Who Controls People’s Data?

The McKinsey Global Institute estimates that cross-border flows of goods, services and data added 10 per cent to global gross domestic product in the decade to 2015, with data providing a third of that increase. That share of the contribution seems likely to rise: conventional trade has slowed sharply, while digital flows have surged. Yet as the whole economy becomes more information-intensive — even heavy industries such as oil and gas are becoming data-driven — the cost of blocking those flows increases…

Yet that is precisely what is happening. Governments have sharply increased “data localisation” measures requiring information to be held in servers inside individual countries. The European Centre for International Political Economy, a think-tank, calculates that in the decade to 2016, the number of significant data localisation measures in the world’s large economies nearly tripled from 31 to 84.

Even in advanced economies, exporting data on individuals is heavily restricted because of privacy concerns, which have been highlighted by the Facebook/Cambridge Analytica scandal. Many EU countries have curbs on moving personal data even to other member states. Studies for the Global Commission on Internet Governance, an independent research project, estimate that current constraints — such as restrictions on moving data on banking, gambling and tax records — reduce EU GDP by half a per cent.

In China, the champion data localiser, restrictions are even more severe. As well as long-established controls over technology transfer and state surveillance of the population, such measures form part of its interventionist “Made in China 2025” industrial strategy, designed to make it a world leader in tech-heavy sectors such as artificial intelligence and robotics.

China’s Great Firewall has long blocked most foreign web applications, and a cyber security law passed in 2016 also imposed rules against exporting personal information, forcing companies including Apple and LinkedIn to hold information on Chinese users on local servers. Beijing has also given itself a variety of powers to block the export of “important data” on grounds of reducing vaguely defined economic, scientific or technological risks to national security or the public interest. “The likelihood that any company operating in China will find itself in a legal blind spot where it can freely transfer commercial or business data outside the country is less than 1 per cent,” says ECIPE director Hosuk Lee-Makiyama….

Other emerging markets, such as Russia, India, Indonesia and Vietnam, are also leading data localisers. Russia has blocked LinkedIn from operating there after it refused to transfer data on Russian users to local servers.

Business organisations including the US Chamber of Commerce want rules to restrain what they call “digital protectionism”. But data trade experts point to a serious hole in global governance, with a coherent approach prevented by different philosophies between the big trading powers. Susan Aaronson, a trade academic at George Washington University in Washington, DC, says: “There are currently three powers — the EU, the US and China — in the process of creating separate data realms.”

The most obvious way to protect international flows of data is in trade deals — whether multilateral, regional or bilateral. Yet only the World Trade Organization laws governing data flows predate the internet and have not been thoroughly tested through litigation. It recently recruited Alibaba co-founder Jack Ma to front an ecommerce initiative, but officials involved admit it is unlikely to produce anything concrete for a long time. In any case, Prof Aaronson says: “While data has traditionally been addressed in trade deals as an ecommerce issue, it goes far wider than that.”

The internet has always been regarded by pioneers and campaigners as a decentralised, self-regulating community. Activists have tended to regard government intervention with suspicion, except for its role in protecting personal data, and many are wary of legislation to enable data flows.  “While we support the approach of preventing data localisation, we need to balance that against other rights such as data protection, cyber security and consumer rights,” says Jeremy Malcolm, senior global policy analyst at the Electronic Frontier Foundation, a campaign for internet freedom…

Europe has traditionally had a very different philosophy towards data and privacy than the US. In Germany, for instance, public opinion tends to support strict privacy laws — usually attributed to lingering memories of surveillance by the Stasi secret police in East Germany. The EU’s new General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, imposes a long list of requirements on companies processing personal data on pain of fines that could total as much as 4 per cent of annual turnover…. But trade experts warn that the GDPR is very cautiously written, with a blanket exemption for measures claiming to protect privacy. Mr Lee-Makiyama says: “The EU text will essentially provide no meaningful restriction on countries wanting to practice data localisation.”

Against this political backdrop, the prospects for broad and binding international rules on data flow are dim. …In the battle for dominance over setting rules for commerce, the EU and US often adopt contrasting approaches.  While the US often tries to export its product standards in trade diplomacy, the EU tends to write rules for itself and let the gravity of its huge market pull other economies into its regulatory orbit. Businesses faced with multiple regulatory regimes will tend to work to the highest standard, known widely as the “Brussels effect”.  Companies such as Facebook have promised to follow GDPR throughout their global operations as the price of operating in Europe.

Excerpts from Data protectionism: the growing menace to global business, Financial Times, May 13, 2018

Drone Strikes: How to Deal with Surgically Implanted Explosive Devices

Menwith Hill, a Royal Air Force station near Harrogate, North Yorkshire, England, has been described as the largest electronic monitoring station in the world.

The documents, provided to the Guardian by NSA whistleblower Edward Snowden and reported in partnership with the New York Times, discuss how a joint US, UK and Australian programme codenamed Overhead supported the strike in Yemen in 2012….

British officials and ministers follow a strict policy of refusing to confirm or deny any support to the targeted killing programme, and evidence has been so scant that legal challenges have been launched on the basis of single paragraphs in news stories.

The new documents include a regular series of newsletters – titled Comet News – which are used to update GCHQ personnel on the work of Overhead, an operation based on satellite, radio and some phone collection of intelligence. Overhead began as a US operation but has operated for decades as a partnership with GCHQ and, more recently, Australian intelligence.

The GCHQ memos, which span a two-year period, set out how Yemen became a surveillance priority for Overhead in 2010, in part at the urging of the NSA, shortly after the failed 2009 Christmas Day bomb plot in which Umar Farouk Abdulmutallab attempted to detonate explosives hidden in his underpants on a transatlantic flight.  Ten months later a sophisticated plot to smuggle explosives on to aircraft concealed in printer cartridges was foiled at East Midlands airport. Both plots were the work of al-Qaida in the Arabian Peninsula (AQAP), the Yemen-based al-Qaida offshoot.

One Comet News update reveals how Overhead’s surveillance networks supported an air strike in Yemen that killed two men on 30 March 2012. The men are both described as AQAP members.  In the memo, one of the dead men is identified as Khalid Usama – who has never before been publicly named – a “doctor who pioneered using surgically implanted explosives”. The other is not identified…

US officials confirmed to Reuters in 2012 that there had been a single drone strike in Yemen on 30 March of that year. According to a database of drone strikes maintained by the not-for-profit Bureau of Investigative Journalism, the only incident in Yemen on that date targeted AQAP militants, causing between six and nine civilian casualties, including six children wounded by shrapnel.  Asked whether the strike described in the GCHQ documents was the same one as recorded in the Bureau’s database, GCHQ declined to comment.

The incident is one of more than 500 covert drone strikes and other attacks launched by the CIA and US special forces since 2002 in Pakistan, Yemen and Somalia – which are not internationally recognised battlefields.  The GCHQ documents also suggest the UK was working to build similar location-tracking capabilities in Pakistan, the country that has seen the majority of covert strikes, to support military operations “in-theatre”.

A June 2009 document indicates that GCHQ appeared to accept the expanded US definition of combat zones, referring to the agency’s ability to provide “tactical and strategic SIGINT [signals intelligence] support to military operations in-theatre, notably Iraq and Afghanistan, but increasingly Pakistan”. The document adds that in Pakistan, “new requirements are yet to be confirmed, but are both imminent and high priority”….

By this point NSA and GCHQ staff working within the UK had already prioritised surveillance of Pakistan’s tribal areas, where the majority of US covert drone strikes have been carried out. A 2008 memo lists surveillance of two specific sites and an overview of satellite-phone communications of the Federally Administered Tribal Areas, in which nearly all Pakistan drone strikes have taken place, among its key projects.

British intelligence-gathering in Pakistan is likely to have taken place for a number of reasons, not least because UK troops in Afghanistan were based in Helmand, on the Pakistani border. One of the teams involved in the geo-location of surveillance targets was codenamed “Widowmaker”, whose task was to “discover communications intelligence gaps in support of the global war on terror”, a note explains.

Illustrating the close links between the UK, US and Australian intelligence services, Widowmaker personnel are based at Menwith Hill RAF base in Yorkshire, in the north of England, in Denver, Colorado, and in Alice Springs in Australia’s Northern Territory.

Other Snowden documents discuss the difficult legal issues raised by intelligence sharing with the US….The UK has faced previous legal challenges over the issue. In 2012, the family of a tribal elder killed in Pakistan, Noor Khan, launched a court case in England in which barristers claimed GCHQ agents who shared targeting intelligence for covert strikes could be “accessory to murder”. Judges twice refused to rule on the issue on the grounds it could harm the UK’s international relations.

Excerpts from Alice Ross and James Ball, GCHQ documents raise fresh questions over UK complicity in US drone strikes, Guardian, June 24, 2015

The Cyber-Intelligence Ruling Class

...[The] Intelligence National Security Alliance. INSA is a powerful but little-known coalition established in 2005 by companies working for the National Security Agency. In recent years, it has become the premier organization for the men and women who run the massive cyberintelligence-industrial complex that encircles Washington, DC…[One such company is founded by] former Navy SEAL named Melchior Baltazar, the CEO of an up-and-coming company called SDL Government. Its niche, an eager young flack explained, is providing software that military agencies can use to translate hundreds of thousands of Twitter and Facebook postings into English and then search them rapidly for potential clues to terrorist plots or cybercrime.

It sounded like the ideal tool for the NSA. Just a few months earlier, Snowden had leaked documents revealing a secret program called PRISM, which gave the NSA direct access to the servers of tech firms, including Facebook and Google. He had also revealed that the NSA and its British counterpart, the GCHQ, had special units focused on cracking encryption codes for social media globally….

This small company, and INSA itself, are vivid examples of the rise of a new class in America: the cyberintelligence ruling class.  These are the people—often referred to as “intelligence professionals”—who do the actual analytical and targeting work of the NSA and other agencies in America’s secret government. Over the last 15 years, thousands of former high-ranking intelligence officials and operatives have left their government posts and taken up senior positions at military contractors, consultancies, law firms, and private-equity firms. In their new jobs, they replicate what they did in government—often for the same agencies they left. But this time, their mission is strictly for-profit.

Take Olsen, who served as general counsel for the NSA and as a top lawyer for the Justice Department before joining the National Counter-Terrorism Center (NCTC). He is now the president for consulting services of IronNet Cybersecurity, the company founded last year by Army Gen. Keith Alexander, the longest-serving director in the history of the NSA. The firm is paid up to $1 million a month to consult with major banks and financial institutions in a “cyber war council” that will work with the NSA, the Treasury Department, and other agencies to deter cyberattacks that “could trigger financial panic,” Bloomberg reported last July 2014.

Some members of this unique class are household names. Most cable-news viewers, for example, are familiar with Michael Chertoff and Michael Hayden, two of the top national-security officials in the Bush administration. In 2009, they left their positions at the Justice Department and the NSA, respectively, and created the Chertoff Group, one of Washington’s largest consulting firms, with a major emphasis on security…

Well, enough, you might say: Isn’t this simply a continuation of Washington’s historic revolving door? The answer is no. As I see it, the cyberintelligence-industrial complex is qualitatively different from—and more dangerous than—the military-industrial complex identified by President Eisenhower in his famous farewell address. This is because its implications for democracy, inequality, and secrecy are far more insidious…. To confront the surveillance state, we also have to confront the cyberintelligence ruling class and expose it for what it really is: a joint venture of government officials and private-sector opportunists with massive power and zero accountability.

Excerpts from Tim Shorrock, How Private Contractors Have Created a Shadow NSA, Nation, May 27, 2015.

A Naked World

Were it not for Edward Snowden or someone like him, the N.S.A. would likely still be collecting the records of almost every phone call made in the United States, and no one outside of government would know it. A handful of civil-liberties-minded representatives and senators might drop hints in hearings and ask more pointed questions in classified settings. Members of the public would continue making phone calls, unaware that they were contributing to a massive government database that was supposedly intended to make their lives safer but had not prevented a single terrorist attack. And, on Monday, June 1, 2015, the government’s Section 215 powers, used to acquire records from hundreds of billions of phone calls, among other “tangible things,” would be quietly renewed.

Snowden shouldn’t have been necessary. The Foreign Intelligence Surveillance Court (or FISA Court), which evaluates Section 215 requests, is supposed to be interpreting the law to make sure that government surveillance doesn’t go outside of it. Congressional intelligence committees, which review the activities of the N.S.A., are supposed to be providing some oversight. The N.S.A. itself reports to the Department of Defense, which reports to the White House, all of which have dozens of lawyers, who are all supposed to apply the law. The government, in other words, is supposed to be watching itself…

The government enshrouds the details of its surveillance programs in a technical vocabulary (“reasonable articulable suspicion,” “seeds,” “queries,” “identifiers”) that renders them too dull and opaque for substantive discussion by civilians. …Little is known about how other authorities, including Executive Order 12333, which some consider the intelligence community’s most essential charter, are being interpreted to permit spying on Americans. And a redacted report, released last week by the Department of Justice’s Office of the Inspector General, hints at how much we still don’t know about Section 215. Nearly two years into the congressional debate over the use and legality of Section 215, the report provides the first official confirmation that the “tangible things” obtained by the F.B.I. through Section 215 include not just phone metadata but “email transactional records” and two full lines of other uses, all of which the F.B.I. saw fit to redact.

Excerpts from Mattathias Schwartz, Who Needs Edward Snowden?, New Yorker, May 28, 2015

Iceland as a Privacy Haven?

A former NATO airbase in Iceland looks like nothing more than a huge warehouse from the outside. But the barbed-wire fence surrounding it and surveillance cameras atop its gates betray its importance. This facility, which began operating in February 2012, is one of several data centres in Iceland. It’s run by Verne Global, a company that allows its customers to store data on servers here.

Tate Cantrell, the company’s chief technical officer, explained why Verne Global favoured this tiny Nordic nation of all places. “In Iceland, you’ve got this ideal situation: energy, excellent connectivity for data, and a constant cool climate. So Iceland was an obvious choice.”  Iceland’s abundant renewable energy from geothermal and hydroelectric plants means the costs of running these data centres are low. And the Gulf Stream current keeps the temperature in Iceland more or less stable throughout the year, avoiding the need to provide cooling for the servers and computers.

Data centres based here have another advantage, too: Iceland is in the initial stage of implementing the most progressive data-privacy laws in the world, a major selling point especially after whistleblower Edward Snowden’s revelations regarding widespread surveillance by the United States’ National Security Agency (NSA).  A recent paper published by Verne Global stated that Iceland was “uniquely positioned as a data privacy haven” because of the new regulations.

The International Modern Media Institute (IMMI), a non-profit organisation, has played an instrumental role in designing and promoting the legal framework for Iceland’s new data privacy laws…. Birgitta Jónsdóttir is IMMI’s spokeswoman and now represents the Pirate Party in the Icelandic parliament. In 2010, the IMMI, then known as the Icelandic Modern Media Initiative, proposed a resolution to change Icelandic law to ensure data privacy and freedom of speech. The proposal includes protection for whistleblowers and journalists’ sources, as well as an “ultra-modern Freedom of Information Act” based on elements from existing laws in Estonia, the United Kingdom, and Norway. The data centres would benefit from a clause in the law that ensures the protection of intermediaries such as internet service providers and telecommunications carriers. The resolution was passed by the Icelandic parliament that same year, and is now being implemented into law, piece by piece. “A bit more than half of what IMMI proposed has been made into law – somewhere between 50 and 70 percent,” Jónsdóttir said…

Despite the new measures, Icelandic journalist Jón Bjarki Magnusson said he thinks his country still has a long way to go when it comes to media freedom. “IMMI for me is a bit like a fairy tale, reality on the ground is different from the idea,” he told Al Jazeera at a café in downtown Reykjavik. “I like the idea but Iceland is far from being a haven for free journalism.” Earlier this year, Magnusson worked on an investigative story for DV newspaper, in which he wrongly identified an assistant to Iceland’s interior minister as being under police investigation. Magnusson and his colleagues quickly realised their mistake and issued an apology within a few hours of publishing. But that didn’t stop the official from pressing criminal libel charges against Magnusson and a colleague of his, Johann Pall Johannsson, demanding a sentence of up to two years in prison.

Watchdog group Reporters Without Borders (RSF) has issued a statement condemning the steps against the reporters as disproportionate. The group said that freedom of information in Iceland has declined over the past two years, citing the libel case and budget cuts for public broadcasters.

Excerpt from Felix Gaedtke, Can Iceland become the ‘Switzerland of data’?, Al Jazeera, Dec. 28, 2014

The Equinet: decentralization v. enclosure of internet

“The Internet governance should be multilateral, transparent, democratic, and representative, with the participation of governments, private sector, civil society, and international organizations, in their respective roles. This should be one of the foundational principles of Internet governance,” the external affairs ministry says in its initial submission to the April 23-24 Global Multistakeholder Meeting on the Future of Internet Governance, also referred as NETmundial, in Sao Paulo, Brazil. The proposal for a decentralised Internet is significant in view of Edward Snowden’s Wikileaks revelations of mass surveillance in recent months.

“The structures that manage and regulate the core Internet resources need to be internationalized, and made representative and democratic. The governance of the Internet should also be sensitive to the cultures and national interests of all nations.” “The mechanism for governance of the Internet should therefore be transparent and should address all related issues. The Internet must be owned by the global community for mutual benefit and be rendered impervious to possible manipulation or misuse by any particular stake holder, whether state or non-state,” the ministry note says. NETmundial will see representatives from nearly 180 countries participating to debate the future of Internet…

The US announced last month its intent to relinquish control of a vital part of Internet Corporation for Assigned Names and Numbers (ICANN) – the Internet Assigned Numbers Authority (IANA). “Many nations still think that a multilateral role might be more suitable than a multistakeholder approach and two years back India had proposed a 50-nation ‘Committee of Internet Related Policies’ (CIRP) for global internet governance,” Bhattacharjee added.

The concept of Equinet was first floated by Communications Minister Kapil Sibal in 2012 at the Internet Governance Forum in Baku, Azerbaijan.  Dr. Govind, chief executive officer, National Internet Exchange of India, is hopeful that Equinet is achievable. “Equinet is a concept of the Internet as a powerful medium benefiting people across the spectrum. It is all the more significant for India as we have 220 million Internet users, standing third globally after China and the US.”  “Moreover, by the year-end India’s number of Internet users are expected to surpass that of the US. The word Equinet means an equitable Internet which plays the role of an equaliser in the society and not limited only to the privileged people.”

He said the role of government in Internet management is important as far as policy, security and privacy of the cyber space is concerned, but the roles of the private sector, civil society and other stakeholders are no less. “Internet needs to be managed in a more collaborative, cooperative, consultative and consensual manner.”  Talking about the global strategy of renaming Internet as Equinet, he said: “Globally the US has the largest control over the management of the Internet, which is understandable since everything about Internet started there. Developing countries have still not much say over the global management of the Internet. But it is important that the Internet management be more decentralised and globalised so that the developing countries have more participation, have a say in the management where their consent be taken as well.”  The ministry note said: “A mechanism for accountability should be put in place in respect of crimes committed in cyberspace, such that the Internet is a free and secure space for universal benefaction. A ‘new cyber jurisprudence’ needs to be evolved to deal with cyber crime, without being limited by political boundaries and cyber-justice can be delivered in near real time.”

But other experts doubt the possibility of an Equinet or equalising the Internet globally.  Sivasubramanian Muthusamy, president, Internet Society India, Chennai, who is also a participant in the NETmundial, told IANS that the idea of Equinet is not achievable.  “Totally wrong idea. Internet provides a level playing field already. It is designed and operated to be universally accessible, free and open. Internet as it is operated today offers the greatest hope for developing countries to access global markets and prosper.”  “The idea of proposing to rename the Internet as Equinet has a political motive, that would pave way for telecom companies to have a bigger role to bring in harmful commercial models that would destabilize the open architecture of the Internet. If India is considering such a proposal, it would be severely criticized. The proposal does not make any sense. It is wrong advice or misplaced input that must have prompted the government of India to think of such a strange idea,” he said.

Excerpt from India wants Internet to become Equinet, Business Standard, Apr. 20, 2014

The Nationalization of Internet: example 1

The Swiss government has ordered tighter security for its own computer and telephone systems that could block foreign companies from key technology and communications contracts.  The governing Federal Council’s decision Wednesday cited concerns about foreign spies targeting Switzerland.

National Security Agency leaker Edward Snowden, who worked for the CIA at the U.S. mission to the U.N. in Geneva from 2007 to 2009, has released documents indicating that large American and British IT companies cooperated with those countries’ intelligence services. According to a Swiss government statement, contracts for critical IT infrastructure will “where possible, only be given to companies that act exclusively according to Swiss law, where a majority of the ownership is in Switzerland and which provides all of its services from within Switzerland’s borders.”

Swiss govt tightens tech security over NSA spying, Associated Press, Feb. 5, 2014