
Tag: Safe Harbour

Global Internet commission: Leave crypto alone, ditch opaque algorithms

Crypto backdoors, the overuse of opaque algorithms, turning companies into law enforcement agencies, and online attacks on critical infrastructure have all been criticised by the Global Commission on Internet Governance in a new report published on Wednesday.

The body, which was set up in 2014 by UK-based Chatham House and the Canadian Centre for International Governance Innovation, has presented its 140-page One Internet report to provide "high-level, strategic advice and recommendations to policy makers, private industry, the technical community, and other stakeholders interested in maintaining a healthy Internet." It comes out in favour of strict legal controls on the aggregation of personal metadata, net neutrality, open standards, and the mandatory public reporting of high-threshold data breaches.

Along the way, it offers opinions on areas such as the sharing economy, blockchains, the Internet of Things, IPv6, and DNSSEC. The Global Commission was chaired by Carl Bildt, and consists of 29 members drawn from various fields and from around the world, including policy and government, academia, and civil society.

On the hot topic of crypto, the report says: "Governments should not compromise or require third parties to weaken or compromise encryption standards, for example, through hidden 'backdoors' into the technology as such efforts would weaken the overall security of digital data flows and transactions."

It also recognises that the aggregation of metadata poses particular challenges: "Legal thresholds for lawfully authorised access to communications data must be redefined to ensure that the aggregated collection of metadata—such as an individual’s full browsing history—are treated with the same respect for privacy as access to the actual content of a communication, and should only be made under judicial authority."

Also on the subject of privacy, the report calls for "Greater respect for the privacy of foreign citizens’ data," which it believes would weaken calls for data localisation. However, it rather optimistically goes on: "One example of this is the 2016 move by the United States and Europe to negotiate new Privacy Shield principles to replace the now defunct Safe Harbour Framework." As Ars has reported, it looks increasingly likely that the Privacy Shield framework will not provide enough respect for EU citizens' data, and that it will therefore be thrown out by the Court of Justice of the European Union in due course.

One novel aspect of the digital world discussed at some length by the report concerns the increasing use of algorithms:

The impact of algorithms on people’s lives is becoming more and more significant.

The code that operates and governs the digital economy, access to information and other online activities is increasingly used to make decisions for us and about us.

Algorithms written by corporations that operate online can decide what content receives attention and what gets ignored or censored.

Algorithms are not necessarily neutral: they incorporate built-in values and serve business models that can lead to unintended biases, discrimination or economic harm. While many people are familiar with the role of algorithms in online searches or the curation of social media timelines, their role is expanding into areas such as hiring and finance.

Employers, for example, can now access not only the type of information contained in traditional resumes, but also personal and reputational information regarding job seekers and employees.

These are data-driven insights that could be used to reduce job discrimination or to introduce new forms of it.

The increasing use of algorithms across society comes with considerable risks that the underlying data and algorithms could lead to unexpected false results, in particular when the algorithms are used for automated decision making. The Global Commission is worried that "Most of these algorithms are proprietary—leaving them immune from public scrutiny, transparency, and accountability.

This can have chilling effects on individual rights and democracy, by impacting human behaviour and opinion, and by limiting our ability to access the full range of content available to us online." However, its solution is uncharacteristically weak: it merely suggests that "governments, private sector representatives, civil society, and technologists need to come together to study their effects."

Another area where the report is concerned about the power of companies is as private enforcers of the law.

The commission writes: "Private actors should not become the enforcement arm of governments.

Any special or secret agreements between governments and private actors to restrict or limit access to Internet content, or to limit access to communication should be made transparent.
Illegal public-private cooperation should be terminated." It also believes that network operators and Internet companies should not be held liable for any illegal use of their services. One topic where the report excels concerns what it insists on calling "cyberwar" and "cyber attacks," apparently unaware that "cyber" went out of fashion in the 1990s. Recognising the difficulties of legislating on what is a global and largely uncontrollable problem, the report offers an interesting alternative approach: "Governments should shift their efforts from trying to develop treaties that limit cyber weapons, as they cannot be verified and flounder on the issue of the indivisibility of offensive and defensive code.
Instead, negotiations between governments should focus on agreeing to restrict the list of legitimate targets that can be targeted by cyber attacks." In addition: "Consistent with the recognition that parts of the Internet constitute a global public good, the commission urges member states of the United Nations to agree not to use cyber weapons against core infrastructure of the Internet." As these practical suggestions indicate, the "One Internet" report has the great merit of being unafraid of tackling extremely thorny issues that lack obvious or easy solutions. Overuse of the prefix "cyber" aside, it's a valuable contribution to many of the key debates currently underway in the digital world. This post originated on Ars Technica UK

In “an unusual move,” US government asks to join key EU...

The US government has asked to be joined as a party in the Irish High Court case between the Austrian privacy activist and lawyer Max Schrems, and the social network Facebook.
In a press release, Schrems called this "an unusual move." He told Ars that there are no documents relating to the "amicus curiae"—friend of the court—request yet. "The US government simply appeared via a barrister at the first (administrative) hearing today," he said. "They will be able to file the documents until the 22nd." Schrems speculated that the US government has made this move because it wanted to defend its surveillance laws before the European Courts. "I think this move will be very interesting," he told Ars. "The US has previously maintained that we all misunderstood US surveillance." The Court of Justice of the European Union struck down the Safe Harbour agreement between the EU and the US largely because of fears that personal data sent from the EU to the US would be subject to US surveillance without sufficient safeguards.

The latest move seems to be an attempt by the US government to convince European courts that personal data is adequately protected when it is transferred to the US. But as Schrems notes in his press release, the US government's bold approach carries risks. "Compared to diplomatic talks with the EU and EU member states, as well as public statements in the United States, it will not be protected by US laws on confidentiality and be placed under oath," he wrote. "The party that gives evidence on behalf of the US government could therefore face severe consequences, if he does not truthfully answer all questions raised on US mass surveillance." Schrems told Ars that he hopes to use this unexpected opportunity to grill the US government to the maximum. "Now they have every chance to make their point, but we also have every chance to ask questions they have previously not had to respond to." The pivotal nature of the case between Schrems and Facebook is underlined by the fact that three other organisations have also asked to be joined.

According to Schrems, "The American Chamber of Commerce, Business Software Alliance, and the Irish Business and Employers Confederation also asked to join the procedure, as these organisations’ members use the same legal basis to transfer data to the United States as Facebook." Since the invalidation of the Safe Harbour framework, many companies have turned to so-called "model contracts" as a way of ensuring that the data transfers across the Atlantic comply with EU privacy laws. However, as Schrems points out, "this shift in the legal basis does not remedy the fact that Facebook is still subject to US mass surveillance laws and programs, which the CJEU already found to be conflicting with EU law." The current action in the Irish High Court will play a major role in establishing whether that is the case, which no doubt partly explains the US government's unusual intervention. This post originated on Ars Technica UK

Adobe fined by German privacy watchdog over lifeless EU-US data transfer...

Adobe Systems took a kick to the shins from a German privacy regulator, after the software maker was found to be using the defunct Safe Harbour deal to transfer data from the European Union to the US. The fine of €8,000 was levied by the office of the Hamburg Data Protection Supervisor, an organisation known for its tough stance on outfits that it feels are breaching privacy laws.

The supervisor's office said (PDF) it carried out tests on 35 international companies to find out if they were lawfully transferring data across the pond from the EU, following a Court of Justice ruling in October that deemed the Safe Harbour pact to be invalid. Most of the firms eyeballed had complied by changing their data transfer mechanisms within a few months of the top court's decision, Hamburg's privacy regulator said. But Adobe—along with two other corporations—failed to act in time. "The data transfer operations of these companies in the US [were] made so illegally," the German watchdog said.

The Photoshop software maker has since put the correct mechanisms in place by bringing in standard contractual clauses. However, such clauses could yet be restricted by data regulators in the EU. Hamburg privacy commissioner Johannes Caspar noted that serious doubts remained about the so-called Privacy Shield—which is Safe Harbour's proposed replacement. This post originated on Ars Technica UK

Runkeeper background tracking leads to complaint from privacy watchdog

This story was written by Jennifer Baker.

FitnessKeeper—the US-based outfit behind fitness app Runkeeper—will be hit with a complaint from the Norwegian Consumer Council on Friday morning, after it was found to have breached European data protection law. The council argues that the Android version of the app tracks users and transmits personal location data to a third party in the United States, even when not in use.

The move comes following an investigation into 20 apps’ terms and conditions conducted by Norway's consumer watchdog earlier this year. "We checked the apps technically, to see the data flows and to see if the apps actually do what they say they do," the council’s digital policy director Finn Myrstad told Ars. "Everyone understands that Runkeeper tracks users while they exercise, but to continue after the training has ended is not okay. Not only is it a breach of privacy laws, we are also convinced that users do not want to be tracked in this way, or for information to be shared with third party advertisers." Myrstad added: "It is clear that Runkeeper needs to have a good think about how it treats users' data and privacy."

As a result of its investigation, the consumer rights watchdog has already reported dating app Tinder to Norway's data protection authority, accusing it of privacy breaches.

Elsewhere, dating app Happn has been reported to France's data regulator. Now, Norway's consumer council wants the DPA to take action over what it claims are multiple breaches of privacy.

The council said that its investigation had uncovered numerous unfair practices, including a lack of clarity in what Runkeeper defines as "personal data," failure to delete personal information when an account is closed, and the right to update the privacy policy at any time without prior notice. "Runkeeper also requests unreasonably wide-ranging permissions compared with the access actually needed to deliver the service. We have also noted that many apps, Runkeeper included, demand the perpetual right to the user’s content, which includes a licence to share the user’s content to unspecified third parties," said Myrstad.

FitnessKeeper—an American company based in Massachusetts—had not been registered under the now defunct Safe Harbour programme.
It was found to be transferring location data to Kiip.me, a major advertiser in the US, even when the mobile phone was idle for a period of 48 hours, according to Norway's consumer council. Sanctions the Norwegian data protection authority may be able to impose on FitnessKeeper—if it does uphold the complaint—are limited, however, because the Runkeeper app maker has no European subsidiaries. Nonetheless, Myrstad told Ars that it was worth pursuing the principle.
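The council's finding above rests on comparing observed network traffic with when the app was actually in use. The following is an added example of how a practitioner might automate that comparison; it is not the council's tooling and not code from Ars or FitnessKeeper. The flow log, the foreground-session intervals, the host names (`.test` domains), and the five-minute grace period after a workout are all constructed for illustration; only the structure of the check (third-party destination plus no recent foreground use) reflects what the article describes.

```python
from datetime import datetime, timedelta

# Constructed sample data, not captured from any real device or app:
# one line per outbound connection from the device
# (timestamp app destination_host bytes payload_kind), and the intervals
# during which the user had the app open in the foreground.
FLOW_LOG = """\
2016-05-10T07:00:12Z runkeeper api.example-firstparty.test 1024 location
2016-05-10T07:31:40Z runkeeper cdn.example-firstparty.test 512 tiles
2016-05-10T07:32:05Z runkeeper ads.example-thirdparty.test 300 location
2016-05-10T23:15:00Z runkeeper ads.example-thirdparty.test 280 location
2016-05-12T06:58:30Z runkeeper ads.example-thirdparty.test 290 location
2016-05-12T07:20:00Z runkeeper api.example-firstparty.test 2048 upload
"""

FOREGROUND_SESSIONS = [  # assumed: taken from a screen/usage log on the device
    ("2016-05-10T07:00:00Z", "2016-05-10T07:32:00Z"),
    ("2016-05-12T07:15:00Z", "2016-05-12T07:45:00Z"),
]

# Assumed: hosts operated by the app vendor itself; anything else is third party.
FIRST_PARTY = {"api.example-firstparty.test", "cdn.example-firstparty.test"}

# Allow a final sync shortly after the workout ends before calling it background traffic.
GRACE = timedelta(minutes=5)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(text):
    """Turn the whitespace-separated flow log into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, host, nbytes, kind = line.split()
        flows.append({"ts": parse_ts(ts), "app": app, "host": host,
                      "bytes": int(nbytes), "kind": kind})
    return flows


def parse_sessions(pairs):
    return sorted((parse_ts(a), parse_ts(b)) for a, b in pairs)


def idle_since_last_session(ts, sessions, grace):
    """0 if ts falls inside a foreground session (plus grace); otherwise the
    seconds since the most recent session ended; None if no session precedes ts."""
    last_end = None
    for start, end in sessions:
        if start <= ts <= end + grace:
            return 0
        if end <= ts and (last_end is None or end > last_end):
            last_end = end
    if last_end is None:
        return None
    return int((ts - last_end).total_seconds())


def flag_background_transfers(flow_text, session_pairs, first_party, grace=GRACE):
    """Return third-party flows sent while the app had not been used for a while.
    Flows to first-party hosts are ignored; flows with no earlier session are
    left out because idle time cannot be computed for them."""
    sessions = parse_sessions(session_pairs)
    flagged = []
    for f in parse_flows(flow_text):
        if f["host"] in first_party:
            continue
        idle = idle_since_last_session(f["ts"], sessions, grace)
        if idle:  # None (no prior use) and 0 (in use or within grace) are not flagged
            flagged.append({**f, "idle_seconds": idle})
    return flagged


def transfers_by_host(flagged):
    counts = {}
    for f in flagged:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in flag_background_transfers(FLOW_LOG, FOREGROUND_SESSIONS, FIRST_PARTY):
        print(f"{f['ts'].isoformat()} {f['kind']} -> {f['host']} "
              f"({f['idle_seconds'] / 3600:.1f} h after last foreground use)")
```

The grace period matters: a location upload a few seconds after the workout screen closes is expected behaviour, while the same payload to an advertising host many hours later is the pattern the council objected to. In practice the foreground intervals would come from the device's usage log and the first-party host list from the app's own documented endpoints.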

NHS assesses Microsoft Office 365 licensing

A licensing framework set up by Guy's and St Thomas' NHS Foundation Trust is attempting to establish a software asset management (SAM) network for rolling out products such as Office 365 across the NHS.

Even though it is approved for government, Microsoft's Office 365 cloud-based software suite is only certified to IL2 (Impact Level 2), which means public sector organisations that wish to share information with other departments at IL3 or above are unable to use it.

"When looking at Office 365, it is not a case of can we use it or should we use it, it is a case of how we use it, because there is the question of whether it is accredited," said Andy Hill, SAM manager at Guy's and St Thomas' NHS Foundation Trust, speaking at the Gartner IT Financial, Procurement & Asset Management Summit in London.

"In the public sector, there are certain rules we need to follow," he said. "Office 365 is accredited for government up to IL2, while some of us need IL3 and IL4. The question is, how does that work?"

According to Hill, Adobe is in exactly the same place: "Adobe runs its Creative Cloud on AWS, which is not accredited for the public sector." He has also tasked a technology law firm with assessing the Safe Harbour privacy agreement between the EU and the US.

Managing software assets across the NHS

Hill recently invited representatives from Microsoft, the Cabinet Office and the Department of Health to tour the hospital. "We showed Microsoft a qualified device, an industry device," he said. These are the terms of reference Microsoft uses to license Office 365. "We explained that there was a cost involved in licensing the device. How can we justify this licence fee?"

Another issue with the licensing of Office 365, according to Hill, is that NHS consultants work across many trusts. Microsoft's licensing terms, he said, stipulate that each organisation must have one licence of Office 365. "This is madness. You have just paid for that consultant’s Office 365 licence six, seven or 10 times over," he said.

Licensing Microsoft software is one of the problem areas that Hill is hoping to address through the Essentia SAM Network, an organisation wholly owned by Guy's and St Thomas' and set up to act as a separate business to generate revenue.

Hill is one of only two people in the whole NHS whose role is dedicated to SAM. He said the task of tracking software assets in the NHS is huge, given it is one of the largest employers in the world, with 1.3 million staff. There is also the added problem of mergers and acquisitions involving primary care trusts, GPs and commissioning support units, he said: "Where do the licences go when the organisation [which acquired them] no longer exists?"

NHS needs software licensing standards

"We have legal entities that can own licences, and we also have brands which hold funds and want to buy licences with the money they hold. When you scale up to the whole NHS, licensing poses interesting challenges," said Hill.

Licensing is also made more complicated because some software licences are acquired through government procurement frameworks. The NHS must also abide by EU legislation, which requires NHS bodies to approach three to four organisations for quotes. "We get to see four quotes for the same thing," said Hill. "It is quite scary when one comes in significantly less or more."

It is more important, according to Hill, to validate licence quotes. "Look at reseller quality, transparency and visibility. Know what you are paying for – value is not about quibbling over pennies and pounds."

According to Hill, some trusts buy from a reseller because they do not have a dedicated Microsoft account manager. "We want to do things differently. There is a massive benefit, from a licensing perspective," he said.

Hill hopes the approach Essentia takes to developing standards for SAM can be scaled up, allowing the NHS to benefit from economies of scale and best practices. "It is about making policies part of the DNA of the day job," he said. "Our vision is to centralise what we do, work with partners so we talk to Microsoft's public sector lead rather than a Microsoft account manager, which means a completely different approach and benefits through economies of scale," said Hill. "Let's not reinvent the wheel, let's not spend the money on policies and processes we don't absolutely need, and let's not spend that money 400 times over." Hill said the aim of the Essentia SAM network is to use its scale to influence and inform Microsoft.

Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com RELATED CONTENT FROM THE TECHTARGET NETWORK

Privacy group calls for halt of EU-US Safe Harbour agreement

A US consumer protection and privacy organisation has called for the suspension of the EU-US Safe Harbour agreement covering the transfer of citizens’ data from Europe to the US. The Center for Digital Democracy (CDD) said the programme should be halted pending an investigation by the US Federal Trade Commission (FTC).

A complaint filed by the CDD called for the investigation of 30 US companies involved in data profiling and online targeting for allegedly failing to adhere to Safe Harbour rules. These include Adobe and Salesforce.com. The group of companies includes data brokers that have compiled sensitive information on individual consumers; providers of data management platforms that allow their corporate clients to analyse their own consumer information and combine it with outside data sources to produce detailed marketing insights; and mobile marketers that track devices and tie them to user profiles to identify the most profitable consumers for personalised advertising.

The complaint comes as the US and EU wind up negotiations to revise the Safe Harbour programme in response to a call by members of the European Parliament. The call was triggered by concerns over revelations of US National Security Agency (NSA) spying made by whistleblower Edward Snowden.

The CDD complaint alleges that dozens of US companies are failing to provide accurate and meaningful information to EU consumers on how to opt out and about what data is actually collected. Many of these companies are using and sharing EU consumers’ personal information without their consent, in violation of the Safe Harbour framework, the complaint said.

The Safe Harbour agreement relies on a voluntary self-certification process that is supposed to be overseen by the US Department of Commerce. But according to the CDD complaint, there is a lack of oversight by the Department of Commerce and a lack of enforcement by the FTC to ensure that EU consumers’ privacy rights are respected.

“The US is failing to keep its privacy promise to Europe,” said Jeff Chester, CDD’s executive director. “Instead of ensuring that the US lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC,” he said.

According to Chester, the big data-driven companies cited in the complaint use Safe Harbour as a shield to further their information-gathering practices without serious scrutiny. “Companies are relying on exceedingly brief, vague or obtuse descriptions of their data collection practices, even though Safe Harbour requires meaningful transparency and candour,” he said. The CDD investigation, he said, found that many of the companies are involved with several data broker partners which, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online.

Hudson Kingston, CDD legal director, said the complaint described the “systemic failure” of the Safe Harbour framework to function as it was intended. “Safe Harbour has to be overhauled to make sure it actually works; until that time, it should be suspended,” he said.

Chester said the US and EU are currently negotiating a trade agreement that will enable US companies to gather even more data on Europeans. “Reform of Safe Harbour is urgently required before it becomes a ‘get out of protecting privacy’ card used by US firms under the coming Transatlantic Trade and Investment Partnership,” he said.

The complaint's findings:

1. The failure of Safe Harbour declarations and required privacy policies to provide accurate and meaningful information to EU consumers.
2. A lack of candour from the companies about the nature of their data collection, including their networks of data broker partners and corporate affiliations.
3. The general failure to provide meaningful opt-out mechanisms that EU consumers can find and use to remove themselves fully from data collection and processing.
4. The myth of “anonymity” at a time when marketers – armed with vast amounts of details about consumers – do not need to know an individual’s name to be able to track and target them online.
5. The false claim made by several companies named in the complaint that they act as “data processors” on behalf of others, when in fact they play a central role in data-driven services for profiling and targeting.

Top European court to rule on NSA Facebook data privacy challenge

Europe’s top court is to rule on a case that seeks to force data protection authorities to investigate allegations that Facebook passes personal data to the US National Security Agency. The case, brought by Austrian privacy campaigner Max Schrems, was referred to the European Court of Justice (ECJ) in Luxembourg by the high court in Dublin.

Schrems took the case to the high court after Ireland’s Data Protection Commissioner dismissed his application for an audit of the data that whistleblower Edward Snowden alleges Facebook passes to the NSA. The Irish data protection watchdog said there were no grounds for an investigation, because Facebook's data exportation is covered by the Safe Harbour agreement. The Safe Harbour framework provides a means for US companies to transfer personal data from the EU to the US that meets EU data protection requirements.

Schrems argued that, when Facebook collects user data and exports it to the US, it is giving the NSA the opportunity to use the data for mass surveillance of personal information without probable cause. Referring the case to the ECJ, judge Desmond Hogan said evidence suggested that personal data was routinely accessed on a "mass and undifferentiated basis" by the NSA, reports the Guardian. Hogan adjourned the case in Ireland while the ECJ considers whether Ireland's Data Protection Commissioner is bound by the Safe Harbour agreement.

Constitutional decision

Hogan has also asked the ECJ to rule on whether an investigation can be launched in Ireland in response to Snowden’s revelations of mass internet surveillance by the NSA. He said Facebook users should have their privacy respected under the Irish constitution. He said that, for such interception of communications to be constitutionally valid, it would be necessary to demonstrate that it was justified in the interests of the suppression of crime and national security, and was attended by the appropriate and verifiable safeguards.

Schrems welcomed the Irish high court’s decision. "We expected to win it in Ireland, but having a European ruling on it is more than we could have asked for,” he said.

UK surveillance policy

The referral of the case comes as a challenge by privacy groups forced top UK counter-terrorism official Charles Farr to reveal a secret government policy justifying mass surveillance of Facebook, Twitter, YouTube and Google users in the UK. Farr, the director general of the Office for Security and Counter Terrorism, said in a witness statement that the surveillance is permitted under the law because communications via US-based online services are defined as “external communications”. Farr’s statement comprises the UK government's first explanation as to how it considers it legal to intercept communications through its Tempora programme, which Snowden alleges is closely allied to the NSA’s Prism surveillance programme.

Infosec 2014: Act now, but no new EU data protection law...

Expect new European Union (EU) data protection law to be enacted in 2017 at the earliest, said David Smith, deputy commissioner at the Information Commissioner’s Office. “But, get your house in order now under the current law, to ensure you are ready for the coming changes, because the principles are not very different,” Smith told attendees of Infosecurity Europe 2014 in London. By acting now, UK businesses can ensure they will not face huge challenges in future, said Smith.

Giving an update on the process of issuing new laws, based on the draft EU Data Protection Regulation, he said there had been some progress in the past year, but it had been at a “snail’s pace”. Smith said that, while the European Parliament had agreed on a version of the proposed regulation, members of the European Council were still working on theirs. “Optimists hope that the European Council will reach agreement on the matter by June 2014,” said Smith.

Enacting final text

The next step in the process is to hammer out a final text, agreed by the European Parliament, the European Council and the European Commission (EC), which proposed the original draft in 2012. Smith does not expect the tripartite negotiations to get underway before December 2014, which means the legislation is likely to be passed in 2015, followed by a two-year period of preparation for enactment.

“In this time the data protection laws in the EU member states will have to be replaced with the new EU laws and each data protection authority will need to prepare for a new way of working,” said Smith. “The ICO will also have a big job to prepare guidance for UK companies on what they should prioritise to ensure they can comply with the new laws once they are enacted.” Smith said the current data protection directive took five years to get turned into law, which suggests it will take at least another two years before the proposed regulation reaches completion.

Start preparation now

But he emphasised that there is no need to wait, and UK businesses should start preparing now, according to the “direction of travel” of the proposed legislation. The top priority should be around the principle of obtaining explicit consent from people to gather and use their personal data, he told Computer Weekly. “Businesses that plan to collect information that will require explicit consent must ensure that, in all their processes, it is very clear what data is being collected and for what purpose,” said Smith. “It is important that the consent to collect data and use it for a specific purpose is prominent and not tucked away somewhere in a user agreement.”

Data breach notification

The next priority for UK businesses is to ensure they have a system in place for dealing with data breaches, and this should include processes for notifying anyone affected by a breach. Data breach notification is likely to become compulsory for all companies in the EU, so UK companies should look at what processes they have in place, said Smith. “If a company does not yet have any data breach notification process, they are lagging behind and risk incurring penalties if they are not ready by the time the new laws are enacted,” he said.

Culture of privacy

The third priority is to create a company culture where privacy is taken into account in every business activity and new processes are designed with privacy in mind. “Businesses should think about things like necessary data retention periods because, if privacy is not part of the design from the start, it is typically much more difficult to fix in response to complaints,” said Smith. The approach to retention is not expected to change. Organisations should ensure that personal data is not retained any longer than necessary for the purpose it was originally collected. For future data analysis purposes, only anonymised or pseudonymised data should be used, said Smith.

“Businesses should not rush products and services to market without thorough testing, and they should listen to their privacy advisors before giving in to pressures from the marketing department,” he said.

Balancing enforcement and guidance

Looking to the future, Smith expressed the hope that the final version of the revised data protection regulation is not highly prescriptive, nor too focused on enforcement. “There are different cultures and legal traditions in Europe, so hopefully there will be enough wriggle room for each member state to allow for local sensitivities,” he said. If there is too much focus on enforcement, the ICO is concerned that its educational and guidance activities may have to be curtailed. The ICO recently published a code of practice on privacy impact assessments and plans to publish guidelines about online security soon, to pass on learning from the mistakes of others. Smith said the ICO hopes that, under the new regulation, the UK will be able to make “sensible laws” that will not place “unnecessary burdens” on businesses.

Powers to chase the 'crooks'

The ICO is hoping for additional powers that will enable it to go after the “charlatans” and “crooked individuals” who “never pay up” and simply re-open for business under a new name, he said. “The ICO is no longer a ‘toothless tiger’ and we have used our new powers to good effect, but more imaginative powers are needed such as the ability to impose periods of mandatory audits,” he said.

Smith said he believes the controversial Safe Harbour agreement does have a future, but only with tighter data protection assurances after it is revised in line with an EC review. “One of the biggest problems is the element of self-attestation because, in its current form, the system provides no way of checking or verifying that companies are abiding by the rules,” said Smith. The EC has submitted proposals for improvements to the Safe Harbour agreement. He said the US is working on those and a response is expected soon.

Civil Liberties Committee calls for tighter data protection for EU, following...

The preliminary conclusions of an inquiry by the European Parliament Civil Liberties Committee into the surveillance of EU citizens by the US National Security Agency (NSA), presented to members of European Parliament (MEPs), call for political and technology changes. The draft conclusions call for an EU cloud and proper analysis of the use of open source software, as well as political signals from the US that it understands the difference between allies and adversaries. The conclusions presented to MEPs by committee lead Claude Moraes said Parliament’s technical capabilities and options should be properly assessed, including the possible uses of open source software, cloud storage and greater use of encryption technologies. “Any of this data stored in US companies' clouds can potentially be accessed by the NSA.

An EU cloud would ensure that companies apply the high standards of EU data protection rules, and there is also a potential economic advantage for EU businesses in this field," he said. There were suggestions that changes should also be made to trade deals between Europe and the US to better protect citizen data. “We need to ensure that strong data privacy protections are achieved separately from the Transatlantic Trade and Investment Partnership (TTIP),” said Moraes. For example, the committee said the European Commission should suspend the Safe Harbour principles regarding data protection standards that US companies should meet when transferring EU citizens’ data to the US, and instead negotiate new, appropriate data protection standards. It also urged the EU’s executive arm to suspend the Terrorist Finance Tracking Programme (TFTP) deal with the US until a “thorough investigation is carried out to restore trust in the agreement.” In October, members of the European Parliament passed a resolution calling for the suspension of an EU agreement with the US that allows US authorities to monitor financial transactions on the Society for Worldwide Interbank Financial Telecommunications (Swift). MEPs can table amendments to the draft resolution. It will be put to the vote by the Civil Liberties Committee at the end of January 2014 and Parliament as a whole on 24-27 February.

EU calls on US to rebuild trust in post-Snowden era

The European Commission has called on the US to provide guarantees to restore trust in the wake of revelations of mass internet surveillance by whistleblower Edward Snowden. Until now, trust has relied on the Safe Harbor Privacy Principles designed to ensure US companies respect EU citizens’ right to protection of personal data. But in the light of the Snowden revelations this year of spying on EU citizens, companies and leaders, the EC wants further guarantees and processes to rebuild trust. Mass internet surveillance by US and UK intelligence agencies violated European law, according to a study by two academics presented to the European Parliament earlier this month. The academics said MEPs should push EU countries to draft a "professional code for the transnational management of data". They also called for a permanent body to oversee intelligence matters, and new EU laws to protect whistleblowers and prevent internet firms giving data to intelligence agencies. According to EU Justice Commissioner Viviane Reding, citizens need to be reassured that their data is protected, and companies need to know existing agreements are respected and enforced. In the past 13 years, more than 3,200 companies have signed up to Safe Harbor, which limits what they can do with data transferred outside the EU, how long they can hold it, and to whom it can be transferred. The principles also give individuals the right to access personal information about them and ask for it to be corrected or deleted if it is inaccurate. Now the EC wants EU citizens to be given the right to judicial redress if a US company breaks the rules, and it wants to be able to fine companies up to 5% of their worldwide turnover, according to the BBC. In recent weeks, the EC has also raised concerns that some of the US businesses that had self-certified their compliance are not following the rules. 
The European Parliament also recently passed a resolution calling for the suspension of an EU agreement with the US that allows US authorities to monitor financial transactions on the Society for Worldwide Interbank Financial Telecommunications (Swift) network. MEPs want the Terrorist Finance Tracking Program (TFTP) suspended while Snowden’s allegations that the National Security Agency (NSA) tapped the Swift network are investigated. In the latest move, the EC has called for the introduction of 13 new measures, including that: Self-certified companies must publicly disclose their privacy policies; Self-certified companies must include the privacy conditions in any contract with subcontractors; A still-to-be agreed percentage of the companies should be investigated for compliance regularly; If a company is found to be breaching the rules, it should face a follow-up probe one year later; Companies should alert their customers to the fact that their data might be accessed by overseas authorities, including law enforcement agencies. The commission said it would take a decision on whether the Safe Harbour scheme could continue to operate once it had seen the US response.

Google climbs into bed with JANET, as new educational ICT infrastructure...

Google Education today announced an agreement with JANET - the organisation that provides networking services to the UK education sector - to work from a standardised framework contract when supplying Google Apps for Education. JANET, which is part of the Jisc group educational charity, has said that it sees a distinct advantage for educational institutions that "did not have the time nor resources to explore and understand contractual complexities of cloud security, data and protection".  The education body's CEO, Tim Marshall, urged educators to be "in bed with" the web services giant. Liz Sproat, head of education for EMEA at Google, said Tuesday, at the company's unveiling of the deal at its London offices, that the agreement should allow educators to "move forward with confidence". A representative of a London higher education institution told Computing that they were "impressed" with the collaboration, and said they felt, as a current Google Apps for Education customer, that the framework would make signing a new contract "significantly easier". Potential benefits to universities include saving time and money on hiring lawyers to check the small print on matters such as data privacy. Bearing in mind Google's chequered past in terms of data privacy, having been accused - and taken to court - on matters ranging from Google Mail ad-skimming to SEO-fixing in search results, Computing asked the University of Sheffield's CIO, Christine Sexton, whether the new agreement now meant Google could be trusted. "We do.

And our contract is already pretty watertight with them," said Sexton. "To be honest, I think there are some parts of the press that like to Google-bash a bit. I'd say that when there was a lot [of US Patriot Act protocol] being talked about a few years ago, Google was very open about saying, ‘We don't know where your data's stored; we know it's fragmented all over the place. We're not denying it's not going out of Europe, but we will guarantee it's stored under the following contractual obligations, safe harbour etc. I actually asked the ICO about it and they said ‘Yes, of course we are'," said Sexton. While Google promises not to share or use any data it holds on its Apps for Education customers with third parties, or use it for any kind of marketing, the question of what Google has to gain from its 25 million users is still up for debate. Sexton believes the company simply wants "exposure". "In Sheffield, they get 25,000 students who are all going to graduate and go off into the big wide world and get jobs," Sexton told Computing. "And I imagine Google hopes they will either stick with using Google Apps personally - and by then it won't be free - or they'll go into an enterprise and ask ‘Why haven't you got Google apps - it's brilliant'." JANET CEO Tim Marshall described how, in the past, there was "an incredible reticence of the partnership that exists between education and the commercial world". "There was an element of suspicion, lack of trust and, at its very worst, a thought from the commercial sector that we were the great unwashed, and they should just screw as much out of us as they can." Marshall said that he'd long "had a vision for a day like this", and said he believed the collaboration between Google and JANET would make passage to the cloud safer, especially for those who had their doubts and were holding back. 
"It could be more risky to stay where you are; staying in-house could be riskier," he said, asking educators: "[Google] is an innovative company. Don't you want to be in bed with them?"

Europe threatens to pull out of US data-sharing deal over NSA...

The European Parliament is threatening to pull out of a deal that allows US authorities access to European financial payment networks for tracking terrorist funding, as a result of the revelations about US internet surveillance. The US National Security Agency (NSA) stands accused of unauthorised tapping into the Swift network used for international bank transfers, based on documents leaked by whistleblower Edward Snowden. The European Union (EU) and the US have an agreement called the Terrorist Finance Tracking Programme (TFTP) that allows the US government to request data from Swift to investigate links to terrorism finance.

The agreement stipulates limits to how the US can use that data. MEPs at an inquiry held by the European Parliament’s Civil Liberties Committee heard the US has yet to give “satisfactory replies” to EU concerns about Edward Snowden's allegations. Home affairs commissioner Cecilia Malmström said she wrote to US Treasury undersecretary David Cohen on 12 September. “I am not satisfied with the answers I got so far," Malmström said. MEPs agreed that suspending the TFTP deal is a possibility. "For me the TFTP agreement is effectively dead. It is null and void," said Dutch MEP Sophie in't Veld. "Approving an international agreement is like signing a blank check.

The only reason I had to support it no longer exists." But other contributors to the inquiry pointed out there is still no concrete evidence to substantiate Snowden's claims of the NSA snooping on Swift. "We simply have no evidence of the US being in breach of the TFTP agreement, so we cannot confirm or deny any of these allegations," said Rob Wainwright, director of the European police agency Europol. Blanche Petre, general counsel for Swift added: "We have no reason to believe there has been an unauthorised access to our data.” Earlier this week, a briefing report produced for the European Parliament to support the inquiry recommended some drastic measures to put pressure on the US over alleged NSA surveillance. The report suggested all existing data-sharing agreements between Europe and the US should be revoked, and US website providers should be forced to prominently inform European citizens their data may be subject to government surveillance. The report, written by British privacy expert Caspar Bowden, said recent revelations show existing regulations such as Safe Harbour – that allow US firms to process EU data outside EU borders – are no longer sufficient. Swift has headquarters in Belgium and provides a network that sends millions of financial transaction messages every day across 209 countries. It is used by more than 8,000 finance firms.