
United Nations Security Council Resolution 578

From Wikipedia, the free encyclopedia

UN Security Council Resolution 578
UNFICYP buffer zone
Date: 12 December 1985
Meeting no.: 2,635
Code: S/RES/578 (Document)
Subject: Cyprus
Voting summary:
  • 15 voted for
  • None voted against
  • None abstained
Result: Adopted

United Nations Security Council resolution 578, adopted unanimously on 12 December 1985, noted a report of the secretary-general that due to the existing circumstances, the presence of the United Nations Peacekeeping Force in Cyprus (UNFICYP) would continue to be essential for a peaceful settlement. The council expressed its desire for all parties to support the ten-point agreement for the resumption of intercommunal talks and asked the secretary-general to report back again before 31 May 1986 to follow the implementation of the resolution.

The council reaffirmed its previous resolutions including Resolution 365 (1974) and expressed its concern over the situation. The Council urged the involved parties to work together toward peace and once more extended the stationing of the Force in Cyprus, established in Resolution 186 (1964), until 15 June 1986.

YouTube Encyclopedic

  • The Cloud Conspiracy 2008-2014 [31c3]
  • Caesar - de Bello Gallico. Liber V

Transcription

CCC has grown a bit, hasn't it? I am very pleased to be here, and the first thing I want to do is to apologize for my slides. I know there is far too much information on my slides. It breaks every rule of PowerPoint. So don't look at the slides, maybe, but more listen to what I'm saying, because otherwise it won't make any sense to either of us. To get through some preliminaries: for nine years I was chief privacy adviser at Microsoft, and I have to explain a bit about what that job was. I didn't have any responsibility for legal compliance, thankfully. I didn't do anything really in the US privacy. My job was to advise 40 national technology officers around the world. And a Microsoft national technology officer is a guy with a very big brain, often one or two PhDs, able to function essentially as Microsoft's ambassador to governments around the world at a very senior level, normally citizens of their own country. In a sense you could boil down their job to: if Steve Ballmer then wanted to get a prime minister on the phone in half an hour, it was the NTO's job to get that done. So I didn't know about PRISM when I was at Microsoft, and what I'm about to tell you I deduced from open sources and by deciding to read the American laws, and nobody asked me to do this. What happened to me after that was I explained to a big Microsoft internal strategy conference about cloud computing, with all of the cloud management there, all of my national technology officers there, the deputy general counsel of Microsoft, what I discovered, and I said to my technology officers, "Look, you ought to know this: if you sell Microsoft cloud computing to your own governments, then this law means that the NSA can conduct unlimited massive surveillance on that data." So the deputy general counsel at Microsoft turned green. I've never seen anyone turn green before, but she did.
There was dead silence in the room. In the coffee break I was threatened with being fired, and then two months later they did fire me without cause. So since then I really, from 2011, went around trying to tell as many people as I could about what I discovered. And I've given variants of this speech now about 20 times, I suppose, but I hope this brings things right up to date as of about two weeks ago, and also I'm gonna tell you some things which I haven't told before. So the first thing to say is this talk is not about cloud as storage. This is about parallel processing power as a commodity, and in fact this photo is just two photos crammed together: on the left is a modern data center and on the right there is a door, a doorway. You probably can't see the number, but the number is 641A. Now, how many people know what 641A refers to? Good, okay. So 641A came from the story of the first warrantless wiretapping episode from about 2005 to 2007, and I don't have time to tell that story, but in fact that doorway contained a deep packet inspection box installed roundabout 2002 in one of the main AT&T switching centers in San Francisco. So in a sense you could boil down my talk to: how likely is it, legally or technically, that there's one of those on the right in one of those on the left? So what this talk is going to be mainly about is the law underlying what we now call PRISM, and it is the 2008 Foreign Intelligence Surveillance Act Amendment Act, which when it was passed had a different numbering, which needn't bother us, called 1881a; now everyone calls it section 702, and what it's about is obtaining foreign intelligence information. It intentionally targets only non-Americans outside the US. When I say only, that is of course ninety-five percent of the world's population. It's a blanket authorization for one year.
There's a requirement to minimize access on US persons after collection, and to a certain extent before collection, and the provider of these services has to provide the government with all facilities and information to accomplish this acquisition in secret. So the first point I want to emphasize, which will make sense when the next slide comes, is this means if you're not an American you cannot really trust cryptographic services, or in general software services, provided by US companies, because even if that software or that cryptography is sound to begin with, you're going to receive software updates, and if you're not an American, outside the US, a software update could be pushed to you, targeted at you, which is going to subvert your security. If you don't comply with one of these orders it's a contempt for the Foreign Intelligence Surveillance Court. If someone in an American company, as Marissa Mayer said last year, if somebody in an American company were to tell, say, a foreign data protection authority, that's potentially an offence under the Espionage Act. Twenty years in jail or worse. So the providers of the services have complete immunity from civil lawsuits, and all this must be done in a manner consistent with the US Fourth Amendment, and the analysis I'm giving you now is the analysis that I was giving people a year or 18 months before Snowden, verbatim. These slides haven't been changed. So what is foreign intelligence information? So we have to now go back to the very first FISA act, the very first Foreign Intelligence Surveillance Act in 1978. And the definitions I am showing you, the significant part of what I'm showing you, has not changed since 1978. It's been that long, and the extraordinary thing is that in the legal literature, the policy literature, there is absolutely nothing written about the part at the bottom in bold. Nothing at all from the perspective of a non-American.
See, the print is probably too small, but in the definition of foreign intelligence information you can see the sort of things that you'd expect, like money laundering, sabotage, international terrorism, and then there's the section in bold, and to actually get the text at the bottom you have to unwind two levels of legal definition and substitute them in. When you boil it down, foreign intelligence information can mean simply information with respect to a foreign-based political organization or foreign territory that relates to the conduct of the foreign affairs of the United States. Nothing necessarily to do with national security, nothing to do with terrorism, nothing to do with crime. Simply if it relates to the foreign policy of the US, which is an incredibly broad definition. You won't find a definition as broad as that in any other law, I believe. So what is also peculiar about this definition is it's conditional on nationality. Again it's slightly too small to see, but if you are a United States person, that is to say an American citizen or permanent resident, where it says "relates" would read "necessary". "Necessary" is a very high and strict legal threshold. But if you are a foreigner outside the US, it's "relates": a very, very low legal threshold, trivial to pass. So this is the only law as far as I know where the very term of the surveillance information to be obtained is itself conditioned by the nationality of the person. Quite unique. So what this law did in 2008 is it combined three elements for the first time, which had actually been there in previous laws. The first [INAUDIBLE] that it only targets non-US persons located outside the US had actually been there in a stopgap precursor law called the Protect America Act of 2007, but that expired after one year and then they had to do something permanent, which was this. But this idea of only targeting non-US persons located outside the US began with this early law in 2007.
And this earlier law of 2007 was essentially designed to clean up the first warrantless wiretapping episode, which had been raging in the US press for a couple of years before that. The second thing that it did is much more significant. In the Electronic Communications Privacy Act of 1986 it defined the term called remote computing services, and when you look at that definition you'll see that remote computing services, even though it was defined in 1986, is a very good definition of all forms of public cloud computing that we would call today. So this new term of remote computing services was snuck in to the FISA Amendment Act. Nobody apparently noticed it had been put in, and the effect of this was that all the previous such laws had dealt with telecommunication providers and Internet service providers, providers of communication services. By expanding the scope of FISA 702 to include remote computing services it effectively then embraced all of these obligations on providers of cloud computing, and as extraordinary as it may be, there was no commentary on this at the time. There's nothing in the Congressional Research Service, there were no law papers commenting on it, none of the civil society activism at the time noticed this. No reference whatsoever to this addition. The third development, as we discussed, is coming from FISA 7 1978: it doesn't have to be about criminality or, as we would understand it in Europe, national security, the vital interest to the state. It can purely mean political surveillance in the political and economic interests of the US, and surveillance over ordinary lawful democratic activities of people in their own countries exercising their democratic rights and freedoms. So this was designed for mass surveillance of any cloud data relating to US foreign policy, and it contains this extraordinary double discrimination by nationality.
Firstly in the fact that in the title of the statute FISA 702 only targets non-Americans outside the US, but also in that conditionality in the very definition of foreign intelligence information. Again, that structure is quite unique in the world. So you remember that all of that had to be done with regard to the Fourth Amendment, and although it may seem strange today, back in 2012 nobody actually knew whether the Fourth Amendment applied to non-Americans outside the US. I would go to data protection conferences year after year where a representative from the US State Department would make these great [INAUDIBLE] and hymns of praise to the wonders of the Fourth Amendment, and since it was directed to an international audience I think it was reasonable to suppose that the implication was that somehow the Fourth Amendment was protecting everybody in that room. Well, there was a bit of a detective story to find out that it didn't. It starts with a 1992 Supreme Court case called [INAUDIBLE] that isn't quite a perfect fit for the cloud situation, but it's sort of the best that we got, and then in 2008 there was a Foreign Intelligence Surveillance Court review judgment about the Protect America Act, and this is the case that we now actually know is about Yahoo. It's called [INAUDIBLE] redacted, and of course a lot of information has now been declassified and come out. But it was actually Yahoo challenging the terms of this Protect America Act, and the judgment came down actually just after the FISA 702 acts had been passed. So in the unredacted parts, and this is very surprising because almost all references to this sort of thing are redacted, especially in the newly declassified [INAUDIBLE] stuff, it said that there's no Fourth Amendment protection for foreign powers reasonably believed to be located outside the US, and further, probable cause as a term meaning a fifty percent likelihood that you're guilty.
A fifty percent likelihood that there is sufficient evidence to show that you are the person the police are looking for in some criminal affair. When I noticed this in 2010, and it appeared on the US court service website for about six months and then disappeared, but fortunately had been cached by the Federation of American Scientists, there was, there in black and white, again in the unredacted parts, this extraordinary idea that if you are a foreigner and outside the US, probable cause doesn't become probable cause of any criminality, it just becomes probable cause that you are a foreigner. And that's the sufficient trigger to begin surveillance. So what I'm going to show you next is a little short video clip. It's a clip primarily with Jameel Jaffer of the American Civil Liberties Union, a very fine privacy advocate at the forefront of challenging some parts of this from the point of view of Americans over the past few years, and he's talking in front of the House Judiciary subcommittee hearing in the middle of 2012, because then FISA 702 was expiring, it needed to be renewed, and this is how the dialog went. Chris rock-hard squawk lives foreign targets and foreign lands I don't think that's the question presented by [INAUDIBLE] that's my question! So call up which is right question I (laughter) Does it apply? I don't think it does. What you say you don't think it does. Well, in the circumstances of this statute I don't think it does. [INAUDIBLE] Does the Fourth Amendment— -I was talking about a statute. Does the Fourth Amendment apply to foreign nationals in a foreign land? It does not. Does the Second Amendment apply? -I don't know the law, -The First? -but I think no. -Eight? -I think we depend on circumstances. -Women's suffrage, does that apply? -No -That's my point, they don't. So we are not talking about surveillance of foreign nationals of foreign lands, right? -[INAUDIBLE] constitutional -[INAUDIBLE] communications -That's my second point.
So the significance of that is that Jameel Jaffer, you know, doing the best job he could as an advocate, was really driven back against the wall to admit that there is no constitutional protection for foreigners in foreign lands, as the charming Texas congressman put it, and also that the US Congress was laughing. They were laughing at the idea that you have privacy rights. That is the plan it's a political debate in the US, as anyone who's followed the coverage will know. So I had a bit of luck. I was invited to join some academics writing a report commissioned by the European Parliament on fighting cybercrime, protecting privacy in the cloud… Probably the reason this report was commissioned was to sort of increase the sort of cyber drumbeat of "we must have more intensive surveillance laws", but I explained all this to my academic colleagues and they thought it was so important they let me write the middle section of the report about all of this, pretty much the analysis I showed you and some more, and this was published in, um, October 2012, the date's wrong actually, I should say January 2013, and then of course nothing happened. Nobody reads these European Parliament reports. It just sort of sat there on the website for 2 or 3 months, and I was actually done watching the renewal of the FISA legislation I did they decide to do that, Congress, between Christmas and the New Year obviously. So I was watching on C-SPAN and I just got fed up, so I started calling up all the journalists that I remembered from my own civil society days. Not much luck. Offered the story to the Guardian, no interest.
To other British newspapers, to The Washington Post and The New York Times, no interest, and then [INAUDIBLE], who of course is now working on The Intercept with Glenn Greenwald, wrote a very tight 800-word summary, which then created a little bit of interest in the blogosphere, about 1500 tweets in a week, and then at least from Europe, you know, the general reaction was "how can this possibly be possible, what on earth do we have data protection law for if this is going on?" The US blog reaction was much less, but typically "Oh those Europeans are kind of upset that we have conspired on them. Who's gonna stop us?" And that was from a self-described American civil libertarian. So how did all this happen? How is it the case that thousands of European policymakers and data protection officials all over Europe apparently didn't understand this is happening? Well, I think for almost everyone in this room what I am about to say next is going to be slightly incredible, but we as technologists understand that if you want to encrypt data yourself, and you control the algorithm, you control the implementation of the software, you control the key, and then you put that data somewhere else, that's reasonably safe. But if you want to compute with that data, the meaning of cloud computing, you want to do useful work with that data in somebody else's data center thousands of miles away, well, there is no technical way to protect that, because even if the data is encrypted on disk, when it passes through the CPU it has to be in plain text to do useful work. Before somebody mentions homomorphic encryption, the cryptographers I talked to tell me that it's always going to be orders of magnitude too slow for general purpose computing, and amazingly, as far as I can see, European policymakers did not understand this. They bought a whole lot of encryption blah blah blah, all from the industry that said "Of course we protect you, it's encrypted, isn't it.
And yes, we have very good security measures and security policies. Of course it's impossible. In fact the cloud is more secure." But apart from that, the general structure of the lobbying, from the US government in particular, was that US law offers very good protection to its citizens by the Fourth Amendment, as good or better than many European countries, which is true. Therefore don't worry about the US cloud. But of course you can see the fallacy. Once the data in Europe goes to US jurisdiction, it's totally vulnerable to laws like FISA 702. What was also happening from about 2009 is a whole slew of what I call cloud wash. Various documents from the US mission to the EU and [INAUDIBLE] proxies, State Department law firm, deeply dubious, Hogan Lovells produced number refer frankly deceptive quasi-legal analyses, the pure propaganda respect for law firms like I think latest, and even the European Data Protection Supervisor was making speeches at an event organized by one of the main US lobbyists, talking about using new data protection mechanisms to streamline data to the cloud, and ENISA have a very inglorious role in this, which I'll come back to, and then various other usual suspects. None of those materials are so right now but a collection of 30 before Snowden mentioned FISA at all, not even the original FISA. There was a lot of concern about the Patriot Act, but the Patriot Act turns out not to actually be the key point to the ability account computing. So, restating what I just said: is cloud mass surveillance a real risk? Well, what we know from what's been declassified by Snowden so far is that so far the cloud companies have not been costs to, as it were, internalize mass surveillance. So far it appears that they have been presented with a particular selector I am and you will read enough about what that is vehemently got a point but what I want
you to think about for the future is this problem. We agree, I think, that you cannot protect data in cloud computing with encryption. But it's the new forms of cloud computing, platform as a service: you have an entire way of writing software where as well under the hood if you like the algorithm once then the platform is supposed to take care stating that in a few milliseconds from one CPU perhaps 2002 CPUs, and in fact the elasticity of cloud computing, which is probably going to be one of the key competitive advantages for cloud computing in future me. So imagine that you want to intercept. Well, you have to intercept it at the level where the data makes sense, which could be, you know, somewhere in quantity software stack. So it's really not much use plugging in a deep packet inspection box onto the cables connecting the data center, because you might have to have a thousand of those DPI boxes on standby. If the capacity of the algorithm that's actually running then scales onto the have many thousand CPUs, you're going to need that much extra DPI capacity to survive it, unless you use coercive powers to force the cloud provider to basically build surveillance into the software, you build in surveillance upper teens at the necessary levels and stack so that however that application scales, the surveillance capacity is already there and software day. So I don't know, and it appears we have no evidence that this is being done to read a, but it seems to me the writing is on the wall that if governments are going to be wanting to surveil cloud computing systematically they're going to have to exercise those sorts of powers, and I guess the point I'd like to make a 702 already provides a spouts even if they have not been used to that extent already. So and I want to talk more about the European side of the affair and what's been happening with European data protection Regulation E. As I think most of you will know, there is a new data protection regulation been hung up in I in European legislators
for about two years, and of course discussions continue after Snowden about what form it should take, and one whole part of that regulation is concerned with the legal means of exporting EU data outside, and particularly to the US. So in the current Data Protection Directive there are basically these ways of doing it: you can get somebody's consent, you can rely on Safe Harbor, you can form contracts with specially approved clauses with the person you want to export the data to, and then there's also something newish called binding corporate rules. Binding corporate rules essentially allows us to corporation to make up their own scout's honor charter, "we really will obey this, and we'll invent some sanctions on ourselves if anybody breaks the rules", and this is sanctified by a Data Protection Authority, and these were invented actually for fairly reasonable purposes: if a global corporation wants to do all that human resources processing in one center and therefore collect data from all around the world to do that, this was sort of the template idea behind the BCR. But then, I think very dangerously, data protection authorities in cahoots with the big fam providers for should be a very good idea to extend this idea of binding corporate rules to so-called data processors, data processors being entities which supposedly have no decision-taking power over the data they process, they were just acting on instructions from data controllers. So somebody, I've got a shrewd idea who it is, had the brilliant idea: well, let's adapt this old-fashioned BCR idea for fairly tame purposes to cloud computing, and then we've got a template which can basically be the primary vehicle for legitimizing cloud computing in Europe in terms so the rough idea is Microsoft people whether gets a their BCR-based certified. Once they are certified, in the new regulation the Data Protection Authority must accept them, they wouldn't have any discretion as they do today, and that data can be transferred into particularly US control touts
and then all questions of mass surveillance just disappear into what I call a puff of audit, because the Article 29 Working Party, the committee of European data protection authorities, was so naive that they imagined that somehow a private security auditor, if they inspected a data center and noticed room 641A and they said whole what's behind the neck and I have a look in there, may be told, no, of course you can't, in fact it's classified information that you even noticed that, if you tell anyone about that you go to jail for espionage. Well, data protection authorities were so naive that they thought somehow a private security audit could detect these risks of foreign mass surveillance. So this diagram is supposed to show the sort of risk matrix a the you take 270, and on the left you've got three kinds of information: criminal law enforcement, which probably should include most terrorism cases; some bona fide national security, which in European terms we think of as being the vital interests of the state; and then essentially foreign policy and political spying for national advantage. And then in terms of the columns you have been shaky transfers and then euthanasia in the US. So the red area is not covered by the Fourth Amendment, it's not covered by EU data protection, it's not covered by Council of Europe Convention 108, certainly not covered by the cybercrime treaty, and of course it's not covered by the European Convention of Human Rights, because the US doesn't recognize that. So all this data for 15 or so years has been completely unprotected. Well, the story moves on; I have to accelerate a bit. This year, in January, President Obama made a flagship speech to try and address these concerns, and he's in an impossible position, because on the one hand he has to assure the American people that 578 in particular is no threat to Americans because it's designed to spy on foreigners, but then at the same time he has to find some way of reassuring the rest of the world. So what he came up with was a very well
written, very well crafted speech, but underneath the speech was a new presidential policy directive, PPD-28, and basically there's a real gotcha in a footnote. So footnote 9 says this directive is not intended to alter the rules applicable to US persons in Executive Order 12333, FISA or other applicable law. Just a brief digression: Executive Order 12333 was created by Reagan, and essentially it is a policy directive which covers NSA activities spying entirely outside the United States, when you're basically just pointing at foreigners and there is no reason to believe Americans are involved. You may have NSA agents infiltrating data centers in some foreign country; that's what, you know, 12333 is about. It's policy, it's not law, and was a relief map will come back to you. So in other words, in the small print in the footnote, all of the reassurances in PPD-28 are basically worthless from the point of view of establishing any kind of equality of rights. There's still going to be discrimination by US nationality. If you're a US person, then a law enforcement authority would need a particular justified FISC order to not hire legal standard necessity national to US person basically the NSA JustAnswer selectors to list I am man we had a report from the cycle Privacy and Civil Liberties Oversight Board, which essentially has no mandate to look out for the interests of non-Americans at all. Their analysis of the situation that Americans occupied five pages on 296 and frankly I think it's misleading tautology scrupulous chunk and I have been a vast amount of st.
classification sense I am not sure which analyzed, but basically there is this tendency that a lot of the stuff that is redacted, you can tell from the context, the stuff that's redacted is about the situation of non-Americans. So who did I warn exactly? I actually I first so I cant you see charm gets metres from the Open Society Foundations way back in Jan 11 ally explains a to that committee not a source in person I what school was made quite an impact on them, but they didn't do anything. They said they only fund existing NGOs, and they've done nothing. In fact sources done nothing about surveillance issues in Western Europe in the entire time Open Society Foundation has been operating, if anybody doubts that. I also recession person in March as a conference I attended and he did tonight. I also warned Privacy International in June; they said they had no resources. And I tried again in October, and still no interest from Privacy International, and that pains me to take any since I've known the guys in Privacy International work than 50 years and I'm genuinely baffled what's happened to Privacy International. I also, in September, when it actually left Microsoft's a war dead reefs and DG Justice a cabinet-level the Polish data protection authority, um, who did nothing and basically put one footnote my slide deck I showed him an academic article he wrote a he opposes not become the deputy European Data Protection Supervisor. The Greens were very helpful and had nothing but praise for particular outspend rough and yeah no breasts and they are straight shooters, and I'm very grateful for the help they gave me. In September 2012 I had an opportunity to make a speech at the European Academy nor where page listings was there his deputy now EDPs johnnie which read a I represents just me you counsel and the person in charge of the international transfer section from the Camille National de facto Oscar 29, and I basically explained this 54 slides with a great deal more legal analysis; again, stunned
silence but title in action a different conference idea made it he said where Feliz and then had some correspondence with the head of ENISA, who basically said they had no mandate to touch this, this is all excluded from their mandate by national security exemptions. But then of course after Snowden, um, it would seem to be politically impossible for ENISA to say that, so ENISA concocted really rather bogus and meritorious documents sort of implying that they had factored in the sort of risks to that pre-Snowden analysis not take young tree. I had an opportunity to make a speech to the European Parliament since parliamentary falling for civil liberties in October 2012; again, stunned silence. The Portuguese DPA put up the handset may have some details please, and I tried to get in contact with the Polish, with the Portuguese DPA, and their response. And then in February 30 that was when I made the presentation he the European Parliament report but I mentioned before September, and that did make an impact, and immediately afterwards the LIBE committee asked me to draft amendments for the new data protection regulation, but I'm afraid they were mostly ignored or diluted. And then just a fortnight in May I DG Connect, in charge of policy, I've been beating them up as well, they finally organized the forum at the offices of Digital Europe. Digital Europe are essentially the trade association for electronics, IT and software companies, largely dominated by US and UK companies, and basically DG Connect several past when talking about this paper if you can convince those hard nosed past tense that Digital Europe that will take you seriously, and basically they laughed at me, just before Snowden. So what has been the EU Commission's cloud policy up to today? It was run by Neelie Kroes' DG Connect, and the official EU policy document published around 2012 essentially rejected the idea of trying to make any pan-European clouds, which was sort of safe because there was no enthusiasm for
Member States basically the member states didn't really trust each other anymore in the US not sort of collapse the idea to the extent he was a pic seriously considered there was a steering board composed industry bigwigs I and then various it's a candy floss about trusted cloud Europe yada yada and and then a new of the snow menu group was set up to try and streamline cloud contracts not rejoin that for a while until I realized it was no interest whatsoever in drafting anything which would make surveillance harder will build the incident the terence that just wasn't the agenda at all it was simply about making essentially cloud less treacherous my contractual point of view which is useful work but nothing to do with stopping surveillance. Particularly pernicious idea is if you have a cloud contract to provide a then that provider should be able to basically subcontract what they've contracted with you recursively so you can glue on a sub provider as a provider some fight on to that which could of course be different countries so you have absolutely no idea a where the data's flowing and the Article 29 data protection authorities were pushing this idea and I shopping criticized fashion they said Caspar you don't understand our job is not to stall any kinda processing our job is to find legal basis to allow it to happen that is the mentality still in the call parts the European data protection for it so really there's been no substantive change whatsoever the EU cloud policy since nineteen but when you listen to speeches certainly before the new commission Neelie Kroes and Viviane Reding you would hear it is vital that you get a strong new data protection regulations so that we can deal with all this surveillance stuff which is completely false what department do I will after a may ask me for some amendments um when Snowden happens the Parliament phoned me up and said Caspar it's all true would you like to write briefing notes for the official European 
Parliament inquiry which I did and as a reference to national back the slide deck and if you want to read one thing about all of this then I'd encourage you to read that it's only thirty pages but I think it's one of the best piece of work done so of the Snowden based. The LIBE committee, the civil liberties committee, went into a sort of purdah, a lockdown, there was one particular politician who insisted on this, Baroness Ludford for the Liberal Democrats, who marvelously lost her seat at the last election so you don't have to worry about her anymore and not enforcing these accounts but just luck of the draw and label certain popular but anyway for reason for 22 pretty competent you now essentially LIBE cut itself off from all advice any interchange really we've what they were cooking up was a compromise that cooking up and say what emerged out of this purdah was so-called Article 43a and this is a restoration of a clause which was lost from the penultimate draw after the draft is actually published by the Commission in 2012. What it said is that in the case where you put some data in the cloud and then the US for example law enforcement wants to get direct access to from thats a can provide up well the cloud provider has got to tell and get permission from the Data Protection Authority to do that so it sets up a deliberate conflict of law because you remember if somebody had done that in respect to find the law there've been a contempt of the FISA court and possibly endanger themselves under the Espionage Act so that's putting the companies in a terrible terrible squeeze except well think about it on the one hand you've got contempt of the FISA court, very very powerful court in the US, and potentially espionage charges, on the other hand you've got fines and a very long dubious process and enforcement by very ponderous European data protection authorities, fines might get quite big and then again they might not so which are you gonna choose so it's not a credible deterrent and I was key part of the 
advice and amendments not drafted for the parliament but they wouldn't a fresh I one beating Obama did do is they remove these BCR process but it's likely the Commission and the council and Article 29 has is that a baby we want them put back who is this is a bit outside the scope of the talk but I what to say there's a lot more apart from this with the new data protection regulation. I've reluctantly come to the view from having full and his mother but nap I that this is going to be a curse on personal freedom this is going to be an irreversible bureaucratization of everyday life I probably will skip going through all the things which are wrong here except just maybe the plot point in the regulation which is going on four times as much text as the original directive for 450 references to this time I thought processing. Processing can mean computing with data or storing the data but as we know but they didn't know in 1981 when somebody had the bright idea to munch these two ideas together we now know that you can protect stored data with encryption but you can't protect computer data with encryption so this entire regulation is built on conceptual sand, each these 450 references is inherently ambiguous but it is conflating two completely incommensurable information security situations, one of which is tractable with technology and the other which is not, that's how messed up the dates conceptually. Saying to come right up to date I Article 29 Working Party came out just this month with that opinion 51 page opinion on the whole surveillance thing expanding from a shorter opinion they published last year I am it's a very muddy piece of work day it's really a long letter have self expel Patito by why they couldn't reasonably be expected to do anything about this today server they do make some interesting definitive statements the exemption in the EU treaties of is no possibility to invoke the national security for the country alone in order to avoid duplicative EU law 
and this is a sort of riposte to the carve-out in the EU treaties for national security but of course that is the national security member states not a third country and DPAs may suspend data flows on their existing cuts particularly in Germany content but they haven't done so so far and they're also watching the outcome with the Max Schrems case which we have got time to talk about now and but they also say Article 43a this conflict of law the Commission's idea now put back by the parliament after being lobbied away just before the publication of the original regulation they don't like it they say it may be a step in the right direction it's not going to be the solution to all problems but his the the bombshell right at the bottom and it's not obvious they say that's if there is any such Article 43a they don't want the job pay basically a be the interior ministry at each country which would take that decision whether to approve or deny the transfer not the independent Data Protection Authority OK they don't want the job in other words within the city complain Article 29 they failed to reach any consensus that this problem the Foreign Intelligence Surveillance is really anything that should be done by then make maybe have a question or two about that. Article 29 also have AIDS their own responsibility for this mess back in 2005 in one of a working party documents dealing with all of this they said that one of the reasons they were inventing these BCR and contract structures was up so that transfers they called repeated, mass or structural, which was that a code for this sort of thing, precisely because of its importance should somehow be carried out within these legal frameworks they're inventing but nine years later they say exactly the opposite they say that these instruments which they invented should not be the basis for these massive structural repetitive transfers so in other words Article 29 in the fully they got this whole ball rolling in the mid 2000's as if these 
preposterous legal mechanisms could possibly contain these risks and now they contradict themselves and walk away with us technology obscenity they also don't mention the discrimination by nationality in US law which I stressed and in fact 250 opinion since 9/11 they never even mention the concept of foreign intelligence at all I am the other bits and pretty have time to explain right now but what they did to YouTube a conference being a month is publish a political statement some 15 points a political beliefs which sound very light on they don't they are in fact the sort of thing that privacy activists do you say and espouse but believe this is a decoy this is a decoy to try I'm distract attention the fact they cannot achieve any solidarity amongst themselves for deciding that they actually have a responsibility to enforce the existing law to shut down data flows to make the United States fair price and the US is exception exception is if you look at references its financial discrimination by such citizenship and nationality rather than the geography of the communication path well as about 40 in US Small counting uprising patron fis all the first and fourth amendment special protections the UK has 0 surprising Germany has one which is a profound embarrassment might have got a question about that because in ECHR human rights are supposed to be equal but actually part of the German G-10 law is very analogous to 702 K Canada has not to New Zealand to Australia to and I have been able to discover any others at all but the US has 40. So what NGOs top arm at Brazil 9 2001 Istanbul by Jeff nobody said one word about discrimination by nationality I was tweeting like crazy kinda taking actions the subject was never even raised by anybody CDT a senior EFF and I'm very little on non-US person rights in shorter people here or chrome the about that Access is done more than most s said not one word about FISA I'm in eighteen years i've visiting the UN helping us with our 
privacy problems I petrie has done nothing before or after Snowden and I've much Privacy International ready. Is a real treaty with the US even possible supposing we got the sort of guarantees that we would like to have the criminalization of data protection offences there is a a serious fundamental problem which is that spying on foreigners abroad is an inherent presidential authority Congress cannot restrain that presidential authority so in other words if Obama today makes a promise and says we change policy against rewrites pH 0 features a much more strongly than PPD-28 you can trust that because a future president or the same president could tomorrow in secret announce that policy and just go back to business as usual so it's not even clear was a legally binding treaty is possible and the sea change the US Constitution I and generally what I've been recommending for couple years now is a three-prong strategy for him response firstly you work out essentially which data flows more valuable to the US and they are two year and he began shutting them down as in a trading secondly you need a long-term EU industrial policy to develop software and cloud services and I think also critically that should include a secure operating system for individuals for much more secure operation system for individuals you might have seen on the beginning the slides were not policy adviser to the Qubes OS project might do you think if you haven't heard of Qubes and are worried about your security for a laptop you should check it out that's all I'll say and thirdly we need whistleblower protection because its only through it which they discourage that we know that least for anyone is taking this seriously now and we don't know that the next whistleblowers going to be as altruistic as Snowden so we need to actually give them water tight asylum and probably some incentives promising reports I actually proposed two departments that they whistleblower should get 25 percent of any fines 
subsequently exacted on a controller now that sounds an enormous amounts but you gotta remember that person is likely to be an American either somebody working for a corporation working for them for the NSA and they're going to need bodyguards protection for extraordinary rendition kidnapping back to supplant on a mod for the rest of their lives so that's why the incentives have to be enormous to provide a credible deterrent. So the way but I try to summarize the political situation eyes welcome to the matter cannot Tucan it is unfortunately true that most people don't think I have anything to hide from the government but people vote for politicians and they have to have trust in public officials they have to trust the public officials acting impartially in their national interests and in their collective interest sir how now people going tonight that that is the case because any politician or official in Europe now knows that the NSA and public GCHQ has every detail of their private life every indiscretion everything rash email sent by Gmail any phone call education did you spoke to traffic analysis well a moment of brain cell and position power need you nana is that private life is and perhaps their career could be ruined with one tabloid news story order promotion ruined if a show perhaps too much anti-American bias and that comes the attention at the US and make to arrange for the other guy to get promoted well how do we know that's not going to happen because even if it doesn't happen we might reasonably suspect that may happen so that is a profoundly corrosive idea for democracy but is something that we now have to deal with that we cannot deal with it by not thinking about church and as I put together a report the thoughts ahead but Snowden have put in the minds the public cannot now be unthought thank you very much

Co okay we can take a power about 10 minutes for Q&A is so if you happen to pasture hum find a microphone preferably one of those I and I also have a 
signal angel in the back and she is up she has a question

yes hello Caspar so we have a ton of questions for you and me IRC and they're well are really excited about your talk and I'm I just start with one so can you name three countries whose laws are equally balance and protecting its citizens as well as foreigners so which countries could to be the yeah the take as an example for laws in europe on Germany

so I think one important distinctions to make is this what has been going on in reality as we now know from Snowden and then there is what's the law is in theory so in every European country I believe I apart from Germany the laws he called there's nothing in European laws apart from Germany that I discovered where it says if you are a French citizen or if you're Slovakian citizen with your Czech citizen you get better protection in respect to privacy in tonight's what almost every other countries laws say is they differentiate between purely domestic communications communications starting in beginning in one country and communications which crossed the border the backcountry so that is the way that most laws make that distinction but you may say well does it make a difference yes it does for cloud computing because the stark contrast is if you have any American data in Europe then that data is equally protected by European data protection and human rights law an American to come over here and start taking a case to European data protection authorities all European courts without any trouble at all if they thought their privacy was being I'm just 25 be infringed the converse is not true all EU data as I have demonstrated in the US you have no legal rights at all and that is the asymmetry created by cloud computing before cloud computing the rough assumption in the build-up in these international laws for that 50 100 years was that territory was roughly congruent with jurisdiction what cloud computing does is it just like those two apart and creates this vast 
asymmetry

um Michael their day okay so thanks for the talk of a in Germany the parliament finally decided to open up an investigation commission after Snowden revelations and arm so they got witnesses from the German a.m. intelligence services but not not much came out because some all the details are classified which what hole is prove and the government also protects them and it appears that some hard intelligence services operate and some sort of room that is independent of the law know you pointed out how in the US they would be what they could do with in the boundaries of the law know my question is do they even care or more formally put how likely would you think that day 50 US agencies would feel bound by the US laws at all

so I think the bait they do not feel bound by the US laws there was a great a at John Oliver The Daily Show quip which is the amazing thing mister president is not may be saying that you break them or the amazing thing is that you didn't have to I am and I do think that when you read you know the texture what's NSA lawyers have said and the text to the PCLOB reports and so forth think they are in a sense legal overlay when out getting kinda BOM with thousands and thousands of pages American release but the trouble is not it has any relevance for us it is all about because that is the only right to exist is all about protecting rights Americans and the simply on our rights to find for anybody else

thank you a microphone over there please

hi hi I have a question about but the broader jurisdiction in the area of cloud computing I and as I'm sure you know Microsoft is challenging a ruling in the states about access to data held in the EU and i'm just wondering what your views on that is it sorta PR snake oil or is there something like a positive role that US companies can do in sort of challenging this cycle surveillance

so is a San Fran glad you asked me that arm as you can imagine getting fired from by Microsoft for trying to warn them 
about 702 I am I do find it kind of amusing that now Microsoft is painting itself the champion of privacy and I'm afraid this case is not about protecting the sovereignty of European data this is about protecting some shit Microsoft but the short answer is the substance about cases only about the Stored Communications Act part of the ECPA 1986 nothing to any deals with criminal law enforcement so even if Microsoft won that case and actually had think I think wept because then I feel kinda shore of this rotten system that we have today but even if they won that case we do nothing to prevent surveillance under he ate of 83 of isometric its complete your fucked

I will take another question from the internet

so nope okay am so two questions and the same direction arm the question is that I mean the at the US are quite powerful in comparison to Europe so one of your arm examples was to not give them any data anymore that they are really really wants to have something to trade up I'm so how do you think that will work arm its there any possibility that list will be the case

so when I first started recommending this policy a couple years ago but basically everyone said I was crazy and they said there is no capacity for this in Europe we don't have enough the software houses we don't have enough people who could build investing data centers is completely crazy but what I heard from the Commission just the two weeks ago is that what they're hearing now is actually European providers particularly telcos a queuing up to now provide European based data centers and of course another constant what I said is people should not be using open source software for security because this problem actually pushing software updates and through a software update any in security infrastructure you don't being able to be taste I'm because you just don't know what's the update of course open source is no panacea but tools like static analysis for getting the bats at Megan's or so 
much more effective than when we last had this debate on thirty years ago say from all points of view there is just a massive advantage now and everybody particular governments switching to open source cloud computing indigenously hosted in the EU if you do that of course the NSA can still try and break a but if you the NSA tried to break in you can at least defend by conventional means and you're in essentially a totally different situation me she's handed or that data I wanna play each inspection 780

can't think we've got time for two more questions

in II thanks for the speech and you claim is that for a Article 43 does not work because the asymmetrical nature of the crime and punishment the punish me full of a for followed it for spying is twenty years in prison et cetera but does not apply to European citizens operating in europe certain could a Article 43 not be short up by saying anyone who provides cloud services in Europe has to happen on European city a strain on American citizen working in the role of getting the information about this on that the back and forth as required by Article 43 and and then then the asymmetric asymmetric see does not exist anyway if that's a word

for tonight's ideas but the problems anyone here is that it's by no means clear that the Espionage Act can only be used against American citizens Australia such and the second point is that there is the scope American law extends not just to US-based companies but to any company the does business with the US so theoretically a 702 order could be put onto Deutsche Telekom, France Telecom or whoever but from my experience working in a very big corporation and now having my my judgment his the US would not serve 702 on European company because the whole purpose would be secrecy and I think that maybe naive but the European corporations stuff in the European lawyers they would not put up with that they would ensure that essentially they were cries for help from their own government from 
data protection authorities so I think in practical terms is very substantially less risk for European company even if it is doing business in the US to be subject to this law and afraid putting responsibility just me good citizen when necessary doj

and the last question

dude do you think over here do you think there's and near an American company can set up a cloud hovering a thats really put legally protects the Dec customers deter from a its say the US legally spying on them

Shaw yeah I mean just use European company running free software physically located in the territory of Europe and you protect that as well as you can up but not for an American company, no, there is no way of an American company and something about which i'm terribly terribly sad

thank you so much Caspar I hope that there will be a result that is bigger than some sign in


This page was last edited on 26 June 2021, at 18:00
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.