8, 2016 7:32 AM

@Clive Robinson

Can you link to any example where someone "did shoot me down" here on this site?

And I absolutely deliberately chose to make it quite easy to "track me down in real life". If this will somehow or somewhen backfire at me, then it will be. Que sera, sera. I don't care when others choose to post "anonymously", but I never did and never will.

Clive Robinson • January 8, 2016 8:42 AM

@ Dirk,

Gerard van Vorren made a suggestion about feeding.

Therefore, a constructive use of my time would be to make a veggie curry, and swap the recipe. Mind you I need to cut out the Vitamin K green veggies if I don't want to make a clot of myself...

anon • January 10, 2016 4:06 AM

@everyone: in your natural concern to secure privacy and security, regrettably most of you (including the trolls) have followed Max Schrems' script and missed the point. The Court very properly declined to make findings of fact as to mass surveillance, leaving those to lower courts. The reasoning in the CJEU Schrems ruling ultimately is about who's in charge of deciding whether transferee data protection is equivalent to protection in Europe: the regulators, Courts, and Treaty; or the Commission. The Court decided the former. Safe Harbor was struck down merely as a logically and legally necessary consequence of that decision. It can hardly be put better than the final judgment itself:

"1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.

2. Decision 2000/520 is invalid."

Some consequences: this is the tip of the iceberg. For instance Safe Harbor 2.0, whatever it says, necessarily will be struck down by the Courts for the same legal reasons (and therefore left to the regulators). All the other EC protection adequacy decisions, such as BCRs, SCCs, Seals, and the approved nation list, are likewise questionable by the regulators, who already are challenging them. Schleswig-Holstein is even challenging consent as an adequacy mechanism.

As to what the regulators think, the Congressional activity at the moment can achieve nothing until and unless Congress awards EU data subjects similar rights to those afforded them in Europe, which currently translates to far better rights against US companies and governments than are afforded US citizens. Reality check: never going to happen.

By the way, it's not a citizenship or residence thing. European privacy law has always been about location. So US tourists, etc, are protected by EU privacy law, even in the foreign cases in which I've interfered...

Rolf Weber • January 10, 2016 3:43 PM

@anon

The Court very properly declined to make findings of fact as to mass surveillance, leaving those to lower courts.

Exactly. This is my main point here, and this is why the Foreign Affairs article is not as excellent as Bruce Schneier advertises, because the article's conclusions are built upon wrong facts.

For instance Safe Harbor 2.0, whatever it says, necessarily will be struck down by the Courts for the same legal reasons (and therefore left to the regulators).

Nope. The ECJ explicitly left the door wide open for the EU Commission to agree with the U.S. to another SafeHarbor deal. Of course the EU Commission had to do their homework. But I'm sure this approach would work:

1. Sorry, our Snowden-inspired statements COM(2013) 846 and 847 were bullshit.
2. The U.S. grants an adequate level of data protection. We carefully reviewed the U.S. surveillance regime and can confirm that it is lawful with strict constraints, under strict oversight and thus absolutely comparable with European standards.
3. We will carefully monitor the U.S. surveillance regime and shut down or stall SafeHarbor if there are serious doubts that the U.S. grants an adequate level of data protection.

Boom. That's it. Of course local authorities could then still challenge specific data exchanges, but you seem to fail to realize that then these local authorities would carry the burden of proof.

All the other EC protection adequacy decisions, such as BCRs, SCCs, Seals, and the approved nation list, are likewise questionable by the regulators, who already are challenging them. Schleswig-Holstein is even challenging consent as an adequacy mechanism.

Schleswig-Holstein. Sorry, but LOL.

By the way, it's not a citizenship or residence thing. European privacy law has always been about location. So US tourists, etc, are protected by EU privacy law, even in the foreign cases in which I've interfered...

The same is true for EU tourists in the U.S.
