Galia Mancheva's blog

LIBE hearing on electronic mass surveillance of EU citizens

Galia Mancheva — Thu, 05 Dec 2013 18:54:52 +0000

Language English

So what happened at the LIBE hearing on mass e-surveillance of EU citizens?

All in all as in most of the cases, The Commission came to present their reports and analytics, and took a good amount of bulling from the Parliament for the insufficient work. That is, of course, very summarized overview of what happened.

One of the major topics was the effect Snowden’s revelations had on the relationship between EU and US and more specifically what is the impact of his disclosures on some of the agreements EU has signed with US, such as the safe-harbor, the TFTP and the PNR agreement for exchanging data. Their usefulness for EU was questioned and one main point was made from a lot of MEPs. Should we completely suspend those agreements and review the statuses of all the transatlantic agreements EU currently participates in, together with US, or should we keep on doing nothing about it, as the Commission’s report suggest by stating that no damages have been detected by the mass surveillance.

Outrageous, isn’t it?

So, European Parliament represented by the MEPs was reminding that the safe-harbor agreement puts in place compatible amount of data to be transferred and how the basic clauses have to be respected, which should mean that personal data related to citizens of the Member States have to be protected accordingly. Personally I believe that the proposed approaches by the Commission are not satisfactory and the Parliament already feels the safe-harbor agreement is no longer safe. There mining data possibilities have 2 negatives: the illegal possibilities, and data mining through companies themselves that already have stored data. Companies are keeping and mining data for different commercial purposes. The majority of the MEPs at the EU Parliament agree the safe harbor agreement should be suspended and replaced by a new one. But the other, also reasonable argument, the Commission has against the suspension of the agreement, is the fact that the suspension of any agreement would also have economic consequences, and not just political: “If we were to suspend the agreement or recall it, there will be quite an impact on the companies involved in that agreement. In the long term we have to ensure the citizens are better protected in a more serious way.”- The Commission’s representative says.

The second agreement a lot of MEPs expressed desire to be suspended is the TFTP agreement. It is about the relations between EU and US and the payments and transactions data from one country to another, and its initial purpose is fighting terrorism. Here I would like to directly quote one of the Parliament’s representatives: “American authorities said there is no justification for the suspending of this agreement. However, if we look at the implications of the terrorist attack of the 9/11 and the financial flows running related to those activities, we have to come with a proposal of legal and technical document that is focusing on that field. We have to make sure this agreement is shaped in a way that we have ensured protection of privacy. At the moment the agreement doesn’t target that particular goal. On one hand we have the security of the citizens, but on the other hand we need to clarify how to enter an agreement with US knowing the situation is not the one we would like it to be. So how do we do that? The agreement says that when there is a breach of the agreement it can be suspended, but there is no indication of what should happen when a misuse of data is detected. If we suspend safe harbor, that may boost the credibility of EU authority and help us restore the trust and confidence in our actions. It could also increase the protection level of personal data and will give European authorities the ability to react when there is a misuse of data.”

Having said that I wonder in case safe-harbor agreement is suspended, is there a need for creating a new one, and for what purposes? The legal consequences form NSA affair should also be taken under consideration. Normally it should be in the power of the European Parliament to decide to call for the suspension of this agreement. Since the agreement has existed many have questioned its nature. What is also very interesting to know is that The Commission hasn’t introduced any report on what and how many data has been collected in violation of this agreement.

Others also questioned the existence of the PNR data protection. And additional reasons for its suspension are the budget the member states involved are currently paying and would continue doing so. Because, to be honest, why a country should dedicate budget for something which existence is under question to begin with? Since its initial concept to be used for fighting terrorism is beyond doubtful, shouldn’t it be canceled immediately? We heard how effective this mass surveillance has been numerous times, while there are no records of actual attacks that have prevented/detected thanks to it. The TFTP has also affected exactly 0 attacks. The same would apply to PNR. It seems like those programs are not having any positive effect at all.

Sophie in’t Veld said something very important that we should all have in our minds: “If we allow the massive collection of personal data, then the other side of the coin is transparency. If we give powers to authorities, then we need to give powers to the citizens, as well, against mistakes, abuse and misuse of powers. In practice those agreements are useless, because every time there is any kind of impact of relations, any document related to those relations, those documents are automatically classified as secret.”

to be continued...

Letter of complaint regarding Octopus Cyber Crime Conference

Galia Mancheva — Mon, 02 Dec 2013 14:45:16 +0000

Language English

The Council of Europe is holding a Conference under the name “Octopus Conference Cooperation against Cybercrime” between 4 – 6 December 2013 in Strasbourg, France as its main focus would be on building safeguards and data protection tools and policies. The Conference is also hosting few workshops on policies and initiatives on cybercrime of international and private sector organisations; transborder access to data; protecting children against sexual exploatation; international cooperation for data preservation and cybercrime legislation in Asia/Pacific region.

Amelia wanted to participate and in particular she wanted to attend the discussions regarding the Budapest Cybercrime Convention, and so she registered for the event in her capacity of MEP especially active in that particular field, but she was rejected participation.

As a response to her rejection, she wrote the following Letter of Complaint to the organizers, the Council of Europe, COE (not to be confused with European Council)

Letter of complaint regarding Octopus Cyber Crime Conference

Dear Honourable Secretary-General Mr Thorbjørn Jagland,

The Budapest Cyber Crime Convention has been defining for Internet development and opportunities for industry for more than 10 years. It's an important issue, and concerns both the trust and the confidence for the markets of the European Union.

The Convention has been controversial and caused concern for both human rights and industry in every country where it is implemented. As a Member of the European Parliament following closely issues of industry and market developments in the online environment, I have inquired in various places about the Convention but was given the impression that no revision process was upcoming due to its controversial nature.

It was a a surprise when I learned that the Council of Europe is indeed organizing regular conferences in Strasbourg to establish additional protocols to the Convention.
Unfortunately, those initiatives do not seem to assess the importance of the recent revelations of mass surveillance and their harmful impact on human rights. They rather seem to fail putting those human rights as well as a friendly environment for European business at the centre of the internet reforms

To further my concerns, the Council of Europe has rejected my participation in this meeting. It is disappointing to learn that the Octopus conference restricts the access of democratically elected European representatives to its proceedings. It is also my concern that this undermines the democratic legitimacy of the process.

With strong concerns raised by both European citizens, civil society and European industries on the topics addressed at the Octopus Conference, it seems both appropriate and relevant to ensure the participation of democratically elected representatives from the European level.

It is my expectation that the Secretary-General will take a personal interest in this issue, and ensure a fair and balanced participation of many different parties in discussions leading towards a Cyber Crime Convention reform from now on.

I would like to thank you, Mr Secretary General, for the attention you will give to my letter.

Sincerely Yours,

Amelia Andersdotter
Member of the European Parliament
Piratpartiet, Sweden

SAAB Annual Seminar: Virtual Integrity and e-espionage. Can we tame the internet?

Galia Mancheva — Thu, 21 Nov 2013 18:32:18 +0000

Language English

Yesterday I went to an interesting SAAB seminar "Virtual Integrity and e-espionage. Can we tame the internet?" with very intriguing guest speakers.

Paul Nemitz, Director Fundamental Rights & Union Citizenship at the European Commission was having an intense discussion with Dorothee Belz, Associate General Counsel for Europe at Microsoft, over why the cyber space is insecure and who, and how should tame it and ensure its security.

From one side Mr. Nemitz was defending the rule of law position, stating that policy makers determine the direction nowadays technology takes and industry should follow (the rule of democracy) and from the opposite side, Mrs Belz defending the position that since current laws are lagging behind with the so needed amendments, the “wild, wild west” principle, naturally turns technologies into law makers.

Some curious questions about how to establish a balance between the technological development and democratic lawmaking without damaging techno progress, derived from their argumentations. Statements that current rules obviously need moderation and transformation to deliver real protection was also heard, and how industry and legislators can work together towards building stable long term protection policies was one of the main topics.

Since technological development is outrunning and therefore changing the rules, and as Mrs Belz also accurately pointed, personal data has become the currency in the business-citizen relationship, is cyber security governable at all? Were the so called “customers” aware they are using services free of charge, only because they are paying them with their very personal information, before the NSA scandals? But is that the real question, at all?

A lot was also said by Mr. Nemitz, following the thesis that the industry is usually opposing potential regulations by lobbing their proposals in favor of their own businesses, of course, and by often requesting postponements when the final results are not what they wanted.

And he was speaking the truth.

In 2002 The European Commission issued a Directive, adopted by the member states, where tracking online user’s activity (like installing cookies) without their consent, is not allowed. Since then, a working group has been set for defining the technical mechanisms. Representatives of the advertising industry as well as the software industry are also part of this group. It is 2013 and there are still no mechanism negotiated. This is the type of postponing Mr Nemitz was talking about.

In the meantime thanks to whistleblowers like Chelsea Manning, Edward Snowden and others that delivered to the public knowledge information about the dimensions of the biggest massive collection of personal data in human history, we realized what really was going on. Companies delivering their customers’ data to the secret services. Companies, deliberately building up backdoors in their own systems, softwares and hardwares, allowing undisturbed monitoring of common citizens, politicians, ministers, policy makers, entrepreneurs … simplified: everyone.

Of course, the Microsoft representative denied it all. But if Linus Torvalds, the developer of Linux, was approached by NSA and asked to build backdoors into GNU/Linux, why would Microsoft be an exception?

I should also mention that just 12 hours later (not too long after) the French newspaper Mediapart published a list with names of MEPs whose emails have been hacked, thanks to the mare fact that since Microsoft system does not allow encryption, their emails can never be entirely secure. And European Parliament is barely the only European Institution using Microsoft products and services.

It was just few months ago, when another spying scandal shook EU – GCHQ has hacked Belgacom’s system, successfully installing a malware and mining data for at least 6 months. Belgacom is Belgium's largest telecom operator and all Brussels-based EU institutions are its clients, hence the majority of people working in those institutions.

Of course, Belgacom denied having enough evidences that UK secret services were involved, but they very clearly pointed out, “the people that developed the software used for the attack have very detailed, deep and broad knowledge, with highly sophisticated knowledge base and technology. And obviously the hackers have the kind of a solid financial power behind them, that only governments can posses.”

Belgacom could not point GCHQ as the perpetrator, but the documents leaked by Snowden provide us with enough evidences that not only UK secret services were involved in this cyber attack, but once again they played the Trojan horse in the European Union by serving NSA and US interests with anything they want.

Wrapping it up: Member States spy on each other, selling data to 3^rd parties (secret services); Secret services blackmailing corporations for purposely building insecure services; Industry collecting people’s online activity for “advertising and marketing” purposes also ends up selling it to the secret services…

In those circumstances, is building a real adequate policy protecting citizen’s data a goal at all?

The real question is, is there anybody that really wants protected data?

Do governments want it? Does the industry want it?

And who is ruling the world? The secret services?