Europe’s highest human rights court to hear challenge to UK’s bulk surveillance regime

The Grand Chamber of the European Court of Human Rights (ECHR) has agreed to hear a legal challenge to the use of bulk data collection surveillance powers by UK intelligence agencies.

Last September a lower chamber of the ECHR ruled that UK surveillance practices violated human rights law but did not find bulk collection itself to be in violation of the convention.

The civil and digital groups and charities behind the challenge, which include Liberty, Privacy International and Amnesty International, are hoping for a definitive judgement against bulk collection from Europe’s highest human rights court.

The legal challenge dates back around five years, and stems from the 2013 disclosures of government surveillance programs revealed by NSA whistleblower Edward Snowden.

The ECHR’s lower court heard an amalgam of complaints from three cases. And in a landmark judgement last fall it found the UK’s bulk interception regime had violated Article 8 of the European Convention on Human Rights (a right to respect for private and family life/communications); and Article 10 (the right to freedom of expression and information).

The court found there was insufficient oversight of the Internet infrastructure and communications selected for interception and searching; and also insufficient safeguards for journalistic material.

The court also ruled against the government’s regime for obtaining data from communications service providers, finding it violated both articles.

But the judges declined to find the state surveillance regime unlawful on the grounds that it constituted “general and indiscriminate” retention of data.

This is important because the legal framework around surveillance in the UK had already been superseded — with the Investigatory Powers Act, which was passed in 2016 — enshrining a number of bulk powers in law, alongside what the government bills as an adequate oversight framework. (Though it has since been forced by domestic courts to rework certain aspects of the legislation judged to be disproportionate.)

The groups behind the human rights challenge argue the lower court’s judgment “did not go far enough with regard to the unlawfulness of bulk interception powers and the fundamental shortcomings in inter-state intelligence sharing based on communications intercepts”.

Hence now pushing for an overarching judgement from judges in the Grand Chamber which — if it goes their way — could force the UK to radically rethink its approach to intelligence capabilities and put a check on the creeping encroachment of state surveillance.

Commenting in a statement, Caroline Wilson Palow, general counsel at Privacy International, said: “The UK Government continues to intercept enormous volumes of internet traffic flowing across its borders. And it continues to have access to similarly vast troves of information intercepted by the US Government. We call on the Court to reject these mass surveillance practices and find that they are fundamentally incompatible with the rights to privacy and freedom of expression enshrined in the European Convention on Human Rights.”

“The surveillance regime that the UK Government has built seriously undermines our freedom. Spying on vast numbers of people without suspicion of wrongdoing violates everyone’s rights to privacy and free expression, and can never be lawful,” added Megan Goulding, lawyer for Liberty, in another statement. “We welcome the opportunity from the Court to prove that indiscriminate state snooping is incompatible with our rights. We need a rights-respecting and targeted surveillance system — not one where everyone is treated as a suspect as they go about their everyday lives.”

Also commenting in a statement, Lucy Claridge, director of strategic litigation at Amnesty International, said: “Industrial scale mass surveillance makes it incredibly difficult for organisations such as Amnesty International to carry out their vital human rights work. It’s critical that they are able to seek and receive information of public interest from their confidential sources, free from government intrusion.”

There’s little prospect of an imminent check on the UK’s current bulk-based surveillance modus operandi via this legal route, with what could be a wait of several years before the Grand Chamber even hears the case.

Add to that, at that unknown future time it’s still anyone’s guess whether the UK — which is in the process of trying to determine how it will exit the European Union — will still be a party to the European convention on human rights or not.

While the ECHR is attached to the Council of Europe, rather than the EU itself, some elements of the Conservative Party have been pushing to pull the UK out of the convention too. Which throws a potential future spanner in the works of this rights-based challenge.

Tor pulls in record donations as it lessens reliance on US government grants

Tor, the open source initiative which provides a more secure way to access the internet, is continuing to diversify its funding away from its long-standing reliance on U.S. government grants.

The Tor Foundation — the organization behind the service which stands for ‘The Onion Router’ — announced this week that it brought in a record $460,000 from individual donors in 2018. In addition, recently released financial information shows it raised a record $4.13 million from all sources in 2017 thanks to a growth in non-U.S. government donors.

The individual donation push represents an increase on the $400,000 it raised in 2017. A large part of that is down to Tor ally Mozilla, which once again pledged to match donations in the closing months of the year, while an anonymous individual matched all new backers who pledged up to $20,000.

Overall, the foundation said that it attracted donations from 115 countries worldwide in 2018 which reflects its importance outside of the U.S.

The record donation haul comes weeks after the Tor Foundation quietly revealed its latest financials — for 2017 — which show it has lessened its dependence on U.S. government sources. That’s been a key goal for some time, particularly after allegations that the FBI paid Carnegie Mellon researchers to help crack Tor, which served as a major motivation for the introduction of fundraising drives in 2015.

Back in 2015, U.S. government sources accounted for 80-90 percent of its financial backing, but that fell to just over 50 percent in 2017. The addition of a Swedish government agency, which provided $600,000, helped on that front as well as corporate donations from Mozilla ($520,000) and DuckDuckGo ($25,000), more than $400,000 from a range of private foundations, and, of course, those donations from individuals.

Tor is best known for being used by NSA whistleblower Edward Snowden but, with governments across the world cracking down on the internet, it is a resource that’s increasingly necessary if we are to guard the world’s right to a free internet.

Tor has certainly been busy making its technology more accessible over the last year.

It launched its first official mobile browser for Android in September, and the same month it released Tor Browser 8.0, its most usable browser yet, which is based on Firefox’s 2017 Quantum structure. It has also worked closely with Mozilla to bring Tor into Firefox itself, as it has already done with Brave, a browser firm led by former Mozilla CEO Brendan Eich.

Beyond the browser and the Tor network itself, which is designed to minimize the potential for network surveillance, the organization also develops a range of other projects. More than two million people are estimated to use Tor, according to data from the organization.

Europe issues a deadline for US’ Privacy Shield compliance

The European Commission has finally given the U.S. a deadline related to the much criticized data transfer mechanism known as the EU-US Privacy Shield.

But it’s only asking for the U.S. to nominate a permanent ombudsperson — to handle any EU citizens’ complaints — by February 28, 2019.

If a permanent ombudsperson is not appointed by then the Commission says it will “consider taking appropriate measures, in accordance with the General Data Protection Regulation”.

So not an out-and-out threat to suspend the mechanism — which is what critics and MEPs have been calling for.

But still a fixed deadline at last.

“We now expect our American partners to nominate the Ombudsperson on a permanent basis, so we can make sure that our EU-US relations in data protection are fully trustworthy,” said Andrus Ansip, Commission VP for the Digital Single Market, in a statement.

“All elements of the Shield must be working at full speed, including the Ombudsperson,” added Věra Jourová, the commissioner for justice and consumers.

It’s the first sign the Commission is losing patience with its U.S. counterparts.

Although there’s no doubt the EC remains fully committed to the survival of the business-friendly mechanism which it spent years negotiating after the prior arrangement, Safe Harbor, was struck down by Europe’s top court following NSA whistleblower Edward Snowden’s disclosures of US government surveillance programs.

Its problem is it has to contend with Trump administration priorities — which naturally don’t align with privacy protection for non-US citizens.

While the EU-US Privacy Shield is over two years old at this point, president Trump has failed to nominate a permanent ombudsperson to a key oversight role.

The acting civil servant (Judith Garber, principal deputy assistant secretary for the Bureau of Oceans and International Environmental and Scientific Affairs) was also nominated as U.S. ambassador to Cyprus this summer, suggesting a hard limit to her already divided attention on EU citizens’ data privacy.

Despite this problematic wrinkle, the EU’s executive today professed itself otherwise satisfied that the mechanism is ensuring “an adequate level of protection for personal data”, announcing the conclusion of its second annual Privacy Shield review.

The data transfer mechanism is now used by more than 4,000 companies to simplify flows of EU citizens’ personal data to the US.

And the Commission clearly wants to avoid a repeat of the scramble that kicked off when, three years ago, Safe Harbor was struck down and businesses had to find alternative legal means for authorizing essential data flows.

But at the same time Privacy Shield has been under growing pressure. This summer the EU parliament called for the mechanism to be suspended until the U.S. comes into compliance.

The parliament’s Libe committee also said that better monitoring of data transfers was clearly required in light of the Cambridge Analytica Facebook data misuse scandal. (Both companies had been signed up to Privacy Shield.)

The mechanism has also been looped into a separate legal challenge to another data transfer tool after the Irish High Court referred a series of questions to the European Court of Justice — setting the stage for another high stakes legal drama if fundamental European privacy rights are again deemed incompatible with U.S. national security practices.

A decision on that referral remains for the future. But in the meanwhile the Commission looks to be doing everything it can to claim it’s ‘business as usual’ for EU-US data flows.

In a press release today, it lauds steps taken by the U.S. authorities to implement recommendations it made in last year’s Privacy Shield review — saying they have “improved the functioning of the framework”.

Albeit, the detail of these slated ‘improvements’ shows how very low its starting bar was set — with the Commission listing, for example:

  • the strengthening by the Department of Commerce of the certification process and of its proactive oversight over the framework — including setting up mechanisms such as a system of spot checks (it says that 100 companies have been checked; and 21 had “issues that have now been solved” — suggesting a fifth of claimed compliance was, er, not actually compliance)
  • additional “compliance review procedures” such as analysis of Privacy Shield participants’ websites “to ensure that links to privacy policies are correct”; so previously we must assume no one in the U.S. was bothering to check
  • the Department of Commerce put in place a system to identify false claims which the Commission now claims “prevents companies from claiming their compliance with the Privacy Shield, when they have not been certified”; so again, prior to this system being set up certifications weren’t necessarily worth the pixels they were painted in

The Commission also claims the Federal Trade Commission has shown “a more proactive approach” to enforcement by monitoring the principles of the Privacy Shield — noting that, for example, it has issued subpoenas to request information from participating companies.

Another change it commends — related to the sticky issue of access to personal data by U.S. public authorities for national security purposes (which is what did for Safe Harbor) — is the appointment of new members of the Privacy and Civil Liberties Oversight Board (PCLOB) — to restore the Board’s quorum.

The denuded PCLOB has been a long running bone of contention for Privacy Shield critics.

“The Board’s report on the implementation of Presidential Policy-Directive No. 28 (PPD-28, which provides for privacy protections for non-Americans) has been made publicly available,” the Commission writes, referring to a key Obama era directive that it has previously said the Shield depends upon. “It confirms that these privacy protections for non-Americans are implemented across the U.S. intelligence community.”

It says it also took into account relevant developments in the U.S. legal system in the area of privacy during the review, noting that: “The Department of Commerce launched a consultation on a federal approach to data privacy to which the Commission contributed and the US Federal Trade Commission is reflecting on its current powers in this area.”

“In the context of the Facebook/Cambridge Analytica scandal, the Commission noted the Federal Trade Commission’s confirmation that its investigation of this case is ongoing,” it adds, kicking the can down the road on that particular data scandal.

Meanwhile, as you’d expect, business groups have welcomed another green light for data to keep being passed.

In a statement responding to the conclusion of the review, the Computer & Communications Industry Association said: “We commend the European Commission for its thorough review. Privacy Shield is a robust framework, with strong data protections, that allows for the daily transfers of commercial data between the world’s two biggest trading partners.”

The Snowden Legacy, part one: What’s changed, really?

In our two-part series, Ars looks at what Snowden’s disclosures have wrought politically and institutionally.

Remember this guy? (credit: Pardon Snowden)

Digital privacy has come a long way since June 2013. In the five years since documents provided by Edward Snowden became the basis for a series of revelations that tore away a veil of secrecy around broad surveillance programs run by the National Security Agency, there have been shifts in both technology and policy that have changed the center of gravity for personal electronic privacy in the United States and around the world. Sadly, not all of the changes have been positive. And Snowden's true legacy is a lot more complicated than his admirers (or his critics) will admit.

Starting with that first article published by the Guardian that revealed a National Security Agency program gathering millions of phone records from Verizon—which gave the agency access to metadata about phone calls placed by or received by everyone in America—the Snowden leaks exposed the inner workings of the NSA's biggest signals intelligence programs. Coming to light next was the PRISM program, which allowed the NSA, via the FBI, to gain access directly to customer data from nine Internet companies without notifying the customers. And then came Boundless Informant, a tool for visualizing the amount of signals intelligence being collected from each country in the world. By the time the Snowden cache had been largely mined out, hundreds of files—ranging from PowerPoint presentations to dumps of Internal Wikis and Web discussion boards—had been reviewed and revealed by journalists.

"Thanks to Snowden's disclosures, people worldwide were able to engage in an extraordinary and unprecedented debate about government surveillance," the American Civil Liberties Union declared on the fifth anniversary of the Guardian article.

In a court filing, Edward Snowden says a report critical to an NSA lawsuit is authentic

An unexpected declaration by whistleblower Edward Snowden filed in court this week adds a new twist in a long-running lawsuit against the National Security Agency’s surveillance programs.

The case, filed by the Electronic Frontier Foundation a decade ago, seeks to challenge the government’s alleged illegal and unconstitutional surveillance of Americans, who are largely covered under the Fourth Amendment’s protections against warrantless searches and seizures.

It’s a big step forward for the case, which had stalled largely because the government refused to confirm that a leaked document was authentic or accurate.

News of the surveillance broke in 2006 when an AT&T technician Mark Klein revealed that the NSA was tapping into AT&T’s network backbone. He alleged that a secret, locked room — dubbed Room 641A — in an AT&T facility in San Francisco where he worked was one of many around the U.S. used by the government to monitor communications — domestic and overseas. President George W. Bush authorized the NSA to secretly wiretap Americans’ communications shortly after the September 11 terrorist attacks in 2001.

Much of the EFF’s complaint relied on Klein’s testimony until 2013, when Snowden, a former NSA contractor, came forward with new revelations that described and detailed the vast scope of the U.S. government’s surveillance capabilities, which included participation from other phone giants — including Verizon (TechCrunch’s parent company).

Snowden’s signed declaration, filed on October 31, confirms that one of the documents he leaked, which the EFF relied heavily on for its case, is an authentic draft document written by the then-NSA inspector general in 2009, which exposed concerns about the legality of Bush’s warrantless surveillance program — Stellar Wind — particularly the collection of bulk email records on Americans.

The draft top-secret document was never published, and the NSA had refused to confirm or deny the authenticity of the 2009 inspector general report, ST-09-0002 — despite it having been public for many years.

Snowden, as one of the few former NSA staffers who can speak more freely than former government employees about the agency’s surveillance, confirmed that the document is “authentic.”

“I read its contents carefully during my employment,” he said in his declaration. “I have a specific and strong recollection of this document because it indicated to me that the government had been conducting illegal surveillance.”

Snowden left his home in Hawaii for Hong Kong in 2013, where he gave tens of thousands of documents to reporters. His passport was cancelled as he travelled to Moscow to take another onward flight. He later claimed political asylum in Russia, where he currently lives with his partner.

U.S. prosecutors charged Snowden with espionage.

EFF executive director Cindy Cohn said that the NSA’s refusal to authenticate the leaked documents “is just another step in its practice of falling back on weak technicalities to prevent the public courts from ruling on whether our Constitution allows this kind of mass surveillance of hundreds of millions of nonsuspect people.”

The EFF said in another filing that the draft report “further confirms” the participation of phone companies in the government’s surveillance programs.

The case continues — though a court hearing has not been set.

Mozilla is matching all donations to the Tor Project

Firefox parent Mozilla is returning to back the Tor Project, its long-time ally, after it committed to matching all donations made to fund Tor, the open source initiative to improve online privacy which has just started its annual end of year funding drive.

Tor announced Mozilla’s support today, extending the pair’s partnership, which last year helped Tor raise over $400,000 from a similar campaign. That is a small seed round for a tech startup, but it represents an important source of income for Tor, which began soliciting ‘crowdfunded’ donations in 2015 in a bid to offset its reliance on government grants.

The company’s latest publicly available accounts cover 2015 when Tor received a record $3.3 million in donations. That’s up from $2.5 million in 2014 and it represented Tor’s highest year of income to date, but state-related grants accounted for 86 percent of the figure. That was an improvement on previous years, but Tor Research Director and President Roger Dingledine admitted that the organization has “more work to do” to change that ratio.

Tor hasn’t made its latest (2016) financials available as of yet, but the past year has seen the organization make big leaps in its product offerings, which are still best known for being used by NSA whistleblower Edward Snowden. Tor launched its first official mobile browser for Android in September, and the same month it released Tor Browser 8.0, its most usable browser yet, which is based on Firefox’s 2017 Quantum structure. It has also worked closely with Mozilla to bring Tor into Firefox itself, as it has already done with Brave, a browser firm led by former Mozilla CEO Brendan Eich.

Beyond the browser and the Tor network itself, which is designed to minimize the potential for network surveillance, the organization also develops a range of other projects. Around two million people are estimated to use Tor, according to data from the organization.

“The Tor Project has a bold mission: to take a stand against invasive and restrictive online practices and bring privacy and freedom to internet users around the world. But we can’t do it alone,” Sarah Stevenson, who is fundraising director at the Tor Foundation, wrote in a blog post.

“Countries like Egypt and Venezuela have tightened restrictions on free expression and accessing the open web; companies like Google and Amazon are mishandling people’s data and growing the surveillance economy; and some nations are even shutting off the internet completely to quell possible dissidence,” she added.

If you feel suitably compelled, you can donate to the Tor Project’s campaign right here.

Khashoggi’s fate shows the flip side of the surveillance state

It’s been over five years since NSA whistleblower Edward Snowden lifted the lid on government mass surveillance programs, revealing, in unprecedented detail, quite how deep the rabbit hole goes thanks to the spread of commercial software and connectivity enabling a bottomless intelligence-gathering philosophy of ‘bag it all’.

Yet technology’s onward march has hardly broken its stride.

Government spying practices are perhaps more scrutinized, as a result of awkward questions about out-of-date legal oversight regimes. Though whether the resulting legislative updates, putting an official stamp of approval on bulk and/or warrantless collection as a state spying tool, have put Snowden’s ethical concerns to bed seems doubtful — albeit, it depends on who you ask.

The UK’s post-Snowden Investigatory Powers Act continues to face legal challenges. And the government has been forced by the courts to unpick some of the powers it helped itself to vis-à-vis people’s data. But bulk collection, as an official modus operandi, has been both avowed and embraced by the state.

In the US, too, lawmakers elected to push aside controversy over a legal loophole that provides intelligence agencies with a means for the warrantless surveillance of American citizens — re-stamping Section 702 of FISA for another six years. So of course they haven’t cared a fig for non-US citizens’ privacy either.

Increasingly powerful state surveillance is seemingly here to stay, with or without adequately robust oversight. And commercial use of strong encryption remains under attack from governments.

But there’s another end to the surveillance telescope. As I wrote five years ago, those who watch us can expect to be — and indeed are being — increasingly closely watched themselves as the lens gets turned on them:

“Just as our digital interactions and online behaviour can be tracked, parsed and analysed for problematic patterns, pertinent keywords and suspicious connections, so too can the behaviour of governments. Technology is a double-edged sword – which means it’s also capable of lifting the lid on the machinery of power-holding institutions like never before.”

We’re now seeing some of the impacts of this surveillance technology cutting both ways.

With attention to detail, good connections (in all senses) and the application of digital forensics all sorts of discrete data dots can be linked — enabling official narratives to be interrogated and unpicked with technology-fuelled speed.

Witness, for example, how quickly the Kremlin’s official line on the Skripal poisonings unravelled.

After the UK released CCTV of two Russian suspects in the Novichok attack in Salisbury last month, the speedy counter-claim from Russia, presented most obviously via an ‘interview’ with the two ‘citizens’ conducted by state mouthpiece broadcaster RT, was that the men were just tourists with a special interest in the cultural heritage of the small English town.

Nothing to see here, claimed the Russian state, even though the two unlikely tourists didn’t appear to have done much actual sightseeing on their flying visit to the UK during the tail end of a British winter (unless you count vicarious viewing of Salisbury’s Wikipedia page).

But digital forensics outfit Bellingcat, partnering with investigative journalists at The Insider Russia, quickly found plenty to dig up online, and with the help of data-providing tips. (We can only speculate who those whistleblowers might be.)

Their investigation made use of a leaked database of Russian passport documents; passport scans provided by sources; publicly available online videos and selfies of the suspects; and even visual computing expertise to academically cross-match photos taken 15 years apart — to, within a few weeks, credibly unmask the ‘tourists’ as two decorated GRU agents: Anatoliy Chepiga and Dr Alexander Yevgeniyevich Mishkin.

When public opinion is faced with an official narrative already lacking credibility, set against an external investigation able to show its workings and sources (where possible) and so demonstrate how reasonably constructed and plausible the counter-narrative is, there’s little doubt where the real authority is being shown to lie.

And who the real liars are.

That the Kremlin lies is hardly news, of course. But when its lies are so painstakingly and publicly unpicked, and its veneer of untruth ripped away, there is undoubtedly reputational damage to the authority of Vladimir Putin.

The sheer depth and availability of data in the digital era supports faster-than-ever evidence-based debunking of official fictions, threatening to erode rogue regimes built on lies by pulling away the curtain that invests their leaders with power in the first place — by implying the scope and range of their capacity and competency is unknowable, and letting other players on the world stage accept such a ‘leader’ at face value.

The truth about power is often far more stupid and sordid than the fiction. So a powerful abuser, with their workings revealed, can be reduced to their baser parts — and shown for the thuggish and brutal operator they really are, as well as proved a liar.

On the stupidity front, in another recent and impressive bit of cross-referencing, Bellingcat was able to turn passport data pertaining to another four GRU agents — whose identities had been made public by Dutch and UK intelligence agencies (after they had been caught trying to hack into the network of the Organisation for the Prohibition of Chemical Weapons) — into a long list of 305 suggestively linked individuals also affiliated with the same GRU military unit, and whose personal data had been sitting in a publicly available automobile registration database… Oops.

There’s no doubt certain governments have wised up to the power of public data and are actively releasing key info into the public domain where it can be pored over by journalists and interested citizen investigators — be that CCTV imagery of suspects or actual passport scans of known agents.

A cynic might call this selective leaking. But while the choice of what to release may well be self-serving, the veracity of the data itself is far harder to dispute. Exactly because it can be cross-referenced with so many other publicly available sources and so made to speak for itself.

Right now, we’re in the midst of another fast-unfolding example of surveillance apparatus and public data standing in the way of dubious state claims — in the case of the disappearance of Washington Post journalist Jamal Khashoggi, who went into the Saudi consulate in Istanbul on October 2 for a pre-arranged appointment to collect papers for his wedding and never came out.

Saudi authorities first tried to claim Khashoggi left the consulate the same day, though did not provide any evidence to back up their claim. And CCTV clearly showed him going in.

Yesterday they finally admitted he was dead — but are now trying to claim he died quarrelling in a fistfight, attempting to spin another after-the-fact narrative to cover up and blame-shift the targeted slaying of a journalist who had written critically about the Saudi regime.

Since Khashoggi went missing, CCTV and publicly available data have also been pulled and compared to identify a group of Saudi men who flew into Istanbul just prior to his appointment at the consulate; were caught on camera outside it; and left Turkey immediately after he had vanished.

Including naming a leading Saudi forensics doctor, Dr Salah Muhammed al-Tubaigy, as being among the party that Turkish government sources also told journalists had been carrying a bone saw in their luggage.

Men in the group have also been linked to Saudi crown prince Mohammed bin Salman, via cross-referencing travel records and social media data.

“In a 2017 video published by the Saudi-owned Al Ekhbariya on YouTube, a man wearing a uniform name tag bearing the same name can be seen standing next to the crown prince. A user with the same name on the Saudi app Menom3ay is listed as a member of the royal guard,” writes the Guardian, joining the dots on another suspected henchman.

A marked element of the Khashoggi case has been the explicit descriptions of his fate leaked to journalists by Turkish government sources, who have said they have recordings of his interrogation, torture and killing inside the building — presumably via bugs either installed in the consulate itself or via intercepts placed on devices held by the individuals inside.

This surveillance material has reportedly been shared with US officials, where it must be shaping the geopolitical response — making it harder for President Trump to do what he really wants to do, and stick like glue to a regional US ally with which he has his own personal financial ties, because the arms of that state have been recorded in the literal act of cutting off the fingers and head of a critical journalist, and then sawing up and disposing of the rest of his body.

Attempts by the Saudis to construct a plausible narrative to explain what happened to Khashoggi when he stepped over its consulate threshold to pick up papers for his forthcoming wedding have failed in the face of all the contrary data.

Meanwhile, the search for a body goes on.

And attempts by the Saudis to shift blame for the heinous act away from the crown prince himself are also being discredited by the weight of data…

And while it remains to be seen what sanctions, if any, the Saudis will face from Trump’s conflicted administration, the crown prince is already being hit where it hurts by the global business community withdrawing in horror from the prospect of being tainted by bloody association.

The idea that a company as reputation-sensitive as Apple would be just fine investing billions more alongside the Saudi regime, in SoftBank’s massive Vision Fund vehicle, seems unlikely, to say the least.

Thanks to technology’s surveillance creep the world has been given a close-up view of how horrifyingly brutal the Saudi regime can be — and through the lens of an individual it can empathize with and understand.

Safe to say, supporting second acts for regimes that cut off fingers and sever heads isn’t something any CEO would want to become famous for.

The power of technology to erode privacy is clearer than ever. Down to the very teeth of the bone saw. But what’s also increasingly clear is that powerful and at times terrible capability can be turned around to debase power itself — when authorities themselves become abusers.

So the flip-side of the surveillance state can be seen in the public airing of the bloody colors of abusive regimes.

Turns out, microscopic details can make all the difference to geopolitics.

RIP Jamal Khashoggi

UK’s mass surveillance regime violated human rights law, finds ECHR


In another blow to the UK government’s record on bulk data handling for intelligence purposes the European Court of Human Rights (ECHR) has ruled that state surveillance practices violated human rights law.

Arguments against the UK intelligence agencies’ bulk collection and data sharing practices were heard by the court in November last year.

In today’s ruling the ECHR found that only some aspects of the UK’s surveillance regime violate human rights law. So it’s not all bad news for the government — which has faced a barrage of legal actions (and quite a few black marks against its spying practices in recent years) ever since its love affair with mass surveillance was revealed and denounced by NSA whistleblower Edward Snowden, back in 2013.

The judgement reinforces a sense that the government has been seeking to push as close to the legal line as possible on surveillance, and sometimes stepping over it — reinforcing earlier strikes against legislation for not setting tight enough boundaries to surveillance powers, and likely providing additional fuel for fresh challenges.

The complaints before the ECHR focused on three different surveillance regimes: 1) The bulk interception of communications (aka ‘mass surveillance’); 2) Intelligence sharing with foreign governments; and 3) The obtaining of communications data from communications service providers.

The challenge actually combines three cases, with the action brought by a coalition of civil and human rights campaigners, including the American Civil Liberties Union, Amnesty International, Big Brother Watch, Liberty, Privacy International and nine other human rights and journalism groups based in Europe, Africa, Asia and the Americas.

The Chamber judgment from the ECHR found, by a majority of five votes to two, that the UK’s bulk interception regime violates Article 8 of the European Convention on Human Rights (a right to respect for private and family life/communications) — on the grounds that “there was insufficient oversight both of the selection of Internet bearers for interception and the filtering; search and selection of intercepted communications for examination; and the safeguards governing the selection of ‘related communications data’ for examination were inadequate”.

The judges did not find bulk collection itself to be in violation of the convention but noted that such a regime must respect criteria set down in case law.

In an even more pronounced majority vote, the Chamber found by six votes to one that the UK government’s regime for obtaining data from communications service providers violated Article 8 as it was “not in accordance with the law”.

While both the bulk interception regime and the regime for obtaining communications data from communications service providers were deemed to have violated Article 10 of the Convention (the right to freedom of expression and information), as the judges found there were insufficient safeguards in respect of confidential journalistic material.

However the Chamber did not rule against the government in two other components of the case — finding that the regime for sharing intelligence with foreign governments did not violate either Article 8 or Article 10.

While the court unanimously rejected complaints made by the third set of applicants, under Article 6 (right to a fair trial), about the domestic procedure for challenging secret surveillance measures, and under Article 14 (prohibition of discrimination).

The complaints in this case were lodged prior to the UK legislating for a new surveillance regime, the 2016 Investigatory Powers Act, so in coming to a judgement the Chamber was considering the oversight regime at the time (and in the case of points 1 and 3 above that’s the Regulation of Investigatory Powers Act 2000).

RIPA has since been superseded by IPA but, as noted above, today’s ruling will likely fuel ongoing human rights challenges to the latter — which the government has already been ordered to amend by other courts on human rights grounds.

Nor is it the only UK surveillance legislation judged to fall foul on that front. A few years ago UK judges agreed with a similar legal challenge to emergency surveillance legislation that predates IPA — ruling in 2015 that DRIPA was unlawful under human rights law. A verdict the UK Court of Appeal agreed with, earlier this year.

Also in 2015, the intelligence agencies’ own oversight court, the IPT, found multiple violations following challenges to aspects of their historical surveillance operations, after those had been made public by the Snowden revelations.

Such judgements did not stop the government pushing on with the IPA, though — and it went on to cement bulk collection at the core of its surveillance modus operandi at the end of 2016.

Among the most controversial elements of the IPA is a requirement that communications service providers collect and retain logs on the web activity of the digital services accessed by all users for 12 months; state power to require a company to remove encryption, or limit the rollout of end-to-end encryption on a future service; and state powers to hack devices, networks and services, including bulk hacking on foreign soil. It also allows the security agencies to maintain large databases of personal information on U.K. citizens, including individuals suspected of no crime.

On the safeguards front the government legislated for what it claimed was a “double lock” authorization process for interception warrants — which loops in the judiciary to signing off intercept warrants for the first time in the U.K., along with senior ministers. However this does not regulate the collection or accessing of web activity data that’s blanket-retained on all users.

In April this shiny new surveillance regime was also dealt a blow in UK courts — with judges ordering the government to amend the legislation to narrow how and why retained metadata could be accessed, giving ministers a deadline of November 1 to make the necessary changes.

In that case the judges also did not rule against bulk collection in general — declining to find that the state’s current data retention regime is unlawful on the grounds that it constituted “general and indiscriminate” retention of data. (For its part the government has always argued its bulk collection activities do not constitute blanket retention.)

And today’s ECHR ruling further focuses attention on the safeguards placed around bulk collection programs — having found the UK regime lacked sufficient monitoring to be lawful (but not that bulk collection itself is unlawful by default).

Opponents of the current surveillance regime will be busily parsing the ruling to find fresh fronts to attack.

It’s not the first time the ECHR has looked at bulk interception. Most recently, in June 2018, it deemed Swedish legislation and practice in the field of signals intelligence did not violate EU human rights law. Among its reasoning was that it found the Swedish system to have provided “adequate and sufficient guarantees against arbitrariness and the risk of abuse”.

However it said the Big Brother Watch and Others vs United Kingdom case being ruled upon today is the first case in which it specifically considered the extent of the interference with a person’s private life that could result from the interception and examination of communications data (as opposed to content).

In a Q&A about today’s judgement, the court notes that it “expressly recognised” the severity of threats facing states, and also how advancements in technology have “made it easier for terrorists and criminals to evade detection on the Internet”.

“It therefore held that States should enjoy a broad discretion in choosing how best to protect national security. Consequently, a State may operate a bulk interception regime if it considers that it is necessary in the interests of national security. That being said, the Court could not ignore the fact that surveillance regimes have the potential to be abused, with serious consequences for individual privacy. In order to minimise this risk, the Court has previously identified six minimum safeguards which all interception regimes must have,” it writes.

“The safeguards are that the national law must clearly indicate: the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their communications intercepted; a limit on the duration of interception; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which intercepted data may or must be erased or destroyed.”

(Additional elements the court says it considered in an earlier surveillance case, Roman Zakharov v. Russia, also to determine whether legislation breached Article 8, included “arrangements for supervising the implementation of secret surveillance measures, any notification mechanisms and the remedies provided for by national law”.)

Commenting on today’s ruling in a statement, Megan Goulding, a lawyer for Liberty, said: “This is a major victory for the rights and freedom of people in the UK. It shows that there is — and should be — a limit to the extent that states can spy on their citizens.

“Police and intelligence agencies need covert surveillance powers to tackle the threats we face today — but the court has ruled that those threats do not justify spying on every citizen without adequate protections. Our government has built a surveillance regime more extreme than that of any other democratic nation, abandoning the very rights and freedoms terrorists want to attack. It can and must give us an effective, targeted system that protects our safety, data security and fundamental rights.”

A Liberty spokeswoman also told us it will continue its challenge to IPA in the UK High Court, adding: “We continue to believe that mass surveillance can never be compliant in a free, rights-respecting democracy.”

Also commenting in a statement, Silkie Carlo, director of Big Brother Watch, said: “This landmark judgment confirming that the UK’s mass spying breached fundamental rights vindicates Mr Snowden’s courageous whistleblowing and the tireless work of Big Brother Watch and others in our pursuit for justice.

“Under the guise of counter-terrorism, the UK has adopted the most authoritarian surveillance regime of any Western state, corroding democracy itself and the rights of the British public. This judgment is a vital step towards protecting millions of law-abiding citizens from unjustified intrusion. However, since the new Investigatory Powers Act arguably poses an ever greater threat to civil liberties, our work is far from over.”

A spokesperson for Privacy International told us it’s considering taking the case to the ECHR’s Grand Chamber.

Also commenting in a supporting statement, Antonia Byatt, director of English PEN, added: “This judgment confirms that the British government’s surveillance practices have violated not only our right to privacy, but our right to freedom of expression too. Excessive surveillance discourages whistle-blowing and discourages investigative journalism. The government must now take action to guarantee our freedom to write and to read freely online.”

We’ve reached out to the Home Office for comment from the UK government.

On intelligence sharing between governments, which the court had not previously considered, the judges found that the procedure for requesting either the interception or the conveyance of intercept material from foreign intelligence agencies to have been set out with “sufficient clarity in the domestic law and relevant code of practice”, noting: “In particular, material from foreign agencies could only be searched if all the requirements for searching material obtained by the UK security services were fulfilled.”

It also found “no evidence of any significant shortcomings in the application and operation of the regime, or indeed evidence of any abuse” — hence finding the intelligence sharing regime did not violate Article 8.

On the portion of the challenge concerning complaints that UK intelligence agencies’ oversight court, the IPT, lacked independence and impartiality, the court disagreed — finding that the tribunal had “extensive power to consider complaints concerning wrongful interference with communications, and those extensive powers had been employed in the applicants’ case to ensure the fairness of the proceedings”.

“Most notably, the IPT had access to open and closed material and it had appointed Counsel to the Tribunal to make submissions on behalf of the applicants in the closed proceedings,” it also writes.

In addition, it said it accepted the government’s argument that in order to ensure the efficacy of the secret surveillance regime restrictions on the applicants’ procedural rights had been “both necessary and proportionate and had not impaired the essence of their Article 6 rights”.

On the complaints under Article 14, in conjunction with Articles 8 and 10 — that those outside the UK were disproportionately likely to have their communications intercepted as the law only provided additional safeguards to people known to be in Britain — the court also disagreed, rejecting this complaint as manifestly ill-founded.

“The applicants had not substantiated their argument that people outside the UK were more likely to have their communications intercepted. In addition, any possible difference in treatment was not due to nationality but to geographic location, and was justified,” it writes. 

Update: Snowden has broken several weeks of Twitter silence to tweet a response to the ECHR judgement…

‘Five Eyes’ governments call on tech giants to build encryption backdoors — or else


A pact of five nation states dedicated to a global “collect it all” surveillance mission has issued a memo calling on their governments to demand tech companies build backdoor access to their users’ encrypted data — or face measures to force companies to comply.

The international pact — the US, UK, Canada, Australia and New Zealand, known as the “Five Eyes” group of nations — quietly issued the memo last week demanding that providers “create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements.”

This kind of backdoor access would allow each government access to encrypted call and message data on their citizens. If the companies don’t voluntarily allow access, the nations threatened to push through new legislation that would compel their help.

“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions,” read the memo, issued by the Australian government on behalf of the pact.

It’s the latest move in an ongoing aggression by the group of governments, which met in Australia last week.

The Five Eyes pact was born to collect and share intelligence across the five countries, using each nation’s diplomatic power and strategic locations as chokepoints to gather the rest of the world’s communications.

Since the Edward Snowden disclosures in 2013, tech companies have doubled down on their efforts to shut out governments’ lawful access to data with encryption. By using end-to-end encryption — where data is encrypted on the sender’s device and can only be decrypted on the recipient’s — even the tech companies can’t read their users’ messages.

Without access, law enforcement has extensively lobbied against companies using end-to-end encryption, claiming it hinders criminal investigations.

Security researchers and other critics of encryption backdoors have long said there’s no mathematical or workable way to create a “secure backdoor” that is only usable by governments and not also open to attack by hackers, and have widely derided any backdoor effort.

In 2016, rhetoric turned to action when the FBI launched a lawsuit to force Apple to build a tool to bypass the encryption on an iPhone used by the San Bernardino shooter, who killed 14 people in a terrorist attack months earlier.

The FBI dropped the case after it found hackers who were able to break into the phone.

But last month, the US government renewed its effort to set legal precedent by targeting Facebook Messenger’s end-to-end encryption. The case, filed under seal, aims to break the encryption on the messaging app to wiretap the conversations of suspected criminals.

It’s not the first time the Five Eyes nations have called for encryption backdoors. An Australian government memo last year called for action against unbreakable encryption.

Although the UK’s more recent intelligence laws have been interpreted as allowing the government to compel companies to break their own encryption, wider legal efforts across the other member states have failed to pass.