Group items matching

in title, tags, annotations or url

The High Court in Ireland has referred a review of a complaint against Facebook to Europe's top court. The complaint alleges the social network shared EU users' data with the US National Security Agency.The European Court of Justice is to assess whether EU law needs to be updated in light of the PRISM revelations, which could have a knock-on effect on tech firms from Facebook to Google. <a href="http://pubads.g.doubleclick.net/gampad/jump?iu=/6978/reg_policy/government&sz=300x250%7C300x600&tile=3&c=33U6KvJawQrMoAAAUTy6EAAAJ5&t=ct%3Dns%26unitnum%3D3%26unitname%3Dwww_top_mpu%26pos%3Dtop%26test%3D0" target="_blank"> <img src="http://pubads.g.doubleclick.net/gampad/ad?iu=/6978/reg_policy/government&sz=300x250%7C300x600&tile=3&c=33U6KvJawQrMoAAAUTy6EAAAJ5&t=ct%3Dns%26unitnum%3D3%26unitname%3Dwww_top_mpu%26pos%3Dtop%26test%3D0" alt=""></a> Austrian law student Maximillian Schrems took Facebook to court in Ireland, where the social network’s European HQ is located, over the revelations from NSA whistleblower Edward Snowden that personal data held by tech firms like Facebook was routinely being slurped by US spooks.

Schrems first asked the Irish Data Commissioner to investigate the legality of Facebook Ireland sending his info over to the States, where it could be seen by the security services, but when the commissioner refused to investigate, he sought a judicial review at the High Court.The Commissioner had ruled that Schrems didn’t have a case because he couldn’t prove that anyone had slurped his data in particular and anyway, the EU has an agreement with the US under the “Safe Harbour” principle decided way back in 2000. This principle governs data flow from Europe to United States and allows US firms to self-certify themselves as respectful of European data protection rules.High Court Justice Gerard Hogan said Schrems did not need to prove that his own data had been spied upon to make a complaint.“Quite obviously, Mr Schrems cannot say whether his own personal data has ever been accessed or whether it would ever be accessed by the US authorities,” he wrote in his ruling.

“But even if this were considered to be unlikely, he is nonetheless certainly entitled to object to a state of affairs where his data are transferred to a jurisdiction which, to all intents and purposes, appears to provide only a limited protection against any interference with that private data by the US security authorities.”However, he said that only the European Court of Justice could decide that individual member states were allowed to look past the Safe Harbour principle or reinterpret its meaning. Hogan said that Schrems, who had filed on behalf of the Europe-v-Facebook group, really had a problem with this principle and acknowledged that there may be an argument for the idea that the rule was outdated.“The Safe Harbour Regime… may reflect a somewhat more innocent age in terms of data protection,” he said. “This Regime came into force prior to the advent of social media and, of course, before the massive terrorist attacks on American soil which took place on September 11th, 2001.”

The European data protection activists behind the Europe v Facebook (evf) campaign group, that has long been a thorn in Facebook’s side in Europe, have filed new complaints under regional data protection law targeting Facebook, Apple, Microsoft, Skype and Yahoo for their alleged collaboration with the NSA’s Prism data collection program. The student activist organisation is targeting the European subsidiaries of these five U.S. companies, arguing that their corporate structure means they fall fully under European privacy laws despite being U.S. headquartered companies. And yet, being as they are U.S. companies, they are required to comply with U.S. surveillance laws — putting them in the “tricky” situation of having to comply with potentially conflicting legal requirements. It’s that legal conflict evf is now probing.

Evf takes the view that the law needs clarifying — and it using these new data protection complaints as the vehicle to obtain clarification from the various regional data protection agencies. Facebook and Apple; Microsoft and Skype; and Yahoo have subsidiaries in Ireland, Luxembourg and Germany respectively. ”We want a clear statement by the authorities if a European company may simply give foreign intelligence agencies access to its customer data. If this turns out to be legal, then we might have to change the laws,” noted evf speaker, Max Schrems, in a statement. The key question, as evf sees it, is whether “mass transfer” of personal data from to a foreign intelligence agency is legal under European law.  ”Many journalists have asked us in recent weeks if PRISM is legal from a EU perspective. We have looked at that a little closer. The result was – after consulting with legal experts – that it is very likely illegal under EU data protection laws, because of the corporate structure of the companies,” added Schrems. Google and YouTube have not been included in this first round of evf complaints being as they have a different corporate structure that does not include European subsidiaries. However it notes they do have datacenters in European countries, which will give evf a route to filing Prism-related data protection complaints against both at a later date.

Writing in a press notice announcing its new action, evf added: If a European subsidiary sends user data to the American parent company, this is considered an “export” of personal data. Under EU law, an export of data is only allowed if the European subsidiary can ensure an “adequate level or protection” in the foreign country. After the recent disclosures on the “PRISM” program such trust in an “adequate level of protection” by the involved companies can hardly be upheld. There can in no way be an adequate level of protection if they cooperate with the NSA on the other end of the line. Right now an export of data to the US must be seen as illegal if the involved companies cannot disprove the reports on the PRISM program. According to evf, the subsidiaries being targeted by these complaints have “the burden of proof” — to either “credibly assure” that the Prism program is a hoax, or “explain how mass access by a foreign intelligence agency interplays with EU data protection laws”. Evf cites a 2006 case precedent involving payment processor SWIFT which had forwarded transaction details to U.S. authorities. In that case it says a group of EU data protection authorities decided that such a mass data transfer is illegal under EU law, leading to SWIFT to move European data to a server in Switzerland. The case also led to an agreement between the U.S. and the EU on the use of payment data to combat crime.

New documents released this week via the National Security Agency whistleblower Edward Snowden outline how Irish subsea telecommunications cables have been targeted by British intelligence. The documents detail a whole series of underwater cables – essentially the backbone that connects Ireland to the globe – that are being tapped. A document titled “Partner Cables” list the cables that Britain’s Government Communications Headquarters (GCHQ) has accessed or sought to access. The commercial owners of the cables are identified by codenames.

The cables include the Solas undersea cable, which extends from the Wexford coast to southern Wales. The owner of the cable is listed as “GERONTIC”, the password for Cable & Wireless, which is now part of Vodafone. The method of access is described as “DCO” or Direct Cable Ownership.

British intelligence also access the Hibernia cable, which connects Ireland to the US and Canada from Dublin to Halifax, Nova Scotia. It loops to the UK via Southport, on the other side of the Irish Sea. It is listed as a cable to which GCHQ does not “currently have good access”. According to the documents, the only providers assisting GCHQ with access to the Hibernia cable are called “VITREOUS” and “LITTLE”. They provide what’s called IRU/LC or “Indefeasible Rights of Use/Lit Capacity” access. An Irish company linked to the VITREOUS codename last night denied involvement.

It wasn’t ever seriously in doubt, but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors. Freedom Hosting’s operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas. It’s not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control. The new details emerged in local press reports from a Thursday bail hearing in Dublin, Ireland, where Marques, 28, is fighting extradition to America on charges that Freedom Hosting facilitated child pornography on a massive scale. He was denied bail today for the second time since his arrest in July. Freedom Hosting was a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network. Tor hidden services are used by sites that need to evade surveillance or protect users’ privacy to an extraordinary degree – including human rights groups and journalists. But they also appeal to serious criminal elements, child-pornography traders among them.

On August 4, all the sites hosted by Freedom Hosting — some with no connection to child porn — began serving an error message with hidden code embedded in the page. Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle, reporting back to a mysterious server in Northern Virginia. The FBI was the obvious suspect, but declined to comment on the incident. The FBI also didn’t respond to inquiries from WIRED today. But FBI Supervisory Special Agent J. Brooke Donahue was more forthcoming when he appeared in the Irish court yesterday to bolster the case for keeping Marques behind bars, according to local press reports. Among the many arguments Donahue and an Irish police inspector offered was that Marques might reestablish contact with co-conspirators, and further complicate the FBI probe. In addition to the wrestling match over Freedom Hosting’s servers, Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.

The apparent FBI-malware attack was first noticed on August 4, when all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included at least some lawful websites, such as the secure email provider TorMail. Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address. By midday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploited a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser. Though many older revisions of Firefox were vulnerable to that bug, the malware only targeted Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network. That made it clear early on that the attack was focused specifically on de-anonymizing Tor users. Tor Browser Bundle users who installed or manually updated after June 26 were safe from the exploit, according to the Tor Project’s security advisory on the hack.

BRUSSELS — Amid a growing outcry over American snooping on foreigners that threatens to cloud European-U.S. trade talks and President Barack Obama’s visit to Berlin, the European Union’s top justice official has demanded in unusually sharp terms that the United States reveal what its intelligence is doing with personal information of Europeans gathered under the Prism surveillance program revealed last week.

Viviane Reding, the Union’s combative commissioner of justice, told Attorney General Eric Holder in a letter sent on Monday evening that individual citizens of European countries had the right to know whether their personal information had been part of intelligence gathering “on a large scale.” In the letter, seen Tuesday by the International Herald Tribune, she also asked what avenues were available to Europeans to find out whether they had been spied on, and whether they would be treated similarly to U.S. citizens in such cases. “Given the gravity of the situation and the serious concerns expressed in public opinion on this side of the Atlantic, you will understand that I will expect swift and concrete answers,” Mrs. Reding wrote.

Speaking for a continent where snooping carries ghastly echoes of fascist or communist regimes, Mrs. Reding challenged Mr. Holder to answer a list of detailed questions by Friday, when they are expected to speak face-to-face in Dublin at a ministerial meeting scheduled before the Prism spy operation came to light. In Berlin, where Mr. Obama will speak next week before the Brandenburg Gate, privacy is a highly sensitive political issue and the Prism revelations have stirred a furor. “You can be sure that this will be one of the things the chancellor addresses when President Obama is in Germany,” said Steffen Seibert, spokesman for Angela Merkel, who grew up in the former Communist East.