Group items tagged

In a seminal decision updating and consolidating its previous jurisprudence on surveillance, the Grand Chamber of the European Court of Human Rights took a sideways swing at mass surveillance programs last week, reiterating the centrality of “reasonable suspicion” to the authorization process and the need to ensure interception warrants are targeted to an individual or premises. The decision in Zakharov v. Russia — coming on the heels of the European Court of Justice’s strongly-worded condemnation in Schrems of interception systems that provide States with “generalised access” to the content of communications — is another blow to governments across Europe and the United States that continue to argue for the legitimacy and lawfulness of bulk collection programs. It also provoked the ire of the Russian government, prompting an immediate legislative move to give the Russian constitution precedence over Strasbourg judgments. The Grand Chamber’s judgment in Zakharov is especially notable because its subject matter — the Russian SORM system of interception, which includes the installation of equipment on telecommunications networks that subsequently enables the State direct access to the communications transiting through those networks — is similar in many ways to the interception systems currently enjoying public and judicial scrutiny in the United States, France, and the United Kingdom. Zakharov also provides a timely opportunity to compare the differences between UK and Russian law: Namely, Russian law requires prior independent authorization of interception measures, whereas neither the proposed UK law nor the existing legislative framework do.

The decision is lengthy and comprises a useful restatement and harmonization of the Court’s approach to standing (which it calls “victim status”) in surveillance cases, which is markedly different from that taken by the US Supreme Court. (Indeed, Judge Dedov’s separate but concurring opinion notes the contrast with Clapper v. Amnesty International.) It also addresses at length issues of supervision and oversight, as well as the role played by notification in ensuring the effectiveness of remedies. (Marko Milanovic discusses many of these issues here.) For the purpose of the ongoing debate around the legitimacy of bulk surveillance regimes under international human rights law, however, three particular conclusions of the Court are critical.

The Court took issue with legislation permitting the interception of communications for broad national, military, or economic security purposes (as well as for “ecological security” in the Russian case), absent any indication of the particular circumstances under which an individual’s communications may be intercepted. It said that such broadly worded statutes confer an “almost unlimited degree of discretion in determining which events or acts constitute such a threat and whether that threat is serious enough to justify secret surveillance” (para. 248). Such discretion cannot be unbounded. It can be limited through the requirement for prior judicial authorization of interception measures (para. 249). Non-judicial authorities may also be competent to authorize interception, provided they are sufficiently independent from the executive (para. 258). What is important, the Court said, is that the entity authorizing interception must be “capable of verifying the existence of a reasonable suspicion against the person concerned, in particular, whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security” (para. 260). This finding clearly constitutes a significant threshold which a number of existing and pending European surveillance laws would not meet. For example, the existence of individualized reasonable suspicion runs contrary to the premise of signals intelligence programs where communications are intercepted in bulk; by definition, those programs collect information without any consideration of individualized suspicion. Yet the Court was clearly articulating the principle with national security-driven surveillance in mind, and with the knowledge that interception of communications in Russia is conducted by Russian intelligence on behalf of law enforcement agencies.

The European Commission, on January 24, published its guidance aimed to facilitate a direct and smooth application of the European Union’s new data protection rules across the EU as of 25 May. The Commission also launches a new online tool dedicated to SMEs.

With just over 100 days left before the application of the new law, the guidance outlines what the European Commission, national data protection authorities and national administrations, according to the Commission, should still do to bring the preparation to a successful completion. The Commission notes that while the new regulation provides for a single set of rules directly applicable in all Member States, it will still require significant adjustments in certain aspects, like amending existing laws by EU governments or setting up the European Data Protection Board by data protection authorities. The Commission states that the guidance recalls the main innovations, opportunities opened up by the new rules, takes stock of the preparatory work already undertaken and outlines the work still ahead of the European Commission, national data protection authorities and national administrations. Andrus Ansip, European Commission Vice-President for the Digital Single Market, said: “Our digital future can only be built on trust. Everyone’s privacy has to be protected. Strengthened EU data protection rules will become a reality on 25 May. It is a major step forward and we are committed to making it a success for everyone.” Vĕra Jourová, Commissioner for Justice, Consumers and Gender Equality, added:” In today’s world, the way we handle data will determine to a large extent our economic future and personal safety. We need modern rules to respond to new risks, so we call on EU governments, authorities and businesses to use the remaining time efficiently and fulfil their roles in the preparations for the big day.”

The guidance recalls the main elements of the new data protection rules: One set of rules across the continent, guaranteeing legal certainty for businesses and the same data protection level across the EU for citizens. Same rules apply to all companies offering services in the EU, even if these companies are based outside the EU. Stronger and new rights for citizens: the right to information, access and the right to be forgotten are strengthened. A new right to data portability allows citizens to move their data from one company to the other. This will give companies new business opportunities. Stronger protection against data breaches: a company experiencing a data breach, which put individuals at risk, has to notify the data protection authority within 72 hours. Rules with teeth and deterrent fines: all data protection authorities will have the power to impose fines for up to EUR 20 million or, in the case of a company, 4% of the worldwide annual turnover.

The escalating trade war is starting to damage Apple's brand in China, according to a new survey of Chinese consumer trends.  The brand consultancy Prophet surveyed 13,500 Chinese consumers and discovered that a wave of nationalism is sweeping across the country, deterring many from using US brands.  Apple plunged in the company's latest brand-relevance index, published Wednesday, which asked respondents which brands they liked the most. Apple crashed to No.24 in the index, falling from No. 11 last year. Before the trade war began, Apple was No. 5. Rivals like Huawei soared in the index to the No. 2 spot, just behind Chinese payment service Alipay.

While everyone was focused on the release of the Mueller report Thursday, Facebook quietly notified the public that the passwords of "millions of Instagram users" were stored in an unencrypted format on an internal server, and searchable by any employee.

In March, security expert Brian Krebs of KrebsonSecurity noted:  The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012. My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords. -KrebsonSecurity In short, if you believe Facebook that the passwords were not improperly accessed, rest well. If you don't believe them, and you use your Instagram password for other things, perhaps it's time to think of a new one.  

Though we doubt the broader public needed convincing, this is a significant milestone nonetheless, also after last month Trump shocked reporters by suggesting he could take a look at pardoning Edward Snowden:  Seven years after former National Security Agency contractor Edward Snowden blew the whistle on the mass surveillance of Americans’ telephone records, an appeals court has found the program was unlawful - and that the U.S. intelligence leaders who publicly defended it were not telling the truth.

And the ACLU said “Today’s ruling is a victory for our privacy rights,” adding that it “makes plain that the NSA’s bulk collection of Americans’ phone records violated the Constitution.” Crucially, the three judge panel on the 9th Circuit specifically credited Edward Snowden for exposing it, as Politico notes: Judge Marsha Berzon's opinion, which contains a half-dozen references to the role of former NSA contractor and whistleblower Edward Snowden in disclosing the NSA metadata program, concludes that the "bulk collection" of such data violated the Foreign Intelligence Surveillance Act.

The much anticipated iPhone 5G - and the next obvious cash cow for smartphone technology company Apple in its long line of smartphone cash cows - may be put on hold due to spillover effects from the coronavirus. Bank of America put out a note on Friday morning, citing a conversation with an expert on the company's supply chain, that said the product launch may wind up being pushed back.  The expert said that  “the iPhone 5G launch in the fall could see a month of delay.” He also warned that the launch of the iPhone SE2 would be delayed by "a few months" due to supply issues and weaker demand as a result of coronavirus.