New Rules on Data Privacy for Non-US Citizens

Last week, President Trump signed an executive order affecting the privacy rights of non-US citizens with respect to data residing in the US.

Here's the relevant text:

> Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

At issue is the EU-US Privacy Shield, which is the voluntary agreement among the US government, US companies, and the EU that makes it possible for US companies to store Europeans' data without having to follow all EU privacy requirements.

Interpretations of what this means are all over the place: from extremely serious, to more measured, to don't worry and we still have PPD-28.

This is clearly still in flux. And, like pretty much everything so far in the Trump administration, we have no idea where this is headed.

Posted on January 30, 2017 at 6:04 AM • 85 Comments

Comments

Tim Bradshaw • January 30, 2017 6:23 AM

Here's a small-scale example of what this sort of thing will do. I run a tiny UK-based company & I've been migrating our various hosting provision from a UK company to an (excellent) US company. Except, now I won't be doing that: I'll be looking for an EU-based company instead.

Well, no-one cares or should care about what we do of course, but it's reasonably likely that other, larger, companies (perhaps even US companies!) will be doing the same thing.

It doesn't actually matter what the interpretation of the executive order ends up being: what is now extremely obvious is that the US is no longer a safe place to do business, if the security of your information matters to you at all. Rather than hoping that the ruling is interpreted in a good way, the safe thing to do is to move business to a country where this is not in doubt.

Ion • January 30, 2017 6:24 AM

This is fear mongering. With Obama things were "clear" and that meant discretionary power to kill, secret courts, gag orders and a largish data center to store nobody knows what. IMO things are going in the same direction, only the face is different.

r • January 30, 2017 7:07 AM

@Tim Bradshaw,

It's alright, this is signaling through smoke. It aids the logic behind offshoring (wrt US companies), go ahead you would be right to make such a decision in the face of the unknowns on this side of the fatlantic.

r • January 30, 2017 7:12 AM

@Tim Bradshaw

Why would Trump want foreign companies to invest in US technologies, SaaS or more aptly Silicon Valley? They for the most part obviously don't like him and I'd think that the feeling is mutual considering. ;-)

// I'm tellin' y'all it's sabotage

Couldn'tPossiblyComment • January 30, 2017 7:22 AM

I understand Bruce has his own political bias which has been aired quite a bit of late, but until this most recent administration, the blog on security matters was mostly apolitical & prepared to give credit & criticism where appropriate. The sour grapes in the last line in particular is uncalled for. Obama's administration did plenty of questionable things and we had no idea where they were headed either (the last few months proving that beyond a doubt).

It was the EU that threw out Safe Harbor courtesy of Facebook, let's not forget. It was the NSA under Obama, Bush, and probably Clinton that decided it's ok to invade the privacy of every non-American. The clickbait articles also appear to have missed this statement from the European Commission, which is included in the 'extremely bad' link: "The US Privacy Act has never offered data protection rights to Europeans." (emphasis mine). The EU is going to continue to demand privacy protections as part of the Privacy Shield agreement, which has been under review & is not yet agreed anyway.

Here's a thought - maybe US companies that want to do business in the EU should have to follow the EU's privacy laws. Why do I imagine that, if the situation were reversed, the US would never agree to lax EU privacy laws compared to their own?

Dirk Praet • January 30, 2017 7:22 AM

It all depends on how "to the extent consistent with applicable law" is being interpreted, and in how far said interpretation by both administration and judiciary will be public or secret. If the temporary immigration ban provides any clue, the closed circle of Trump's advisors appears to be seriously out of its depth both about statutory law and the US Constitution, which will only further fuel the concerns of Privacy Shield opponents.

Winter • January 30, 2017 7:29 AM

Two points:
1) Like r, I think part of this is blackmailing Silicon Valley companies and California/NYC.

2) This is a huge opportunity for Canada (Vancouver) and Mexico (Tijuana). Just tell Silicon Valley that they will welcome any expats needed in California/Washington State. Same for Montreal and Toronto.

keiner • January 30, 2017 7:29 AM

@Tim Bradshaw

Serious question (really!): Is there any kind of data protection in the UK anymore, considering anti-terror stuff and snoopers charter? Where do you wanna go nowadays with your data?

In Germany there was big outcry after Snowden, but some weeks ago they simply made all the sniffing around in any kind of traffic LEGAL by new laws. Plus Vorratsdatenspeicherung (aka storage of all kinds of metadata). So: F*cked!

Do you want to host a server on a floating ship somewhere in the North Sea? Which jurisdiction would you prefer nowadays?

Winter • January 30, 2017 7:36 AM

@keiner
"Which jurisdiction would you prefer nowadays?"

Iceland?

Also, a lot can be learned about "safe" hosting from cyber criminals. I would not go for "perfect" security, which is unattainable anyway, but for setting the bar high.

Nile • January 30, 2017 7:41 AM

It's security theatre, and it makes you - in the US - rather less secure.

I would echo Tim Bradshaw's point: European companies shipping data out to the US are now legally forbidden to do so - all storage and processing of identifying personal information must remain within a legal jurisdiction complying with EU data protection law, or an agreed framework of mutually-equivalent laws.

That's gone now. And it's gone for US companies holding identifying personal data and any confidential information - personal correspondence, medical records - on EU nationals. That's an impact on Microsoft, Apple, and Google, to name a few.

The data protection framework that you *used* to have meant that you could still get at this data with a warrant, while it was within the US: data protection law does not protect a European Citizen against a targeted criminal investigation backed up with the proper judicial authority.

Nor did it protect us against a request to the United States security services - officially it did but, unofficially, they probably would go looking - and the US agencies probably would get what you wanted. Or just look it up in the existing (illegal) trawl through everyone's data.

Where it is now - or will be, soon - requires a far more demanding warrant request, to a foreign court. Officially or unofficially, an intelligence operation would require co-operation from a foreign government: they might not agree, and they might not be capable. And they might redact the data, for reasons of their own.

So: less secure, for your government.

And what will be done, unofficially, with that data? An awful lot of people will get access to it, starting with the officers and border agents in the airport.

That information will be misused. Some of those border officials will be Dominionist Christians; and transgender, gay or atheist travellers who open their address books are exposing their contacts to discrimination or real danger. Some of those Border agents, and their data processing staff, will be corrupt; a trade union organiser's address book will, in certain countries allied to the US, turn up in death lists used by local paramilitaries or the domestic police - there's history for that in Latin America and the problem hasn't really gone away.

And, you know, it's unpleasant for everybody. What you've got is a bunch of junior officials interacting with ordinary citizens, and thoroughly enjoying the power to intrude on their private correspondence and their contact lists. It's intimidating, and it's meant to be: entering the US now requires a deliberate and definite act of submission to the TSA and Border agents.

That's got the smell of countries where they have a fifty-foot gilded statue to the National Leader and Father to the People, and no-one ever disagrees with their wise and beneficent ruler.

tfb • January 30, 2017 7:56 AM

To respond to a couple of comments on my comment.

What I was trying to say was that it does not really matter whether this makes the US less safe as a home for data or not: what matters is that people (including me) will now decide that, in the presence of other options, the right decision is to take some other option so we can stop worrying and get on with our business. Not hosting data in the US is one less thing to worry about.

@keiner: no, I assume that the UK is as compromised as the US. I will be looking for an EU-based hosting company. Indeed, if anyone knows of such (we want minimal (static file) web, mail, & DNS with an orientation towards technically-literate people, from a company in a good jurisdiction) I'd be interested in knowing of them.

keiner • January 30, 2017 8:24 AM

@tfb

Face it, this interweb-thingy is dead. And the little orange hands are going to bury it. Modern is over, we are back to square one. Will China kill Trump as the USA killed Hyttlar and mutate to the mother of democracy? I'm a little skeptical at the moment, I must confess...

Trent • January 30, 2017 8:34 AM

> Interpretations of what this means are all over the place

Does *Trump* have any idea what it means? He's the creepy face on the front of this crazy train, but I'm also concerned about the conductor.

Dirk Praet • January 30, 2017 8:42 AM

@ keiner

> Is there any kind of data protection in the UK anymore, considering anti-terror stuff and snoopers charter?

As long as the UK has not left the EU, they are bound by the EU Directives and rulings of the EUCJ governing the matter. But unless you can afford an expensive uphill legal battle, I'd move my data out of there. As Germany is getting increasingly bad too, I'd recommend Switzerland or Iceland for the time being, unless you want to take your chances with some dodgy company in Romania or Ukraine.

@ Nile

> ... all storage and processing of identifying personal information must remain within a legal jurisdiction complying with EU data protection law, or an agreed framework of mutually-equivalent laws.

You can still go with US companies that have or are building data centers on European soil (Google, MSFT), but I suppose it's just a matter of time before the USG works its way around the recent Microsoft Ireland ruling with exactly this sort of EO's.

@ Couldn'tPossiblyComment

> The US Privacy Act has never offered data protection rights to Europeans

The specific issue on the table here is the Judicial Redress Act of 2015, not the old Privacy Act.

> maybe US companies that want to do business in the EU should have to follow the EU's privacy laws

As if EU companies that want to do business in the US don't have to follow US laws. Why do some Americans keep thinking that somehow their law trumps everyone else's, even outside its jurisdiction?

ab praeceptis • January 30, 2017 8:48 AM

Dirk Praet

Iceland? Maybe. But Switzerland? Hey, they bent over in pretty much every direction for the US-Americans. Hell, they even broke their core business, banking, just at Washington's pleasure.

keiner • January 30, 2017 8:54 AM

Switzerland is dead, as safe haven for data. And, by the way, ALL alternatives discussed in ANY internet forum are dead... ;-)

Who? • January 30, 2017 9:58 AM

Ok, Donald Trump will take the next step on this world cyberwar against privacy... let us change the rules then!

- use OpenBSD and software tools written outside the United States only;
- same about hardware, including support to fully auditable open hardware projects;
- use open source and free software only, request developers to provide "secure by default" settings on these software products;
- get your software and firmware updated;
- build firewalls everywhere, if possible based on non-Intel, non-AMD too, hardware platforms or at least supporting old, non-Intel ME and non-UEFI, firmware;
- avoid U.S. based corporations where possible;
- use strong cryptography;
- learn true OPSEC (I know some people here do not like this term, but you got the idea);
- support privacy and security either technologically (developing tools and good documentation, giving advice) and economically (e.g. donating to the OpenBSD Foundation and other non-U.S. based security related projects), if you are not technically knowledgeable;
- keep your software settings as simple as possible, understand your network and systems.

These are just a few pieces of advice that come to my mind, but I am far from being an expert on security. A lot of more knowledgeable people will provide better advice here.

Who? • January 30, 2017 10:13 AM

...and, of course, airgap anything you can. We had been using "airgapped" computers for decades and they worked, right? An energy airgap is a bit overkill to avoid mass surveillance, in my humble opinion, but lots of systems should be airgapped these days. There is nothing wrong with this approach.

Grant Hodges • January 30, 2017 10:21 AM

Somebody noted above that Bruce has his own political viewpoints, which he has been airing out quite a bit lately. Well, we just had an election, his team lost. He probably is somewhat abashed about it. So I don't mind.

"And, like pretty much everything so far in the Trump administration, we have no idea where this is headed."

Actually we do. Trump is, amazingly enough, doing something I have not seen happen before in my lifetime. Usually the first week after the inauguration, the new president, say Bill Clinton, will right off start explaining why he isn't going to be giving that middle class tax cut he campaigned on, because things are much worse than he was led to believe at the Treasury. They all do it.

Except Trump. Never seen a president immediately start out to do what he said he would do when he was campaigning. That's not happened as far back as Reagan.

Some are complaining on the news that Trump's announcement of immigration restrictions was haphazard and Schumer said that the various government agencies didn't even know what was going on when Trump announced. LOL, that's because it was the announcement.

Obama and Bush before him telegraphed everything they did. They would tell the Taliban when it would be safe to start raping and pillaging again, announcing U.S. withdrawal dates with a straight face.

I can't explain why you would announce a cessation of immigration from terrorist countries in advance. Think about it. :)

HJohn • January 30, 2017 10:21 AM

We haven't had a good president in my lifetime, and may never have one. One reason is that those who would be best for the job are precisely the people who are wise enough to not subject themselves to the responsibility and scrutiny.

The natural progression of things is also problematic. After 9/11, President Bush no doubt overreached (conversely, it is unreasonable to expect someone to "connect the dots" without allowing the means to do so). Those who were okay with this simply because he was an (R) handed this power to President Obama.

Surveillance got much worse under President Obama. That isn't a swipe at him personally, it would have got worse under McCain too. Both the technology and the existing motions in place made it inevitable, and no one responsible for the safety of 300 million people is going to give up the means to "connect the dots" so to speak. Those who were comfortable with this power because he was a (D) ultimately handed this power to President Trump.

Surveillance will likely get worse under President Trump too, just as it would likely get worse under a Hillary Clinton administration. I hope I am wrong about this, but history and human nature offer little optimism.

My wish list would be the elimination of the Department of Homeland Security and the repeal of the USA PATRIOT ACT (which, unfortunately, passed Congress with nearly unanimous bipartisan support). This would also make a dent in our ridiculous budget deficit, but that's an article for another day.

My other wish is that people would -- at any point in time -- think a little less of who happens to be in the White House, and rather envision the president being someone they do not trust. Because, inevitably, any power given to a president we trust has (and has been) given to a president we do not.


I will say, however, that one comfort I do have when an (R) is in the White House, is that the press (among others) is more likely to do their jobs. I haven't seen this much attention paid to presidential actions since Bush was president. I don't dislike President Obama personally, but it was disheartening to see people fall asleep at their news desks during his administration.

My Info • January 30, 2017 11:38 AM

@Bruce Schneier

> Interpretations of what this means are all over the place

That is completely understandable. The paragraph you have quoted is so muddled that it simply has no sane interpretation.

When U.S. citizens' data comes to reside in the EU or Russia, or at one of those megacorp call centers in India, we have lost all practical expectation of privacy for such data. Why should or would the situation be any different vice versa?

Mr. Smith • January 30, 2017 12:01 PM

I like how lately, conservatives feel validated to turn every item of news into an opportunity to shout their opinion, but as soon as someone with an opposing viewpoint dares to do the same, it is no longer an opinion, but "bias."

Obama has said a lot of questionable things related to privacy rights during his term as president, and I remember this blog being very vocal against them, most notably the whole "metadata vs. data" debacle.

Mr. Schneier may have made his political views clear as of late, but 1) there is nothing wrong with that, and 2) he has consistently criticized attacks on privacy rights regardless of who was in power, for as long as I can remember - and I have been reading this blog for many years now.

Dirk Praet • January 30, 2017 12:23 PM

@ Grant Hodges

> I can't explain why you would announce a cessation of immigration from terrorist countries in advance. Think about it.

@Moderator permitting, I would like to ask you the same question as in a previous thread on this matter and which I never got an answer to: if the purpose is to stop terrorists, why is the Trump administration not banning immigration from countries whose nationals actually did commit acts of terrorism on US soil?

Dirk Praet • January 30, 2017 12:53 PM

@ Anura

> Well, according to Giuliani, Trump asked him for a Muslim ban and they went to see what they could get away with legally

We both know he wants to say it. He has already done so during the campaign. His team is probably scared sh*tless he will do it again. All that is needed is probably some extremely irritating journalist pulling a Nathan Jessup on him.

Ross Snider • January 30, 2017 12:55 PM

Agree with other commenters: the policy under the Trump Administration does not seem to be in departure from the Obama Administration.

I think we should welcome people questioning the intentions though: the Obama Administration would have gotten away with mass surveillance. There's no reason that the Trump Administration should get away with it.

It would be nice if EU Courts officially ruled on whether the US can mass surveil Europeans - and if not - pull out from Privacy Shield unless it gets amendments that guarantee reasonable American behavior. Similarly, perhaps under the Trump Administration civil society will be brave enough to urge the Supreme Court to rule on the legality of federal mass surveillance.

Basically: Nothing new here besides that people are actually skeptical of the US federal government's intentions for the first time. Let's hope that people aren't just in panic mode and actually engage the courts to get us the legal rulings we've been needing for the past few decades of illegitimate search.

parabarbariam • January 30, 2017 1:07 PM

"if the purpose is to stop terrorists, why is the Trump administration not banning immigration from countries whose nationals actually did commit acts of terrorism on US soil?"

I suspect it is because the goal is less solving the terrorist problems of the past than it is to solve the terrorist problems of the future. This is just Trump's first offer from whence he will negotiate to something more "reasonable". An extreme first offer gives him room to negotiate toward the middle.

Gerard van Vooren • January 30, 2017 1:23 PM

@ Mike A.,

"This is bad news for U.S. companies doing business in EU, or with clients from EU."

It's too early to tell but it probably is. Not that I care for GAFAM and the likes but for small businesses it's something to seriously keep an eye on.

@ Who?,

> Ok, Donald Trump will take the next step on this world cyberwar against privacy... let us change the rules then!
>
> - use OpenBSD and software tools written outside the United States only;

True, I agree, but what you need to consider is that no-one lives on an island when you use the internet (or worse, mobile phone). This is the area that needs more consideration. It would be a lot better if the basics of the internet would be encrypted and p2p. Besides that, the www/browser is unfixable and that counts for the mobile phone as well. So if you want to take action, a by default encrypted p2p network is the area to start with.

@ Ross Snider,

"I think we should welcome people questioning the intentions though: the Obama Administration would have gotten away with mass surveillance. There's no reason that the Trump Administration should get away with it."

Remember that White House joke a couple of days ago? There are a lot of areas that can hurt or even topple Trump, but mass surveillance isn't one of them. The masses are brainwashed.

Jonathan Thornburg • January 30, 2017 1:33 PM

For anyone looking for a technically-literate hosting company, you might consider BS Web Services in Hamburg, Germany. (I'm not linking so as not to appear to be a link-spammer, but your favorite search engine should find their website in a few hundred milliseconds.) They're run by one of the main OpenBSD developers. I have no personal or financial interest in them.

Clive Robinson • January 30, 2017 1:55 PM

@ Who?,

> We had been using "airgapped" computers for decades and they worked, right? An energy airgap is a bit overkill to avoid mass surveillance, in my humble opinion, but lots of systems should be airgapped these days. There is nothing wrong on this approach.

Airgapping did work and still works in some but not all ways, and that is what you have to be aware of and why.

The problem these days, as we know from mobile phones, pads, tablets and some laptops, is that developers have investigated "alternative revenue streams" and applications now actively spy on you and use whatever method they can to "do an ET" and phone home with whatever they can get to monetize. Likewise, as others have noticed, Micro$haft are living down to the same low standards via Win10. We also know that both Intel and AMD have "management engines" that provide "channels" above and beyond the hardware owner's control.

So airgapping, whilst sufficient when you had control of the hardware and software, is no longer sufficient.

That's the current rub. To add further salt to the wound, it will not be long before you will not be able to get an "Offline use OS" or "Offline use applications".

It's why I talk about alternative CPU MCU solutions. There are MicroChip MCU chips that cost only $1 that have the same level of hardware in a single chip that thirty years ago could only be found in full spec PDP11's or Microvax's that ran a version of Berkeley Systems Development Unix. Some people have kindly ported an earlier BSD to these chips running on a very cheap development board. With the advantage that the chip is easily removed and replaced, so you can lock the important one up in a safe etc or even put it in your pocket.

OK the BSD version is command line only and the likes of ed and vi as editors etc, but you can get real work done. All without the problems the more popular personal computing platforms now have both in hardware and software.

You can also look at x86 SBCs for industrial control like the PC104 systems; these tend to not have management engines or other nasties built in and will run earlier versions of Microsoft products without issue.

If you take the precautionary approach then yes, air gapping will still work fine against "General Surveillance" but not directed surveillance. However with standard commodity systems today, you do need energy-gapping. And as I've indicated it probably won't be too long before commodity will not run in offline mode.

So people might need to start thinking about "stocking up" so they can run off line and thus gapped in the future.

My Info • January 30, 2017 1:59 PM

@Mr. Smith

>>> it is no longer an opinion, but "bias." >>>

Am I one of those conservatives you are criticizing? That is not what I said or meant.

> Mr. Schneier may have made his political views clearly as of late, but 1) there is nothing wrong with that,

I never said there was.

> and 2) he has consistently criticized attacks on privacy rights regardless of who was in power, for as long as I can remember

I commend him for doing so. You still have not addressed my own question:

> When U.S. citizens' data comes to reside in the EU or Russia, or at one of those megacorp call centers in India, we have lost all practical expectation of privacy for such data. Why should or would the situation be any different vice versa?

I feel that my privacy is not being respected when my personal information is being shipped willy-nilly across the Atlantic Ocean, outside the jurisdiction of any legal complaint I might otherwise have been able to make about it.

Why should I feel any differently?

@Jonathan Thornburg

> OpenBSD developers. I have no personal or financial interest in them.

I don't either.

I just tried out an OpenBSD 6.0 installation iso on my Asus Model X540S notebook: the white-on-blue text mode during the installation was using an incorrect refresh rate that was overdriving my monitor, causing flickering horizontal blue lines everywhere, and the system froze when I pressed "i" to "install."

I am not even sure if this is an OpenBSD problem per se, because I am having BIOS and boot issues with Fedora 25. My system is corrupted and the BIOS is at the moment rather locked down to a spyware-infested Fedora installation at the moment, and behaves strangely when I try to boot anything else. I am not at all convinced that OpenBSD is "the answer" either.

HJohn • January 30, 2017 2:04 PM

I think you may misunderstand the point of calling out bias. No one is saying people are not entitled to their opinions. The concern about the media coverage is very real. It is a good thing the press is watching Trump like a hawk, it is a good thing they watched Bush like a hawk (although he, unfortunately, had a bit more slack after 9/11). It is a bad thing that the press largely ignored Obama in this regard.

We will no doubt have a democratic president again, probably after the 2020 election. My bet is Elizabeth Warren (that is a prediction, not an endorsement), and the press seems affectionate towards her similar to how they were towards Obama. When you couple an affectionate press with a desire to not seem weak, that is a recipe for an unchecked expansion of power.

We all have the right to our opinions, no one says otherwise. But when the news reports certain actions as "spying on American citizens" under a president they don't like, then reframes comparable actions as "maintaining the ability to reconstruct what happened after an incident" when it is under a president they do like, an important check and balance is wasted.

Bruce, though his political leanings are known, may call out both, but he does not have as much influence over national attitudes as say the Associated Press.

Clive Robinson • January 30, 2017 2:11 PM

@ All,

I don't know about others but I personally do not see an issue with Bruce's,

    And, like pretty much everything so far in the Trump administration, we have no idea where this is headed.

It's quite factual, and the Trump Administration is writing its own "play book" as it goes along. Even though it is as unexpected as a beauty product that is actually scientifically sound in its "look younger" claims.

I'm notorious for not giving two plastic cents for party politics or current political behaviour, but we do appear to be in uncharted waters with all these EOs flying in all directions. I suspect there will be further legal challenges by both sides as time goes on. So saying we "have no idea where this is headed" is actually factual as well.

So can we stop the partisan view points, it does none of us credible service.

tyr • January 30, 2017 3:36 PM


@Clive

The good thing is that people are starting to pay
attention to government policies after decades of
slack jawed drooling and allowing the political to
get away with murder.

The only way you get bad laws off the books is to
have them enforced. The only way to get rid of bad
ideas is to see what happens when they are implemented.

The entertainment value in seeing the east and west
coast cityfolk suddenly realize that they are not
the USA and really don't run everything is a wonder
to behold.

If Bruce is biased IMHO a good thing, the idea we
all need to be some consensus driven swarmhive is a
really bad idea. Argue things out and compromise on
what is possible.

From the strict law enforcement viewpoint it makes
sense to choke off hidden data areas making it a lot
harder to hide illicit behaviors. As long as the
panopticon can see into the governments as clearly
it might not be such a bad idea.


Dirk Praet • January 30, 2017 3:38 PM

@ parabarbariam

> I suspect it is because the goal is less solving the terrorist problems of the past than it is to solve the terrorist problems of the future.

In what parallel universe does that even remotely make sense?

Cassandra • January 30, 2017 4:29 PM

One of the things that businesses value is policy stability as it allows reasonably long term forward planning. Whether or not you agree with the Trump administration's policies, it is clear that the style appears to be one of radical change, if not always completely unexpected. As a result, I would expect businesses that have a choice to look at investing in other places that are expected to have more stable policies.

It was mentioned that Canada might be a good place to host data. Anyone familiar with Internet routing would tell you that traffic between sites in Canada will often go via the USA: and a perusal of submarine cable maps (http://submarine-cable-map-2016.telegeography.com/ ) will reveal the paucity of connections between Europe and Canada that do not go via the USA; and the complete lack of any Trans-Pacific cables landing there. The NSA will not be avoided that easily.

thesaucymugwump • January 30, 2017 4:45 PM

@keiner "believe me, there will be no campaign 2020, there will be no election after this in the 'USA'"

Sigh, another youngster with no knowledge of history. I remember the last year of Bush the Younger's second term when liberals were seriously worried that George would stay in office forever. I remember the last year of Clinton's second term when the right was seriously worried that Bill would stay in office forever. People even older than myself could quote ridiculous beliefs from farther back.

@Grant Hodges

Yes, Trump is making good on his promises and liberals are having the largest cow ever. Democrats are crying a river over Trump's closing the borders, even though Obama did it for Iraqis for six months or so and Democrats tried their best to close the borders to Vietnamese who helped us during the Vietnam War, with then-and-now-governor Jerry Brown even trying to close airports. Not to mention FDR and his gang refusing to accept Jews fleeing from the Nazis.

@HJohn

Fauxcahontas has little chance of winning a presidential election, though Democrats might very well choose her. If Democrats are wise -- and my money says they aren't, given the clowns running for DNC head -- they will choose a slightly dull, but extremely competent candidate such as Jim Webb or an up-and-coming candidate such as Tulsi Gabbard.

Anura • January 30, 2017 5:29 PM

@Cassandra

Nothing you can do about the cables, just assume that all traffic sent over plaintext is publicly accessible. What countries like Iceland provide is strong legal protections from government censorship/abuse. It doesn't protect you from hacking; for that, you absolutely need strong encryption and op-sec.

Matt • January 30, 2017 5:55 PM

I'm pretty sure we know exactly where everything this administration does is headed: as far down the road to totalitarianism as a disinterested electorate and cowardly leadership will allow.

Clive Robinson • January 30, 2017 8:55 PM

@Cassandra,

As, @Anura says,

Nothing you can do about the cables, just assume that all traffic sent over plaintext is publicly accessible.

I would extend that to the servers and hard disks in the cloud.

Plaintext is not your friend ever where privacy/security is involved. Even when you think it is 100% inside your verifiable control it's possibly not (as so many password, credit card info, etc file dumps have shown over and over again).

As I am known to say from time to time, information has no physical actuality, we impress or modulate it onto physical objects (energy is mass equivalent) to do one of three discrete things,

1, Store information,
2, Communicate information,
3, Process information.

For the first two encryption is very much the low water mark of "standard practice" and if an organisation is not doing it arguably "it's floundering at sea". Which means the chances are getting quite high it has civil liabilities hanging in its near term future.

The third is still "an area of active research". Whilst we can do some meaningful processing activities on encrypted information we can not do all.

For instance if you use certain types of "additive" stream ciphers you can add encrypted numbers together without knowing what they are. There are two versions of this both involving "dining cryptographers". The first is a bitwise protocol using the XOR function so that the cryptographers can find out if one of them paid for the meal or if it was say the NSA. Importantly it gives both the answer to the question and if it is one of them anonymity to the benefactor. The second is that the cryptographers want to find the average salary they get without revealing how much they each earn. Put simply one of the cryptographers writes a random value on a piece of paper that he folds and puts on the table. On another piece of paper he writes down the sum of his salary and the random value. He then passes that total to the next person who adds their salary and passes on only the total to the next person. Eventually every cryptographer has added their salary and the final result along with the original random value is given to the waiter or other party who then subtracts the random value and divides the result by the number of diners and then reads out the average salary to the cryptographers.

Obviously there are issues with a real implementation such as "overflow" but you can see how some simple but by no means all processing can be done with encrypted values.

The first person who finds an efficient way to do all types of processing with encrypted data might get fame or fortune if... They don't get lynched by their colleagues for being a smart arse[1] ;-)

[1] See Douglas Adams' humorous story of the invention of the "infinite improbability drive" to see why this might be their fate.

http://hitchhikers.wikia.com/wiki/Infinite_Improbability_Drive
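The two dining-cryptographers protocols described in the comment above, as an added example that is not part of the original comment. Function names, the ring seating, the modulus and the sample salaries are assumptions made here; doing the additions modulo a fixed number is one way to handle the "overflow" issue the comment mentions.

```python
import secrets


def dc_net_round(n, payer=None):
    """One bitwise dining-cryptographers round for n diners at a round table.

    payer is the index of the diner who paid, or None if an outsider paid.
    Returns (announcements, someone_at_table_paid).
    """
    if n < 3:
        raise ValueError("need at least 3 diners for the payer to stay anonymous")
    # coins[i] is a secret coin flip shared only by diner i and diner (i + 1) % n.
    coins = [secrets.randbits(1) for _ in range(n)]
    announcements = []
    for i in range(n):
        # Each diner announces the XOR of the two coins they can see ...
        bit = coins[i] ^ coins[(i - 1) % n]
        # ... and the payer, if at the table, inverts their announcement.
        if i == payer:
            bit ^= 1
        announcements.append(bit)
    # Every coin appears in exactly two announcements, so all coins cancel
    # and only the payer's inversion (if any) survives.
    result = 0
    for bit in announcements:
        result ^= bit
    return announcements, bool(result)


def masked_average(salaries, modulus=2**64, mask=None):
    """Average salary via a running masked total, as described in the comment.

    All arithmetic is done modulo `modulus`. Each salary must be below
    modulus // n, a bound every diner can check locally, so the true total
    cannot wrap and the waiter's subtraction recovers it exactly.
    Returns (total, average, handed_on) where handed_on[i] is the value
    diner i passes to the next person (the last one goes to the waiter).
    """
    n = len(salaries)
    if n < 3:
        raise ValueError("with fewer than 3 diners the average reveals a salary")
    bound = modulus // n
    for s in salaries:
        if not 0 <= s < bound:
            raise ValueError("salary outside [0, modulus // n)")
    # The first diner's folded piece of paper: a uniformly random mask.
    if mask is None:
        mask = secrets.randbelow(modulus)
    running = (mask + salaries[0]) % modulus
    handed_on = [running]
    for s in salaries[1:]:
        running = (running + s) % modulus
        handed_on.append(running)
    # The waiter receives the final total and the mask, and unmasks.
    total = (running - mask) % modulus
    return total, total / n, handed_on


if __name__ == "__main__":
    # Constructed sample data.
    print(dc_net_round(5, payer=2))
    print(dc_net_round(5, payer=None))
    print(masked_average([52000, 61000, 75000, 48000])[:2])
```

Because the mask is uniform over the whole modulus, each value handed along the table is itself uniformly distributed and says nothing on its own about the salaries added so far.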

Jay • January 30, 2017 9:44 PM

Bruce I wonder if you could link or give details on the exact Executive Order that this was attached to. I would like to read the whole order to see how it was slipped in.

Thanks

Dean • January 30, 2017 10:47 PM

@Couldn'tPossiblyComment The difference with this administration is that Trump is insane. As I write this he has just fired the AG and the director of US Immigration and Customs Enforcement (ICE), Daniel Ragsdale.

Wake up America, you are right in the middle of a coup d'état, it's happening. Right. Now.

FF • January 31, 2017 1:43 AM

Never thought I'd read the term "terrorist countries" in the comments section of this blog.

Cassandra • January 31, 2017 1:48 AM

@Anura
@Clive Robinson

You make good points.

As ever, if you only transmit and store information that is encrypted, and the encryption is good enough, and you have sufficient control of the keys, then it doesn't matter where you host.

However, in the context of information that isn't handled to that standard, what I was trying to point out was that although Canada may have a privacy-friendly jurisdiction, you are likely to transit non-privacy friendly territory to get there.

Assuming that all traffic sent over plaintext (or inadequately encrypted) is publicly accessible is a good approach.

Clive, as always, makes an excellent point: at present, nearly all information has to be decrypted to be processed - which means that the exit point of VPN tunnels can be vulnerable; and the content of databases held in plaintext for ease of processing is also vulnerable. It is all very well sending a credit-card number and home address to a retailer over https, but it is processed in the clear. It may not be stored in plain text, but you do not know if the retailer's server has been compromised.

While Iceland might be a great place to host data from a legal point of view, from an operations point of view, it is not so good. There is not very redundant connectivity to there from the rest of the world. If you care about uptime and connectivity, the hosting centres clustered around the major Internet Exchanges in Europe would be a good bet - e.g. in the Amsterdam and Frankfurt areas.

Jurisdiction shopping is just one aspect of working out where to host data. Nothing substitutes for good security practices.

Clive Robinson • January 31, 2017 4:02 AM

@ Cassandra,

Jurisdiction shopping is just one aspect of working out where to host data. Nothing substitutes for good security practices.

Even though sometimes it can be tough if not impossible to do.

With regards "where the cables go" although a good start it's only an indicator, due to the issues with the Border Gateway Protocol.

As I've indicated before an examination of physical choke points on the Internet and the Five Eyes countries can be a little unsettling for those who think the likes of Tor are going to stop the Five Eyes from performing traffic analysis. TA is not much talked about which is odd when you consider it has been the FiveEyes primary focus until more recent times...

As far as we know TA is performed by correlation, not just of the data in the stream, but size, tempo and directionality. Changing the packet data by multiple layers of point-to-point encryption will hide the data but not the size, tempo or directionality. You can hide the size by data stuffing and to a limited extent interleaving with other data streams. Which means your network nodes need a "store and forward" capability at some level not just buffering and switching.

I could go on but the general idea should be clear you need to do a lot more than just Onion Routing to have a chance of avoiding the TA of the FiveEyes, that sit astride the choke points.

As for BGP there have been times where traffic internal to the US or other countries has apparently taken international walks thus seen in the likes of the UK, Australia and China. As has been noted it happens so frequently that the "accident or design" question has to be thought about, which leads to questions of "Who" and "Why / What gain"...

Negative Nellie • January 31, 2017 6:15 AM

"Privacy Act"

If the Orwellian double-think system is truly in play with our fearless leaders, the "Privacy Act" should be interpreted to mean the government has removed several more layers of privacy entitlement.

And, if the friction point appears to be American citizen privacy, you can rest assured they are saying, again: Forget about privacy, you don't have any.

RonK • January 31, 2017 6:31 AM

@ tyr

> As long as the panopticon can see into the governments
> as clearly it might not be such a bad idea.

Bruce has been all over this one, the simple answer is, "it cannot (see into the governments) and it is (a bad idea)".

Drone • January 31, 2017 7:11 AM

B.Schneier said: "And, like pretty much everything so far in the Trump administration, we have no idea where this is headed."

To be honest Mr. Schneier, I'd rather "have no idea where this is headed" than to know for sure we were HEADED OFF A CLIFF:

Did you get to keep your health insurance? (NO)
Did you get to keep your doctor? (NO)
Did your insurance premiums go down? (NO)
Did you get to keep your full-time job? (NO)
Did you get to keep your house? (NO)
Is your family safer now than before? (NO)
Is the U.S. debt and deficit going down? (NO)
Is the decrepit U.S. Public Education System improving? (NO)
Did the U.S. Government help improve race relations? (HELL NO!)

r • January 31, 2017 7:29 AM

+1 drone for the single drop of metadataphysical hope.

At least, even with the bombs falling - we can always look up.

Cassandra • January 31, 2017 8:05 AM

@Clive Robinson

I am very aware of the long-standing issues with BGP routing. Thankfully, I don't have to deal with it in my day-to-day work.

https://www.wired.com/2008/02/pakistans-accid/

There are, of course, proposals to ameliorate accidental routing problems:

https://www-x.antd.nist.gov/BGP_Security/publications/NIST_BGP_Robustness.pdf

https://www.nanog.org/meetings/nanog41/presentations/Karlin-talk.pdf

Protecting against deliberate re-routing of traffic is a slightly different kettle of fish.

You are quite right about traffic analysis. If your only aim is to get a verified authentic message to your bank securely, then you are probably not worried that a third party can determine that you are talking to your bank. On the other hand, if you don't want 'the authorities' to know you are accessing a particular foreign web-site, then being able to hide that becomes important. I'm not even sure it is possible to provide guaranteed anonymity on the Internet as it is currently built*, and there are plenty of interested parties with a lot of resources who would be quite happy for that situation to remain.

*the theoretical idea of an internet, and the actual built Internet are two very different things. Clive mentions 'choke points' - nice fluffy clouds don't have choke points, and have infinite capacity between any source and destination. The reality is somewhat different.

trump_be_nimble ... • January 31, 2017 9:06 AM

@Matt wrote

"I'm pretty sure we know exactly where everything this administration does is headed: as far down the road to totalitarianism as a disinterested electorate and cowardly leadership will allow."

Starting about now:

"

President Trump has reorganized the National Security Council. His controversial chief strategist, Steve Bannon, joins the NSC and the president has demoted the director of National Intelligence and the chairman of the Joint Chiefs of Staff.

Steve Bannon is now part of the NSC’s principals committee, the top interagency group for discussing national security.

Former security officials from the Obama administration are incredulous at the move. Former NSC adviser Susan Rice said the appointment was “stone cold crazy.”

Former Defense Secretary Robert Gates, who served under Obama and George W. Bush, called the demotions a “big mistake” in an interview with ABC News. How big of a role is the ex-chief executive of the ‘alt-righ

"

http://the1a.org/shows/2017-01-31/president-bannon
http://wamu.org/

vas pup • January 31, 2017 10:12 AM

Important on decision making psychological aspects and applied to decisions in security field for sure (I love the part related to lack of imagination in particular):
http://www.bbc.com/future/story/20170131-why-wont-some-people-listen-to-reason
“The moral for making better decisions is clear: wanting to be fair and objective alone isn't enough. What is needed are practical methods for correcting our limited reasoning – and a major limitation is our imagination for how else things might be. If we're lucky, someone else will point out these alternatives, but if we're on our own we can still take advantage of crutches for the mind like the "consider the opposite" strategy.

Scott • January 31, 2017 10:33 AM

Correct me if I'm wrong, this would affect government agencies bound by the privacy act, not private companies as in the case of someone choosing to not do business here.

Ruedi Hunkeler • January 31, 2017 10:33 AM

@keiner: "Switzerland is dead, as safe haven for data." Exactly. It has been decided some months ago, that all ISP providers plus all telcos must retain metadata for a period of six months.

In Switzerland, in practice not even a warrant is needed for snooping around. Just check out the story "Hacking Team" and Kantonspolizei Zürich (KaPo Zurich). The forensic institute of Zurich, BTW, is jointly run by the university of Zurich (what a disgrace!) and by the Kapo Zurich.


@ab praeceptis: "Hey, they bent over in pretty every direction for the us-americans. Hell, they even broke their core business, banking, just at washingtons pleasure." Bang on!


That is why most of my e-mail traffic goes via TOR to a small U.S. based provider.

Mic Channel • January 31, 2017 12:30 PM

Tyr said yesterday:

The only way to get rid of bad
ideas is to see what happens when they are implemented.

False. I don't need to try implementing, say, genocide and bigotry to work out they're bad ideas.
I'm not saying this is what Trump is doing (cough) but it's obviously false that we have to give people a try at bad ideas to work out that they're bad ideas.

Cider Warrior • January 31, 2017 2:32 PM

As I wrote to that 'loser something' guy from the other thread here https://www.schneier.com/blog/archives/2017/01/security_risks_13.html#c6744815 Trump simply keeps stating with refreshing candor what has already been the state of affairs. Be it foreign policy in US' interest only (as it has always been, by any country big and small for that matter), or confirming that data have in fact no protection. How can that be bad, when we all know it was already so in practice even for US citizens? At least now there is an official statement for whoever may want to fight it. It's way better than officially protecting privacy and then screwing you in secret.

I don't know if these policies will benefit the US, and it is not my business as I'm not a US citizen. But I'm sure they benefit the rest of the world, if nothing else by setting a clear stage and sticking the truth in the face of those who would rather believe in fairy tales. In a way it's similar to Brexit: I have no idea if the UK people will benefit (hopefully) or lose, but they have taken upon themselves the risk and the pride of trying a different way and by doing so did a service for other Europeans to better assess the benefits and drawbacks of EU membership.

Dirk Praet • January 31, 2017 3:44 PM

@ Cider Warrior

Trump simply keeps stating with refreshing candor what has already been the state of affairs.

Exactly. Excellent post, by the way.

Jen Gold Stockholm • January 31, 2017 8:45 PM

@ Cider Warrior

Trump simply keeps stating with refreshing candor what has already been the state of affairs.

Exactly. Excellent post, by the way.


Yes, thanks @ CW for your lucidity and candour, well written


@ loser

thanks for the entertainment value. How do they calculate your remuneration - is it per post, per response, per site or per hour? Or did you volunteer for service?


65535 • February 1, 2017 6:26 AM

@ keiner and others

“Is there any kind of data protection in the UK anymore, considering anti-terror stuff and snoopers charter? Where do you wanna go nowadays with your data? In Germany there was big outcry after Snowden, but some weeks ago they simply made all the sniffing around in any kind of traffic LEGAL by new laws. Plus Vorratsdatenspeicherung (aka storage of all kinds of metadata). So: F*cked!”

I don’t think there is any real data protection in the UK or the USA. There are too many "Emergency Exceptions" to getting a proper court order. The Three letter agencies down to local police don't need a court order with "Emergency Exceptions" and "National Security" items. I doubt the UK or the USA follows the EU's privacy policies at all.

I have said before and I will say it again [this time during a “R” administration] there has to be a show-down between the Supreme Court and the President of the USA and his “executive” orders which seem too powerful and intrusive. This must go to the US Supreme Court.

Given the UK’s Snooper’s charter I agree with other posters. I don’t see it being fully compatible with the EU privacy requirements.

See discussion on who can be spied upon and who can do the spying:

https://www.schneier.com/blog/archives/2016/12/a_50-foot_squid.html#c6739890

[Wikipedia and numerous “authorities” allowed to access data base records]

“List of authorities allowed to access Internet connection records without a warrant
• Metropolitan Police Service
• City of London Police
• Police forces maintained under section 2 of the Police Act 1996
• Police Service of Scotland
• Police Service of Northern Ireland
• British Transport Police
• Ministry of Defence Police
• Royal Navy Police
• Royal Military Police
• Royal Air Force Police
• Security Service
• Secret Intelligence Service
• GCHQ
• Ministry of Defence
• Department of Health
• Home Office
• Ministry of Justice
• National Crime Agency
• HM Revenue & Customs
• Department for Transport
• Department for Work and Pensions
• NHS trusts and foundation trusts in England that provide ambulance services
• NHS National Services Scotland
• Competition and Markets Authority
• Criminal Cases Review Commission
• Department for Communities
• Department for the Economy
• Department of Justice (Northern Ireland)
• Financial Conduct Authority
• Fire and rescue authorities under the Fire and Rescue Services Act 2004
• Food Standards Agency
• Food Standards Scotland
• Gambling Commission
• Gangmasters and Labour Abuse Authority
• Health and Safety Executive
• Independent Police Complaints Commission
• Information Commissioner
• NHS Business Services Authority
• Northern Ireland Ambulance Service
• Northern Ireland Fire and Rescue Service Board
• Health & Social Care Business Services Organisation
• Office of Communications
• Police Ombudsman for Northern Ireland
• Police Investigations and Review Commissioner
• Scottish Ambulance Service Board
• Scottish Criminal Cases Review Commission
• Serious Fraud Office
• Welsh Ambulance Services National Health Service Trust”
-Wikipedia
See

https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016#Provisions_of_the_Act

Further I don’t see the new Patriot Act, FISA court, NSL’s, EO 12333, 702, section 215, rule 41 and so on, aligning with EU-US Privacy Shield and the new Executive Order. There are too many “Emergency Provisions” that allow searching vast databases with no court order[s].

See:
https://en.wikipedia.org/wiki/Patriot_Act#Controversy

and
https://en.wikipedia.org/wiki/Patriot_Act#Reauthorizations

From Bush to Obama to Trump things are getting worse.

r • February 1, 2017 7:48 AM

@65535,

That's why we have to involve ourselves in the debate so deeply, who's going to protect your position if not yourself?

Rail against the railroads. Promote encryption, opsec and awareness of trends and secret orders. Promote awareness of options attacks and mitigations, I don't care if it's a bank employee a police officer the medical community or a criminal, every last one of them needs to be aware of the weaponization of the internet and its devices.

r • February 1, 2017 7:53 AM

If you scare enough people with looking at reality squarely you never know, it might educate someone you couldn't reach directly like a battered woman or a disgruntled employee seeking to rat out some capitalist pig higher up in his team. You have to take the good with the bad, so maybe a couple sex traffickers begin to understand the need for encryption - maybe in seeing their pimps encrypt the women realize that they need to encrypt against the pimps and you reach some of their slaves.

How many hops does it take to reach the epicenter congress?

John • February 1, 2017 8:29 AM

"And, like pretty much everything so far in the Trump administration, we have no idea where this is headed."

I have a pretty damn good idea where this is headed :
Fascist dictatorship, controlled by The Oranje Führer and his army of Bible-nutters and neocon market-fanatics .

vas pup • February 1, 2017 12:33 PM

@all (URGENT)
Russia charges cyber-security experts with treason:
http://www.bbc.com/news/world-europe-38831233
“Ex-FSB men Sergei Mikhailov and Dmitry Dokuchayev, and an executive at the anti-virus software firm Kaspersky, Ruslan Stoyanov, are accused of working for US interests.
Russian media reports suggest Mr Mikhailov, who was formerly deputy head of the FSB's cyber-security department, was detained in dramatic style and led out of a meeting with a bag over his head.

ab praeceptis • February 1, 2017 1:18 PM

vas pup

bbc? That's not an acceptable source.

And indeed it is already well known that the "news" you mentioned is far from reality.

r • February 1, 2017 4:28 PM

@ab,

From the bag over my head it looks pretty legitimate to me, you must have different pictures drawn inside the bag over yours.

Ratio • February 1, 2017 6:49 PM

@vas pup,

From AP's story Reported treason arrests fuel Russian hacking intrigue:

In a further twist, the Interfax news agency reported Tuesday that Mikhailov and Dokuchayev are accused of passing information to the CIA. The report cited a source Interfax did not identify, making it difficult to verify its accuracy. A spokesman for the CIA declined to comment on the actions of Russian law enforcement.

Mikhailov's arrest apparently was designed to have maximum effect on fellow officers. He was detained at a gathering of FSB officials when he had a bag placed over his head and was marched out of the room, according to Novaya Gazeta and the nationalist Tsargrad network.

Another theory circulating apparently seeks to draw attention away from the U.S. hack.

News outlets Life News and Rosbalt, which has close links to the security services, reported that the FSB officers fed sensitive information to hacking group Shaltai Boltai, or Humpty Dumpty, which used it in a complex profit-making enterprise to blackmail dozens of Russian political figures.

A Moscow court confirmed Monday the arrest of Vladimir Anikeyev, reported to be one of the leaders of Shaltai Boltai, on hacking charges.

r • February 1, 2017 7:17 PM

What I can wrap my burlap sack around is why ab would refute something reasonably acknowledged by kaspersky labs ?

Bag or not, denialism is strong with that one.

vas pup • February 2, 2017 12:00 PM

@ab praeceptis • February 1, 2017 1:18 PM
I respectfully disagree with you. BBC is good for timely reporting facts (agree, not 100% but better than CNN for sure). Analysis you should do by your own tools (head/brain, other sources of information YOU personally trust).
That is why I appreciate post of Ratio • February 1, 2017 6:49 PM when additional good input was provided on the subject.
See, when you criticize something or somebody the good point is to provide more logical arguments for your vision AND your better solution for subject matter. Otherwise that is pure trolling.
This blog appreciates (as I see it for many years) respectful and positive attitude of bloggers towards each other even when disagree with point of view. I hope you agree with me on that.

ab praeceptis • February 2, 2017 9:11 PM

vas pup

I have no issues with you whatsoever.

I do, however, have issues with bbc being quoted. bbc is a dirt hole and worse than a chinese train toilet.

Jen Gold Stockholm • February 2, 2017 9:57 PM


@ Ab Praeceptis

I comprehend (I believe) where you are coming from

unrelated but tangentially you reminded me of the following:

the blog post is about social steganography

https://www.schneier.com/blog/archives/2010/08/social_steganog.html

Chris S • August 25, 2010 10:45 AM

A friend with nine seasons of archeological field work in the Middle East said he *always* listened to the BBC news.

He said that the local population (not English first language) would always hear ... the news. But when needed, the BBC could make the hair on the neck stand up for a native English speaker. This was a valuable early warning signal for foreigners in the region.

M • February 3, 2017 5:10 AM

@65536
Wikipedia is not one of the authorities allowed to snoop on data under the UK Snoopers' Charter. But, considering some of the others, one could believe it.

GS • February 3, 2017 11:13 AM

What always strikes me is the following. The EU member state privacy laws and their successor, the GDPR, offer equal protection for EU citizens and everybody else alike, including US citizens. Yet each and every attempt at the US government to simply return the courtesy provokes tremendous resistance and harsh words. There's no way at all this can be called a level playing field and the imbalance has to end one way or another.

Imnot Georgel • February 4, 2017 9:37 AM

This seems to me to be posturing and threats from the new administration (though uncharacteristically low key and veiled) against high tech and big business. This administration and its leader have declared the press, the intelligence community and now high tech and big business (not to mention globalization and our allies) as its opponents so it will be interesting to see how it all plays out, however, I just don't believe that they can win against such huge, powerful, wealthy and entrenched opposition. They are surely "shaking things up" as quite a few wanted them to do (however, probably not in this way for most).

On how it affects humans as a species (as opposed to Americans) in this globalized world it's agreed that though there are dangerous people in this world that we need to guard against, place of birth, skin color, religion, gender and even age (to some extent, though young males are far more highly prone to violence than most others) cannot indicate the degree of danger someone poses to anyone else. I don't see how excluding all non-Americans from data protection furthers anything good.
