Yahoo Email Scanning May Sink EU Privacy Shield Agreement

from the nsa-fucking-things-up-again dept

After the US/EU “safe harbor” on data protection was tossed out thanks to NSA spying being incompatible with EU rights, everyone had tried to patch things up with the so-called “Privacy Shield.” As we noted at the time, as long as the NSA’s mass surveillance remained in place, the Privacy Shield agreement would fail as well. This wasn’t that difficult to predict.

And there are already some challenges to the Privacy Shield underway, including by Max Schrems, who brought the original challenge that invalidated the old safe harbor. But things may have accelerated a bit this week with the story of Yahoo scanning all emails. This news has woken up a bunch of EU politicians and data protection officials, leading to some serious questions about whether it violates the Privacy Shield agreement.

Johannes Kleis, a spokesman with BEUC, an umbrella group for European consumer organisations, called on other EU data protection authorities to investigate Yahoo.

Fabio de Masi, a German member of the European parliament with the leftist Die Linke party called on the EU high representative for external affairs Federica Mogherini to seek clarification from US authorities about the treatment of EU data.

And elsewhere as well:

“It goes far beyond what is acceptable,” said Johannes Caspar, Commissioner for Data Protection and Freedom of Information in Hamburg, Germany.

Over in the European Parliament, Dutch MEP Sophie in ‘t Veld has asked the EU Commission to investigate:

While some keep arguing that the whole idea of a safe harbor or privacy shield is a problem, that’s not really true. Enabling easier data flows between countries on a borderless internet is really important for keeping the internet truly global. This is a serious issue. The problem is the NSA’s surveillance activities undermining all of this, and continually (rightfully) freaking out people in other countries about what happens to data that flows into the US. The answer is not to dump agreements that enable the free flow of data, but to stop mass surveillance activities.

Once again, it appears that overly aggressive mass surveillance by the US intelligence community is creating massive headaches for American internet companies.

Companies: yahoo


Comments on “Yahoo Email Scanning May Sink EU Privacy Shield Agreement”

26 Comments
Anonymous Coward says:

Re: Re:

Who gets the direct feed you mean. They all can now spy on everyone’s citizens, it’s really just a matter of having fresh data along with mountains of prior data to sift through once targets have been identified. Remember everyone, three hops includes delivery pizza places as well as 911 calls or even 411 itself.

Personanongrata says:

Cognitive Dissonance and Glass Houses

Yahoo Email Scanning May Sink EU Privacy Shield Agreement

Some of the countries that comprise the EU are heavily involved with NSA and GCHQ mass surveillance schemes.

Highlighted paragraph below excerpted from theguardian.com report titled GCHQ and European spy agencies worked together on mass surveillance

The German, French, Spanish and Swedish intelligence services have all developed methods of mass surveillance of internet and phone traffic over the past five years in close partnership with Britain’s GCHQ eavesdropping agency.

https://www.theguardian.com/uk-news/2013/nov/01/gchq-europe-spy-agencies-mass-surveillance-snowden

Screaming is all I can do says:

Upstream action is where it’s at

Yahoo never even claimed to encrypt anything as Google (dubiously) did, so their upstream tap was always in the clear, same with Outlook and all other MS domains, so whatever all of these people are not only collaborating, making up 40% of GDP they ARE the state.

Let’s not even talk about what they are doing; they are the NSA, CIA, FBI, CBP, anyone you want to name. Google is looking for reasons to send a SWAT team to your house, definitely.

David says:

It's Snowden's fault

Once again, it appears that overly aggressive mass surveillance by the US intelligence community is creating massive headaches for American internet companies.

No, this would never have been a problem if nobody had ratted them out.

This really calls for a drone strike on Snowden in order to send a message that it’s unacceptable to endanger the relations of the U.S. government to other nations and its own people by indiscriminately pulling the rug out from over them. There is a reason for the rug, and everybody is aware of what is swept under it.

It’s like bakeries. Every single one has roaches and mice (mice are around anyway, and roach eggs are distributed under the boxes and containers of bakery suppliers and mills, so even a newly built bakery is populated within months). The bakers cope by keeping dough covered and making sure that anything ending up in sales is reasonably safe from access.

But that’s not the story for the customer. Blow the whistle on one bakery and people go elsewhere, shuddering in disgust. Never mind that the stuff running near the food is completely beside the point compared to meat production where the awful bits actually make up your food.

So yes, the messengers are certainly to blame here. You can’t expect people to have realistic expectations, not with what they see in TV (particularly reality TV). People have a right not to have to worry about things they are powerless to change. That’s the sole point of civilization.

Still with me? Creepy.

nomadgroa (profile) says:

Re: It's Snowden's fault

Guess I’m a creeper cuz I read your entire comment, David. I learned how to read quite awhile back, so I’m not going to lose my mind if you take more than a paragraph to properly express your ideas. 

Alas, I can’t agree Snowden’s to blame for the NSA’s wildly illegal behavior. Nor can I agree with your bakery analogy/apology explaining why espionage agencies should be allowed to lie and deceive and sweep highly questionable behavior under rugs so we don’t see the weevils propagating in the…sorry, dude. Can I drop your metaphor? Cuz I’m not sure there’s much difference between the icky bugs that unfriendly foreign powers place in our bread and the maggots the NSA installs there.

People have a right not to worry about things they are powerless to change? That’s a rather odd statement, my friend. Personally, I’m still clinging to this idea called “democracy” and a country whose government represents the will of the people and not the questionable actions of an unelected intelligence community that claims it can only function if it’s accountable to NO ONE AT ALL. Not even a congressional oversight committee. We are NOT powerless to change the tyrannical, belligerent behavior of an espionage community that exploits the very people it claims it’s protecting.

The sole point of civilization is not to live as sheeple, herded this way and that by lying government douchebags. You may choose that for yourself. Most do. I do not. I’m still a life, liberty and the pursuit of happiness kind of girl. Call me naïve—I’m expecting it, so no worries—but you don’t make the world safe for democracy by usurping it.

You seem to be arguing that in exchange for the illusion of security–because that’s the very best ANY intelligence agency can offer–we should allow our country’s spies to create whatever havoc they please, at home or abroad, free of skepticism, criticism, or oversight from anyone. You know, like Wall Street bankers. With respect, hell’s no. That’s just wacked. As long as the NSA continues to rape American citizens of their constitutional rights, shit all over the rule of law, perjure itself during congressional investigations, and demand the right to do so with impunity, then we have no choice but to rely on whistleblowers like Edward Snowden. Who, btw, has stacked up quite a list of humanitarian awards from pretty much everyone but the US. And don’t be thinking about dissing Sweden, cuz that’ll just make you look like some sort of imperialist throwback.

It’s James Clapper’s fault. Aided by John Kerry, King of the Message Killers.

Anonymous Coward (user link) says:

The answer is end to end encryption for the masses

The answer is not to dump agreements that enable the free flow of data, but to stop mass surveillance activities.

The answer is not to stop mass surveillance. That ship is out of the bag, that cat has sailed.

The answer is to encrypt all data from everyone all the time.

This protocol shows how it can be done: http://eccentric-authentication.org

Anonymous Coward says:

Re: The answer is end to end encryption for the masses

On first glance, this sounds overly optimistic.
1. DPI will still see the initial handshake and exchange of keys, so it will still be possible to decrypt traffic with a MITM.
2. They don’t mention a key expiration or revoke system, which is always a good thing. Without that a single compromise could last indefinitely.
3. Storage of PKI keys for every site will cause issues for end users. Simply send a user to a link with links to thousands of other sites and you could DoS the user’s computer by negotiating so many encrypted connections and possibly overload their HD storage.

Could be many more, but I just glanced quickly through his front page.

Anonymous Coward says:

Re: Re: The answer is end to end encryption for the masses

1) You obviously have no idea how D-H secure key exchange works. Even if there is a MitM on the key exchange, the compute power needed to derive the key would exhaust the heat energy of the entire universe.

2) You are confusing host authentication with public/private keys. They are NOT the same thing.

3) Storage of all public keys is NOT needed. That is why there is a secure exchange of keys AFTER a host has been authenticated.

Anonymous Coward says:

Re: Re: Re: The answer is end to end encryption for the masses

1. So A10 doesn’t decrypt SSL traffic?
https://www.a10networks.com/products/thunder-series/ssl-decryption-encryption-and-inspection-ssl-insight
You only need session data usually to decrypt.

2. It didn’t state who is the private key holder. I assumed it was like SSL where the site has the private key, and the user uses the public key. If it’s like PGP, then even more so would revocation be necessary, as a lost computer or phone could lead to identity theft.

3. I’m totally confused on this last part:
“You can write one of these pseudonyms on a business card and everyone can retrieve the correct keys. People can look up the key that belongs to the name and use that to write encrypted messages. Safe against disclosure and tampering. This forms the basis for secure email, without any difficulties.”

So how do they not have a CA to verify, (think SKS, MIT for PGP) but yet have a public key infrastructure that you can look up and identify the end-user?

Anonymous Coward says:

Re: Re: Re:2 The answer is end to end encryption for the masses

Yes, A10 does SSL interception. So does Blue Coat. So does F5. So does…..

The way A10 et al do SSL interception is that it is placed on a choke point in the network, a self signed certificate is put on the A10, GPO pushes policy to all of the clients on the domain so the self signed cert is trusted, and then it can do SSL interception by “lying” to the client.

That is NOT how SSL interception works on the open net.

PKI is designed – for the most part – for a single network or group of networks. It was never intended to be an infrastructure used globally.

I work on this stuff all day, every day. Get a clue.

Anonymous Coward says:

Re: Re: Re:3 The answer is end to end encryption for the masses

SSLStrip MITM: https://moxie.org/software/sslstrip/
use -f for a lock fav icon, and most will think they are talking through SSL to the server.
InfoSec has a good explanation, better than I can probably:
https://www.youtube.com/watch?v=gNhyjPxuy5w

Answer is, hope that the server uses HSTS to ensure that you can’t fall back to HTTP.
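How the HSTS defence mentioned above behaves on the browser side, as an added example that is not part of any comment in this thread: a small model of a user agent's HSTS store following RFC 6797 (header ignored over plain HTTP, `max-age` required, duplicate directives invalid, `max-age=0` clears the policy). The host names and header values are constructed, and policy expiry is left out for brevity.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value.
    Returns (max_age, include_subdomains), or None if the header is invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                 # quoted-string form is allowed
        if name in seen:
            return None                     # each directive may appear only once
        seen[name] = val
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                         # max-age is mandatory
    return int(seen["max-age"]), "includesubdomains" in seen

def note_response(store, host, header, over_https):
    """Update the HSTS store after a response from `host`."""
    if not over_https:
        return                              # an on-path party could forge or strip it
    policy = parse_hsts(header)
    if policy is None:
        return
    max_age, include_subdomains = policy
    if max_age == 0:
        store.pop(host.lower(), None)       # site asked to drop the policy
    else:
        store[host.lower()] = include_subdomains

def must_upgrade(store, host):
    """True if a plain-HTTP request to `host` is rewritten to HTTPS before it
    leaves the browser, so there is no cleartext request to downgrade."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in store and (i == 0 or store[parent]):
            return True
    return False
```

A host the browser has never visited over HTTPS has no entry in the store, which is the gap that HSTS preload lists are meant to close.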

BobKerns (profile) says:

Re: Re: Re:3 The answer is end to end encryption for the masses

Re: “It (PKI) was never intended to be an infrastructure used globally.”

I’m unclear on what you mean here. Certainly global infrastructure was envisioned even back in the day of the original Diffie-Hellman and Rivest-Shamir-Adleman papers, and the whole Certificate Authority thing has been a global infrastructure from the start.

There are certainly inadequacies…..

Be that as it may… I don’t do this every day all day, but I’ve done it on and off for 35 years or so, and I fully endorse your main points here. The whole point of Diffie-Hellman key exchange is to allow keys to be created such that only the two parties know what the keys are, because the keys themselves were never sent, and can’t be recreated without some information that each party holds secret.

This is basic stuff that anyone setting up a secure web server should know at least the what and why, if not the how.

I just wanted to give you a chance to clarify your point about PKI.

Your eccentric-authentication link looks interesting. Definitely going in the right direction. I do have some concerns about mischief a clever corrupt CA could pull. I think using blockchain technology could prevent those, though. (It still compares favorably with the current situation, where we’ve experienced both corrupt and stupid CAs, and the damage is then widespread and hard to contain). That would also allow for robust revocation (a complicated topic, unfortunately).

But aside from security, my big complaint with the current CA system is that its idea of “identity” can be wildly at variance with what is needed. I ran into difficulty getting a cert for a domain name I own, in the name of a character I own in a MMO. A well-established publicly-known entity that is distinct from my RL identity and to protect other people’s privacy I’d like to keep separate.

There’s a role for strong and deep verification of identity, but it needs to be layered on top of a more robust model of basic unique identity. “We have verified that the identity xxxx is associated with Chase Bank’s online banking services web site, as attested by VP of Operations Jane Opmanager on 9/12/2020, and back this certification with a $10,000 USD warranty of accuracy, insured by YYY Underwriters, Inc.”, all of which can be independently cross-checked. Instead, we have a system where each cert in the chain is a potential point of compromise, and a compromised CA root cert is a global disaster in the making.
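The Diffie-Hellman property discussed in this thread (the key itself is never sent, and authenticating the peer is a separate step), as an added example that is not part of any comment: a toy exchange that reports whether both sides end up with the same key and whether an out-of-band fingerprint check accepts the peer's public value. The prime `P`, generator `G` and all function names are constructed for illustration; the group is far too weak for real use, where standardized groups (RFC 3526, RFC 7919) or X25519 apply.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime, constructed demo value; NOT a secure DH group
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2        # private exponent in [2, P-2]
    return priv, pow(G, priv, P)               # (secret, public value)

def derive(priv, peer_pub):
    shared = pow(peer_pub, priv, P)            # g^(ab) mod p, computed locally
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def run_exchange(interposer=False):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    wire = [a_pub, b_pub]                      # all that an on-path observer sees
    seen_by_a, seen_by_b = b_pub, a_pub
    if interposer:
        # An active party on the path replaces both public values with its own.
        _, m_pub = keypair()
        seen_by_a = seen_by_b = m_pub
    key_a = derive(a_priv, seen_by_a)
    key_b = derive(b_priv, seen_by_b)
    return {
        # Passive case: same key on both ends, none of the secrets transmitted.
        "keys_match": key_a == key_b,
        "secret_on_wire": any(s in wire for s in (a_priv, b_priv,
                                                  pow(b_pub, a_priv, P))),
        # Authentication: A compares what arrived with B's fingerprint, which
        # it learned out of band (the role a certificate plays in TLS).
        "a_accepts_peer": fingerprint(seen_by_a) == fingerprint(b_pub),
    }
```

With `interposer=True` the two ends no longer share a key and the fingerprint check fails, which is the signal an authenticated exchange relies on to abort.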
