Permission granted for judicial review of DRIPA
11th December 2014
See article from openrightsgroup.org

A judicial review of the Data Retention and Investigatory Powers Act (DRIPA) has been granted permission by Mr Justice Lewis in the High Court today. Open Rights Group (ORG) and Privacy International (PI) intervened in the case, which was brought by Tom Watson MP and David Davis MP, represented by Liberty. ORG and PI have now been given permission to make further submissions in advance of the next hearing.

Legal Director Elizabeth Knight said:

After the Court of Justice of the EU declared the Data Retention Directive invalid, the UK government had the opportunity to design new legislation that would protect human rights. It chose instead to circumvent the decision of the CJEU by introducing the Data Retention and Investigatory Powers Act (DRIPA), which is almost identical to the Data Retention Directive.

Through our submission, we hope to help demonstrate that DRIPA breaches our fundamental human right to privacy and does not comply with human rights and EU law.

ORG's submission addresses the EU data protection regime in place before the Data Retention Directive (in particular the Data Protection Directive, the E-privacy Directive and the E-Commerce Directive) and why we consider DRIPA does not comply with the requirements of the regime in light of the clear guidance from the CJEU.

Mass internet snooping in the UK cleared by the Investigatory Powers Tribunal
10th December 2014
See article from openrightsgroup.org

The Investigatory Powers Tribunal (IPT) gave its judgment in a major surveillance case brought by Privacy International, Liberty and Amnesty International. Disappointingly, the IPT ruled against the NGOs and accepted the security services' position that they may in principle carry out mass surveillance of all fibre optic cables entering or leaving the UK and that vast intelligence sharing with the NSA does not contravene the right to privacy because of the existence of secret policies.

The decision should enable the European Court of Human Rights (ECtHR) to proceed with hearing the Privacy not PRISM case brought by ORG and others. It also means that Privacy International, Liberty and Amnesty International may join us in the ECtHR. The NGOs challenged the government's surveillance practices on the grounds that they breached our rights to privacy and freedom of expression. Read Privacy International's summary of the judgment here.

It is a disappointing decision, but not a surprising one. ORG and the other human rights groups have long argued that the IPT is unable to provide an adequate remedy. It is able to hold secret hearings (as part of the hearing in this case was) without telling the claimant what happened at those hearings. There is no right of appeal from a decision of the IPT. In this case the government refused to divert from its neither confirm nor deny policy regarding the existence of its surveillance programmes, which meant the case had to consider hypotheticals.

ORG, Big Brother Watch, English PEN, Article 19 and Constanze Kurz have a case in the ECtHR that challenges the government's surveillance practices on very similar grounds. Our Privacy not PRISM case questions the human rights compliance of GCHQ's TEMPORA programme, carried out under s.8(4) Regulation of Investigatory Powers Act (RIPA) and the use of information obtained from the NSA's PRISM programme. The case has been given a priority status by the ECtHR but is currently on hold pending today's decision by the IPT.

The IPT case has forced the government to disclose previously secret policies, reveal its overly broad definition of external communications and admit that it can obtain communications from the NSA without a warrant. These disclosures will assist all of the rights groups' arguments in the ECtHR.

The decision means that the adjournment of our case is likely to be lifted soon. How soon this happens will depend on whether the claimants in the IPT decide to apply to the ECtHR and whether the court allows them to join our case. Privacy International has already indicated that it intends to complain to the ECtHR. We await the decision of the ECtHR as to when it will re-start our case and begin its scrutiny of the government's surveillance practices. All parties will now look to the ECtHR to defend our human rights where the IPT has failed to do so.

7th December 2014
GCHQ sponsors research to analyse office emails seeking to identify rogue employees
See article from dailymail.co.uk

Surveillance law allows police to act in an unacceptable way, says the Home Affairs Select Committee
6th December 2014
See article from theguardian.com

Britain's surveillance laws, which have recently been used by the police to seize journalists' phone records in the Plebgate and Huhne cases, are not fit for purpose and need urgent reform, a Commons inquiry has found. The Commons home affairs select committee says that the level of secrecy surrounding use of the Regulation of Investigatory Powers Act (Ripa) allows the police to engage in acts which would be unacceptable in a democracy.

The committee chairman, Keith Vaz, said the surveillance law was not fit for purpose:

Using Ripa to access telephone records of journalists is wrong and this practice must cease. The inevitable consequence is that this deters whistleblowers from coming forward.

The MPs' inquiry followed claims by Sun and Daily Mail journalists that the Metropolitan and Kent police forces were secretly using the powers to trawl through thousands of phone numbers to detect their confidential sources in high-profile stories. In response Home Office ministers have claimed they will revise the Ripa rules on communications data requests involving sensitive professions such as journalists and lawyers.

Emma Carr, director of Big Brother Watch, said:

When a senior Parliamentary Committee says that the current legislation is not fit for purpose, then this simply cannot be ignored. It is now abundantly clear that the law is out of date, the oversight is weak and the recording of how the powers are used is patchy at best. The public is right to expect better.

The conclusion of the Committee that the level of secrecy surrounding the use of these powers is permitting investigations that are deemed unacceptable in a democracy, should make the defenders of these powers sit up and take notice. At present, the inadequacy and inconsistency of the records being kept by public authorities regarding the use of these powers is woefully inadequate. New laws would not be required to correct this.

Whilst this report concentrates on targeting journalists, it is important to remember that thousands of members of the public have also been snooped on, with little opportunity for redress.

If the police fail to use the existing powers correctly then it is completely irresponsible for the Home Office to be planning on increasing those powers. Failure by the Government to address these serious points means we can already know that there will be many more innocent members of the public who will be wrongly spied on and accused. This is intolerable.

28th November 2014
And if ever there were major corporations who deserve a fall because of their puffed up vanity and self-serving ambition, it is internet giants like Facebook and their ilk. By Jack Straw
See article from dailymail.co.uk

NSA fingered as likely source of complex malware family
25th November 2014
See article from theregister.co.uk

Government introduces new law to extend detailed logs of internet usage to mobile phones and tablets
23rd November 2014
See article from theguardian.com
See article from theregister.co.uk
See Counter-Terrorism and Security Bill from publications.parliament.uk
See bill progress from services.parliament.uk

Police are to get powers to force internet firms to hand over details linked to IP addresses in order to help them snoop on people's internet use. The anti-terrorism and security bill will oblige internet service providers (ISPs) to retain information linking IP (Internet Protocol) addresses to individual subscribers.

The home secretary, Theresa May, said the measure would boost national security, but again complained that Liberal Democrats were blocking further steps.

Loss of the capabilities on which we have always relied is the great danger we face, May said. The bill provides the opportunity to resolve the very real problems that exist around IP resolution and is a step in the right direction towards bridging the overall communications data capability gap.

However, the Lib Dems insisted that the communications data bill -- branded the snooper's charter -- was dead and buried. The party also stressed that the deputy prime minister, Nick Clegg, had been calling for the IP measures since spring 2013.

The technical details are either sparse or misleading, maybe deliberately. Home and mobile broadband users have obviously had their IP address recorded and logged for some time along with logs of messages and websites visited. I believe that the bill is targeted at internet access on mobile phones where an IP address is shared by many users simultaneously without retaining detailed user records per IP message.

The Register obtained a slightly better explanation from the Home Office:

Every internet user is assigned an IP address to ensure communication service providers know which data should go to which customer and routes it accordingly. Addresses are sometimes assigned to a specific device, such as a broadband router located in a home or company. But they are usually shared between multiple users and allocated randomly by the provider's automated systems. Many providers currently have no business reason for keeping a log of who has used each address. It is therefore not always possible for law enforcement agencies accessing the data to identify who was using an IP address at any particular time.

Such communications data is a vital tool in the investigation of terrorist and criminal activity, and significantly contributes to the conviction of child sex offenders. The inability to link IP addresses to individuals poses serious challenges for law enforcement agencies.

The proposed measures would reduce the risk of terrorism by improving the ability of the police and other agencies to identify terror suspects who may be communicating with each other via the internet. It would also help to identify and prosecute organised criminals; cyber bullies and computer hackers; and protect vulnerable people. For example, it can be used to identify a child who has threatened over social media to commit suicide.

This legislation will not however address all the capability gaps that the Draft Communications Data Bill aimed to fill. These gaps will continue to have a serious impact on law enforcement and intelligence agencies. For example, the provisions will not enable the retention of weblogs -- a record of information relating to a communication between a user and the internet, including a record of websites that have been visited.

Update: Retaining MAC addresses
27th November 2014. See article from publicaffairs.linx.net

The Counter-Terrorism and Security Bill amends the definition of relevant communications data that Internet providers are required to retain. The apparent intention is to ensure that Internet providers retain IP port numbers or machine MAC addresses when these are necessary to distinguish users, such as when the network is employing Carrier-Grade Network Address Translation (CGN).

23rd November 2014
Amnesty International has released a program that can spot spying software used by governments to monitor activists and political opponents
See article from bbc.co.uk

Top musicians, actors and Nobel laureates show support for Edward Snowden, publishers and whistleblowers
16th November 2014
See press release from couragefound.org

An international coalition of more than fifty actors, musicians and intellectuals have announced their support for Edward Snowden, WikiLeaks, whistleblowers and publishers. Some are also encouraging donations to the Courage Foundation -- which runs the official legal defense fund for Edward Snowden and other whistleblowers, as well as fights for whistleblower protections worldwide -- with tweets and social media posts.

The courage that Edward Snowden and other whistleblowers and truthtellers have shown and continue to show is truly extraordinary and necessary in helping the public have access to their historical record through media, said Sarah Harrison, WikiLeaks Investigations Editor and Director of the Courage Foundation. WikiLeaks and Harrison ensured Edward Snowden's safe exit from Hong Kong and secured his asylum. We cannot thank these cultural icons enough for showing their support.

The announcement coincides with the expanded theatrical release of Laura Poitras' critically acclaimed documentary CitizenFour -- providing a first-hand account of Edward Snowden's disclosure of the NSA's mass surveillance program.

Signed by Susan Sarandon, Russell Brand, Peter Sarsgaard, M.I.A., Thurston Moore, David Berman, Vivienne Westwood, Alfonso Cuarón and several other artists and intellectuals, the statement praises the work of whistleblowers such as Snowden, highlighting the need to support these individuals as they face social and legal persecution for their revelations to the public. The statement reads:

We stand in support of those fearless whistleblowers and publishers who risk their lives and careers to stand up for truth and justice. Thanks to the courage of sources like Daniel Ellsberg, Chelsea Manning, Jeremy Hammond, and Edward Snowden, the public can finally see for themselves the war crimes, corruption, mass surveillance, and abuses of power of the U.S. government and other governments around the world. WikiLeaks is essential for its fearless dedication in defending these sources and publishing their truths. These bold and courageous acts spark accountability, can transform governments, and ultimately make the world a better place.

In addition to urging the public to stand in solidarity with Snowden and other whistleblowers, many of the artists are calling on fans to watch CitizenFour, and are raising awareness of the Courage Foundation's whistleblower defense efforts, which fundraises for the legal and public defense of whistleblowers and campaigns for the protection of truthtellers and the public's right to know generally.

The statement was signed by: Udi Aloni, Pamela Anderson, Anthony Arnove, Etienne Balibar, Alexander Bard, John Perry Barlow, Radovan Baros, David Berman, Russell Brand, Victoria Brittain, Susan Buck-Morss, Eduardo L. Cadava, Calle 13, Alex Callinicos, Robbie Charter, Noam Chomsky, Scott Cleverdon, Ben Cohen, Sadie Coles, Alfonso Cuarón, John Deathridge, Costas Douzinas, Roddy Doyle, Bella Freud, Leopold Froehlich, Terry Gilliam, Charlie Glass, Boris Groys, Michael Hardt, P J Harvey, Wang Hui, Fredric Jameson, Brewster Kahle, Hanif Kureishi, Engin Kurtay, Alex Taek-Gwang Lee, Nadir Lahiji, Kathy Lette, Ken Loach, Maria Dolores Galán López, Sarah Lucas, Mairead Maguire, Tobias Menzies, M.I.A., W. J. T. Mitchell, Moby, Thurston Moore, Tom Morello, Viggo Mortensen, Jean-Luc Nancy, Bob Nastanovich, Antonio Negri, Brett Netson, Rebecca O’Brien, Joshua Oppenheimer, John Pilger, Alexander Roesler, Avital Ronell, Pier Aldo Rovatti, Susan Sarandon, Peter Sarsgaard, Assumpta Serna, Vaughan Smith, Ahdaf Soueif, Oliver Stone, Cenk Uygur, Yanis Varoufakis, Peter Weibel, Vivienne Westwood, Tracy Worcester and Slavoj Zizek

EFF reports that US and Thai ISPs have been spotted disabling their customers from selecting STARTTLS encryption for email
15th November 2014
See article from eff.org

Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag, called STARTTLS, from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.

This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does.

The SMTP protocol, the underpinning of email, was not originally designed with security in mind. But people quickly started using it for everything from shopping lists and love letters to medical advice and investigative reporting, and soon realized their mail needed to be protected from prying eyes. In 1991, Phil Zimmermann implemented PGP, an end-to-end email encryption protocol that is still in use today. Adoption of PGP has been slow because of its highly technical interface and difficult key management. S/MIME, with similar properties as PGP, was developed in 1995. And in 2002, STARTTLS for email was defined by RFC 3207.

While PGP and S/MIME are end-to-end encryption, STARTTLS is server-to-server. That means that the body of an email protected with, e.g. PGP, can only be read by its intended recipient, while email protected with STARTTLS can be read by the owners of the sending server and the recipient server, plus anyone else who hacks or subpoenas access to those servers. However, STARTTLS has three big advantages: First, it protects important metadata (subject lines and To:/From:/CC: fields) that PGP and S/MIME do not. Second, mail server operators can implement STARTTLS without requiring users to change their behavior at all. And third, a well-configured email server with STARTTLS can provide Forward Secrecy for emails. The two technologies are entirely compatible and reinforce each other. The most secure and private approach is to use PGP or S/MIME with a mail service that uses STARTTLS for server-to-server communication.

There are several weak points in the STARTTLS protocol, however. The first weakness is that the flag indicating that a server supports STARTTLS is not itself encrypted, and is therefore subject to tampering, which can prevent that server from establishing an encrypted connection. That type of tampering is exactly what we see today. EFF is working on a set of improvements to STARTTLS, called STARTTLS Everywhere, that will make server-to-server encryption more robust by requiring encryption for servers that are already known to support it.

It is important that ISPs immediately stop this unauthorized removal of their customers' security measures. ISPs act as trusted gateways to the global Internet and it is a violation of that trust to intercept or modify client traffic, regardless of what protocol their customers are using. It is a double violation when such modification disables security measures their customers use to protect themselves.
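
The downgrade described above, and the idea of requiring encryption for servers already known to support it, as an added example (not EFF's STARTTLS Everywhere code and not part of the original article). It parses the unencrypted EHLO reply and refuses to fall back to plaintext when STARTTLS is missing for a pinned host; the host names, EHLO replies, pin list and filler-keyword heuristic are all constructed assumptions.

```python
import re

# Hypothetical pin list: hosts previously observed offering STARTTLS.
KNOWN_TLS_HOSTS = {"mail.example.net"}

# Constructed EHLO replies (sample data, not captured traffic).
EHLO_INTACT = ("250-mail.example.net Hello\r\n250-SIZE 35882577\r\n"
               "250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_STRIPPED = ("250-mail.example.net Hello\r\n250-SIZE 35882577\r\n"
                 "250 8BITMIME\r\n")
# Keyword overwritten with filler, one way an in-path device can hide it.
EHLO_MASKED = ("250-mail.example.net Hello\r\n250-SIZE 35882577\r\n"
               "250-XXXXXXXA\r\n250 8BITMIME\r\n")

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
_FILLER = re.compile(r"X{4,}[A-Z]?")  # heuristic chosen for this example


def parse_ehlo(reply):
    """Return the set of extension keywords from a multi-line 250 reply."""
    lines = [line for line in reply.splitlines() if line]
    keywords = set()
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"unexpected SMTP reply line: {line!r}")
        # "250-" marks a continuation line, "250 " marks the final line.
        if (match.group(2) == " ") != (index == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if index == 0:
            continue  # first line carries the server's domain and greeting
        fields = match.group(3).split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def decide(host, reply, known_tls_hosts=KNOWN_TLS_HOSTS):
    """Return (action, reason) for delivering mail to host."""
    keywords = parse_ehlo(reply)
    if "STARTTLS" in keywords:
        return ("starttls", "server offers STARTTLS")
    if any(_FILLER.fullmatch(keyword) for keyword in keywords):
        return ("refuse", "an extension keyword looks overwritten in transit")
    if host.lower() in known_tls_hosts:
        return ("refuse", "pinned host no longer offers STARTTLS")
    # Opportunistic default: an unknown peer without STARTTLS gets plaintext.
    return ("plaintext", "no STARTTLS offered and host is not pinned")


if __name__ == "__main__":
    for name, reply in [("intact", EHLO_INTACT), ("stripped", EHLO_STRIPPED),
                        ("masked", EHLO_MASKED)]:
        print(name, decide("mail.example.net", reply))
```

The last branch is the behaviour the article criticises: without a pin, a stripped reply is indistinguishable from a server that never supported STARTTLS.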

How the police and GCHQ work round legal requirements so as to enable secretive mass snooping
29th October 2014
See article from theguardian.com

British intelligence services can access raw material collected in bulk by the NSA and other foreign spy agencies without a warrant, the government has confirmed for the first time.

GCHQ's secret arrangements for accessing bulk material are revealed in documents submitted to the Investigatory Powers Tribunal, the UK surveillance watchdog, in response to a joint legal challenge by Privacy International, Liberty and Amnesty International. The legal action was launched in the wake of the Edward Snowden revelations published by the Guardian and other news organisations last year.

The government's submission discloses that the UK can obtain unselected -- meaning unanalysed, or raw intelligence -- information from overseas partners without a warrant if it was not technically feasible to obtain the communications under a warrant and if it is necessary and proportionate for the intelligence agencies to obtain that information.

The rules essentially permit bulk collection of material, which can include communications of UK citizens, provided the request does not amount to deliberate circumvention of the Regulation of Investigatory Powers Act (Ripa), which governs much of the UK's surveillance activities.

And the Police...
From bigbrotherwatch.org.uk
See Spying on phone calls and emails has doubled under the coalition from telegraph.co.uk

Big Brother Watch has published a report highlighting the true scale of police forces' use of surveillance powers. The report comes at a time when the powers have faced serious criticism, following revelations that police have used them to access journalists' phone records.

The research focuses on the use of 'directed surveillance' contained in the controversial Regulation of Investigatory Powers Act (RIPA) by police forces; a form of covert surveillance conducted in places other than residential premises or private vehicles which is deemed to be non-intrusive, but is still likely to result in personal information about the individual being obtained.

Although the report details how directed surveillance powers were authorised more than 27,000 times over a three year period, police forces are not compelled to record any other statistics; therefore we cannot know the exact number of individuals that these authorisations relate to.