NSA Screws Up Another Thing: EU Court Of Justice Throws The Internet For A Loop In Ending Safe Harbor
from the well,-now-what? dept
A couple of weeks ago we wrote about the fact that it appeared that the EU Court of Justice was likely to throw out the EU-US data protection safe harbor as invalid, following a case brought over the NSA’s snooping on US tech companies — and now it has happened. The “the EU-US data protection safe harbor” may sound boring, but it’s actually been fairly important in making sure that US internet companies can operate in Europe. It’s been under attack for some time from those who feel that these American companies don’t take European privacy interests seriously enough, but it’s really the NSA and its idiotic “collect it all” mentality that has brought the whole structure crashing down. Many will celebrate this, but probably for the wrong reasons. As it stands right now, this result is undoubtedly bad for the internet. What happens next is key. If you want to blame anyone… blame the NSA. And if the US wants to fix this mess, it needs to stop mass surveillance.
The case was brought by Max Schrems, an Austrian privacy activist who argued that the NSA’s PRISM surveillance program (a program that resulted from Section 702 of the FISA Amendments Act, and enables the NSA to request certain information from internet companies, once approved by the FISA Court) violates the safe harbor. The safe harbor itself was established back in 2000 in order to allow internet companies to transfer data from Europe back to the US, with a promise that the privacy of that data would be kept at a similar level as if it were in Europe. The process for getting such safe harbor protections is something of a joke (we’ve gone through it here at Techdirt), and mostly involves throwing money at an organization that takes money to make sure your policies comply with the safe harbor requirements. Like so many regulations, it really seems to only serve to shift money to those who make sure you comply.
Still, losing those safe harbors can really shake up the internet — and not necessarily in a good way. While I’m sure some (probably short-sighted) privacy advocates will cheer on this result, it’s going to make a mess of things for the time being. Europe has been working on a new data protection directive to update the old one (which the safe harbor is based on) and early indications are that it will be a mess, and potentially hazardous to free speech rights. In addition, the US and EU have been trying to negotiate a new data protection safe harbor anyway, and that hasn’t been going smoothly, and this will continue to throw a wrench into things.
Big companies will likely be able to negotiate their way around this, but there will likely be some legal flareups in one or two countries, creating a mishmash of jurisdictional confusion over privacy rights. Smaller internet companies will now face much greater threats in doing business in Europe. Even worse, some are going to use this as an opportunity to try to fragment the internet, demanding companies keep data locally within country borders — which actually will create more targets for mass surveillance, rather than fewer. Chances are that little will change in the immediate future — as many companies will just keep right on doing what they’re doing and hoping no one really cares. But the potential for people to bring lawsuits could shake things up.
In the specific case here, the Court of Justice found that the safe harbor was invalid, and thus it did not stop Irish officials from considering Schrems’ complaint that Facebook violated his rights in making data available to the NSA. So that specific case still needs to move forward and should be interesting to watch.
In short, though, this is yet more damage directly done by the NSA and the US’s ridiculous attitude towards mass surveillance, without any concern at all to the economic costs that such mass surveillance creates for US companies. As the EFF notes in its response to the news, the US brought this on itself with its idiotic mass surveillance efforts. This end result is a mess that could lead to greater fragmentation of the internet, which won’t do anything to better protect people’s privacy (and, actually, might make it more exposed). The only logical way forward is to move away from mass surveillance and towards a more comprehensive view of privacy that takes into account the public’s rights — including the right to free expression. Danny O’Brien at EFF sums it up nicely:
That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you’ll find the NSA?or other European states, or even your own government? breaking into those systems to extract it.
What will change the equation is for states, including and especially the United States, to realize that dragnet surveillance undermines their national security and the global security of our data. It has economic consequences, as regulators, companies and individuals lose trust in Internet companies and services. It has political consequences as nations vie to keep data out of the hands of other countries, while seeking to keep it trackable by their own intelligence services.
There’s only one way forward to end this battle in a way that keeps the Internet open and preserves everyone’s privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control.
The ruling today is not a win for privacy. It creates a bigger mess, but it’s one that needs to be cleaned up at the source, and that’s where governments (and not just the US government) are going with mass surveillance. Unfortunately, there doesn’t seem to be any indication that this is what’s going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won’t change anything, but which may just be more expensive for companies. That’s a mistake. There’s a way to fix this mess and it’s to stop mass surveillance.
Filed Under: data protection directive, eu court of justice, eu us data protection safe harbors, eucj, mass surveillance, max schrems, nsa, prism, privacy, safe harbors, section 702, surveillance
Companies: facebook
Comments on “NSA Screws Up Another Thing: EU Court Of Justice Throws The Internet For A Loop In Ending Safe Harbor”
Full stop.
It’s impossible to say this ruling affects US businesses at the fault of the NSA.
Because to claim otherwise means there’s a terrifying consequence: The NSA can read encrypted traffic.
Safe Harbor means US companies must encrypt the data as it transfers over the Atlantic. No encryption means the law was violated to begin with, regardless if the NSA was snooping.
This has zero impact on the internet as a whole, except by those who don’t understand what’s going on, which sadly, means those who just changed the EU ruling.
You can’t have it both ways: you’re either violating the law without encryption or your not affected because of encryption.
Someone needs to sort this mess out before even more ignorance spreads.
Re: Re:
What assurance you have that the NSA isn’t infiltrating inside the servers of US companies, rendering encryption useless? There are plenty of ways the NSA can insert itself between Europe and the US.
Re: Re: Re:
Ninja,
Assuming the NSA has access, it’s still a moot point. You can bet if the NSA has access on our side, the GBHQ has access on their side, making the whole privacy issue pointless.
What’s at stake here is far more important than whether or not government agencies has access to the data.
It’s more important to focus on the ruling’s complete and utter ignorance, because it’s just a first step toward more asinine and ignorant law making.
We work with the Safe Harbor all the time, so I’m well versed on what we need to do to capture and protect EU data. Not only is our transfer encrypted, but the data itself is twice encrypted, which actually exceeds the recommendation.
If the NSA/GBHQ has access to that, everyone is fucked and no law will change that. Ever.
Re: Re: Re:
Indeed. Apple has a server room in the US and one in the EU very similiar to AT&Ts server system which directly links to the NSA.
All iCloud traffic is pumped unencrypted across this connection for later NSA analysis.
Re: Re:
I think you have a very valid point here. If the data was encrypted, then it was nominally in compliance with EU law, and generally NSA (and anyone else) couldn’t capture it and decode it at a reasonable level.
So, if NSA did in fact capture this guys data from Facebook (or some other source) then the implication is that they moved the data via insecure, un-encrypted methods, in violation of EU policy in the matter. NSA doesn’t generally have the keys to decrypt the data, someone had to do it for them.
While what NSA was doing may be deplorable, it doesn’t in any way excuse poor data handling. NSA only would obtain the data if it was moved without encryption. Proper (and compliant) data handling would have resolved the issue before it happened.
So let’s not have a rush to judgement.
Re: Re: Re:
And we have not already witnessed how the NSA forced someone via NSL to handover his encryption keys?
Re: Re:
The NSA does decrypt and read encrypted traffic, it has for a while now. And still if it didn’t in this perticular case, they still have access to facebooks servers directly (unless something has changed very recently)
Re: Re:
Because to claim otherwise means there’s a terrifying consequence: The NSA can read encrypted traffic.
This is not true. You are confusing encryption in transport with encryption of the data itself. The data is encrypted in transit, which protects it from snooping on the fly. But at rest on servers, companies like Facebook have access to it (for everything except Whatsapp, which has real end-to-end encryption).
So I think you’re jumping to conclusions.
Re: Re:
I think you’ve misunderstood. This was about PRISM which did not sit on the outside of these companies networks, but was a legally forced tap to the inside of these networks.
They were getting the information in the clear, before the outgoing was encrypted and after the incoming was decrypted. That’s why you saw companies like Google touting that they now encrypt their internal network after PRISM was revealed to the public.
PRISM was a legal order that forced compliance on these companies with an attached gag order, and there’s nothing to say this isn’t currently going on with all these big tech companies in the US.
Re: Re:
This is not true. You are assuming that the NSA is reading traffic in route. It doesn’t work this way. The NSA waits for facebook to decrypt it, store it in their server, and then asks to take a look.
Re: Re: they actually do both
If you read ANY snowden leaks,
you will find out they prefer to have the information scooped in ALL the possible ways.
In this case they would use both:
-they save, decrypt and read traffic in route
AND
-they have direct internal access to unencryptted data in the US servers
Re: duh! OF COURSE they can read most encrypted traffic
today it is very clear that they can
read most of the encrypted traffic
and are also working VERY hard to get to read the few secure schemes,
JUST IN CASE, they are even SAVING EVERYTHING encrypted they can not read now,
to read it later, after they find a way.
"There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
FTFY. Somehow you always leave out corporations as a danger.
Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
You can opt out corporations. You can’t do it when it’s the government.
Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
You can opt-out yes, but as has been shown with Windows 10 for example, they can opt not to listen to you.
This is why I’m really liking the idea that we push forward with making everything encrypted. The governments and the companies took advantage of the trusting nature of how the net was built. Now it is time that we slap their hand and make them at least have to work harder to vacuum up data.
Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
If you opt out of Windows by using Linux or one of the BSDs, then Microsoft will take not as their sales drop off.
Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
“You can opt-out yes, but as has been shown with Windows 10 for example, they can opt not to listen to you.”
You’re opting out wrong. You opt out of Windows 10 surveillance by either firewalling off Windows 10 or (preferably) not using it.
“opt out” is not asking permission from spies to not spy on you. “Opt out” is to avoid using products and services that spy on you.
Re: Re: Re:2 "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
But that’s hardly a solution.
Sure, you don’t use such products. But others do. Will you stop talking or chatting with anyone that uses Windows 10, for example? Are you sure that the hardware of the computer you’re using isn’t spying on you? And the ISP? And the VPN you’re using?
Because by spying on what they do, they spy on what you do too. Remember that a chain is as weak as the weakest link.
In the end, the reality is that you can’t opt out of corporations either, the same as governments.
Re: Re: Re:3 "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
You can still opt out once it’s revealed that the corporation is spying on you and you can take steps to educate people not to use Windows 10 for instance or at least use proper encryption. You CANNOT opt out from government surveillance even when it is revealed.
Re: Re: Re:4 "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
For starters, education tactic never works. Just try to explain your friends/lover/relatives/co-workers/whoever you may be chatting with about, uhm, something easy… how to use bookmarks, and half of them will tell you that they can’t do so.
Most people don’t care about computers and they just use the given package. Don’t expect them to learn to use Linux just because you are telling them that Windows spies on them. Or to stop using Facebook, Whatsapp, Apple or Google.
Secondly, if you can opt out from corporations using encryption, then you can do the same from governments, using the same or better encryption (it’s always a matter of using a good enough one).
Of course, no method is immune if whoever is headstrong enough. Corps tend to be a bit less, sure.
But that’s because they control the government, that does what they want to do. Easy as that. Why bother themselves when they got dogs that will do their dirty job?
So in the end, opting out from corps is as hard than doing so from the government; because in the end, they are the same.
You have already heard that the NSA has been spying on foreign citizens, not to catch terrorist, but to further the economic interests of the USA, haven’t you?
Who do you think to told them to do that? Obama? Bush?
To be honest, the “opt out” strategy isn’t the solution. For starters, because that isn’t the way the things should be.
If everyone is selling rotten meat, the solution isn’t to stop eating meat, but to forbid them from selling rotten meat.
And yeah, education is a solution. But you don’t educate a few people, you need to educate a nation.
It’s harder, but people might be more supportive to forbid people from selling rotten meat than from not eating meat at all.
Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
You can opt out corporations?
I’d say that statement is getting more outdated every day it passes.
Particularly when it’s those same corps the ones that control the governments.
Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
I don’t agree. Corporations are like food. You have to eat but at least you can choose what you want to eat. Most of the time.
Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
Yeah, well, that’s a good theory.
The reality of the case is that all the food is the same: rotten.
Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
Really? Did you miss the whole thing about Facebook’s keeping shadow profiles on people who wanted to opt out?
Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
I think it’s safe to say, anyone who uses Facebook in the first place is not someone who cares overly much about their privacy.
Re: Re: Re:2 "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
I think it’s safe to say, anyone who uses Facebook in the first place is not someone who cares overly much about their privacy.
He’s talking about people who don’t want to use Facebook, but Facebook has a profile on them anyway.
Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
I wish the government opted out of corporations.
Re: Re:
And yet when it’s to harass grandmothers for downloading porn they’ve never heard of, suddenly you’re all for mass surveillance and the destruction of privacy.
The only logical way forward is to move away from mass surveillance and towards a more comprehensive view of privacy that takes into account the public’s rights — including the right to free expression.
Not happening before real, crippling economic damage takes place. Unfortunately.
Re: Re:
As a young man I used to work w/some major tech companies in the wild and heady early days of the Internet, ~95-’05, and was absolutely amazed at what we were doing (and how much $$ was being made) and chuckled at the whole ‘This Internet thing is only a fad’ joke. Yuk yuk yuk.
Sadly, as I have grown older and seen how governments and corporations have largely perverted and thoroughly prostituted the Internet with all their tracking, surveillance, and Orwellian – and largely successful – attempts to control it all – I am closer to thinking that the ‘Internet is a fad’ people really weren’t that far off, they just didn’t understand why it was a fad.
These days I can hardly justify working in such tech companies anymore, and instead I am going completely in the other direction: tuning out, going silent, going off grid, getting debt free, unsubscribing from more and more sites and services, getting a burner phone and throwing my iPhone plan away, setting up my own solar power, harvesting my own rainwater, growing my own food.
In short, disconnecting from the sick cancer that is sweeping the US…and much of the world…in the only way I can – by disconnecting. Frankly, it wouldn’t surprise me if in a couple more years I don’t even ‘surf the web’ at all. Except, maybe at a public library every once in awhile.
To be honest, my sanity and wellness has increased immeasurably since I started disconnecting. Reading books in a cozy cabin is so relaxing. Eating food I prepared myself is healthy and tasty.
Who knows, maybe someday when things like mesh networks take over I might start venturing out into the ‘Internet’ again, but as it is currently constituted…I look upon the existing ‘Internet’ as a zone that is now essentially a Digital Concentration Camp where I am a number to be tracked, monetized, surveilled, intimidated, stomped on, imprisoned, cast aside, and otherwise folded…spindled…and mutilated…at the will and whim of our Corporate & Stasi Overlords.
What a long strange trip it’s been.
And, Jesus WEPT.
I think you got it wrong
No, not at all.
All the NSA has to do is to lie about the mass surveillance of non-U.S.-citizens like it does about that of U.S. citizens.
The official stance of the U.S. government is that Fourth Amendment protections apply only to U.S. citizens and everybody else is free game for snooping.
Now of course we all know since Snowden that obviously every U.S. citizen is equally free game for snooping. But there is a flimsy pretense that this isn’t so.
But with regard to non-U.S.-citizens the official stance is that they enjoy no legal or factual protection whatsoever from pervasive surveillance and, since they enjoy no protection, are also free game for economical espionage.
With that official stance, a safe harbour agreement is, of course, not even worth pretending to be worth the paper it is printed on.
All the U.S. government needs to do in order to fix this is to invest the same amount of lying about foreign surveillance than they do for domestic surveillance and they should be good to go.
But as long as they do not even bother lying about it, there just is no basis for even pretending anything like a safe harbour is making any sense.
Lets hope this one will not be as retarded as the cookie notification…
I doubth any serious business would be affected by this as a lot of them operate from outside the US on paper.
You cannot handle NSA by legislation as their word-play legality has proven and I am not sure it would be desirable either way since less well regulated national governments are doing as problematic, if not worse things.
It is important to be specific here: What needs to go, is the surrender of data from a trusted party towards a third party without consent or judicial recourse!
The possibility of judicial recourse will never exist for individuals in todays national sovereignty world (so much for “corporations are people”, since multinationally incorporated entities have no passport and can hold as many legal nationalities as they like, and in that way circumvent unwanted laws!), Thus consent would be the only way foreward.
Only by making people consciously consent to selling their soul they will be able to see what they give up and eventually improve the broader adoption of univeral encryption, which is the only way out of the spy-on-all conundrum! While NSA are screaming in rage about encrytion since it hurts their collect-it-all paradigm, it is perfectly possible to go back to real-time and targeted surveillance even with 100% encryption!
I’d say that this sums up this pretty nicely too:
“It’s been under attack for some time from those who feel that these American companies don’t take European privacy interests seriously enough”
To be honest, I wouldn’t say it’s only because of the NSA mass surveillance. That was just the finishing combo.
Many people from the EU are quite worried because it seems that US companies don’t take privacy seriously enough. The EU ones are bad enough, just that the perception is that US ones are worse, in part because that market is way less regulated.
Also, a question, I saw that on the 2011 PSN hacking incident, they applied the California laws even if the data were breached from users worldwide. That’s how the suit got dismissed (plus the “there is no perfect security”).
Does that mean that US laws apply and not, for example, EU ones?
If so, what are the safe harbours for? The idea is that they would be allowed to use and transfer EU citizen data if they follow the EU laws, don’t they?
Oh, and btw, this has nothing to do with encrypting in transfer or not, but what happens on their servers (and their soil) afterwards. If the NSA has any backdoor (legal or not) to those servers, no wonder anyone would be worried.
And yet, knowing what I know, I wouldn’t trust my government with my privacy, they are as bad as any other.
I guess that the difference is that I get some say (once every 4 years, lol) regarding the laws of my government, while I can’t say a thing about the laws of the US.
Re: Re:
In the U.S., you get a say about the laws of the U.S. whenever you want, and with the tally you want. You’ve probably seen the ballots. They are rectangular and carry the portrait of Ben Franklin in green and black. Well, those ballots don’t really count for much, but there are also ballots with Woodrow Wilson’s portrait and writing your wishes on those gets them some nice consideration.
Re: Re: Re:
In the EU there is more variety to those ballots, though the preferred colour is a purplish one, properly placed in Switzerland.
It’s smaller that Woodrow Wilson’s ones, but it feels better to be given a bunch of papers rather than a few smaller ones. At least you can cool yourself with them while waiting for the next vote.
I guess every country prefers the votes given in their proper ballot.
Re: Re: Re: Re:
You’ll find that the U.S. is one of the very few countries in the world where bribing politicians is completely legal as well as an essential part of the official political process. In other countries, bribes and corruption most certainly happen but usually are more awkward.
Hey, if it reduces privacy worldwide, I don’t think the NSA would consider it a screwup.
Re: Re:
Nah, it doesn’t reduce privacy worldwide.
There never was one, to begin with.
Can never trust US based internet services with sensitive data again...
As a foreign (to the US) citizen, I can never (atleast the forseeable near future) trust a US based internet company again with any kind of sensitive data.
Sorry, your government fucked up, and your corporations (the ones that we know of) played ball instead of being honest with their customers and respecting their rights.
Trust is hard earned, but easily lost!
Paradox
It’s amusing to see how EU rules that “US mass-surveillance is bad” and thus ends “safe harbor” provision… and some EU countries (eg. France) actually move towards more surveillance (including mass-surveillance), with significantly little protection and close to none when foreigners are involved.
Some people are trying to bring this to the EUCJ, so let’s see if they manage some consistency or if it all comes crashing down in a hypocritical “do as I say, not as I do”.
Re: Paradox
I think the same.
One of the positive parts of this ruling is that well, the EUCJ has grounds to repeal the mass surveillance from France, Germany and the UK at least. If it ruled the opposite, then it would have meant that it sanctioned the mass surveillance programs as being in line with EU Data Privacy Directives.
Of course, it could all end how you said.
Re: Paradox
Indeed. It seems the entire western world is obsessed with monitoring everything their citizens do. The countries are just arguing about details in how precisely it’s to be carried out, and if the public could please be kept silent or better yet oblivious.
Take Sweden for example, who happily whines about the NSA and US corporations, but when the ECJ rules the data retention directive compleely and utterly void due to it’s uncontitutional nature, does Sweden remove it? Of course not. The conservatives were not about to throw away perfectly good surveillance, and as the socialists took over in the next election, the silence on the matter was simply eerie.
The ruling today is not a win for privacy.
Well, no. The win is that the need to end mass surveillance has been exposed; and that those corporations that are complicit in it will be made to suffer one way or the other if they don’t change their ways. That’s what we’re cheering for.
Unfortunately, there doesn’t seem to be any indication that this is what’s going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won’t change anything, but which may just be more expensive for companies.
Sometimes things have to get worse before they get better. It doesn’t help that those companies that aren’t actively profiteering from surveillance are caught between a rock and a hard place; they’re damned by the courts, etc., if they DO enable surveillance, and damned by the governments involved if they don’t. Not a place I’d like to be in.
There’s a way to fix this mess and it’s to stop mass surveillance.
Follow the $$$. There’s too much money to be made from surveillance (I’m convinced the surveillance companies are selling our data on the side, or colluding with entities that do) to give it up. Ultimately, it’s not even about having all the information you’ll ever need at your fingertips; if I’m right, it’s about having all the information you can ever sell at your fingertips. Until we get the profit motive out of the equation, enjoy surveillance.
Actually, ¿doesn’t this ruling bring something interesting into the table?
Isn’t this the first time that a EU institution shows that they actually believe what Snowden leaked?
Yeah, yeah, I know. We got plenty of governments, and even the EP, making statements over the NSA surveillance and such; but they were that, mere statements, even with votes, directives and such.
Now the EUCJ has spoken. Well, it has ruled. It has applied a law regarding this issue, and believes what Snowden say.
You can gloss over what a governing body (EP, EC, Commission, national government) says or states by claiming it’s pure political speech.
But you can’t gloss over a sentence of the highest court in the EU as “political speech”. It’s a ruling.
I’d say it’s the first time that the law has been applied by believing the Snowden leaks.
I’d say it’s something to consider.