
Piratenpartei - News

piratenpartei_news@social.piratenpartei.koeln

Privacy Shield: the American Lobbying Invasion

It is difficult to know the true extent to which American corporate interests and the US government continue to lobby the European Union and its member states on the US-EU Privacy Shield agreement. In March of this year, public records requests about Privacy Shield were sent to data protection authorities across the European Union. To date, the vast majority of EU data protection authorities have failed to release public records on Privacy Shield.

Lobbying by American Corporate Interests

American corporations, such as Google, Microsoft, Facebook, Amazon, and Twitter, use the Privacy Shield framework as the legal basis to transfer personal data from the European Union to the United States. Civil society groups [1, 2, 3, 4] have criticized the Privacy Shield’s many flaws and lack of basic protection for personal data. Even the EU’s own parliament has been critical of the agreement. The Article 29 Working Party, the group of EU data protection authorities, has also expressed serious concern and doubt about Privacy Shield. Perhaps the most glaring inadequacy of the Privacy Shield agreement is that it allows for NSA mass surveillance, in violation of EU law.

The European Union has a voluntary lobbying register. Google, Microsoft, BusinessEurope, and DigitalEurope are four of the top eight lobbying organizations by number of meetings with EU officials, according to Integrity Watch. The transparency register lists Google and Microsoft as members of BusinessEurope and DigitalEurope. The transparency register also shows Google and Microsoft each estimating their annual spending on EU lobbying at between €4 million and €5 million. BusinessEurope lists its estimated annual spending at a little under €4 million, while DigitalEurope spends approximately €1.9 million a year.

There has been a massive lobbying campaign by American corporate interests on Privacy Shield in the EU. In addition to spending on lobbying, the transparency register also lists meetings between EU officials and lobbyists. In January of 2016, a couple of months after the EU Court of Justice struck down Safe Harbor (the framework that preceded Privacy Shield), Microsoft met separately with EU Commission Vice President Andrus Ansip and Commissioner Vera Jourova on the issue.

American technology companies such as Adobe, Apple, Amazon, AT&T, Cisco, Facebook (through its subsidiary in Ireland), General Electric, Google, Hewlett-Packard, IBM, Symantec, and Yahoo! have lobbied EU officials on the EU’s data protection standards. Several American financial services companies, including Citigroup, JP Morgan Chase, and Mastercard, have also lobbied EU officials on data protection standards. Trade industry groups representing American corporate interests have also taken part in this lobbying effort. The American Chamber of Commerce, the Business Software Alliance, BusinessEurope, and DigitalEurope are likewise listed as meeting with and lobbying EU officials on Privacy Shield.

Since the EU’s transparency register is completely voluntary and there are few sanctions for violations, some meetings with EU officials and additional spending on lobbying may never have been registered. The American lobbying invasion may actually be much larger than the records on the EU’s transparency register suggest.

US Embassy Gets Involved

The US government is also engaged in lobbying EU member states to accept the Privacy Shield agreement. In January of 2016, the US embassy sent the Danish data protection authority (Datatilsynet) an email warning that legal uncertainty about personal data transfers from the EU to the US could harm business. The US embassy goes on to state that the EU should not solve the problem by hosting servers and storing data in the EU. The email also rather comically insinuates a denial of some aspects of NSA spying by stating, “The allegations underlying the Schrems case about U.S. privacy law and intelligence practices were based on mistaken assumptions and outdated information.” The Datatilsynet confirms that there was a meeting in May 2016 between their office, the Danish Ministry of Justice, the US embassy, and the US Department of Commerce about the Privacy Shield agreement.

In January of last year, the US embassy sent an email thanking the Slovenian data protection authority (IPRS) for a meeting the week before. Several days later, the US embassy sent IPRS and the Slovenian Ministry of Justice a rather ominous email. The email warns, “It is imperative to conclude a revised U.S.-EU Safe Harbor agreement now, or risk harm to economic growth and job creation on both sides of the Atlantic, as well as damage to the broader transatlantic relationship.” The email also pressures Slovenia to direct EU Commissioner Vera Jourova to approve a new agreement to replace Safe Harbor. The US embassy also sent documents to the IPRS, which the IPRS is refusing to release.

The data protection authority of Italy confirms receiving communication from the US embassy about Privacy Shield. The data protection authorities in Finland, Germany, Latvia, Romania, and Sweden deny receiving emails from the US embassy about Privacy Shield. The data protection authority of Austria refuses to confirm or deny if it ever received emails. In response to questions about the possible existence of emails, the data protection authority of Luxembourg (CNPD) had a rather bizarre reply. The CNPD stated that Luxembourg does not have a freedom of information law. In addition, the CNPD refused to answer questions about the US embassy by citing Luxembourg data protection laws.

For now, the true extent of American lobbying remains behind closed doors.

The text of this article is released into the public domain. You are free to translate and republish the text of this article. Featured picture is obtained from the US Department of Commerce.

Tags: Pirate Topic, EU, lobbying, Privacy shield
Swiss Privacy Shield Down!

The so-called “shield” protecting Swiss data has no legal basis in the US.

After several weeks of research and analysis of the US-Privacy Shield agreement and its implementation, this morning, the Swiss Pirate Party (PPS) notified the Federal Data Protection and Information Commissioner (FDPIC) of a discrepancy challenging the very existence of the agreement.

According to the information we have reviewed, it appears that the US government failed to publish the agreement in the US equivalent of the Swiss Federal Gazette.

In effect, this means that Swiss data is not protected under the Privacy Shield agreement.

In fact, from our research, it appears that the US government has no legal basis for approving the agreement with Switzerland. While the agreement was approved on January 11, 2017 by the Swiss Federal Council, the US government has not officially published the agreement; it has, however, published the US-EU Privacy Shield agreement. The US government’s failure to publish the Swiss agreement is in violation of the Administrative Procedure Act and the Federal Register Act, in addition to the case law described by Larry Becraft, Esq., in the legal brief entitled “Statutory Foundation for Federal Register Publication”.

It is widely known that President Trump seeks to undermine the Privacy Shield agreement, and as far as Switzerland is concerned, he has succeeded!

Guillaume Saouli, PPS Co-President, said:
“This situation shows once again the little effort that the Swiss authorities are expending to protect the data of Swiss citizens and our interests in this rapidly expanding global digital society!” and “The Swiss are once again left to fend for themselves against large American corporations. This situation is dangerous and unacceptable for the privacy of Swiss citizens, and also creates an extreme competitive disadvantage for Swiss companies. Swiss citizens’ privacy is not protected by commercial competitors established in the US.”

The Swiss Pirate Party demands that measures be taken to protect the interests of Swiss citizens and the business community, interests that have been dismantled and scattered to the four winds through lack of fortitude and absence of means, as already revealed in communications with the FDPIC.

Today, as the consultation on the reform of the data protection law has just ended, these two cases highlight the necessity for the FDPIC to have the ability and means to implement this mandate and guarantee protection for all of the Swiss!

Copy of Letter to Commissioner

Subject: Existence of agreements between Switzerland and the United States on Privacy Shield

Dear Commissioner,

From research conducted on Privacy Shield by the Pirate Party in the US and Switzerland, we have discovered several issues of great concern. We request that you take a position on these issues and clarify an essential question.

Does the Swiss-US Privacy Shield agreement actually exist?

In fact, during our research, it appears that the US government has no legal basis for approving the agreement with Switzerland. While the agreement was approved on January 11, 2017 by the Swiss Federal Council, the US government has not officially published the agreement; however, the US government has published US-EU Privacy Shield agreement. The US government’s failure to publish the agreement is in violation of the Administrative Procedures Act and the Federal Register Act, in addition to the case law as described by Larry Becraft, Esq., in the legal brief entitled, “Statutory Foundation for Federal Register Publication”.

http://www.lexrex.com/jml/index.php/articles-documents-and-archives/laws-writings-documents/200-statutory-foundation-for-federal-register-publication

Since the Safe Harbour agreement is no longer in force, what are the “provisional” measures you propose in order to ensure the continuity of data protection for Swiss natural and legal persons?

One of the main objects of our research was the proper functioning of the Ombudsperson at the US State Department and its various designated counterparts. We would like your views on the issues mentioned in the letter sent to the US Government Accountability Office (GAO) concerning the legal authority of the Ombudsperson and its durability. A copy of the letter sent to the GAO is attached.

Link: https://diycivics.wordpress.com/2017/04/24/letter-usgao-must-investigate-privacyshield-vacancy/

In light of the situation described in the letter sent to the GAO, can the FDPIC explain the current situation and describe the legal process in the US?

In summary, does the agreement approved on January 11, 2017 actually exist? Does its implementation have a sufficient legal basis for the protection of Swiss data?

In anticipation of your prompt reply, Commissioner, I send you my salutations,

Guillaume Saouli
Co-Chairman
Pirate Party of Switzerland

CC:

Delegation of the Swiss Parliament’s Management Committees

Swiss Federal Department of Foreign Affairs

Swiss Federal Department of Economics, Education, and Research

—————–

This article and letter were translated from French. The original French version is https://www.partipirate.ch/2017/04/27/privacy-shield-down/

Tags: Pirate Party News, Guillaume Saouli, PPCH, Privacy shield
NSA Contractors Join Privacy Shield

Did you really think that the European Union would protect your privacy? Don’t be so naive.

The US-EU Privacy Shield program is supposed to give EU citizens greater data protections. As I wrote previously, the Privacy Shield program has several legal loopholes, which makes it look a bit like a block of Swiss cheese.

To add insult to injury, not only does the Privacy Shield fail to protect people’s private data, even NSA contractors are invited to join the party! The Privacy Shield program gives these NSA contractors the ability to transfer personal data stored in the EU to the US. From watching international news over the past few years, you may remember how Edward Snowden blew the whistle on the NSA’s mass surveillance programs. Snowden exposed how the US government had access to read your emails and to listen in on your phone calls.

Including NSA contractors on the Privacy Shield list is a bit like letting the fox guard your henhouse. While some of the NSA contractors are signed up only to transfer human resources data, their inclusion in the program does nothing to improve Privacy Shield’s already dismal public image. The companies on the list are allowed to certify their own compliance with Privacy Shield through a self-assessment. In practice, this means that these companies have little or no independent oversight.

The following NSA contractors have joined the Privacy Shield program: BAE Systems, Boeing, General Dynamics, Lockheed Martin, Northrop Grumman, and Raytheon.

With the inclusion of NSA contractors in the Privacy Shield program, it is rather obvious that the US government cares nothing for data protection. While Europeans are lulled into a false sense of security with Privacy Shield, the US continues to build its surveillance state.

Bild/Foto
BAE Systems

In 2013, BAE Systems won a multi-year contract with the NSA for high performance computing. The contract is valued at $127 million. A leaked top-secret document outlines the NSA’s surveillance priorities for 2012-2016. One of the NSA’s stated goals is to use high performance computing to crack encryption. As a goal, the document states that the NSA plans to “Dynamically integrate endpoint, midpoint, industrial-enabled, and cryptanalytic capabilities to reach previously inaccessible targets in support of exploitation, cyber defense, and cyber operations.” In other words, the NSA plans to use its high performance computing program to broaden its surveillance capabilities, and BAE Systems is helping.

Boeing

The American telecom, AT&T, built a secret room in one of its centers to facilitate NSA spying. In 2006, an AT&T technician blew the whistle and revealed the NSA’s massive spying operations. The NSA used a device to sift through massive amounts of data from the internet’s backbone. The device was made by a company called Narus. In 2010, Boeing acquired Narus.

In 2008, Boeing acquired Digital Receiver Technology (DRT). The NSA used DRT equipment to track people’s locations by their cellphone signals. Some DRT devices also have the ability to listen in on cellphone conversations and jam cellphone signals. Several DRT devices appear in the NSA’s surveillance catalog.

General Dynamics

In 2014, the Intercept revealed that the NSA was recording virtually every phone call in the Bahamas. The program is called SOMALGET, which is part of a broader surveillance program called MYSTIC. The broader program, MYSTIC, collects phone call metadata from several countries including Mexico, Kenya, and the Philippines. General Dynamics had an eight-year contract valued at $51 million to process data for the MYSTIC program.

Lockheed Martin

In 1988, Margaret Newsham, a software engineer for Lockheed Martin, blew the whistle on a massive NSA spying program. The NSA was intercepting phone calls and electronic data in a surveillance program called ECHELON. While working for Lockheed Martin, Newsham was helping to create software that ran the ECHELON program. Newsham also revealed that the NSA was listening to phone calls of a US Congressman.

The US military’s research arm, DARPA, awarded contracts for the Total Information Awareness (TIA) program. The TIA program would collect massive amounts of data and apply a predictive policing model. In other words, TIA used automated analysis to flag people as potential terrorists. In a very eerie sense, it was the film Minority Report becoming reality. DARPA gave Lockheed Martin 23 contracts valued at $27 million for the TIA program. Several branches of the US government were involved in the TIA program, including the NSA. In 2012, the New York Times revealed that the NSA was running a program very similar to TIA. The full extent of TIA’s legacy would not be revealed until the Snowden leaks in 2013.

Northrop Grumman

In 2000, the NSA launched the Trailblazer project. The aim of Trailblazer was to update the old Cold War era interception technology employed by the NSA. The Trailblazer project was mired in scandal. The NSA had wasted over a billion dollars for a program that did not work. Northrop Grumman was one of the contractors working on the failed Trailblazer project.

The Trailblazer project was terminated in 2006. The next year, the NSA awarded Northrop Grumman a $220 million contract. The contract was to help the NSA manage the vast amounts of data it collected from its surveillance programs.

Raytheon

In 2009, the US Department of Defense established US Cyber Command, co-located with the NSA at Fort Meade and led by the NSA director. The new command would focus on defensive as well as offensive cyber warfare. Raytheon posted job advertisements for “cyber warriors” to work at locations near known NSA sites.

In 2010, the NSA awarded Raytheon a classified $100 million contract for the Perfect Citizen program. The program would place sensors, to detect cyber attacks, in the backbone infrastructure of public utilities. A Raytheon employee criticized the program with the following words in an email: “Perfect Citizen is Big Brother.” The NSA rather comically claimed that Perfect Citizen would not be used for spying; however, privacy advocates were worried that the program would be used for domestic surveillance.

The text of this article is released into the public domain. You are free to translate and republish the text of this article. Featured picture is CC BY-NC-ND 2.0 by Flickr user jrothphotos. Secondary picture CC BY EFF.

Source: printouts from the PrivacyShield.gov website.

Tags: Pirate Topic, BAE Systems, Boeing, General Dynamics, Lockheed Martin, Northrop Grumman, NSA, Privacy shield, Raytheon, Snowden
Privacy Shield: More Holes than Swiss Cheese

What if your most intimate and private information were for sale to anyone in the world? What if anyone could find out your political beliefs, religious affiliation, sexual orientation, or even your medical history? In the US, it is legal for the private sector to collect and sell these types of personal information, and the government is powerless to stop it. Because the US lacks a general data protection law, Europeans’ personal information could wind up in the hands of unscrupulous data brokers and for sale on the global market. Data transfers from the EU to the US are a cause of ongoing controversy, because the EU considers data protection to be a fundamental right.

In testimony before the US Congress, Pam Dixon of the World Privacy Forum detailed abuses by data brokers. MEDbase200 sold personal information on rape survivors and people with an HIV positive status for $79.00 per thousand names. Addresses of domestic violence shelters are supposed to be kept secret, but FirstMark sold lists of these shelters online. DMDatabases sold comprehensive databases detailing patients’ medical conditions and which prescription medications they were taking.

Data brokers obtain personal information from various sources. Many US companies rather shamelessly sell information on their customers. Data brokers can also collect information online through tracking cookies, mobile app data, social media postings, and online surveys. Data brokers also sell each other vast amounts of data, making it virtually impossible to figure out who originally collected the information.

EU regulators should be concerned that social media sites are now partnering with American data brokers. Especially controversial is Facebook’s partnership with the data broker Acxiom. After the 9/11 attacks, Acxiom lobbied the US government to weaken the few and limited federal privacy protections in the US. In 2001, Acxiom proposed establishing a government surveillance program to crawl the internet and gather intelligence from websites. The US Department of Defense also considered partnering with Acxiom to build a large surveillance database. In 2003, Acxiom was embroiled in controversy when it worked with the US Department of Homeland Security on a proposed system to give airline passengers color-coded ratings based on the likelihood of their being a terrorist. Despite holding vast amounts of personal data, Acxiom has been the victim of numerous data breaches, with computer hackers stealing large amounts of information.

Starting in 2000, the US-EU Safe Harbor agreement allowed companies in the EU to send personal data to the US. In 2015, the EU Court of Justice struck down the legal basis for the Safe Harbor agreement, because the agreement failed to provide adequate data protections. The US and the EU quickly negotiated a new agreement called Privacy Shield to allow the continued flow of data from the EU to the US.

The new US-EU Privacy Shield agreement is a complete disaster. The agreement’s greatest weakness is that the Privacy Shield program is completely voluntary. An American company with no subsidiaries in the EU could refuse to sign up for Privacy Shield and can ignore EU data protection authorities. The US government is powerless to stop data collection over the internet, which is completely legal in the US.

Even when a company voluntarily signs up for the Privacy Shield program, enforcement of the rules depends on the US Federal Trade Commission (FTC). This year, President Trump has the authority to nominate four FTC commissioners (out of five commissioners in total). Considering President Trump’s history, his nominations for the FTC will be extremely business-friendly, and the new commissioners may do everything in their power to block consumer protections (including Privacy Shield). On the rare occasion that the FTC actually investigated a company for failing to comply with the Privacy Shield framework, the FTC would first have to prove that the data in question is covered by Privacy Shield. In the US, data brokers repackage and sell data so many times that it may be difficult or impossible for the FTC to ever prove where the data originally came from.

Recently, President Trump named Maureen Ohlhausen as acting Chair for the FTC. Ohlhausen has previously criticized the FCC (Federal Communications Commission) proposal to require ISP (internet service providers) to obtain consent before sharing customers’ private data with data brokers and other third parties. Ohlhausen argued that the FCC’s proposal would harm consumers by offering too many privacy protections. With Ohlhausen as acting Chair, the FTC will likely fail to enforce the Privacy Shield framework.

The Privacy Shield framework does nothing to stop the US government’s mass surveillance and bulk collection of data. In a letter included in the Privacy Shield notice, the former Secretary of State, John Kerry, promises to establish an ombudsperson to take complaints regarding US government surveillance practices. A close reading of the memorandum reveals that the Privacy Shield ombudsperson has no legal authority to investigate or to provide independent oversight. The memorandum also mentions several Offices of Inspector General (OIGs) and the Privacy and Civil Liberties Oversight Board (PCLOB), which are the same mechanisms that failed to protect people from the NSA’s mass surveillance in the first place.

The Privacy Shield notice also includes a letter from the Office of the Director of National Intelligence (ODNI). The letter cites PPD-28 (Presidential Policy Directive-28) as limiting the US government’s surveillance efforts. It is difficult to independently verify what PPD-28 actually contains, since some portions of the directive are classified. The PPD-28 was signed by President Obama, who is no longer in office. President Trump is not required to follow PPD-28, and he can secretly overturn the directive at any time without any public notice.

The US government has no international legal obligations to enforce Privacy Shield. The Privacy Shield framework is a voluntary program, operated by the US Department of Commerce, which could be rescinded at any time. It is hard to imagine how the EU ever approved an agreement so dreadful as Privacy Shield. I cringe thinking that the EU completely lacks an understanding of the US Constitution and how the American government operates. Before ever entering another agreement with the US, the EU needs to first hire some extremely well-read American lawyers as advisors.

As it stands, the Privacy Shield framework leaves EU consumers’ personal data open to abuse, with few or no rights to recourse and redress. If the EU is serious about data protection, it should immediately suspend the Privacy Shield framework. Access to the EU market is of paramount importance to many American businesses. Using its economic leverage, the EU should pressure the US to reform its legal code to ensure better data protection.

For further reading:

GAO report on data brokers

FTC report on data brokers

Featured image: CC-BY-NC-ND, thenoodleator

Tags: Pirate Topic, Privacy, Privacy shield