Rina Steenkamp - Privacy and technology
[Making sense of the NSA metadata collection program | Mass surveillance of personal data by EU member states and its compatibility with EU law | The aerial gaze: regulating domestic drones in the UK | [Unmanned aircraft systems integration roadmap] | The data surveillance state in the US and Europe | What the government does with Americans' data | Defining the surveillance state | Cyber liability & data breach insurance claims - A study of actual claim payouts | Recommended cryptographic measures - Securing personal data | Meet "badBIOS," the mysterious Mac and PC malware that jumps airgaps | Towards a more dynamic transatlantic area of growth and investment | Hands off encryption! Say new amici briefs in Lavabit case | Mobile location analytics code of conduct | Ten steps you can take right now against internet surveillance | Data brokers and the federal government - A new front in the battle for privacy opens | The real privacy problem | Algorithms, key sizes and parameters report - 2013 recommendations | EU legislative process updates]
A series of blog posts by Stephen Schulhofer (Just Security).
From part I:
"As most people on the planet now know, the National Security Agency obtains detailed records of the 'metadata' of essentially every call – domestic and international – made by every person in the U.S. Metadata do not reveal the content of a call but do reveal virtually everything else about it – the numbers called, the source of incoming calls received, the time and duration of each call, comprehensive communications routing information, and other non-content details. The Agency retains that information in a comprehensive database for at least five years, and analysts dip into the data to trace suspicious patterns and links to other numbers when (but, in principle, only when) analysts have reasonable suspicion to believe that a particular phone number is associated with terrorist activity. I do not question the potential contributions of the NSA program; intelligence collection of this sort clearly can serve valuable counterterrorism purposes. But Americans who accept the usefulness of the program and give great weight to its potential payoffs must nonetheless focus their attention on the competing values implicated by a broad governmental effort to sweep up and retain this kind of information. [...] In this post, the first of a two-part series, I want to discuss the constitutional concerns about the NSA program, but highlight an area of Fourth Amendment jurisprudence often overlooked in the current debate: the Supreme Court's precedents regarding 'administrative' searches. In Part II, I will turn to several broader issues that not only inform the constitutional analysis but also are of more immediate concern because they shape public opinion and the possibilities for a legislative response in the near future. 
Those concerns include, most importantly, whether the NSA program (regardless of its constitutionality) (i) faces adequate oversight; (ii) is sufficiently transparent; and (iii) needlessly endangers such values as a free press, the spaces available for creativity and dissent, and the everyday effectiveness of our democracy."
A paper by Didier Bigo, Sergio Carrera, Nicholas Hernanz, Julien Jeandesboz, Joanna Parkin, Francesco Ragazzi, and Amandine Scherrer.
From the Abstract:
"In the wake of the disclosures surrounding PRISM and other US surveillance programmes, this paper assesses the large-scale surveillance practices by a selection of EU member states: the UK, Sweden, France, Germany and the Netherlands. Given the large-scale nature of these practices, which represent a reconfiguration of traditional intelligence gathering, the paper contends that an analysis of European surveillance programmes cannot be reduced to a question of the balance between data protection versus national security, but has to be framed in terms of collective freedoms and democracy."
A blog post by Lachlan Urquhart (SCL).
From the text:
"The emerging range of security, law enforcement and civilian applications for unmanned aerial systems (UAS) increasingly moves them beyond the confines of international military campaigns. Unarmed 'domestic drone' uses in national airspace pose a number of challenges to current state regulatory frameworks for privacy, surveillance and aviation safety. Furthermore, the aircraft vary significantly in size, technical capabilities and applications, resulting in a broad and unpredictable variety of new problems. This article seeks to anticipate a number of UK legal issues and tentatively proposes approaches that provide scope to establish a fragmented legal framework."
Policy documents by the Federal Aviation Administration.
From the press release:
"The FAA plans to select six [unmanned aircraft systems - UAS] test sites to begin work on safely integrating UAS into the airspace. These congressionally-mandated test sites will conduct critical research into how best to safely integrate UAS systems into the national airspace over the next several years and what certification and navigation requirements will need to be established. The use of UAS, both at the designated test sites and in the national airspace generally, raises the issue of privacy and protection of civil liberties. In February, the FAA asked for public comments specifically on the draft privacy requirements for the six test sites. Today, the agency sent a final privacy policy to the Federal Register that requires test site operators to comply with federal, state, and other laws on individual privacy protection, to have a publicly available privacy plan and a written plan for data use and retention, and to conduct an annual review of privacy practices that allows for public comment."
An essay by Joel Reidenberg.
Abstract:
"The democracies on both sides of the Atlantic are trying to balance the legitimate needs of the law enforcement and intelligence communities to access online transactional data with the basic rights of citizens to be free from state intrusions on their privacy. From the recent revelations of massive collection of telecommunications data by the US government to the disclosures of the UK tapping transatlantic telecommunications cables, and of the Swedish government's warrantless wiretap rules, national data surveillance seems to have few boundaries that the law has effectively protected. American law has generally focused on access restraints for government to obtain privately held information, ignored the collection and storage of data, and granted special privileges to national security actors. By contrast, Europe emphasizes rules related to the collection and retention of data and focuses less on due process obstacles for government access, while also giving government easier access for national security. In each system, the elusive linkage between retention and access, the privatization of state surveillance activity, and flawed oversight for national security create extensive transparency of citizen's data and undermine values of democracy including the presumption of innocence, the state's monopoly on law enforcement, and the zone of individual freedom. In effect, government data surveillance law in both Europe and the United States has reached a turning point for the future of information privacy online. Three proposals can help to secure privacy that is necessary to preserve democratic values: stricter retention limits must be combined with stronger access controls; government access to personal information must be logged and transparent to citizens; and government officials must be personally liable for over-reaching behavior."
A report by Rachel Levinson-Waldman (Brennan Center for Justice).
From 'I. Introduction':
"The attacks of September 11, 2001, and the intelligence failures preceding them, sparked a call for greater government access to information. Across a range of laws and policies, the level of suspicion required before law enforcement and intelligence agencies could collect information about U.S. persons was lowered, in some cases to zero. [...] The result is not merely the collection of large amounts of information, but a presumptive increase in the quantity of information that reflects wholly innocuous, and in some cases constitutionally protected, activity. Other publications, including reports issued by the Brennan Center, have addressed whether lowering the threshold for suspicion to collect information poses an undue risk to civil liberties. This report addresses a separate question: Regardless of whether the expansion of the government's domestic information collection activity can be expected to yield enough additional 'hits' to justify its various costs, how do federal agencies deal with the apparent 'misses' - the stores of information about Americans that are swept up under these newly expanded authorities and that do not indicate criminal or terrorist behavior?"
A blog post by Dr Gus Hosein (Privacy International).
From the text:
"Just search for the term 'surveillance state' and you'll pull up various uses of the term or news articles citing the phrase. In some respects, this newfound concern can't be a surprise; given vast new amounts of information in the public sphere since the Edward Snowden leaks began in June. However, it is critical to nail down the exact meaning of the term, so as the public and governments have the debate over State spying, we can actually know what we're talking about. Most importantly, this will help us push back against it."
A report by Mark Greisiger (NetDiligence).
From the Introduction:
"For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, the cause of loss and the business sector in which the incident occurred. For the first time, this year we also looked at the size of the affected organization. We then looked at the costs associated with Crisis Services (forensics, notification, credit monitoring, and legal counsel), Legal (defense and settlement), and Fines (PCI & regulatory). This report summarizes our findings for a sampling of 145 data breach insurance claims, 140 of which involved the exposure of sensitive data in a variety of sectors, including government, healthcare, hospitality, financial services, professional services, retail and many more."
A report by Vincent Rijmen, Daniel de Cock, and Nigel P. Smart (ENISA).
From the Executive Summary:
"This document addresses the protection measures applied to safeguard sensitive and/or personal data, which has been acquired legitimately by a data controller. In this respect it discusses how information technology users, who have a basic knowledge of information security, can employ cryptographic techniques to protect personal data. Finally, it addresses the need for a minimum level of requirements for cryptography across European Union (EU) Member States (MSs) in their effort to protect personal and/or sensitive data."
An article by Dan Goodin (Ars Technica).
From the article:
"Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours."
A speech by Viviane Reding (European Commission).
From the speech:
"The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs. But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data. This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe's fundamental values or our common understanding of a free society. This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable."
A blog post by Jennifer Granick (Just Security).
From the blog post:
"The Fourth Circuit Court of Appeals is in the process of deciding the first legal challenge to government seizure of the master encryption keys that secure our communications with web sites and email servers. The case could decide the future reliability of encryption protocols to protect all Internet communications. While the government wants these keys to decrypt user information, there is really no acceptable way for the Court to order a secure communications service to break its encryption protocol. The danger to innocent users is too great, and there are network effects that would shatter critical trust in SSL implementation as a whole."
A publication by the Future of Privacy Forum.
Preamble:
"Mobile Location Analytics (MLA) provides technological solutions for Retailers by developing aggregate reports used to reduce waiting times at check-out, to optimize store layouts and to understand consumer shopping patterns. The reports are generated by recognizing the Wi-Fi or Bluetooth MAC addresses of cellphones as they interact with store Wi-Fi networks. Given the potential benefits that Mobile Location Analytics may provide to businesses and consumers, it is important that these practices are subject to privacy controls and are used responsibly to improve the consumer shopping experience. This Code puts such data protection standards in place by requiring transparency and choice for Mobile Location Analytics."
A blog post by Danny O'Brien (EFF).
From the blog post:
"One of the trends we've seen is how, as the word of the NSA's spying has spread, more and more ordinary people want to know how (or if) they can defend themselves from surveillance online. But where to start? The bad news is: if you're being personally targeted by a powerful intelligence agency like the NSA, it's very, very difficult to defend yourself. The good news, if you can call it that, is that much of what the NSA is doing is mass surveillance on everybody. With a few small steps, you can make that kind of surveillance a lot more difficult and expensive, both against you individually, and more generally against everyone."
A report by Robert Gellman and Pam Dixon (World Privacy Forum).
From 'Background of Report':
"This report focuses on government use of commercial data brokers, the implications for that usage, and what needs to be done to address privacy problems. The government must bring itself fully to heel in the area of privacy. If it is going to outsource its data needs to commercial data brokers, it needs to attach the privacy standards it would have been held to if it had collected the data itself. Outsourcing is not an excuse for evading privacy obligations. This report discusses new Office of Management and Budget (OMB) guidance for an initiative (Do Not Pay Initiative) that on one hand provides for expanded use of commercial data brokers by federal agencies and on the other it establishes new privacy standards for the databases used in the Initiative. Although incomplete, its extension of privacy standards to commercial databases purchased by the federal government is groundbreaking. As such, this report recommends that OMB should expand its new guidance to cover all government data purchases, bartering, and exchanges from commercial data brokers and databases containing personal information. The problems created by unregulated government use of commercial data sources need to be seen clearly and addressed directly."
An article by Evgeny Morozov (MIT Technology Review).
From the article:
"Few of us have had moral pangs about data-sharing schemes, but that could change. Before the environment became a global concern, few of us thought twice about taking public transport if we could drive. Before ethical consumption became a global concern, no one would have paid more for coffee that tasted the same but promised 'fair trade.' Consider a cheap T-shirt you see in a store. It might be perfectly legal to buy it, but after decades of hard work by activist groups, a 'Made in Bangladesh' label makes us think twice about doing so. Perhaps we fear that it was made by children or exploited adults. Or, having thought about it, maybe we actually do want to buy the T-shirt because we hope it might support the work of a child who would otherwise be forced into prostitution. What is the right thing to do here? We don't know - so we do some research. Such scrutiny can't apply to everything we buy, or we'd never leave the store. But exchanges of information - the oxygen of democratic life - should fall into the category of 'Apply more thought, not less.' It's not something to be delegated to an 'electronic butler' - not if we don't want to cleanse our life of its political dimension."
A study by Nigel P. Smart, Vincent Rijmen, Bogdan Warinschi and Gaven Watson (ENISA).
From the overview page:
"This document collates a series of recommendations for algorithms, keysizes, and parameter recommendations. It addresses the need for a minimum level of requirements for cryptography across European Union (EU) Member States (MSs) in their effort to protect personal and sensitive data of the citizens."
Overview page with links to relevant websites and documents, by Wilson Sonsini Goodrich & Rosati, LLP.
From the page:
"The Draft Regulation is currently in the ordinary legislative process and has to be approved by both the European Parliament and the Council in order to become law. The legislative process should be concluded by mid-2014, with the Regulation coming into force two years after that. Below are some relevant updates: [...]"