NSA Screws Up Another Thing: EU Court Of Justice Throws The Internet For A Loop In Ending Safe Harbor
from the well,-now-what? dept
A couple of weeks ago we wrote about the fact that it appeared that the EU Court of Justice was likely to throw out the EU-US data protection safe harbor as invalid, following a case brought over the NSA's snooping on US tech companies -- and now it has happened. The "EU-US data protection safe harbor" may sound boring, but it's actually been fairly important in making sure that US internet companies can operate in Europe. It's been under attack for some time from those who feel that these American companies don't take European privacy interests seriously enough, but it's really the NSA and its idiotic "collect it all" mentality that has brought the whole structure crashing down. Many will celebrate this, but probably for the wrong reasons. As it stands right now, this result is undoubtedly bad for the internet. What happens next is key. If you want to blame anyone... blame the NSA. And if the US wants to fix this mess, it needs to stop mass surveillance.
The case was brought by Max Schrems, an Austrian privacy activist who argued that the NSA's PRISM surveillance program (a program that resulted from Section 702 of the FISA Amendments Act, and enables the NSA to request certain information from internet companies, once approved by the FISA Court) violates the safe harbor. The safe harbor itself was established back in 2000 in order to allow internet companies to transfer data from Europe back to the US, with a promise that the privacy of that data would be kept at a similar level as if it were in Europe. The process for getting such safe harbor protections is something of a joke (we've gone through it here at Techdirt), and mostly involves throwing money at an organization that takes money to make sure your policies comply with the safe harbor requirements. Like so many regulations, it really seems to only serve to shift money to those who make sure you comply.
Still, losing those safe harbors can really shake up the internet -- and not necessarily in a good way. While I'm sure some (probably short-sighted) privacy advocates will cheer on this result, it's going to make a mess of things for the time being. Europe has been working on a new data protection directive to update the old one (which the safe harbor is based on) and early indications are that it will be a mess, and potentially hazardous to free speech rights. In addition, the US and EU have been trying to negotiate a new data protection safe harbor anyway, and that hasn't been going smoothly, and this will continue to throw a wrench into things.
Big companies will likely be able to negotiate their way around this, but there will likely be some legal flareups in one or two countries, creating a mishmash of jurisdictional confusion over privacy rights. Smaller internet companies will now face much greater threats in doing business in Europe. Even worse, some are going to use this as an opportunity to try to fragment the internet, demanding companies keep data locally within country borders -- which actually will create more targets for mass surveillance, rather than fewer. Chances are that little will change in the immediate future -- as many companies will just keep right on doing what they're doing and hoping no one really cares. But the potential for people to bring lawsuits could shake things up.
In the specific case here, the Court of Justice found that the safe harbor was invalid, and thus it did not stop Irish officials from considering Schrems' complaint that Facebook violated his rights in making data available to the NSA. So that specific case still needs to move forward and should be interesting to watch.
In short, though, this is yet more damage directly done by the NSA and the US's ridiculous attitude towards mass surveillance, without any concern at all for the economic costs that such mass surveillance creates for US companies. As the EFF notes in its response to the news, the US brought this on itself with its idiotic mass surveillance efforts. This end result is a mess that could lead to greater fragmentation of the internet, which won't do anything to better protect people's privacy (and, actually, might make it more exposed). The only logical way forward is to move away from mass surveillance and towards a more comprehensive view of privacy that takes into account the public's rights -- including the right to free expression. Danny O'Brien at EFF sums it up nicely:
That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you'll find the NSA—or other European states, or even your own government—breaking into those systems to extract it.
The ruling today is not a win for privacy. It creates a bigger mess, but it's one that needs to be cleaned up at the source, and that's where governments (and not just the US government) are going with mass surveillance. Unfortunately, there doesn't seem to be any indication that this is what's going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won't change anything, but which may just be more expensive for companies. That's a mistake. There's a way to fix this mess and it's to stop mass surveillance.
What will change the equation is for states, including and especially the United States, to realize that dragnet surveillance undermines their national security and the global security of our data. It has economic consequences, as regulators, companies and individuals lose trust in Internet companies and services. It has political consequences as nations vie to keep data out of the hands of other countries, while seeking to keep it trackable by their own intelligence services.
There's only one way forward to end this battle in a way that keeps the Internet open and preserves everyone's privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control.
Filed Under: data protection directive, eu court of justice, eu us data protection safe harbors, eucj, mass surveillance, max schrems, nsa, prism, privacy, safe harbors, section 702, surveillance
Companies: facebook
Reader Comments
It's impossible to say this ruling affects US businesses at the fault of the NSA.
Because to claim otherwise means there's a terrifying consequence: The NSA can read encrypted traffic.
Safe Harbor means US companies must encrypt the data as it transfers over the Atlantic. No encryption means the law was violated to begin with, regardless if the NSA was snooping.
This has zero impact on the internet as a whole, except by those who don't understand what's going on, which sadly, means those who just changed the EU ruling.
You can't have it both ways: you're either violating the law without encryption or you're not affected because of encryption.
Someone needs to sort this mess out before even more ignorance spreads.
[ link to this | view in chronology ]
Re: Re:
Assuming the NSA has access, it's still a moot point. You can bet if the NSA has access on our side, the GCHQ has access on their side, making the whole privacy issue pointless.
What's at stake here is far more important than whether or not government agencies have access to the data.
It's more important to focus on the ruling's complete and utter ignorance, because it's just a first step toward more asinine and ignorant law making.
We work with the Safe Harbor all the time, so I'm well versed on what we need to do to capture and protect EU data. Not only is our transfer encrypted, but the data itself is twice encrypted, which actually exceeds the recommendation.
If the NSA/GCHQ has access to that, everyone is fucked and no law will change that. Ever.
[ link to this | view in chronology ]
Re: Re:
All iCloud traffic is pumped unencrypted across this connection for later NSA analysis.
[ link to this | view in chronology ]
Re:
So, if NSA did in fact capture this guy's data from Facebook (or some other source) then the implication is that they moved the data via insecure, un-encrypted methods, in violation of EU policy in the matter. NSA doesn't generally have the keys to decrypt the data, someone had to do it for them.
While what NSA was doing may be deplorable, it doesn't in any way excuse poor data handling. NSA only would obtain the data if it was moved without encryption. Proper (and compliant) data handling would have resolved the issue before it happened.
So let's not have a rush to judgement.
[ link to this | view in chronology ]
Re:
This is not true. You are confusing encryption in transport with encryption of the data itself. The data is encrypted in transit, which protects it from snooping on the fly. But at rest on servers, companies like Facebook have access to it (for everything except Whatsapp, which has real end-to-end encryption).
So I think you're jumping to conclusions.
[ link to this | view in chronology ]
Re:
They were getting the information in the clear, before the outgoing was encrypted and after the incoming was decrypted. That's why you saw companies like Google touting that they now encrypt their internal network after PRISM was revealed to the public.
PRISM was a legal order that forced compliance on these companies with an attached gag order, and there's nothing to say this isn't currently going on with all these big tech companies in the US.
[ link to this | view in chronology ]
Re: Re: they actually do both
you will find out they prefer to have the information scooped in ALL the possible ways.
In this case they would use both:
-they save, decrypt and read traffic in route
AND
-they have direct internal access to unencrypted data in the US servers
[ link to this | view in chronology ]
Re: duh! OF COURSE they can read most encrypted traffic
read most of the encrypted traffic
and are also working VERY hard to get to read the few secure schemes,
JUST IN CASE, they are even SAVING EVERYTHING encrypted they can not read now,
to read it later, after they find a way.
[ link to this | view in chronology ]
"There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
[ link to this | view in chronology ]
Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
This is why I'm really liking the idea that we push forward with making everything encrypted. The governments and the companies took advantage of the trusting nature of how the net was built. Now it is time that we slap their hand and make them at least have to work harder to vacuum up data.
[ link to this | view in chronology ]
Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
If you opt out of Windows by using Linux or one of the BSDs, then Microsoft will take note as their sales drop off.
[ link to this | view in chronology ]
Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
You're opting out wrong. You opt out of Windows 10 surveillance by either firewalling off Windows 10 or (preferably) not using it.
"opt out" is not asking permission from spies to not spy on you. "Opt out" is to avoid using products and services that spy on you.
[ link to this | view in chronology ]
Re: Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
Sure, you don't use such products. But others do. Will you stop talking or chatting with anyone that uses Windows 10, for example? Are you sure that the hardware of the computer you're using isn't spying on you? And the ISP? And the VPN you're using?
Because by spying on what they do, they spy on what you do too. Remember that a chain is as weak as the weakest link.
In the end, the reality is that you can't opt out of corporations either, the same as governments.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
Most people don't care about computers and they just use the given package. Don't expect them to learn to use Linux just because you are telling them that Windows spies on them. Or to stop using Facebook, Whatsapp, Apple or Google.
Secondly, if you can opt out from corporations using encryption, then you can do the same from governments, using the same or better encryption (it's always a matter of using a good enough one).
Of course, no method is immune if whoever is headstrong enough. Corps tend to be a bit less, sure.
But that's because they control the government, that does what they want to do. Easy as that. Why bother themselves when they got dogs that will do their dirty job?
So in the end, opting out from corps is as hard as doing so from the government; because in the end, they are the same.
You have already heard that the NSA has been spying on foreign citizens, not to catch terrorists, but to further the economic interests of the USA, haven't you?
Who do you think told them to do that? Obama? Bush?
To be honest, the "opt out" strategy isn't the solution. For starters, because that isn't the way the things should be.
If everyone is selling rotten meat, the solution isn't to stop eating meat, but to forbid them from selling rotten meat.
And yeah, education is a solution. But you don't educate a few people, you need to educate a nation.
It's harder, but people might be more supportive to forbid people from selling rotten meat than from not eating meat at all.
[ link to this | view in chronology ]
Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
I'd say that statement is getting more outdated every day it passes.
Particularly when it's those same corps the ones that control the governments.
[ link to this | view in chronology ]
Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
The reality of the case is that all the food is the same: rotten.
[ link to this | view in chronology ]
Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
Really? Did you miss the whole thing about Facebook's keeping shadow profiles on people who wanted to opt out?
[ link to this | view in chronology ]
Re: Re: Re: Re: "There's a way to fix this mess and it's to stop mass surveillance" -- WHETHER BY GOVERNMENTS OR CORPORATIONS.
He's talking about people who don't want to use Facebook, but Facebook has a profile on them anyway.
[ link to this | view in chronology ]
Not happening before real, crippling economic damage takes place. Unfortunately.
[ link to this | view in chronology ]
Re:
Sadly, as I have grown older and seen how governments and corporations have largely perverted and thoroughly prostituted the Internet with all their tracking, surveillance, and Orwellian - and largely successful - attempts to control it all - I am closer to thinking that the 'Internet is a fad' people really weren't that far off, they just didn't understand *why* it was a fad.
These days I can hardly justify working in such tech companies anymore, and instead I am going completely in the other direction: tuning out, going silent, going off grid, getting debt free, unsubscribing from more and more sites and services, getting a burner phone and throwing my iPhone plan away, setting up my own solar power, harvesting my own rainwater, growing my own food.
In short, disconnecting from the sick cancer that is sweeping the US...and much of the world...in the only way I can - by disconnecting. Frankly, it wouldn't surprise me if in a couple more years I don’t even 'surf the web' at all. Except, maybe at a public library every once in awhile.
To be honest, my sanity and wellness have increased immeasurably since I started disconnecting. Reading books in a cozy cabin is so relaxing. Eating food I prepared myself is healthy and tasty.
Who knows, maybe someday when things like mesh networks take over I might start venturing out into the 'Internet' again, but as it is currently constituted...I look upon the existing 'Internet' as a zone that is now essentially a Digital Concentration Camp where I am a number to be tracked, monetized, surveilled, intimidated, stomped on, imprisoned, cast aside, and otherwise folded...spindled...and mutilated...at the will and whim of our Corporate & Stasi Overlords.
What a long strange trip it’s been.
And, Jesus WEPT.
[ link to this | view in chronology ]
I think you got it wrong
No, not at all.
All the NSA has to do is to lie about the mass surveillance of non-U.S.-citizens like it does about that of U.S. citizens.
The official stance of the U.S. government is that Fourth Amendment protections apply only to U.S. citizens and everybody else is free game for snooping.
Now of course we all know since Snowden that obviously every U.S. citizen is equally free game for snooping. But there is a flimsy pretense that this isn't so.
But with regard to non-U.S.-citizens the official stance is that they enjoy no legal or factual protection whatsoever from pervasive surveillance and, since they enjoy no protection, are also free game for economical espionage.
With that official stance, a safe harbour agreement is, of course, not even worth pretending to be worth the paper it is printed on.
All the U.S. government needs to do in order to fix this is to invest the same amount of lying about foreign surveillance as they do for domestic surveillance and they should be good to go.
But as long as they do not even bother lying about it, there just is no basis for even pretending anything like a safe harbour is making any sense.
[ link to this | view in chronology ]
I doubt any serious business would be affected by this as a lot of them operate from outside the US on paper.
[ link to this | view in chronology ]
It is important to be specific here: What needs to go, is the surrender of data from a trusted party towards a third party without consent or judicial recourse!
The possibility of judicial recourse will never exist for individuals in today's national sovereignty world (so much for "corporations are people", since multinationally incorporated entities have no passport and can hold as many legal nationalities as they like, and in that way circumvent unwanted laws!). Thus consent would be the only way forward.
Only by making people consciously consent to selling their soul they will be able to see what they give up and eventually improve the broader adoption of universal encryption, which is the only way out of the spy-on-all conundrum! While NSA are screaming in rage about encryption since it hurts their collect-it-all paradigm, it is perfectly possible to go back to real-time and targeted surveillance even with 100% encryption!
[ link to this | view in chronology ]
"It's been under attack for some time from those who feel that these American companies don't take European privacy interests seriously enough"
To be honest, I wouldn't say it's only because of the NSA mass surveillance. That was just the finishing combo.
Many people from the EU are quite worried because it seems that US companies don't take privacy seriously enough. The EU ones are bad enough, just that the perception is that US ones are worse, in part because that market is way less regulated.
Also, a question, I saw that on the 2011 PSN hacking incident, they applied the California laws even if the data were breached from users worldwide. That's how the suit got dismissed (plus the "there is no perfect security").
Does that mean that US laws apply and not, for example, EU ones?
If so, what are the safe harbours for? The idea is that they would be allowed to use and transfer EU citizen data if they follow the EU laws, don't they?
Oh, and btw, this has nothing to do with encrypting in transfer or not, but what happens on their servers (and their soil) afterwards. If the NSA has any backdoor (legal or not) to those servers, no wonder anyone would be worried.
And yet, knowing what I know, I wouldn't trust my government with my privacy, they are as bad as any other.
I guess that the difference is that I get some say (once every 4 years, lol) regarding the laws of my government, while I can't say a thing about the laws of the US.
[ link to this | view in chronology ]
Re:
In the U.S., you get a say about the laws of the U.S. whenever you want, and with the tally you want. You've probably seen the ballots. They are rectangular and carry the portrait of Ben Franklin in green and black. Well, those ballots don't really count for much, but there are also ballots with Woodrow Wilson's portrait and writing your wishes on those gets them some nice consideration.
[ link to this | view in chronology ]
Re: Re:
It's smaller than Woodrow Wilson's ones, but it feels better to be given a bunch of papers rather than a few smaller ones. At least you can cool yourself with them while waiting for the next vote.
I guess every country prefers the votes given in their proper ballot.
[ link to this | view in chronology ]
Re:
There never was one, to begin with.
[ link to this | view in chronology ]
Can never trust US based internet services with sensitive data again...
Sorry, your government fucked up, and your corporations (the ones that we know of) played ball instead of being honest with their customers and respecting their rights.
Trust is hard earned, but easily lost!
[ link to this | view in chronology ]
Paradox
Some people are trying to bring this to the EUCJ, so let's see if they manage some consistency or if it all comes crashing down in a hypocritical "do as I say, not as I do".
[ link to this | view in chronology ]
Re: Paradox
One of the positive parts of this ruling is that well, the EUCJ has grounds to repeal the mass surveillance from France, Germany and the UK at least. If it ruled the opposite, then it would have meant that it sanctioned the mass surveillance programs as being in line with EU Data Privacy Directives.
Of course, it could all end how you said.
[ link to this | view in chronology ]
Re: Paradox
Take Sweden for example, who happily whines about the NSA and US corporations, but when the ECJ rules the data retention directive completely and utterly void due to its unconstitutional nature, does Sweden remove it? Of course not. The conservatives were not about to throw away perfectly good surveillance, and as the socialists took over in the next election, the silence on the matter was simply eerie.
[ link to this | view in chronology ]
Well, no. The win is that the need to end mass surveillance has been exposed; and that those corporations that are complicit in it will be made to suffer one way or the other if they don't change their ways. That's what we're cheering for.
Unfortunately, there doesn't seem to be any indication that this is what's going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won't change anything, but which may just be more expensive for companies.
Sometimes things have to get worse before they get better. It doesn't help that those companies that aren't actively profiteering from surveillance are caught between a rock and a hard place; they're damned by the courts, etc., if they DO enable surveillance, and damned by the governments involved if they don't. Not a place I'd like to be in.
There's a way to fix this mess and it's to stop mass surveillance.
Follow the $$$. There's too much money to be made from surveillance (I'm convinced the surveillance companies are selling our data on the side, or colluding with entities that do) to give it up. Ultimately, it's not even about having all the information you'll ever need at your fingertips; if I'm right, it's about having all the information you can ever sell at your fingertips. Until we get the profit motive out of the equation, enjoy surveillance.
[ link to this | view in chronology ]
Isn't this the first time that an EU institution shows that they actually believe what Snowden leaked?
Yeah, yeah, I know. We got plenty of governments, and even the EP, making statements over the NSA surveillance and such; but they were that, mere statements, even with votes, directives and such.
Now the EUCJ has spoken. Well, it has ruled. It has applied a law regarding this issue, and believes what Snowden says.
You can gloss over what a governing body (EP, EC, Commission, national government) says or states by claiming it's pure political speech.
But you can't gloss over a sentence of the highest court in the EU as "political speech". It's a ruling.
I'd say it's the first time that the law has been applied by believing the Snowden leaks.
I'd say it's something to consider.
[ link to this | view in chronology ]