Liberty News

The European Commission has outlined new requirements for telecoms companies, clouds, email service providers, and operators of messaging apps, to produce snooping data on a specified individual within six hours of a rquest.

The proposed European Production Order will allow a judicial authority in one Member State to request electronic evidence (such as emails, text or messages in apps) directly from internet companies with an office in any Member State. The data may be nominally held overseas but will still have to be produced.

That super-short deadline will only be imposed in the case of an emergency. Less urgent investigations have been offered a ten-day deadline.

A European Preservation Order will also be issued to stop service providers deleting data.

The Production Orders will be applicable only to crimes punishable with a maximum sentence of at least three years, but governments have been artificially increasing maximum sentences for quite a while now to ensure that relatively minor crimes can be classed as 'serious'.

The EU Commission has cited terrorism as the justifications for the new requirements, but a 3 year maximum sentence rather suggests that the these orders will be used for more widely than just for terrorism prevention.

The use of 'mobile phone extraction' tools enables police forces to download all of the content and data from people's phones. This can apply to suspects, witnesses and even victims -- without their knowledge.

With no clear policies or guidance on the use of this technology, individuals are unaware of their legal rights in terms of:

• whether data is only taken when necessary and proportionate;

• getting the police to delete this data when there is no legal reason to retain it, particularly if they are innocent of any crime;

• ensuring data is held securely to prevent exposure of their personal data as a result of loss of records, misuse or security breach.

As the use of this technology is unregulated, we don't know how this data is used, how it is stored and secured, and if it's ever even deleted.

Privacy International is calling for:

• the use of this intrusive technology is properly regulated, with independent oversight so that abuse and misuse does not go undetected;

• a proper warrantry regime to be implemented, so that the technology cannot be used arbitrarily;

• people to be informed of their rights if the police want to search their phone.

Dutch voters have rejected a law that would give spy agencies the power to carry out mass tapping of Internet traffic.

Dubbed the 'trawling law' by opponents, the legislation would allow spy agencies to install wire taps targeting an entire geographic region or avenue of communication, store information for up to three years, and share it with allied spy agencies.

The snooping law has already been approved by both houses of parliament. Though the referendum was non-binding prime minister Mark Rutte has vowed to take the result seriously.

On Thursday, the US House approved the omnibus government spending bill, with the unscrutinised CLOUD Act attached, in a 256-167 vote. The Senate followed up late that night with a 65-32 vote in favor. All the bill requires now is the president's signature.

U.S. and foreign police will have new mechanisms to seize data across the globe. Because of this failure, your private emails, your online chats, your Facebook, Google, Flickr photos, your Snapchat videos, your private lives online, your moments shared digitally between only those you trust, will be open to foreign law enforcement without a warrant and with few restrictions on using and sharing your information. Because of this failure, U.S. laws will be bypassed on U.S. soil.

As we wrote before, the CLOUD Act is a far-reaching, privacy-upending piece of legislation that will:

Enable foreign police to collect and wiretap people's communications from U.S. companies, without obtaining a U.S. warrant.Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.Allow the U.S. president to enter executive agreements that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.Allow foreign police to collect someone's data without notifying them about it.Empower U.S. police to grab any data, regardless if it's a U.S. person's or not, no matter where it is stored.

And, as we wrote before, this is how the CLOUD Act could work in practice:

London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would not necessarily need prior judicial review for this request. The London police would not be required to notify U.S. law enforcement about this request. The London police would not need a probable cause warrant for this collection.

Predictably, in this request, the London police might also collect Slack messages written by U.S. persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S. person knowing about it. Those messages, if shared with U.S. law enforcement, could be used to criminally charge the U.S. person in a U.S. court, even though a warrant was never issued.

This bill has large privacy implications both in the U.S. and abroad. It was never given the attention it deserved in Congress.