At the Open Rights Group conference in London recently, one of the most popular talks -- How to wiretap the Cloud (without anybody noticing) -- was given by independent privacy and surveillance expert Caspar Bowden. Until 2011 he was Chief Privacy Adviser to Microsoft and he has a deep understanding of the extent of US and other national surveillance of the Web.
The risks related to PRISM came as no surprise to him. Indeed, earlier in the year he had co-authored a report to the European Parliament of November 2012 which was the first explanation of the problem of FISA 702, and associated loopholes in EU Data Protection law. The Q & A with Caspar that follows was prepared in February for a French publication. At that time he had no knowledge of the existence of PRISM, and the analysis was based entirely on research from open sources. As Caspar commented when I asked him this weekend, the analysis is still completely relevant.
Q: Why is the FISA Amendment Act 2008 (FISAAA) a more dangerous law for Europeans' privacy than the PATRIOT Act?
A: Both the PATRIOT and FISAAA laws are over one hundred pages, and much more complex than corresponding European laws. Few Americans have studied them carefully, let alone experts this side of the Atlantic. Both laws allow various American intelligence and law-enforcement agencies to intercept, bug and seize data in different ways.
But in simple terms PATRIOT is mostly about demanding data in finite and defined amounts. The novelty of FISAAA (1881a) is that:
- it targets only the data of non-Americans located outside the US (i.e. the data belonging to the rest-of-the-world);
- it specifically applies to Cloud computing providers (not just telecommunications carriers) and
- it removed previous constraints which hindered continuous data collection and mass-surveillance.

FISAAA allows the National Security Agency to order the big Cloud companies to make permanent installations for continuously scanning through all the data they process from outside the US. Because they can order that this is done from within the Cloud provider's data-centres, encryption of data between the Cloud and your computer is irrelevant and offers no protection.
Another recent study for the European Parliament proposed that people could just encrypt data themselves before sending to the Cloud, but this shows a fundamental misunderstanding. Such remote data storage is a very trivial aspect of Cloud computing. The Cloud provider must be able to work with decrypted data in order for the processing power of the Cloud to be useful, and the FISAAA equipment can be placed wherever this decryption occurs. This might be done with deep-packet-inspection (DPI) hardware or probably more economically at the invisible level of the software platform. There are legal and technical precedents for these concerns, and even a standards document which defines “Lawful-Intercept-as-a-Cloud-service” (LIaaS).
Two aspects I still find amazing are that firstly apparently nobody noticed that the scope of FISAAA was extended from wire-tapping telecommunications to also reach inside the data-centre - nothing was written about this for 4 years. Secondly, every news article about FISAAA since 2008 has reported it as if it was primarily a threat to Americans. The target of FISAAA is everyone who is not American - the clue is in the word "foreign"!
Q: The EU Data Protection Directive prohibits the transfer of personal data outside its territory. Why doesn't this prevent US access to data?
A: It's a smokescreen. The EU capitulated to US economic pressure in 2000 with the “Safe Harbor” agreement which allowed most transfers with only weak rules about commercial privacy, but even the UK chief of Microsoft has admitted it offers no protection against PATRIOT (let alone FISAAA). Neither do the other mechanisms notionally provided as exceptions to the general prohibition in the Directive, which the Internet has reduced to a legal fiction. Bizarrely, a special new loophole has been concocted just for Cloud computing in the proposed new DP Regulation, called "Binding Corporate Rules for data processors".
Data Protection Authorities seem almost complicit in this charade, because they do not want the public to understand they have very little real power. The idea is that the Cloud provider gets a private-sector audit company to certify the generic Cloud system for security, producing a lot of impressive paperwork, and then massive transfers to the Cloud will become lawful without further questions asked. But no private audit company, however fancy their reputation, can discover officially secret wire-tapping ordered by the national security law of another country. When one puts this point to the audit companies they shrug and say “not my department”.
The DPA's position is that this is not supposed to happen, but if it does the BCR was fine in theory, it was just not enforced properly - and anyway such "secret squirrel" matters are for governments, not DPAs. Incidentally, if anyone from inside the US government or the Cloud provider informed European authorities about this, they would be held in contempt by the special US surveillance court (FISC) and would also be breaking the US Espionage Act (which deters the disclosure of such information with a possible death penalty).
It is extraordinary that most European officials and DP regulators seem determined to ignore the problem (an exception is the consistently outstanding work of Schleswig-Holstein ULD). It reflects a rather bureaucratic attitude, which emphasises legal structure above technical reality. Also officials have been lobbied intensively by industry and are under immense pressure to find some way to legitimise Cloud computing, to keep European business competitive. But losing sovereignty over Europeans' personal data is no way to stay competitive!
Also, it must be remembered that the problem is not just with data-centres on US territory. PATRIOT and FISAAA can be secretly applied anywhere in the world (even inside the EU) to any company doing business in the US, although in practice there is most risk when data physically leaves the EU. The best assurance will come from using free software (FLOSS) from top to bottom, with logging and auditing of all patches, and inspections carried out locally by experts without a vested interest or foreign allegiances.
Q: What should be done to protect against this widespread cyber-surveillance?
A: I haven't yet mentioned the most disturbing aspect. I think the reason that European authorities have been so complacent is they have believed private assurances from the US that this is all about fighting terrorism. But something that is almost never mentioned in legal or policy analysis is that the definition of "foreign intelligence information" (since the first FISA law in 1978) has included
"information with respect to a foreign-based political organization or foreign territory that relates to the conduct of the foreign affairs of the United States"
This is a true carte blanche for purely political surveillance, unrelated to criminality or genuine security threats. As we said already, 1881a offers zero protection to the data of non-Americans, and even the definition of the information which can be targeted for political reasons is broader for non-Americans, a double-discrimination by nationality.
This would be indisputably illegal under the European Convention of Human Rights (ECHR) and so it cannot be lawful for European governments to fail to protect their citizens from this risk. But European policy-makers have not understood that what is at stake is much more than the old risks of data communications being intercepted in transit. Companies such as Microsoft have the commercial ambition of winning Cloud contracts to process all data that previously would have remained inside the country - even public sector data about citizens' private lives.
I see three possibilities to solve the problem. The first is that Europe negotiates a treaty with the US giving explicit recognition of our ECHR rights. But the United States has blocked much more modest demands from the EU over the past decade. The second possibility is that Europe takes a strategic decision to build a serious and autonomous Cloud industry (think how Airbus now has equal market share with Boeing). But Neelie Kroes is investing 15 million Euros, whereas the US Cloud industry has invested tens of billions of dollars.
Finally, the third possibility is that the EU could offer legal immunity and financial rewards for reporting surveillance which breaks EU law. They might be engineers or lawyers working for US industry or government, and they would be taking enormous risks by becoming whistleblowers, so the rewards would have to be substantial. This is the method used in many parts of the world, including the US, to fight public corruption and evasion of taxation.
Why not use this method to enforce Data Protection and respect for European human rights? The rewards would be paid from fines imposed on the companies, and only this method might provide a realistic deterrent against a crime which is virtually undetectable. These three possibilities are not mutually exclusive. Used in combination we might get a flourishing European Cloud industry with a level playing field for competition, and real, not illusory, Data Protection.