I. Summary of key findings

***David Guyatt*** · 09-04-2014, 09:22 AM

Quote:Edward Snowden: US government spied on human rights workers

Whistleblower tells Council of Europe NSA deliberately snooped on groups such as Human Rights Watch and Amnesty International

Luke Harding

The Guardian, Tuesday 8 April 2014 16.49 BST

Edward Snowden speaks via video link with members of the Council of Europe, in Strasbourg. Photograph: Vincent Kessler/Reuters

The US has spied on the staff of prominent human rights organisations,Edward Snowden has told the Council of Europe in Strasbourg, Europe's top human rights body.
Giving evidence via a videolink from Moscow, Snowden said the National Security Agency for which he worked as a contractor had deliberately snooped on bodies like Amnesty International and Human Rights Watch.
He told council members: "The NSA has specifically targeted either leaders or staff members in a number of civil and non-governmental organisations â€¦ including domestically within the borders of the United States." Snowden did not reveal which groups the NSA had bugged.
The assembly asked Snowden if the US spied on the "highly sensitive and confidential communications" of major rights bodies such as Amnesty and Human Rights Watch, as well as on similar smaller regional and national groups. He replied: "The answer is, without question, yes. Absolutely."
Snowden, meanwhile, dismissed NSA claims that he had swiped as many as 1.7m documents from the agency's servers in an interview with Vanity Fair. He described the number released by investigators as "simply a scare number based on an intentionally crude metric: everything that I ever digitally interacted with in my career."
He added: "Look at the language officials use in sworn testimony about these records: 'could have,' 'may have,' 'potentially.' They're prevaricating. Every single one of those officials knows I don't have 1.7m files, but what are they going to say? What senior official is going to go in front of Congress and say, 'We have no idea what he has, because the NSA's auditing of systems holding hundreds of millions of Americans' data is so negligent that any high-school dropout can walk out the door with it'?"
In live testimony to the Council of Europe, Snowden also gave a forensic account of how the NSA's powerful surveillance programs violate the EU's privacy laws. He said programs such as XKeyscore, revealed by the Guardian last July, use sophisticated data mining techniques to screen "trillions" of private communications.
"This technology represents the most significant new threat to civil liberties in modern times," he declared.
XKeyscore allows analysts to search with no prior authorisation through vast databases containing emails, online chats, and the browsing histories of millions of individuals.
Snowden said on Tuesday that he and other analysts were able to use the tool to select an individual's metadata and content "without judicial approval or prior review".
In practical terms, this meant the agency tracked citizens not involved in any nefarious activities, he stressed. The NSA operated a "de facto policy of guilt by association", he added.
Snowden said the agency, for example, monitored the travel patterns of innocent EU and other citizens not involved in terrorism or any wrongdoing.
The 30-year-old whistleblower who began his intelligence career working for the CIA in Geneva said the NSA also routinely monitored the communications of Swiss nationals "across specific routes".
Others who fell under its purview included people who accidentally followed a wrong link, downloaded the wrong file, or "simply visited an internet sex forum". French citizens who logged on to a suspected network were also targeted, he said.
The XKeyscore program amounted to an egregious form of mass surveillance, Snowden suggested, because it hoovered up data from "entire populations". Anyone using non-encrypted communications might be targeted on the basis of their "religious beliefs, sexual or political affiliations, transactions with certain businesses" and even "gun ownership", he claimed.
Snowden said he did not believe the NSA was engaged in "nightmare scenarios", such as the active compilation of a list of homosexuals "to round them up and send them into camps". But he said that the infrastructure allowing this to happen had been built. The NSA, its allies, authoritarian governments and even private organisations could all abuse this technology, he said, adding that mass surveillance was a "global problem". It led to "less liberal and safe societies", he told the council.
At times assembly members struggled to follow Snowden's rapid, sometimes technical delivery. At one point the session's chairperson begged him to slow down, so the translators could catch up.
Snowden also criticised the British spy agency GCHQ. He cited the agency's Optic Nerve program revealed by the Guardian in February. It was, he said, one of many "abusive" examples of state snooping. Under the program GCHQ bulk collects images from Yahoo webcam chats. Many of these images were "intensely private" Snowden said, depicting some form of nudity, and often taken from the "bedrooms and private homes" of people not suspected of individualised wrongdoing. "[Optic Nerve] continued even after GCHQ became aware that the vast majority had no intelligence value at all," Snowden said.
Snowden made clear he did believe in legitimate intelligence operations. "I would like to clarify I have no intention to harm the US government or strain [its] bilateral ties," he asserted, adding that he wanted to improve government, not bring it down.
The exiled American spy, however, said the NSA should abandon its electronic surveillance of entire civilian populations. Instead, he said, it should go back to the traditional model of eavesdropping against specific targets, such as "North Korea, terrorists, cyber-actors, or anyone else."
Snowden also urged members of the Council of Europe to encrypt their personal communications. He said that encryption, used properly, could still withstand "brute force attacks" from powerful spy agencies and others. "Properly implemented algorithms backed up by truly random keys of significant length â€¦ all require more energy to decrypt than exists in the universe," he said.
The international organisation defended its decision to invite Snowden to testify. In a statement on Monday, it said: "Edward Snowden has triggered a massive public debate on privacy in the internet age. We hope to ask him what his revelations mean for ordinary users and how they should protect their privacy and what kind of restrictions Europe should impose on state surveillance."
The council invited the White House to give evidence but it declined.
In the Vanity Fair interview the whistleblower said he paid the bill in the Mira Hotel using his own credit card because he wanted to demonstrate he was not working for a foreign intelligence agency. "My hope was that avoiding ambiguity would prevent spy accusations and create more room for reasonable debate," he told the magazine. "Unfortunately, a few of the less responsible members of Congress embraced the spy charges for political reasons, as they still do to this day."
The NSA says Snowden should have brought his complaints to its own internal oversight and compliance bodies. Snowden, however, insisted he did raise concerns formally, including through emails sent to the NSA's lawyers. "I directly challenge the NSA to deny that I contacted NSA oversight and compliance bodies directly via email," he stated.

.

***Peter Lemkin*** · 09-04-2014, 09:40 AM

The cumulative leaks are really devastating, if not surprising [to those of us following such things]...what I can't understand is there not being a huge outcry from the People, who now must consist only of frightened Sheeple....

Albert Doyle · 09-04-2014, 03:51 PM

Those people have been neutralized and don't exist. To place the definition of noble democracy on the American people is like putting a silk jacket on a pig. America is a delusion and truth is there's no excess or betrayal the US government could commit that would draw the displeasure of the American public to any significant degree. They are the idiotic mob you see on TV.

The bigger picture of the freedom fighter Snowden having to appear on a screen because of the threat of the military fascist American government should clue people to the score.

***David Guyatt*** · 04-05-2014, 07:32 AM

In light of all the revelations, I would've thought it almost impossible to argue in favour of continuing intelligence collection as is. And so it turned out.

But a debate like this suggests that the subject has been moved into the background eh?

Quote:Everyone is under surveillance now, says whistleblower Edward Snowden

People's privacy is violated without any suspicion of wrongdoing, former National Security Agency contractor claims

Associated Press

theguardian.com, Saturday 3 May 2014 06.27 BST

Jump to comments (822)

Edward Snowden joined a debate on surveillance, by video link from Russia. Photograph: Sunshinepress/Getty Images

The US intelligence whistleblower Edward Snowden has warned that entire populations, rather than just individuals, now live under constant surveillance.

"It's no longer based on the traditional practice of targeted taps based on some individual suspicion of wrongdoing," he said. "It covers phone calls, emails, texts, search history, what you buy, who your friends are, where you go, who you love."

Snowden made his comments in a short video that was played before a debate on the proposition that surveillance today is a euphemism for mass surveillance, in Toronto, Canada. The former US National Security Agency contractor is living in Russia, having been granted temporary asylum there in June 2013.

The video was shown as two of the debaters the former US National Security Administration director, General Michael Hayden, and the well-known civil liberties lawyer and Harvard law professor, Alan Dershowitz argued in favour of the debate statement: "Be it resolved state surveillance is a legitimate defence of our freedoms."
Opposing the motion were Glenn Greenwald, the journalist whose work based on Snowden's leaks won a Pulitzer Prize for the Guardian last month, and Alexis Ohanian, co-founder of the social media website Reddit.
The Snowden documents, first leaked to the Guardian last June, revealed that the US government has programs in place to spy on hundreds of millions of people's emails, social networking posts, online chat histories, browsing histories, telephone records, telephone calls and texts "nearly everything a typical user does on the internet", in the words of one leaked document.

Greenwald opened the debate by condemning the NSA's own slogan, which he said appears repeatedly throughout its own documents: "Collect it all."

"What is state surveillance?" Greenwald asked. "If it were about targeting in a discriminate way against those causing harm, there would be no debate.

"The actual system of state surveillance has almost nothing to do with that. What state surveillance actually is, is defended by the NSA's actual words, that phrase they use over and over again: 'Collect it all.' "
Dershowitz and Hayden spent the rest of the 90 minutes of the debate denying that the pervasive surveillance systems described by Snowden and Greenwald even exist and that surveillance programs are necessary to prevent terrorism.
"Collect it all doesn't mean collect it all!" Hayden said, drawing laughter.
Greenwald sparred with Dershowitz and Hayden about whether or not the present method of metadata collection would have prevented the terrorist attacks on 11 September, 2011.
While Hayden argued that intelligence analysts would have noticed the number of telephone calls from San Diego to the Middle East and caught the terrorists who were living illegally in the US, Greenwald argued that one of the primary reasons the US authorities failed to prevent the attacks was because they were taking in too much information to accurately sort through it all.
Before the debates began, 33% of the audience voted in favour of the debate statement and 46% voted against. It closed with 59% of the audience siding with Greenwald and Ohanian.

***Peter Lemkin*** · 06-05-2014, 07:30 AM

Report: https://www.privacyinternational.org/rep...y-findings

Surveillance Monitor 2007 - International country rankings

Chapter:

I. Summary of key findings

(Please note that "worst ranking" and "lowest ranking" denotes countries that exhibit poor privacy performance and high levels of surveillance.

The 2007 rankings indicate an overall worsening of privacy protection across the world, reflecting an increase in surveillance and a declining performance o privacy safeguards.
Concern over immigration and border control dominated the world agenda in 2007. Countries have moved swiftly to implement database, identity and fingerprinting systems, often without regard to the privacy implications for their own citizens
The 2007 rankings show an increasing trend amongst governments to archive data on the geographic, communications and financial records of all their citizens and residents. This trend leads to the conclusion that all citizens, regardless of legal status, are under suspicion.
The privacy trends have been fuelled by the emergence of a profitable surveillance industry dominated by global IT companies and the creation of numerous international treaties that frequently operate outside judicial or democratic processes.
Despite political shifts in the US Congress, surveillance initiatives in the US continue to expand, affecting visitors and citizens alike.
Surveillance initiatives initiated by Brussels have caused a substantial decline in privacy across Europe, eroding protections even in those countries that have shown a traditionally high regard for privacy.
The privacy performance of older democracies in Europe is generally failing, while the performance of newer democracies is becoming generally stronger.
The lowest ranking countries in the survey continue to be Malaysia, Russia and China. The highest-ranking countries in 2007 are Greece, Romania and Canada.
The 2006 leader, Germany, slipped significantly in the 2007 rankings, dropping from 1st to 7th place behind Portugal and Slovenia.
In terms of statutory protections and privacy enforcement, the US is the worst ranking country in the democratic world. In terms of overall privacy protection the United States has performed very poorly, being out-ranked by both India and the Philippines and falling into the "black" category, denoting endemic surveillance.
The worst ranking EU country is the United Kingdom, which again fell into the "black" category along with Russia and Singapore. However for the first time Scotland has been given its own ranking score and performed significantly better than England & Wales.
Argentina scored higher than 18 of the 27 EU countries.
Australia ranks higher than Slovakia but lower than South Africa and New Zealand.

***Peter Lemkin*** · 06-05-2014, 07:32 AM

Surveillance Monitor 2007 - International country rankings

Chapter:

IV. Summary of country results

Austria

No explicit right to privacy in constitution but there are special laws for civil rights, including one for data protection; recent Supreme Court decisions are highly problematic
Data Privacy law does not apply equally to paper files; law is considered cumbersome by experts; also sectoral laws
Data Privacy Commission can bring civil and criminal provisions against institutions; but criticised for lack of independence
Prohibits use of genetic data by insurance companies
Medical data is treated as sensitive data by law
Legal requirement permitting Austrian military to request subscriber data from telecommunications providers
Centralisation of data on students that is stored for 60 years
Social security card with unique numbers but little other information is stored; number of abandoned initiatives including health data cards, or 'citizen card' have been abandoned; e-identity management system is heavily criticised
Judicial warrants for interception for serious crimes (10 years punishment or more)
CCTV and audio surveillance is now permitted where data is stored for 48 hours; but this has not been enforced adequately
Communications data is made available to copyright industry under Supreme Court decision
Postponed data retention
Matched DNA database with Germany in December 2006

Belgium

Belgian constitution was amended in 1994 to recognise the right to privacy; Supreme Court has ruled in accordance with Article 8 of the ECHR
Comprehensive privacy law
Commission has investigatory powers, issues a number of recommendations; took a strong stance against the transfer of data from SWIFT to the U.S. government
Through negotiations a common agreement has been established to regulate workplace surveillance
Law in place to protect health privacy rights
Judicial warrants for interception of communications with limited duration; though Parliament has given authority to the 'juge d'instruction' to demand decryption
Retention period of 12 months, though there is a push for three-years
Anonymous communications was banned in 2001
Leading country for smart ID cards, issued from age 6, that may contain such data as medical files, for use in public and private sectors, despite much criticism
First European country to use RFID passports
Content industry has agreements with ISP's to monitor for copyright infringement; court case in 2007 upholds use of filtering technology on networks to prevent file-sharing

Bulgaria

Constitutional protections in articles 32, 33, 34
Comprehensive privacy law, though many changes have occurred without adequate debate; law is poorly implemented
Sectoral laws protect medical privacy
Data privacy authority is relatively large
Identity cards are required to access cybercafÅ½s, and internet service providers have to register the ID numbers of users
Court order generally required for interception, though ministry of interior has discretionary power, resulting in regular complaints of abuse and illegal bugging

Cyprus

Constitution in articles 15 and 17 protects privacy
Comprehensive privacy law, though it is not fully compliant with EU standards
Plans for e-ID smart cards
Commissioner has broader jurisdiction to cover telecommunications since 2004; issues guidelines and information campaigns
Increasing use of CCTV along border
Attorney general authorises interception
CCCTV being installed for traffic management, speed cameras, and failing to wear seatbelts or talking on mobile phones

Czech Republic

Charter providers for privacy in articles 7, 10, and 13
Comprehensive privacy law
Data Privacy Authority has issued a number of fees for breaches of the law, and rejects requests for transfer of data abroad, and has been participating in an intense set of activities for public education
Judicial warrants for interception, for up to six months; though exemptions apply for secret services and significant concern about who has access to recordings
Money laundering law limits lawyer-client privilege
Illegal for employers to read employee's email, though subject lines are permissible
Legal basis of medical registries is very contentious issue, led to Presidential veto on privacy grounds, but was over-ridden by Chamber of Deputies vote
Increasing use of CCTV, and few are registered with the Data Privacy Authority
Data Privacy Authority fined state body for scanning biometric data and fingerprints
Plans for data sharing across different government agencies

Denmark

Constitutional right to privacy depends on section 71 on personal liberty and section 72 on search and seizure
Comprehensive privacy law, and exempts security and defence services
Data privacy authority is appointed by the minister of justice, and the ministry is also responsible for the budget
Data privacy authority may enter any premise without a court order to investigate under the privacy law
Extensive interception of communications; and use of bugs on computers to monitor activity and keystrokes; and plans are in place to minimise notification
Police require list of all active mobile phones near the scene of a crime
DNA samples may be required from applicants for residency based on family ties
Implemented retention of communications data well before EU mandate, for one year
Police took the DNA of 300 youth protestors in 2007
Implementing air travel surveillance program
Parliament is over-keen to implement surveillance programs
Ratified Cybercrime convention

Estonia

1992 Constitution recognises right to privacy in Article 42, 43, and 44
Comprehensive privacy law
Inspectorate was made an independent organisation in 2007
Extensive research into Genetics and disease
Mandatory identity card for all over 15
Interception is authorised by the head of a surveillance agency, while exceptional surveillance requires judicial authorisation and only in cases of serious crime
Citizens may obtain access to information about them held by police and security agencies
Ratified Cybercrime convention

European Union

Treaty of the European Union requires compliance with the ECHR, and so protection falls under Article 8
Data protection in the first pillar is under the EU Directive 1995
Data protection under the third pillar, i.e. Justice and home affairs, is inadequate
European Data Protection Supervisor oversees the first pillar activities, and has pursued legal action when appropriate
Data sharing is set to expand significantly under the Treaty of Prum
Border plans include copying U.S.-style biometric and passenger data checks
Communications data retention directive and biometric passport directives are world-leading in their expansive surveillance goals

Finland

Constitutional protection under section 10
Much information in the public domain, including name, birth year, taxable income, property taxes, and total taxes paid
Comprehensive privacy law
Criminal and civil sanctions (including imprisonment) for unlawful processing
Data privacy authority must go through public prosecutor before taking action on a violation
Postponed retention of internet data until 2009
Judicial warrant for interception for specific crimes as listed in law, while transactional data can be obtained if suspect faces at least four months of jail; electronic surveillance only in cases if punishment is greater than four years imprisonment
Police use mobile phones to access official tax records in order to enforce traffic fines (fines are based on income)
Location data tracking of youth is widely provided service
Corporate abuse of telephone records lead to high profile scandal
Helsinki transport network monitors movements of travellers, though data privacy authority has compelled a change of policy
Specific act on workplace privacy now permits email surveillance, video surveillance, and drug testing; though ombudsman recently ruled that employers can not use search engines to assess prospective employees without consent
Identity number used extensively in public and private sectors
New identity card also includes, voluntarily, medial insurance data
Finland worked to be a pioneer in biometric passports
Sectoral laws protect medical privacy
Ratified Cybercrime convention

France

No explicit right to privacy in constitution, though constitutional court has ruled that it is implicit
Comprehensive privacy law; though the law permits intellectual property rights holders to create records of rights infringers
Data privacy authority well known for its strong stance on many issues, investigates, warns and imposes financial sanctions (the first of the latter was in 2006)
DPA has limited powers over large government systems
Tort of privacy in civil code, and sectoral laws also exist, as well as protections in the penal code
DNA database is expanding to include nearly all crime investigations, and is known to be a register of 'civil disobedience' since the protests in 2005 and 2006; compels DNA collection from immigrants if parentage is questioned
Interception authorised by investigative judge and lasts four months (renewable)
In 2007, the highest administrative court ruled that database of illegal migrants was excessive, though not on privacy grounds
Retention policy applies for up to one year; subscriber data and identifying data may only be disclosed upon judicial request
This was expanded under terrorism law allowing access without any judicial order by the police
Latest draft rules on retention requires all service providers to retain all information on users and deliver to police upon mere request, and may even require retention of passwords, and payment details; and police may then retain the data for three years
Intellectual property rights holders may monitor online activity
Individuals must be identifiable whilst online if they wish to publish content
Still maintain encryption restrictions
CCTV is spreading, and may be installed prior to any authorisation
Collects passenger data
Biometric ID scheme is still postponed
Border and visa data is now accessible to all police since 2006
No fingerprints in passports as yet
Serious lack of data protection and many security breaches identified in computerized patient records, according to data privacy authority in 2007

Germany

Basic Law protects communications privacy under article 10; but Constitutional Court ruled in 1983 that individuals have a right of informational self-determination based on Articles 1 and 2 on rights to freedom
One of the strictest privacy laws in the world
Despite calls for workplace privacy law, none exists
Federal Data Privacy Authority and Lander authorities are world leading
Interception is permitted under the G-10 law which includes warrantless automated wiretaps
One of the highest rates of interception across Europe
Despite objections, data retention law approved
Fingerprints have been included in ID cards, although not for storage on a central database
CCTV is expanding despite protests
Approved Treaty of Prum provision

Greece

Article 9 of the constitution recognises the right to privacy in the home, and data protection (since amendment), Article 19 for communications privacy
Comprehensive privacy law
Data Privacy Authority is independent, led by high ranking official, and may impose administrative or penal sanctions that include imprisonment; a history of controversial but important rulings, covering ID, CCTV, DNA, and workplace surveillance
CCTV was permitted for the Olympics on the condition that they be de-activated after the games; but this was continued for a further six months to monitor car traffic circulation, and was then extended to 2007, but also fined the police for a breach
Infamous wiretapping case involving Vodafone and ministers' communications, led to a 76m EUR fine for Vodafone

Hungary

Constitutional right in Article 59, and strong Supreme Court decisions upholding this right; in 2007 the court called on enhanced protection to the right of privacy because of poor oversight
Statutory protections are comprehensive, prohibits all-purpose identification numbers or codes; and sector-specific protections also exist, as well as Criminal Code protections
Order-making powers for Commissioner was granted in 2004
82% of CCTV deployments do not comply with the law, and may contain facial recognition capabilities
Judicial authorisation of warrants but Constitutional Court decided that there was insufficient oversight
Communications surveillance permitted in investigations where the crime may be punishable by more than five years imprisonment
Security services require approval by specially appointed judge or Minister of Justice; though there are claims of abuse by the National Security Service
Public protests led to a rejection of new data retention proposals
Famous Vodafone case where company tracked employees 24-hours per day at 15-minute increments; courts sided with employees
President of Hungary refused to sign law enabling transfer of passenger data to the U.S. unless individual consent was given
Intends to join Prum Convention; ratified Cybercrime convention

Ireland

No explicit right to privacy in constitution, Supreme Court has seen an implicit right in Article 40.3.1
Comprehensive privacy law, with broad exemptions for security, tax, and combating crime; misuse of data is also criminalised
Improvements in the law went into effect in 2007
High Court imposed safeguards on the disclosure of identity of suspected file-sharers
One of the longest data retention regimes in Europe; currently pursuing legal action on this issue to ensure the government has the ability to uphold its retention regime
Planning Automatic Number Plate Recognition
Extensive data matching and use of unique identifiers
While the Garda are prohibited from collecting personal identification numbers from nationals, they may do so in relation to non-EU nationals
A public services card is being developed
No plans for fingerprints in biometric passports

Italy

Constitution protects right to privacy in the home (article 14) and communications (article 15)
Comprehensive privacy law
Data privacy authority has extensive powers, including auditing databanks of intelligence activities
Data privacy authority has stopped two initiatives for expanding use of fingerprinting; and has regulated use of CCTV; and has run public education campaigns on television
Judicial authorisation for interception, and granted for 15 days at a time; if transcripts are not used they must be destroyed; and exceptions apply for religious ministers, lawyers, and doctors, though there are more lenient procedures for anti-mafia cases
2007 a judge ruled that planting bugging devices in a car was not an offence because the law only applies to the home
A number of abuses in communications surveillance: ÃŠin 2005 Italian police placed a backdoor into an ISP's server, and monitored all transactions of 30,000 subscribers; telecom italy collected thousands of file on stars and influential people
Data retention period were for four years, though internet traffic data is now set for 12 months, through a graduated scheme where investigations involve serious crimes are allowed to get telephone data after 2 years, or internet data after 6 months
Biometric plans for travel authorisation have been reviewed and changed by authority
Council of ministers approve law requiring every blogger to register with the state; though law is in early stages

Latvia

Constitutional right in article 96
Wide exemption in statutory protections but does apply to police sector
Inspectorate has 23 employees, and has powers of inspection and administrative penalties; considering stronger penalties; but independence is questioned
Access to data is only with judicial warrant
Abuse in interception case where TV news presenter's phone was tapped and transcripts were sold to a newspaper
Money laundering laws now require increased data sharing and disclosure
Fingerprints in passports
Workplace privacy handbook for employers and employees; inspectorate allows for interception but notification
Now has a DNA database
Mandatory ID cards since 2002 for those over the age of 15, but was postponed to 2007 for implementation
Ratified Cybercrime convention

Lithuania

Constitutional right under Article 22, with mixed Supreme Court jurisprudence
Comprehensive privacy law
Recent amendment requires public statements by companies on their websites regarding accountability
Data Privacy Authority is financed by government budget, and is accountable to the government; has not conducted review of visual surveillance
Delaying application of retention law to internet, though was an early adopter of retention for telephony
Interception warrants issued by prosecutor general or judge; and law does not include principle of proportionality; oversight is seen as weak and abuses are rife
Increasing workplace surveillance and no legal framework applies
Growing number of camera installations and great cost
Passports will include a centralised biometric database despite concerns raised at the time
Ratified Cybercrime convention

Luxembourg

Constitutional protections in article 28 only applies to communications
Comprehensive data protection law, that also covers moral persons, and contains specific provisions on medical data, and the workplace; though draft law from 2006 would have curtailed many protections
Commission is independent agency that has worked to reduce surveillance plans, e.g. Retention periods; and authorisation is required before installing video cameras or electronic tracking
Postponing implementation of retention directive, though currently has a six month retention period
Interception by judicial authorisation for serious crime (2 or more years of imprisonment), for one month periods, extendable up to a year; and individuals may be sometimes informed of the surveillance
Administrative interceptions may be authorised for national security by a special tribunal
Workplace monitoring only permitted if staff representative, joint committee, and the person being monitored have been informed, with a specific piece of legislation aimed at this activity
Banking privacy laws forbids unwarranted surveillance
No fingerprints in passport as yet, but are making plans
Approved Treaty of Prum

Malta

Constitutional right under article 38 against arbitrary searches
Comprehensive privacy law
Law is enforced by ministry, not an independent agency, though the commissioner and ombudsman investigate complaints
Sectoral laws

Netherlands

Constitutional protection in Article 10, Article 12, and 13; moves to change the constitution to be more technology neutral were postponed
Comprehensive privacy law and sectoral protections
Data Privacy Authority can apply administrative measures and impose fines; and posts advisories to government on new legislation; extensive work in the area of medical records in 2007
Growth of corporate privacy officers across the country
Court order required for interception, except for the intelligence services who are authorised by the Minister of Interior; controversies and court cases over the burden to industry
Access to traffic data by order of the public prosecutor, but for serious offences (where punishment is imprisonment for four years or more); though subscriber data can be accessed by police in case of mere suspicion. ÃŠParliament rejected proposal to notify suspects after subscriber data has been accessed.
In 2007 government moved to implement data retention directive with 18 months period, despite concerns from Authority
Continued proposals to increase power of law enforcement agencies
Plans to implement in 2008 a database of all children to record development from birth
New plans for expanded use of biometrics
DNA collected on all convicted of serious crimes
Compulsory identification for all persons from age of 14, where 5300 individuals are fined every month for not carrying ID
Passport includes fingerprints and facial images, and government proposed in 2005 that a centralised register be created
Law from 2003 makes it unlawful to use hidden cameras in public places without notification; cameras can otherwise keep images for 4 weeks for the purpose of keeping public order
Courts have ruled that subscriber data can be disclosed to copyright industry, and anonymous website owners
Ratified Cybercrime convention

Poland

Constitutional rights in Articles 47, 49, and 51, though constitutional court has mixed record limiting government surveillance
Comprehensive privacy law, and sectoral laws apply
Data Privacy Authority can impose fines and declare that a criminal activity has occurred
Large amount of interception of communications with limited oversight
Increasing use of visual surveillance; in 2007 Auschwitz installed CCTV scheme, including monitoring of schools
Draft retention law called for fifteen year retention period
ID card is controversial over its use of biometrics and the use of a unique identifier
New law requires national identifier to be used for filling prescriptions, despite protests from physicians

Portugal

Article 26 and 34 of constitution protect privacy; and in 1997 it was amended to give a right to data protection
Comprehensive privacy law
Commission regularly publishes guidelines; most recently in 2007 on workplace surveillance and recording of political convictions
History of abuse of interception of communications
Roadway video surveillance is regulated closely
Approved identity card in 2007, and data will include parentage, tax, health and social security numbers; though the numbers can not be matched or linked; stores fingerprint on the card and biometric authentication can only be compelled by police and justice officials
Mandatory reporting of HIV and AIDS
Genetic privacy is protected under strict rules, employers may not request genetic tests, even with consent

Romania

Constitutional right under Articles 26, 27 and 28
Comprehensive privacy law
Data Privacy Authority has run public education campaigns in 2006 and 2007, and issues guidelines; and issued security breach rules for telecommunications providers
Interception is authorised by General Prosecutor of the Office related to the Supreme Court, and individuals can appeal to the Commissions of Human Rights of the two Chambers of Parliament, with careful reporting schemes; though abuses still occur
Draft retention law has not yet been approved, but proposes 12 month period of retention without any explanatory reports; though access is only permitted in combating organized crime and terrorism investigations, with judicial authorisation
Ratified Cybercrime convention

Slovenia

Extensive constitutional protections
Comprehensive privacy law, and has been updated in recent years to reflect new technologies
It is against the law to use the same identifier in databases in the areas of public safety, state security, defense, judiciary and health; where connections are permitted only upon consent or if there is a legal basis
Labor law prohibits employers and candidates questions about family matters, marital status, pregnancy, etc.
Serious breach of law regarding cancer screening centre in 2006
Extensive rules on video surveillance, though abuse still occurs including in changing rooms in shopping malls though the situation is improving
Biometrics are regulated
Court order required for interception of communications, for a prescribed list of criminal offences, except for intelligence purposes where the language is broad
Law requires location data be processed only in anonymous form unless prior consent granted
24 month retention period
Failure to produce ID card when required involves fine of up to 420 euro
New electronic population register merges three separate registries
Ratified Cybercrime convention

Slovakia

Good statement in constitution from 1992; with some jurisprudence from Constitutional Court, but European court has ruled against government recently
Commissioner files biannual reports, has investigative powers
ODPD conducted preventive audits of video surveillance
Few complaints received however
There are no biometric-specific rules on collecting, using or disclosing this data
Law on interception applies to extraordinarily serious premeditated crimes, but over the years there have been many public revelations of illegal wiretapping of opposition politicians, reporters and dissidents
Continuing reports of Roma homes being entered without warrants
Plan to start fingerprinting citizens for passport in 2008
Government supports Irish Government on data retention case
Government abuses data protection law to protect police and Cabinet from oversight

Spain

Constitutional protection under Article 18
Comprehensive right to privacy with extensive court decisions
Extensive investigations and cases reviewed by Data Privacy Authority; Authority has made a number of rulings, including that IP addresses can be personal data; and on video surveillance data
Authorities exist at local levels as well
Several interception scandals over the years; including extensive access to communications without court order
Laws for preventing funding of terrorism have been applied to other crimes
Lack of debate around introduction of planned electronic ID card
Retention period for 12 months, and plan to ban anonymous pre-paid mobile phones

Sweden

Constitutional protection under Section 2 and Section 3 of the Instrument of Government Act 1974
Comprehensive privacy law, and sectoral privacy laws; though ÃŠin 2006 the Parliament amended the Personal Data Act to increase exemptions, and the requirement of gross negligence before data breaches are prosecuted
Inspection Board has powers of investigation; ruled on proposed use of biometrics in schools saying that it was neither necessary nor proportionate, but even still it is being used by schools
Medical records are regulated by sector specific law, but there is a lack of adequate organisational policies to protect access to data
2002 proposals to enhance workplace privacy has not been followed through with legislation; and few firms delete data on their employees
There are policy recommendations that DNA collection from all investigations
No fingerprints on passport, and no central register of biometrics
Non-mandatory ID card
Video surveillance is tightly regulated
Annual reporting of electronic surveillance
Proposed law to scan all communications without a court order, although it was abandoned in 2007, temporarily at least

United Kingdom

World leading surveillance schemes
Lack of accountability and data breach disclosure law
Commissioner has few powers
Interception of communications is authorised by politician, evidence not used in court, and oversight is by commissioner who reports only once a year upon reviewing a subset of applications
Hundreds of thousands of requests from government agencies to telecommunications providers for traffic data
Data retention scheme took a significant step forward with the quiet changes based on EU law
Plans are emerging regarding surveillance of communications networks for the protection of copyrighted content
Despite data breaches, 'joined-up government' initiatives continue
Identity scheme still planned to be the most invasive in the world, highly centralised and biometrics-driven; plan to issue all foreigners with cards in 2008 are continuing
E-borders plans include increased data collection on travellers

England & Wales

Inherited constitutional and statutory protections from UK Government and many of the policies
National policies are not judged, e.g. Communications surveillance, border and trans-border issues
Councils continue to spread surveillance policies, including RFID, CCTV, ID and data sharing, road user tracking
Few democratic safeguards at local government level, even though local government may be more accountable to electorate because of smaller numbers, decisions do not appear to be informed by research, prototyping

Scotland

Inherited constitutional and statutory protections from UK Government and only some of the policies
National policies are not judged, e.g. Communications surveillance, border and trans-border issues
Stronger protections on civil liberties
DNA database is not as open to abuse as policy in England and Wales
Identity policy is showing possibility of avoiding mistakes of UK Government
Scottish government appears more responsive and open to informed debate than local governments in England

NON-EU COUNTRIES

ARGENTINA

Constitutional right in Article 18 and 19, and habeas data right in Article 43; with important jurisprudence from Supreme Court
Comprehensive privacy law, and several provincial laws; jurisprudence is emerging
Data Privacy Authority has powers to investigate and intervene through both administrative and criminal sanctions; though is based in the Ministry of Justice
Only one penalty has been imposed
Data retention law previously called for 10 year retention period, but the President suspended the decree to allow for 'evaluation'
Judicial warrant required for interception, and domestic surveillance can not be conducted by military personnel; many changes in the law since the 1990s

AUSTRALIA

No right to privacy in federal constitution, though one territory now includes the right to privacy within its bill of rights
Comprehensive privacy laws at federal level and others within some states and territories, but there are broad exemptions that have precluded action by the privacy commissioner against small businesses and political parties; and does not meet international standards
Power of commissioner diminished because determinations are not legally binding
Numerous reports of data breaches, including at the taxation office, child support agency, and even amongst the police
High level of interception activity; no notification requirement to innocent participants to communications
Expanded surveillance powers in 2004
Movement towards electronic medical records but no opt-in protections as yet
De-identified medical data has been approved by the privacy commissioner for sale to pharmaceutical companies, despite protests
Expanded financial surveillance and secret reporting
DNA collection only for serious crimes at the moment
Made preliminary steps to secure passports in 2006
New government promised to abandon ID card plans; the office of access card has been closed but senior staff have moved to other department hinting at possible proposals to emerge
Document verification service for use by public and private sector is being implemented despite lack of privacy considerations
Abusive case of visa revocation of individual related to suspects in UK anti-terrorism case

BRAZIL

Constitutional protection ensured in 1988 constitution; recent court cases have resulted in a fragmented protection so that bank records are protected but databases aren't necessarily; and stored emails as well
No data privacy law but there is one under consideration
Can not force a correction of data
Civil code protects privacy, but with exemptions for law enforcement; and no regulatory commission
Protects right to privacy of children under 1990 law
Test for interception is relatively simplistic
Id law requires ID for public and private sector use, but it has not been implemented; private sector use of biometrics is growing
Recent controversy over censoring Youtube
Bank records are protected under the constitution, and warrants are required
Growing concerns about workplace surveillance, led to a labour court decision saying monitoring is illegal, unless a court order is issued, but protections do not apply to corporate email accounts; video monitoring is illegal in recent court decision
Interception for serious crime; but illegal wiretapping continues, and concerns that the content-industry is spying on Brazilian networks without warrants
Access to traffic data is not protected under privacy regulations according to the superior court of justice; and proposed law for identification for access did fail, but requires ISPs to identify illegal conduct to the police
Extensive travel surveillance on roads with RFID with poor privacy protections

CANADA

Privacy not mentioned in Charter of Rights and Freedoms, but courts have recognised the right to a reasonable expectation of privacy
Statutory rules at the federal level (public and private sectors) and provincial laws apply to sectors and governments
Federal commission is widely recognised as lacking in powers such as order-marking powers, and ability to regulate trans-border data flows
Variety of provincial privacy commissioners have made privacy-enhancing decisions and taken cases through the courts over the past year (particularly Ontario)
Court orders required for interception and there is no reasonable alternative method of investigation
Video surveillance is spreading despite guidelines from privacy commissioners
Highly controversial no-fly list, lacking legal mandate
Continues to threaten new policy on online surveillance
Increased calls for biometric documents to cater for U.S. pressure, while plans are still unclear for biometric passports

CHINA

Limited rights under constitution under articles 37, 38, 39
Chinese government acknowledges that it has room for improvement in applying laws fairly and systematically
Stricter controls are being exerted on press, internet, academics, lawyers and NGO's
Extensive surveillance schemes implemented in anticipation of the 2008 Olympics
Increased expectation of privacy amongst citizens has led to academics calling openly for stronger privacy laws
Some privacy laws
Search and interception does require warrants but they are authorised by officials and prosecutors
Increased legal activity and suits in the area of medical privacy
In 2006 China's central bank developed a database that links up information on consumer credit; and private sector initiatives are emerging that advertise access to 90 million incomes, marital status and sensitive information for 12 cents per request

ICELAND

Constitutional protection exists, and interferences only when urgent; Supreme Court has decided in favour of privacy such as in health privacy cases
An opt-out registry for marketing exists under law
Data Privacy Authority can investigate and issue rulings, issue fines and seek criminal sanctions; received 820 cases, solve 685, 8-members of staff
In late 2006 DPA's rule on surveillance went into force prohibiting workplace, schools and public areas from surveillance unless under a legal act or court order; and surveillance must comply with Data Privacy principles
ID numbers issued and widely used by public and private sector (including video rentals)
Medical and genetic databases are world-leading; health database was postponed in 2002;
Supreme court ruled in favour of the protection of health information of deceased because it could disclose information about descendants; this hints that the health database act may be unconstitutional
Since 2001 instituted facial recognition at international airport; lodging information must be retained for two years and may be accessed by the police at any time, and could apply to private homes
Six months of communications data retention, though with now limited data sets, ad no requirement to show ID to buy phone cards but surveillance still exists
Ratified the Cybercrime convention

INDIA

No explicit right to privacy, though Supreme Court sees it as implicit under article 21 on the right to liberty
General right to privacy in law, requiring warrants for searches
No comprehensive privacy law, though sectoral laws do provide some protections; though there is great pressure to implement a privacy law, little is being done
Fraud and identity theft in the outsourcing industry continues
History of abuse of wiretapping, and NGOs complain of their communications being intercepted
Law requires disclosure of encryption keys, and there are stiff penalties on anyone who fails to provide requested information to authorities

ISRAEL

Section 7 of the Basic Laws provide right to privacy, and is thus considered a 'basic right'
Comprehensive privacy law, though broad exemptions for security and police services
Amendment to privacy law in 2007 included requirement for 'conscious' consent to an invasion of privacy
Credit databases automatically share credit information
Data-sharing of criminal records amongst more than 30 government agencies
Data Privacy Authority established in 2006, with a small budget and few employees, but has been quite active
History of abuse in communications surveillance; now the President of the District Court must authorise interception for a period of three months (renewable); Prime Minister or Defense Minister may also authorise interception in cases of national security; though all in all this amounts to approximately 1000 per year
Chief Military Censor may intercept international conversations to or from Israel for purposes of censorship
DNA is taken from suspects, and is retained for 7 years if acquitted or 20 years if convicted; police have a target of 20,000 samples annually
Voluntary biometric system at border
In 2007 Ben Gurion airport installed devices that permit seeing through travelers' clothes, with unclear privacy protections
Border surveillance technology is advancing to include biometrics
A commission has proposed a number of legislative changes, in particular on trans-border data flows and data-breach legislation
Government proposed biometric authentication of adults wishing to view pornographic, violent or gambling content online, and is under consideration

JAPAN

No explicit right to privacy in constitution though Supreme Court has interpreted a substantial right as falling under Article 13 on right to life an liberty
No comprehensive privacy law, instead only guidelines for specific industries; and some legislation in some sectors
Government created a privacy seal, but serious shortcomings have been identified
Judicial warrants for interception, and warrants only last ten days initially, though application appears to be overly broad and abuses have emerged
Surveillance cameras continue to spread despite constitutional issue, though at least one ward has enacted an ordinance to limit rapid increase of cameras
Tagging and tracking of children continues
Genetic test abuses across country, and only guidelines have been released to deal with the problem
Developing DNA database though court order is required to take DNA samples
Resident registration law; extensive legal activity at the moment with court cases outstanding
Extensive data breach problems
Only second country to implement vast biometric collection at borders
Ratified convention on Cybercrime

MALAYSIA

No right to privacy in constitution
No comprehensive privacy law
Controversial internal security act allows for extensive police powers
Interception authorised by attorney general
Extensive use of identification scheme, mykad
Plan to implement citizen data hub across government departments, developed by oracle corporation, including individuals background, education, and health records
Biometric system monitors foreigners in the country
Extensive use of CCTV with no privacy safeguards

NEW ZEALAND

Article 21 of the Bill of Rights refers to searches and seizures; court of appeal has interpreted this as a right to privacy
Privacy Act and sector-specific legislation; also a law against intimate covert filming
OPC oversees compliance but is not a central data registration or notification authority; deals with complaints and reviews public sector information matching programs; power to investigate
Datasharing between law enforcement agencies is enabled by statute
Employment court allowed random drug tests on workers in safety sensitive areas, pre-employment, and on suspicion, or near accidents
Court of appeal has had some problematic decisions regarding privacy complaints
DNA database based on order from high court judge, violent crimes, and convicted burglars; though voluntary samples can be included and increasingly this is being pushed by the police, resulting in more than 80% of samples on database being given 'voluntarily'
Newborn blood spot samples and related information is collected, and this data may be used by the police but only as a last resort or with parental consent
Interception requires judicial warrants but only upon 'reasonable grounds' test; though this does not apply to security services

NORWAY

No specific constitutional protection, though Supreme Court early on decided that there is a general legal protection of 'personality'
Comprehensive privacy law, though some police databases are excluded
Mobile phones must all be registered, and retention is in place
Data Privacy Authority is within administration wing of government but is expected to be independent
Data protection tribunal has made a number of questionable decisions, e.g. Audiotape of telephone conversation does not fall under the law
Whistleblowing law in 2007 lets workers remain anonymous
Mandatory disclosure of information to Child Welfare authorities
Police certificate is required to apply for citizenship; though other safeguards were implemented
Court order for interception, for period of 4 weeks, with a supervisory board that oversees process, after years of abuses
Created a database of asylum seekers with fingerprint data, which is open to the police for criminal investigations
Government merged a number of welfare databases without implementing adequate access restrictions
Government intends to require DNA for all convicted
Ratified Cybercrime convention

PHILIPPINES

Supreme Court is optimistic that there will be a privacy law (based on habeas data) will be crafted by the SC before end of 2007, but initially only in extraordinary circumstances; though some rights are covered in sections 1, 2, and 3(1)
Protections against disclosure of journalistic sources
Two pending laws for comprehensive privacy protection, and there is a civil law right to privacy
A number of statutory rules relating to privacy including rape victims, juveniles, financial data, and at local government
Financial data protections have been undermined in recent years
Pending Cybercrime legislation and new terrorism legislation raises serious concerns
Despite constitutional protections, ID plans are being revived leading to the Supreme Court reversal of prior jurisprudence
Spread of biometric technologies continue, including in healthcare, social services, travel
Judicial authorisation for interception, and limited to serious crimes; though illegal wiretapping continues

RUSSIA

Constitutional right exists under Article 23, 24, and 25
Criminal Code imposes a penalty for violation of privacy, enforced by a court is physical or moral damages result from a violation
2006 law on personal data protection adopts Council of Europe convention, but government is given wide exemptions
Despite law coming into force in 2007 most provisions are still inactive, e.g. No data protection authority yet exists
Data Privacy Authority, when it will exist, will not be independent and will be within the Ministry of Communications
Illegal collection of data is commonplace
Court order is generally required for communications surveillance except in some circumstances including secret services; further exemptions apply to tax police, border guards, presidential security service, and ministry of internal affairs
Extensive powers and technological capabilities to access communications and communications records
ID required for all over 14, and is necessary for purchase of train and plane tickets, amongst other activities, and contains a residency stamp, and plans for a electronic ID system are emerging
Used visa-regime to prevent election monitors from entering country in time for overseeing election

SINGAPORE

No right to privacy under constitution, though the High Court has ruled that personal information may be protected under duty of confidences
No statutory protections, and has been under review for thirteen years
Judicial warrants are not necessary for surveillance
ID required for using ISP's
Data-sharing with government is not necessarily on legal basis
No workplace surveillance regulation as this is regulated under property law
Some protections for genetic testing
'Biopass' is a passport with fingerprint and facial biometrics

SWITZERLAND

Both old and new constitutions grant right to privacy
Comprehensive privacy law, with criminal penalties for violations, with recent changes enhancing privacy protections; while most cantons have their own privacy laws; and there are protections in the civil and penal codes, and special sectoral rules
Federal commissioner, though plays important consultative and educational role, has limited powers of intervention
Passports only have digital facial images, though there are plans to store biometric data on central database, though this proposal was criticised by the federal commissioner
Swiss banking law protects privacy of banking records, though international pressure is reducing this protection
Joined Schengen agreement in 2005, and now all Swiss citizens have to carry id
New policy plans for police and security services' databases; and plans for increased powers of interception of communications
Increased border surveillance for European football championships
Six month retention law for telecommunications
Federal court has ruled that individuals must be notified after surveillance of communications
2007 expanded surveillance powers of secret services, but only as a last resort, but without suspecting of criminal activity
Expanded collection of DNA since 2005
Biometrics in place for access to sports facilities, but commissioner has ensured that there are no central databases and alternative solutions are available for those who oppose biometrics
Plans to store medical information on new health insurance cards, but currently delayed
Foreigners data stored on central register, and plans in place to include biometric data
Expanded use of CCTV, and now automatic care plate recognition, and plans for these systems to be adapted to control speeding
Air force using unmanned aerial vehicles, strengthening co-operation with the police, and is now used to monitor celebrations and protests
First country to use facial recognition at border controls

SOUTH AFRICA

Constitutional right under sections 14, 32; constitutional court has delivered several judgements; and applies in private litigation
No comprehensive private law or data privacy authority
Interception law followed minimal consultation, requires intercept capability by design
All service providers must gather detailed personal data on individuals before signing contracts or selling sim cards, with no specified length of retention period, but communication-related information is stored for 12 months
New banking law came into effect in 2007, requiring court orders for access to financial information, and regulate credit bureau information
New smart ID cards began deployment in 2007, and in particular for refugees and asylum seekers

TAIWAN

Not explicitly mentioned in the constitution, but relevant rights are enshrined
1995 data protection law
Calls to strengthen law since data breaches and leaks to crime syndicates
Widespread illegal wiretapping by government; legal wiretapping is conducted for broad purposes with over 25,000 over the past year
Fingerprints are submitted for paper-based national ID card, though placed in a national fingerprint bank; and there is an electronic ID infrastructure being developed, with over a million active cards
Patient ID card includes a smartcard solution with illnesses encoded on the card
Mandatory HIV tests for foreigners who have been in Taiwan for more than three months, which could lead to deportation
Government wants to become global leader in RFID technology

THAILAND

Constitutional exception for law enforcement
Lack of law regulating industry
New law protecting the privacy of people under 18 passed in November 2007, though of course there are concerns about how this protects children's' rights to express themselves
Wiretapping is prevalent, with 'reasonable grounds' test only
Cyber crime act 2007 defines 12 internet crimes with punishments ranging from six months in jail to 20 years in jail, and requires certain internet service providers to keep logs of traffic data up to 90 days.
New passports are embedded with a microchip that contains biometric information including fingerprints and facial data. Id cards are now smartcards, and will be mandatory from birth.
ID is required to buy SIM cards
Political bugging is no less common. Politicians and human rights activists accused a political party of wiretapping political opponents and journalists.

UNITED STATES OF AMERICA

No right to privacy in constitution, though search and seizure protections exist in 4th Amendment; case law on government searches has considered new technology
No comprehensive privacy law, many sectoral laws; though tort of privacy
FTC continues to give inadequate attention to privacy issues, though issued self-regulating privacy guidelines on advertising in 2007
State-level data breach legislation has proven to be useful in identifying faults in security
REAL-ID and biometric identification programs continue to spread without adequate oversight, research, and funding structures
Extensive data-sharing programs across federal government and with private sector
Spreading use of CCTV
Congress approved presidential program of spying on foreign communications over U.S. networks, e.g. Gmail, Hotmail, etc.; and now considering immunity for telephone companies, while government claims secrecy, thus barring any legal action
No data retention law as yet, but equally no data protection law
World leading in border surveillance, mandating trans-border data flows
Weak protections of financial and medical privacy; plans spread for 'rings of steel' around cities to monitor movements of individuals
Democratic safeguards tend to be strong but new Congress and political dynamics show that immigration and terrorism continue to leave politicians scared and without principle
Lack of action on data breach legislation on the federal level while REAL-ID is still compelled upon states has shown that states can make informed decisions
Recent news regarding FBI biometric database raises particular concerns as this could lead to the largest database of biometrics around the world that is not protected by strong privacy law

***David Guyatt*** · 09-05-2014, 08:42 AM

Poor old "safe pair of hands" Malcolm Rifkind, fighting a losing battle against the rest of Parliament.

But I don't see that Parliament will get its way. Whatever the Americans want GCHQ to do, will continue to be the policy irrespective of everything else.

Quote:MPs: Snowden files are 'embarrassing indictment' of British spying oversight

All-party committee demands reforms to make security and intelligence services accountable in wake of disclosures

Alan Travis, home affairs editor

The Guardian, Friday 9 May 2014

Jump to comments (334)

The report says the current system of oversight of MI5, MI6 and GCHQ, pictured, is 'designed to scrutinise the work of George Smiley, not the 21st-century reality'. Photograph: Reuters

Edward Snowden's disclosures of the scale of mass surveillance are "an embarrassing indictment" of the weak nature of the oversight and legal accountability of Britain's security and intelligence agencies, MPs have concluded.
A highly critical report by the Commons home affairs select committeepublished on Friday calls for a radical reform of the current system of oversight of MI5, MI6 and GCHQ, arguing that the current system is so ineffective it is undermining the credibility of the intelligence agencies and parliament itself.
The MPs say the current system was designed in a pre-internet age when a person's word was accepted without question. "It is designed to scrutinise the work of George Smiley, not the 21st-century reality of the security and intelligence services," said committee chairman, Keith Vaz. "The agencies are at the cutting edge of sophistication and are owed an equally refined system of democratic scrutiny. It is an embarrassing indictment of our system that some in the media felt compelled to publish leaked information to ensure that matters were heard in parliament."
The cross-party report is the first British parliamentary acknowledgement that Snowden's disclosures of the mass harvesting of personal phone and internet data need to lead to serious improvements in the oversight and accountability of the security services.
The MPs call for radical reform of the system of oversight including the election of the membership of the intelligence and security committee, including its chairman, and an end to their exclusive oversight role. Its chairman should also be a member of the largest opposition party, the MPs say, in direct criticism of its current head, Sir Malcolm Rifkind, who is a former Conservative foreign secretary.
Rifkind, however, said he had read the report, and had concluded: "The recommendations regarding the ISC are old hat. For several years, Mr Vaz has been trying to expand the powers of his committee so that they can take evidence from MI5, MI6 and GCHQ. This is what this bit of his report is all about."
Rifkind attempted to head off some of the MPs' conclusions by announcing that the ISC would conduct its own inquiry into personal privacy and state surveillance. He also attacked Snowden and his supporters for their "insidious use of language such as mass surveillance and Orwellian" which, he argued, "blurs, unforgivably, the distinction between a system that uses the state to protect the people, and one that uses the state to protect itself against the people".
However, a complete overhaul of the "part-time" and under-resourced system of oversight commissioners is recommended by the MPs, as is an end to some of the secrecy surrounding the Investigatory Powers Tribunal the only body that is able to investigate individual complaints against the security agencies.
A parliamentary inquiry into the principal legal framework that legitimises state communications surveillance, the Regulation of Investigatory Powers Act 2000, should be launched, they say, to bring it up to date with modern technology and improve its oversight safeguards.
The committee also voices strong concerns that a data protection ruling by the European court of justice last month has left the legality of the bulk collection of communications data by the phone and internet companies in serious doubt. "It is essential that the legal position be resolved clearly and promptly," say the MPs, who reveal that the home secretary, Theresa May, has ordered urgent work into the ruling's full implications for the police and security services.
The MPs say they decided to look at the oversight of the intelligence agencies following the theft of a number of National Security Agency documents by Snowden in order to publicise the mass surveillance programmes run by a number of national intelligence agencies.
Their report says Alan Rusbridger, editor of the Guardian, responded to criticism of newspapers that decided to publish Snowden's disclosures, including the head of MI6's claim that it was "a gift to terrorists", by saying that the alternative would be that the next Snowden would just "dump the stuff on the internet".
The MPs say: "One of the reasons that Edward Snowden has cited for releasing the documents is that he believes the oversight of security and intelligence agencies is not effective. It is important to note that when we asked British civil servants the national security adviser and the head of MI5 to give evidence to us they refused. In contrast, Mr Rusbridger came before us and provided open and transparent evidence."
The report makes clear the intelligence chiefs should drop their boycott of wider parliamentary scrutiny. "Engagement with elected representatives is not, in itself, a danger to national security and to continue to insist so is hyperbole," it says.
But a move by Labour and Lib Dem MPs to congratulate the Guardian and other media outlets for "responsibly reporting" the disclosures saying they had opened a "wide and international public debate" was voted down by four Tory MPs.
SYvette Cooper, the shadow home secretary, said the report showed there was a cross-party consensus behind Labour's proposals, including reform of the commissioners system and an opposition chair of the ISC. "The government should now set out plans for oversight reforms," she said.
Nick Clegg has also outlined proposals for reforming the oversight system.
Cooper added that the select committee had added their voice to the growing number of MPs, who were calling for reform. She said that the police and security services needed to keep up with the challenges of the digital age but stronger safeguards and limits to protect personal privacy and sustain confidence in their vital were also needed: "The oversight and legal frameworks are now out of date," said the shadow home secretary.Emma Carr, of Big Brother Watch, the privacy campaign group, said: "When a senior committee of parliament says that the current oversight of our intelligence agencies is not fit for purpose, ineffective and undermines the credibility of parliament, the government cannot and must not continue to bury its head in the sand."
Last night, a statement by the Association of Chief Police Officers (Acpo) and the Terrorism and Allied Matters (TAM) Board consisting of assistant commissioner Cressida Dick, chief constable Sara Thornton, chief constable Sir Peter Fahy, chief constable Chris Sims, chief constable Mark Gilmore and chief constable Matt Baggott said they were "concerned" the committee had recommended that responsibility for counter-terrorism policing should be moved to the National Crime Agency.
The statement described it as "a decision that does not appear to supported by the evidence and is based on an apparent misunderstanding of the role played by the Metropolitan Police Service."Counter-terrorism policing is not directed through a single lead force but rather has responsibility vested in nine chief constables across the UK in areas where the threat is considered to be the greatest. These chief constables act collaboratively and effectively on behalf of all forces, while at the same time maintaining close and critical links into local policing."
The statement added: "The Home Secretary has previously confirmed that she will conduct a review of counter-terrorism structures. We welcome any such review and look forward to participating fully and constructively in it. "
The Home Office said: "Our security agencies and law enforcement agencies operate within a strict legal and policy framework and under the tightest of controls and oversight mechanisms. This represents one of the strongest systems of checks and balances and democratic accountability for secret intelligence anywhere in the world."

***David Guyatt*** · 20-09-2014, 09:21 AM

A "stand down" by the CIA - meaning a temporary suspension, and nothing by the NSA who were responsible for the largest volume of spying on allies anyway.

Quote:

CIA stops spying on friendly nations in W. Europe

AP foreign, Saturday September 20 2014

KEN DILANIAN
AP Intelligence Writer= WASHINGTON (AP) Ã¢Â€Â” Stung by the backlash over a German caught selling secrets to the U.S. and the revelations of surveillance by the National Security Agency, the CIA has stopped spying on friendly governments in Western Europe, according to current and former U.S. officials.
The pause in decades of espionage was designed to give CIA officers time to examine whether they were being careful enough and to evaluate whether spying on allies is worth running the risk of discovery, said a U.S. official who has been briefed on the situation.
Under the stand-down order, case officers in Europe largely have been forbidden from undertaking "unilateral operations" such as meeting with sources they have recruited within allied governments. Such clandestine meetings are the bedrock of spying.
CIA officers are still allowed to meet with their counterparts in the host country's intelligence service and conduct joint operations with host country services. Recently, unilateral operations targeting third country nationals Ã¢Â€Â” Russians in France, for example Ã¢Â€Â” were restarted. But meetings with independent sources in the host country remain on hold, as do new recruitments.
The CIA declined to comment.
James Clapper, the director of national intelligence, said during a public event Thursday that the U.S. is assuming more risk because it has stopped spying on "specific targets," though he didn't spell out details.
Spying stand-downs are common after an operation is compromised, but "never this long or this deep," said a former CIA official, who, like others interviewed for this article, spoke on condition of anonymity because it's illegal to discuss classified material or activities. The pause, which has been in effect for about two months, was ordered by senior CIA officials through secret cables.
The pullback comes at an inopportune time, with the U.S. worried about monitoring European extremists who have fought in Syria, Europe's response to Russian aggression and European hostility to American technology companies following revelations the companies turned over data to the NSA. While the U.S. cooperates closely with Europe against terrorism, spying can help American officials understand what their allies are planning and thinking, whether about counterterrorism or trade talks.
The current stand-down was part of the fallout from the July 2 arrest of a 31-year-old employee of the German intelligence service. Suspected of spying for Russia, he told authorities he passed 218 German intelligence documents to the CIA.
In a second case, authorities searched the home and office of a German defense official suspected of spying for the U.S., but he denied doing so, and no charges have been filed against him.
A few days later, Germany asked the CIA station chief in Berlin to leave the country, an unprecedented demand from a U.S. ally. The move demonstrated how seriously the Germans were taking the situation, having already been stung by revelations made by Edward Snowden, a former NSA systems administrator, that the agency had tapped German Chancellor Angela Merkel's mobile phone.
The NSA disclosure infuriated Merkel, who demanded explanations from President Barack Obama. It embarrassed both world leaders and has left many Germans skeptical about cooperating with the U.S.
CIA managers were worried that the incident could lead European security services to begin closely watching CIA personnel. Many agency officers in Europe, operating out of U.S. embassies, have declared their status as intelligence operatives to the host country.
The "EUR" division, as it is known within the CIA, covers Canada, Western Europe and Turkey. While spying on Western European allies is not a top priority, Turkey is considered a high-priority target Ã¢Â€Â” an Islamic country that talks to U.S. adversaries such as Iran, while sharing a border with Syria and Iraq. It was not known to what extent the stand-down affected operations in Turkey.
European countries also are used as safe venues to conduct meetings between CIA officers and their sources from the Middle East and other high-priority areas. Those meetings have been rerouted to other locales while the pause is in place.
The European Division staff has long been considered among the most risk-averse in the agency, several former case officers said, speaking on condition of anonymity because they weren't authorized to discuss secret intelligence matters by name.
A former CIA officer who worked under nonofficial cover wrote a 2008 book in which he described a number of operational "stand-downs" in Europe, including one in France in 1998 because of the World Cup soccer championship, and another in a European country in 2005, in response to unspecified security threats.
The former officer, whose real name has not be disclosed, wrote "The Human Factor: Inside the CIA's Dysfunctional Intelligence Culture," under a pseudonym, Ishmael Jones. He is a former Marine who served 15 years in the agency before resigning in 2006. The CIA acknowledged his status as a case officer when it successfully sued him for publishing the book without first submitting it for pre-publication censorship, as required under his secrecy agreement.
The CIA last faced that sort of blowback from a European ally in 1996, when several of its officers were ordered to leave France. An operation to uncover French positions on world trade talks was unraveled by French authorities because of poor CIA tactics, according to a secret CIA inspector general report, details of which were leaked to reporters.
The Paris flap left the EUR division much less willing to mount risky espionage operations, many former case officers have said.

***David Guyatt*** · 23-09-2014, 10:48 AM

From The Intercept:

Quote:

MAP OF THE STARS

THE NSA AND GCHQ CAMPAIGN AGAINST GERMAN SATELLITE COMPANIES

BY ANDY MÃœLLER-MAGUHN, LAURA POITRAS, MARCEL ROSENBACH, MICHAEL SONTHEIMER, AND CHRISTIAN GROTHOFF
09/14/2014 11:00 AM

"Fuck!" That is the word that comes to the mind of Christian Steffen, the CEO of German satellite communications company Stellar PCS. He is looking at classified documents laying out the scope of something called Treasure Map, a top secret NSA program. Steffen's firm provides internet access to remote portions of the globe via satellite, and what he is looking at tells him that the company, and some of its customers, have been penetrated by the U.S. National Security Agency and British spy agency GCHQ.
Stellar's visibly shaken chief engineer, reviewing the same documents, shares his boss' reaction. "The intelligence services could use this data to shut down the internet in entire African countries that are provided access via our satellite connections," he says.
Treasure Map is a vast NSA campaign to map the global internet. The program doesn't just seek to chart data flows in large traffic channels, such as telecommunications cables. Rather, it seeks to identify and locate every single device that is connected to the internet somewhere in the worldevery smartphone, tablet, and computer"anywhere, all the time," according to NSA documents. Its internal logo depicts a skull superimposed onto a compass, the eyeholes glowing demonic red.

The breathtaking mission is described in a document from the archive of NSA whistleblower Edward Snowden provided to The Intercept and Der Spiegel. Treasure Map's goal is to create an "interactive map of the global internet" in "almost real time." Employees of the so-called "Five Eyes" intelligence allianceEngland, Canada, Australia, and New Zealandcan install and use the program on their own computers. It evokes a kind of Google Earth for global data traffic, a bird's eye view of the planet's digital arteries.(The short film above, Chokepoint, by filmmaker Katy Scoggin and Interceptco-founder Laura Poitras, documents the reactions of Stellar engineers when confronted with evidence that their companyand they themselveshad been surveilled by GCHQ.)
The New York Times reported on the existence of Treasure Map last November. Though the NSA documents indicate that it can be used to monitor "adversaries," and for "computer attack/exploit planning"offering a kind of battlefield map for cyber warfarethey also clearly show that Treasure Map monitors traffic and devices inside the United States. Unnamed intelligence officials told the Times that the program didn't have the capacity to monitor all internet-connected devices, and was focused on foreign networks, as well as the U.S. Defense Department's own computer systems.
A slide from an NSA presentation explaining Treasure Map

The Treasure Map graphics contained in the Snowden archive don't just provide detailed views of global networksthey also note which carriers and internal service provider networks Five Eyes agencies claim to have already penetrated. In graphics generated by the program, some of the "autonomous systems"basically, networks of routers all controlled by one company, referred to by the shorthand "AS"under Treasure Map's watchful eye are marked in red. An NSA legend explains what that means: "Within these AS, there are access points for technical monitoring." In other words, they are under observation.
In one GCHQ document, an AS belonging to Stellar PCS is marked in red, as are networks that belong to two other German firms, Deutsche Telekom AG and Netcologne, which operates a fiber-optic network and provides telephone and internet services to 400,000 customers.
A Treasure Map image from a GCHQ document shows Stellar PCS and other companies marked red, meaning their networks have been penetrated

Deutsche Telekom, of which the German government owns more than 30 percent, is one of the dozen or so international telecommunications companies that operate global networksso-called Tier 1 providers. In Germany alone, Deutsche Telekom claims to provide mobile phone services, internet, and land lines to 60 million customers.
It's not clear from the documents how or where the NSA gained access to the networks. Deutsche Telekom's autonomous system, marked in red, includes several thousand routers worldwide. It has operations in the U.S. and England, and is part of a consortium that operates the TAT14 transatlantic cable system, which stretches from England to the east coast of the U.S. "The accessing of our network by foreign intelligence agencies," said a Telekom spokesperson, "would be completely unacceptable."
The fact that Netcologne is a regional provider, with no international operations, would seem to indicate that the NSA or one of its partners accessed the network from within Germany. If so, that would be a violation of German law and potentially another NSA-related case for German prosecutors, who have been investigating the monitoring of Chancellor Angela Merkel's mobile phone.
Reporters for Der Spiegel, working in collaboration with The Intercept, contacted both companies several weeks ago in order to give them an opportunity to look into the alleged security breaches themselves. The security departments of both firms say they launched intensive investigations, but failed to find any suspicious equipment or data streams leaving the network. The NSA declined to comment for this story, and GCHQ offered no response beyond its boilerplate claim that all its activities are lawful.
Deutsche Telekom and Netcologne are not the first German companies to be pinpointed by Snowden documents as having been successfully hacked by intelligence agencies. In March, Der Spiegel reported on a large-scale attack by GCHQ on German satellite operators Stellar, Cetel, and IABG, all of which offer satellite internet connections to remote regions of the world. All three companies operate their own autonomous systems. And all three are marked red in Treasure Map graphics.
Der Spiegel also contacted 11 of the international providers listed in the Treasure Map document. Four answered, all saying they examined their systems and were unable to find any irregularities. "We would be extremely concerned if a foreign government were to seek unauthorized access to our global networks and infrastructure," said a spokesperson for the Australian telecommunications company Telstra.
The case of Stellar illustrates the lengths to which GCHG and NSA have gone in making their secret map of the internet, and its users.
One document, from GCHQ's Network Analysis Center, lays out what appears to be an attack on Stellar. The document lists "central employees" at the company, and states that they should be identified and "tasked." To "task" somebody, in signals intelligence jargon, is to engage in electronic surveillance. In addition to Stellar CEO Christian Steffen, nine other employees are named in the document.
The attack on Stellar has notable similarities with the GCHQ surveillance operation targeting the Belgian provider Belgacom, which Der Spiegelreported last year. There too, the GCHQ Network Analysis department penetrated deeply into the Belgacom network and that of its subsidiary BICS by hacking employee computers. They then prepared routers for cyber attacks.
Der Spiegel reporters visited Stellar at its headquarters in HÃ¼rth, near Cologne, and presented the documents to Steffen and three of his "tasked" employees. They were able to recognize, among other things, a listing for their central server as well as the company's mail server, which the GCHQ attackers appear to have hacked.
The document also lays out the intelligence gathered from the spying efforts, including an internal table that shows which Stellar customers are being served by which specific satellite transponders. "Those are business secrets and sensitive information," said Stellar's visibly shocked IT chief, Ali Fares, who is himself cited in the document as an employee to be "tasked."
The Stellar officials expressed alarm when they saw the password for the central server of an important customer. The significance of the theft is immense, Fares said. "This is really disturbing."
Steffen, after spitting out his four-letter assessment, said he considers the documents to constitute proof that his company's systems were breached illegally. "The hacked server has always stood behind our company's own firewall," he said. "The only way of accessing it is if you first successfully break into our network." The company in question is no longer a customer with Stellar.
When asked if there are any reasons that would prompt England, a European Union partner country, to take such an aggressive approach to Stellar, Steffen shrugged his shoulders, perplexed. "Our customer traffic doesn't run across conventional fiber optic lines," he said. "In the eyes of intelligence services, we are apparently seen as difficult to access." Still, he said, "that doesn't give anyone the right to break in."
"A cyber attack of this nature is a clear criminal offense under German law," he continued. "I want to know why we were a target and exactly how the attack against us was conductedif for no other reason than to be able to protect myself and my customers from this happening again." Steffen wrote a letter to the British ambassador in Berlin asking for an explanation, but says he never received an answer.
Meanwhile, Deutsche Telekom's security division has conducted a forensic review of important routers in Germany, but has yet to detect anything. Volker Tschersich, who heads the security division, says it's possible the red dots in Treasure Map can be explained as access to the TAT14 cable, in which Telekom occupies a frequency band in England and the U.S. At the end of last week, the company informed Germany's Federal Office for Information Security of the findings of Der Speigels reporting.
The classified documents also indicate that other data from Germany contributes to keeping the global treasure map up to date. Of the 13 servers the NSA operates around the world in order to track current data flows on the open Internet, one is located somewhere in Germany.
Like the other servers, this one, which feeds data into the secret NSA network, is "covered" in an inconspicuous "data center."

***Magda Hassan*** · 23-09-2014, 10:56 AM

David Guyatt Wrote:From The Intercept:

Quote:

MAP OF THE STARS

THE NSA AND GCHQ CAMPAIGN AGAINST GERMAN SATELLITE COMPANIES

BY ANDY MÃœLLER-MAGUHN, LAURA POITRAS, MARCEL ROSENBACH, MICHAEL SONTHEIMER, AND CHRISTIAN GROTHOFF
09/14/2014 11:00 AM

"Fuck!" That is the word that comes to the mind of Christian Steffen, the CEO of German satellite communications company Stellar PCS. He is looking at classified documents laying out the scope of something called Treasure Map, a top secret NSA program. Steffen's firm provides internet access to remote portions of the globe via satellite, and what he is looking at tells him that the company, and some of its customers, have been penetrated by the U.S. National Security Agency and British spy agency GCHQ.
Stellar's visibly shaken chief engineer, reviewing the same documents, shares his boss' reaction. "The intelligence services could use this data to shut down the internet in entire African countries that are provided access via our satellite connections," he says.
Treasure Map is a vast NSA campaign to map the global internet. The program doesn't just seek to chart data flows in large traffic channels, such as telecommunications cables. Rather, it seeks to identify and locate every single device that is connected to the internet somewhere in the worldevery smartphone, tablet, and computer"anywhere, all the time," according to NSA documents. Its internal logo depicts a skull superimposed onto a compass, the eyeholes glowing demonic red.

Merkel and co really should reassess Germany's position on the Ukraine NATO thing. The USA is not Germany's friend. Never has never will be.

Login
Username:
Password:	Lost Password?
	Remember me

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	Dumbo : how the CIA blind surveillance cameras	Magda Hassan	0	34,034	14-08-2017, 12:16 AM Last Post: Magda Hassan
	HR 658 Authorizes 30.000 surveillance drones over the USA - to be increased!	Peter Lemkin	8	17,474	31-01-2017, 02:50 AM Last Post: Magda Hassan
	AP Sues US Govâ€™t over Fake FBI News Article Booby Trapped with Surveillance Virus	Magda Hassan	0	5,822	06-12-2015, 02:39 PM Last Post: Magda Hassan
	Panopticon of global surveillance	Magda Hassan	179	73,127	14-02-2015, 07:26 PM Last Post: R.K. Locke
	'Five Eyes' surveillance pact should be published, Strasbourg court told	Magda Hassan	1	3,978	09-09-2014, 09:34 AM Last Post: David Guyatt
	Defensive Shift - Turning the Tables on Surveillance	Magda Hassan	0	3,595	26-08-2014, 03:14 PM Last Post: Magda Hassan
	Israeli Intelligence Eavesdropped on Kerryâ€™s Phone During Palestine-Israel Peace Talks	Magda Hassan	3	5,215	07-08-2014, 06:42 AM Last Post: Peter Lemkin
	Ministers to pass law tracking mollie phone	David Guyatt	0	3,188	07-07-2014, 09:24 AM Last Post: David Guyatt
	Surveillance Capitalism	Magda Hassan	0	3,138	05-07-2014, 02:44 AM Last Post: Magda Hassan
	Biggest anti-mass surveillance event in the U.K.	Magda Hassan	2	6,117	12-06-2014, 10:05 AM Last Post: Magda Hassan