EU puts its foot down against eavesdropping – again

In 2000, the European Commission negotiated an agreement with the United States. All personal data sent from countries in Europe across the Atlantic to the US would enjoy the same legal protection as if it had stayed within the EU. If American companies complied with seven principles, they could join the agreement and freely receive data from Europe. However, the European Commission had made an agreement that was not compatible with EU law. Today, a decision came from the European Court of Justice: Safe Harbor is invalidated because personal data sent to the US is not protected from US intelligence agencies.

Read this blog post in Swedish.

For many, it has sounded a little like science fiction that the NSA (National Security Agency) eavesdrops on phones and e-mail and follows the traffic patterns and surfing habits of people all over the world, but once Edward Snowden’s revelations came out in the open it was no longer possible to sweep the facts under the rug. But was it the first time? No. I have one thing to say: Echelon.

Given the great success of the Second World War interception project Ultra, it is perhaps unsurprising that the West tried to repeat that success in the postwar period, and especially during the 1990s. Echelon was a project aimed at intercepting all electronic communications. More or less all international telephone, telex and fax traffic, as well as e-mail and other data traffic on the internet, was intercepted.

But while the Second World War’s large Ultra project really was ultra-secret, knowledge of Echelon was relatively widespread. A very irritated EU published several studies on the subject, and several investigative journalists made information about Echelon available on the internet for everyone to take note of and consider.

It was a dark time in Europe. Echelon was jointly run by the US and Great Britain with the support of other countries such as Canada, Australia and New Zealand. For a long time there was discussion about whether Sweden was involved or not, possibly secretly. The question of restrictions on the export and import of cryptographic products was discussed extensively, and restrictions and regulations hung in the air.

Germany, on the other hand, took a strong position on the issue and on June 2, 1999 publicly urged its citizens and companies to start using strong encryption for all digital services immediately, while at the same time thousands of Echelon employees were working on German soil.

Every little bit helps…

For example, it was known that the tapping switches sat at nine so-called IXPs (Internet Exchange Points) in the US: FIX East, FIX West, MAE East, New York NAP, SWAB, Chicago NAP, San Francisco NAP, MAE West and CIX. Everything drawn from submarine cables, satellites, digital switches connected to the internet and other sources was gathered into one central stream. Interception of fibre-optic cables was difficult for a long time, but by 1999 a prototype for extracting signals from fibre had been developed.

A special listening device was inserted into the optical fibre cable as a box that could be placed virtually anywhere. Whether it came into general use, I don’t know. For voice traffic, the technology had advanced to the point where a person’s voice could be found by searching for a “voice print” and identified within half a second to a second. Picking out specific keywords from spoken conversations was considerably harder, whereas it was trivial in text communication.

All parties in Echelon worked together to fight strong encryption, even when it hurt their own countries’ businesses.

Swedish encryption policy

In October 1997, the Government Offices’ reference group for encryption issues released a report titled Encryption Policy – a possible Swedish line of action, as the first step in designing a Swedish policy for the area of encryption. Discussions about a possible need to regulate encryption had by then been ongoing in this reference group since the beginning of 1996. In the Foreign Affairs Committee’s report 1999/2000:UU3 on encryption, the Committee stressed that it shared the government’s view concerning the use of encryption for transmitting and storing information in electronic form, as well as regarding trade in cryptographic products.

The Committee proposed a statement to the government to the effect that it should promote a liberal application of the existing export control regime, and that Sweden, through the so-called Wassenaar Arrangement, should work to change the existing rules in the direction of further liberalisation, also in other countries.

The Committee also stated that everyone in Sweden has the right to use and choose cryptographic technology.

The European irritation

As I mentioned earlier, the EU published several studies on the issue, including a report titled “Report on the existence of a global system for the interception of private and commercial communications (ECHELON interception system)”, which discussed and described aspects of a large-scale surveillance system. Among other things, the report tried to answer:

  • whether this system actually existed
  • what was truth and what was myth
  • what effects such a system would have
  • whether it was legal and consistent with human rights, international law and EU directives.

The 186-page report, published in all the official EU languages of the time, was the result of a period of investigation and reflection on what surveillance of this kind would mean and what effects such monitoring would have.

At the beginning of the report, under the heading “The existence of a global system for intercepting private and commercial communications (ECHELON interception system)”, it says:

“whereas the existence of a global system for intercepting communications, operating by means of cooperation proportionate to their capabilities among the USA, the UK, Canada, Australia and New Zealand under the UKUSA Agreement, is no longer in doubt; whereas it seems likely, in view of the evidence and the consistent pattern of statements from a very wide range of individuals and organizations, including American sources, that its name is in fact ECHELON”

Interception on this scale was already then recognised as an invasion of privacy and a breach of international human-rights instruments, for example the European Convention on Human Rights (ECHR).

One of the recommendations in the report was: “Security for companies can only be achieved if the entire work environment is secured along with all communication channels that may be eligible for the transmission of sensitive information.”

What is the Safe Harbor agreement?

On the Swedish Data Protection Authority’s website we find that Safe Harbor is a set of voluntary rules on privacy and data protection that was developed and approved by the US Department of Commerce (DoC). Organisations in the US can notify the department that they adhere to these rules. The European Commission decided that the rules (with their accompanying questions and answers) constitute an adequate level of protection. It was therefore permitted to transfer personal data from the EU/EEA to organisations in the US that had acceded to the rules.

Now, here we stand, 15 years later. The European Court of Justice has annulled the Commission’s decision that allowed personal data to be transferred across the Atlantic. The annulment means that it is no longer automatically acceptable to rely on Safe Harbor. It says nothing, however, about how a genuine assessment of adequacy under 33 §, second paragraph, of the Personal Data Act (personuppgiftslagen) would turn out in a specific case.

The consequences of the annulment will certainly be kicked around for many rounds, not least by data controllers who use services that relied on Safe Harbor. Although many reacted negatively to the decision, claiming that it leads to enormous costs, chaos and hassle, I am satisfied with the decision. The important point is that a data subject gets the protection that the Data Protection Directive provides, and can pursue their claims regardless of where the data is located.

I happily concur with the EDRi organization’s laconic statement in its press release:

Businesses that were using Safe Harbor could have done more than hope that a case would never be brought to the Court, businesses could have done more than pluck absurd numbers out of thin air as to the cost of abandoning this unsustainable agreement. Their choice was to take the risk that this unsustainable agreement could be sustained. They were wrong.

Photo: CCTV by Alexandre Dulaunoy (CC BY-SA 2.0)

About the blogger

Anne-Marie Eklund Löwinder, Head of Security at IIS. Ranked as one of Sweden’s foremost IT security experts. One of a select few in the world to participate in the key generation for DNSSEC in the root zone of the Internet. Board member on several boards and commentator on official government reports regarding the Internet and security.