lambda 7.03
June, 2001
Jerome Thorel, Paris
Update June 29

Contents:

+ Short-circuits: Supreme Court case and Carnivore; Bug hunters unveil special weapon

+ Euro cops challenge privacy guidelines, forbid anonymous access to advanced networks - strong lobbying from the US

+ Echelon spotted by European Parliament - US trade policy link-up with intelligence services

 

Short-circuits

http://www.bugnosis.org/

This month the Privacy Foundation unveiled a new piece of software to detect and eliminate "spyware" and "web bugs" that send private data to unwanted parties (it works only on a Windows PC with the IE 5.0 browser).

 

From EPIC newsletter, June 15, 2001.

Supreme Court Rules on Thermal Imaging Case - Carnivore email collection system under attack.

In a 5-4 opinion written by Justice Scalia, the U.S. Supreme Court held in Kyllo v. United States that the warrantless use of a thermal imaging device to detect heat emanating from a person's residence constituted an illegal search under the Fourth Amendment.

In 1992, Danny Lee Kyllo was arrested after Oregon police searched his home and found more than 100 marijuana plants growing inside. The search warrant was obtained after the police scanned the roofs and walls of Kyllo's home with a thermal imager to detect the infrared rays radiating from the halide lamps typically used to grow marijuana. Kyllo pleaded guilty to the charges, conditioned on his ability to challenge the constitutionality of the search. Although the District Court and Ninth Circuit rejected his Fourth Amendment claim, the Supreme Court reversed, stating that "[w]here, as here, the government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a 'search' and is presumptively unreasonable without a warrant." (...)

On June 14, House Majority Leader Dick Armey (R-TX) sent a letter to Attorney General John Ashcroft drawing a parallel between the Supreme Court's majority opinion in Kyllo v. United States and the FBI's controversial continued use of the Carnivore Internet surveillance system. In the letter, Rep. Armey asks whether, similar to thermal imaging, Carnivore "undermines the minimum expectation that individuals have that their personal electronic communications will not be examined by law enforcement devices unless a specific court warrant has been issued."

+ Kyllo v. United States, No. 99-8508:
http://www.supremecourtus.gov/opinions/00pdf/99-8508.pdf

June 14 Letter from House Majority Leader Armey to Attorney General Ashcroft regarding Carnivore (DCS-1000):
http://www.freedom.gov/library/technology/ashcroftletter.asp

"Armey to Press Opposition to Net Wiretaps", By JOHN SCHWARTZ, The New York Times:
http://dailynews.yahoo.com/h/nyt/20010615/tc/armey_to_press_opposition_to_net_wiretaps_1.html

 

ENFOPOL LOBBY CHALLENGES EU PRIVACY LAWS


- Foreword -

 

" Evidence obtained with the aid of Internet traffic data

" The following example shows how traffic data can be used in an investigation into a classic crime. A woman had been found dead in the basement of her house. In her computer, numerous e-mails and some information on newsgroups were found. The content of these messages guided the police towards a person whom it was possible to identify thanks to the traffic data on the messages. However, no formal evidence made it possible to link the man to the crime. During a search at the man's home, investigators found other messages that appeared in the victim's computer. They also discovered some texts in the attacker's computer that showed how the crime had been premeditated. The man was sentenced to death. (...)"

From "ENFOPOL 71, ECO 316, REV 1 LIMITE - COUNCIL OF THE EUROPEAN UNION Brussels, 27 November 2000" (emphasis added)

http://www.statewatch.org/news/2001/apr/12855.1.00.htm
 
 

Paris, June 15, 2001. -- This curious apology for the death penalty appeared in a restricted "ENFOPOL" document from the Council of the European Union, published on May 16 by the British civil rights group Statewatch. The so-called "Enfopol" group is the Police Cooperation Working Party, made up of police experts from every member state. To fight cybercrime they want to oblige operators of "advanced networks" (IP, GSM, GPRS, UMTS...) to retain traffic logs routinely, so that users can be identified before any investigation has started.

While Britain was said to be asking for a storage period of 7 years, the majority now claims that 12 months could be enough, while privacy officials favor 3 months at most.

The ENFOPOL requirements were supposed to be cleared by EU Justice and Home Affairs ministers at their May 28-29 meeting in Brussels. But they dropped the case -- for now (see the June 29 update below).

Too hot to handle? Or bad timing? At the same time, European policy makers were busy condemning the privacy threats posed by the US-led Echelon spying network: on May 18 the European Parliament's Temporary Committee published a draft report after 11 months of investigation (see details below), in which Britain and Germany were officially criticized for breaching European privacy law.

 

[UPDATE JUNE 29]

EU COUNCIL APPROVES DATA RETENTION PRINCIPLE DESPITE COMMISSION'S FIERCE OPPOSITION

From a Statewatch news alert, June 28, 2001

At the Telecommunications Council in Brussels on Wednesday, 27 June, the Council of the EU (the 15 EU governments) agreed, unanimously, a position on the new Directive on data protection and privacy in the telecommunications sector. This would mean inserting a "Recital" which will allow Member States to adopt laws at national level to require network and services providers to retain traffic data for use by the law enforcement agencies.

The European Commission maintained its opposition to the move, which will completely undermine current EU law which says that traffic data may only be kept for billing purposes (ie: to meet the needs of the customer). The Commission now hopes that the European Parliament will defend the existing law which protects citizens from surveillance. Under the co-decision procedure all three EU institutions have to agree on the new measure.

The Council could not agree on a formulation to change the substantive text in Article 6.1 on traffic data, but the strength of the lobby by some Member States, led by the UK, to breach current privacy and data protection rights in the interests of "law 'n order" carried the day.

This was despite the declared opposition of the European Commission and the EU's Data Protection Working Party, which declared that such a move would fundamentally undermine people's rights under the European Convention on Human Rights and threaten democracy itself.

+ Special Report / Statewatch
http://www.statewatch.org/soseurope.htm

+ (June 26) Background documents about the telecoms' ministers meeting
http://www.statewatch.org/news/2001/jun/07retention.htm

+ EU's Data Protection Working Party's letter to the EU Council (dated June 7, signed by the DPWP's president, Stefano Rodotà): http://www.statewatch.org/news/2001/jun/07Rodota.pdf

 

US lobbying (again)

 

The extract quoted above ("Evidence obtained with the aid of Internet traffic data"), in which ENFOPOL experts present the death penalty as a legitimate way to conclude a 'modern' criminal investigation, is revealing. The EU may have drawn too much inspiration from a well-known North American state, since all 15 EU members have removed the death penalty from their criminal codes.

It is also a reminder that the ENFOPOL meetings emerged in the wake of the US FBI's efforts to lobby OECD and G8 states on telecom surveillance within the informal ILETS group (International Law Enforcement Telecommunications Seminar), founded secretly in the early 1990s. Statewatch was the first organisation to report on the behind-the-scenes influence of the FBI on a 1995 resolution passed by the European Council ("lawful access to advanced network communications").

Statewatch revealed last month that the latest ILETS meeting, held in November 1999 (Saint Cyr au Mont d'Or, near Lyon, France), concluded that:

"All delegations (had to) consider options for improving the retention of data by Communications Service Providers".

ILETS urges EU countries to modify Directive 97/66 on personal data and privacy in the telecommunications sector,

"which orders the operators to erase or to make anonymous historic data upon the termination of a call"

http://www.statewatch.org/news/2001/may/03Denfopol.htm

 

Anonymity paranoia

 

This 1997 Directive (thanks to ILETS' intervention?) is under review for modification. A draft version (Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector) was proposed by the European Commission in Brussels on 12 July 2000. But ENFOPOL experts were still unhappy with it.

 

The "ENFOPOL 71" paper (Nov. 27, 2000) states:

"Various delegations (B/D/F/NL/S/UK) expressed misgivings about the implications of the Directive, in particular Article 6, where it is stated that "traffic data relating to subscribers and users processed for the purpose of the transmission of a communication and stored by the provider of a public communications network or service must be erased or made anonymous upon completion of the transmission.""

 

The latest ENFOPOL requirements are summarised in the "ENFOPOL 29" paper (March 30, 2001). They are seeking:

i) to stop the deletion of telecommunications data which is required under the law as laid down in the EC Directives on data protection and privacy;

ii) to stop users having anonymity in their communications (attack on cybercafes);

iii) to ensure that the law enforcement and security agencies have access to the retained/archived data;

iv) to ensure that data is retained, in the first instance, for at least 12 months - once the EC Directives are breached they can argue for seven years, ten years or more later.

http://www.statewatch.org/news/2001/may/03Genfolpol.htm

Further arguments:

"Each operator is generally required to delete the traffic data or render them inaccessible at the end of each call (or at the latest when the time required for their commercial processing has elapsed). ... The issue of storing connection data therefore seems crucial. ...

"At present the issue of the storage of connection data and the length of that storage is clearly the weak link in the fight against cyber-crime. As witness, few countries have a legal requirement concerning the length of time connection data must be kept."

Public internet cafés are regarded as a new threat:

"It is also imperative that a solution be found to the problems raised by the various forms of anonymity on the World Wide Web, the most significant example being cybercafés, which have been the source of a number of cases of fraud."

 

A consensus seems to favor a "minimum of 12 months" of storage, as Belgium has already written into its new cybercrime law (enacted in February 2001). The proposed law in France (LSI, or Loi sur la société de l'information) also sets 12 months as a "minimum" target, as Spain may decide in its draft LSSI law, reports said. The Netherlands are more pragmatic, requesting just a 3-month period.

Statewatch reports that Britain is still pushing within its own ranks to raise the period to 7 years (yes, seven!). But Britain, Statewatch argues, won't pass any law to that effect; it may prefer to adopt "informal agreements" with telecom and internet operators.

 

Data retention cacophony

Meanwhile, the Council of Europe (not an EU body), a 43-country consultative assembly based in Strasbourg, France, has been working since the end of 1999 on a "Draft Convention on Cyber-Crime". The COE released version 27 of the convention on May 25, 2001. This draft will be submitted to the COE's Committee on Crime Problems in plenary session (18-22 June 2001) and will then be passed to COE member governments for final adoption and ratification.

The draft convention was also prepared with the participation of non-COE members, i.e. the USA, Canada, Japan, South Africa and others.

Article 16, regarding "Expedited preservation of stored computer data", states that countries must adopt laws:

"to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, (and) to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of 90 days, to enable the competent authorities to seek its disclosure."

 

Privacy officials are upset

 

The problem is: the EU's 15 privacy experts strongly disagree with all these requirements. A working group of the Commission (the 'Article 29' or Data Protection Working Party), made up of each country's Data Commissioners, published its "Opinion on the Council of Europe's Draft Convention on Cyber-crime" (March 22, 2001). They said it would be disproportionate to impose a "general surveillance obligation consisting in the routine retention of all traffic data".

Extracts from their opinion (made on v.25 of the Convention):

"The EU Data Protection Commissioners at their Spring 2000 Conference in Stockholm ... adopted a resolution expressing that they "note with concern proposals that ISPs should routinely retain traffic data beyond the requirements of billing purposes in order to permit access by law enforcement bodies. ... Such retention would be an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights. Where traffic data are to be retained in specific cases, there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law." (...)

Nevertheless, the provisions in the draft Convention concerning traffic data raise serious concerns: Articles 29 and 30 on expedited preservation and disclosure of traffic and other data do not provide for the possibility for the requested party to refuse such assistance for data protection reasons, but only for the general grounds (such as "ordre public", sovereignty, security or other essential interests.) (...)

Conclusions (...)

The Working Party therefore sees a need for clarification of the text because their wording is often too vague and confusing and may not qualify as a sufficient basis for relevant laws and mandatory measures that are intended to lawfully limit fundamental rights and freedoms. (...)

The Working Party sees a need to improve the justification of the measures envisaged in terms of necessity, appropriateness and proportionality as required by the Human Rights and Data Protection instruments (...).

http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp41en.htm


In France (CNIL - Commission informatique et libertés) and the UK (IC - Information Commissioner), the privacy authorities consider that 90 days of "connection data" is the maximum our democratic countries could accept. On June 13th, the French government approved the draft LSI law (Parliament may debate it in early 2002) but did not change the 12-month target.

Sources close to the French Industry minister, the main sponsor of the law, said "security officials" fiercely opposed following the CNIL's advice (3 months).

 

From traffic to content data

 

The law, however, says that the "connection logs" concerned by the retention proposals "would not give access to the content of private messages and would not make it possible to list the material consulted".

The lambda has learned that EU Data Commissioners have classified these data into 4 categories (from least to most intrusive):

1) connection data, mainly designed to identify a single user (i.e., IP address) or login account when connected to any fixed or mobile network;
Data Commissioners' requirements >> 1 to 3 months of records prior to official investigations, but only under special circumstances

2) protocol data, designed to learn what kind of networked protocols or channels have been used online (chat rooms, web, IRC or instant messaging) by a single account;
>> no records justified prior to official investigations

3) traffic data, aimed at identifying the user's "friends list" (i.e., 'who speaks/writes to whom', "from"/"to" contact lists, caller/called numbers for phone systems);
>> no records justified prior to official investigations

4) content data, designed to intercept private correspondence and discussions;
>> any records made prior to official investigations would constitute an "illegal interception" and thus would breach basic human rights principles (ECHR).
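As an added illustration (not code from the newsletter or from any of the bodies it cites), the following Python applies the four categories above as a retention policy to constructed ISP session records: connection data is kept for at most 90 days, an assumed figure taken from the 3-month ceiling the privacy officials favour; protocol and traffic data are erased when the session ends unless an official investigation has authorised them for that record; and any stored content field is reported, since the Commissioners treat such a record as an illegal interception. The field names, record layout and sample data are all assumptions made for the example.

```python
"""Apply the four-tier data classification to ISP session records.

Editor's example, not code from the newsletter or from any regulator. Field
names, the 90-day window and the sample records are assumptions.
"""
from datetime import datetime, timedelta
from enum import IntEnum


class Category(IntEnum):
    CONNECTION = 1  # identifies an account or IP address on the network
    PROTOCOL = 2    # which service or channel was used (web, IRC, chat ...)
    TRAFFIC = 3     # who communicated with whom
    CONTENT = 4     # the communication itself


# Which log field belongs to which tier (assumed field names for this example).
FIELD_CATEGORY = {
    "login": Category.CONNECTION,
    "ip": Category.CONNECTION,
    "protocol": Category.PROTOCOL,
    "peer": Category.TRAFFIC,
    "content": Category.CONTENT,
}

# Assumed ceiling for tier 1, taken from the 3-month position of the privacy officials.
CONNECTION_RETENTION = timedelta(days=90)


def retain(record, now, authorised=frozenset()):
    """Return the fields of one session record that may still be held at `now`.

    `authorised` is the set of categories an official investigation has
    authorised for this record. Returns None when nothing identifying is left,
    i.e. the whole record must be erased.
    """
    age = now - record["ended"]
    kept = {"ended": record["ended"]}
    for name, value in record.items():
        cat = FIELD_CATEGORY.get(name)
        if cat is None:
            continue  # bookkeeping fields such as the id and timestamp
        if cat in authorised:
            kept[name] = value
        elif cat is Category.CONNECTION and age <= CONNECTION_RETENTION:
            kept[name] = value
        # tiers 2-4, and tier 1 past the retention window, are erased
    return kept if len(kept) > 1 else None


def purge(records, now, orders=None):
    """Apply the policy to a batch of records.

    `orders` maps a record id to the categories an investigation authorised.
    Returns (retained_records, erased_field_count_per_category,
    ids_of_records_holding_unauthorised_content).
    """
    orders = orders or {}
    retained, erased, unlawful = [], {c: 0 for c in Category}, []
    for rec in records:
        auth = orders.get(rec["id"], frozenset())
        # Content stored without an order is an interception that should never
        # have been recorded: report it, it is erased below like the rest.
        if "content" in rec and Category.CONTENT not in auth:
            unlawful.append(rec["id"])
        kept = retain(rec, now, auth)
        for name in rec:
            cat = FIELD_CATEGORY.get(name)
            if cat is not None and (kept is None or name not in kept):
                erased[cat] += 1
        if kept is not None:
            retained.append(kept)
    return retained, erased, unlawful


# Constructed sample records; not real logs.
NOW = datetime(2001, 6, 29, 12, 0)
SAMPLE_RECORDS = [
    {"id": "s1", "ended": NOW - timedelta(days=2), "login": "alice",
     "ip": "10.0.0.7", "protocol": "irc", "peer": "#chan"},
    {"id": "s2", "ended": NOW - timedelta(days=120), "login": "bob",
     "ip": "10.0.0.9", "protocol": "http"},
    {"id": "s3", "ended": NOW - timedelta(days=5), "login": "carol",
     "ip": "10.0.0.3", "protocol": "smtp", "peer": "dave@example.net",
     "content": "hello"},
]
# Assumed order: an investigation authorised tiers 1 and 3 for session s3 only.
SAMPLE_ORDERS = {"s3": frozenset({Category.CONNECTION, Category.TRAFFIC})}


def demo():
    """Run the policy over the constructed batch."""
    return purge(SAMPLE_RECORDS, NOW, SAMPLE_ORDERS)


if __name__ == "__main__":
    kept, erased, unlawful = demo()
    print("retained:", kept)
    print("erased per tier:", {c.name: n for c, n in erased.items()})
    print("content stored without an order:", unlawful)
```

In the batch, the recent session keeps only its login and IP, the 120-day-old session is erased entirely because its connection data has outlived the window, and the session covered by an order keeps its traffic data but still loses the protocol field and has its stored content flagged.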

 

Lambda comments:

- The search for logs cannot be regarded as a simple extension of physical fingerprinting (even if both are designed to identify somebody).

- The requirements to scan, record and preserve these so-called "traffic data" could be even more intrusive than fingerprints. For example, traffic data such as "who speaks to whom", related to a user's web surfing habits, the forums used, etc., are potentially a more intrusive weapon than any investigation method used today.

- The confusion between "log", "traffic", and "protocols" data is an ideal pretext for governments to extend their investigative powers on "advanced networks".

- The next step would be to require, prior to any official investigation, the same kind of routine storage obligation for "content data" -- just as the British government is about to consider.

- It has been shown in the US with the FBI's "Carnivore" system (real-time collection of emails): it is impossible to discriminate exactly between "content" and "traffic" data when only the latter is authorised by a judge.

- Telephone wiretapping has been accepted (it's a fact) in democratic countries as a legitimate way for the police not to be outpaced by 'modern crime'.

- But the "content data" of electronic communications has a more intrusive impact than phone conversations. Computer files and pictures that reveal private writings and thoughts could not be intercepted by telephone. The electronic medium offers a much wider choice of forms of expression than a mere discussion over a phone.

- To preserve the basic principle of a democratic legal system (the presumption of innocence), an electronic wiretap court order should be more restrictive than a simple wiretap warrant.
 
 

ECHELON SPOTTED (BUT NOT UNPLUGGED) BY EURO PARLIAMENT

The Temporary Committee on the ECHELON interception system, a 36-member semi-investigative group of the European Parliament in Strasbourg, decided to publish its draft report on May 18 -- after leaks of an older version had been unveiled by the Federation of American Scientists.

Later, Duncan Campbell and the German online magazine Telepolis revealed other papers that give further evidence of economic spying on European firms. The US Department of Commerce's Advocacy Center, helped by intelligence services, seems to have played a key role. As Campbell reports, "From 1992 to date Europe is likely to have sustained significant employment and financial loss as a result of the U.S. government policy of "leveling the playing field", introduced in 1991."

The EP report is still a draft. The May 18th version contains some comments about the delegation the Echelon Committee sent to Washington, DC, on May 8-10. The delegation had to cut its visit short because NSA, CIA, State Department and DOC Advocacy Center officials refused to meet the European MPs. There were meetings with DOJ officials and with Congress' select committee on intelligence activities, but no new answers: asked whether Echelon existed, the MPs were given a copy of the American Constitution...

The draft report will be finalized and approved on 20/21 June 2001, and later, with a draft resolution, will be debated by the European Parliament on 3 September 2001.
 
EP REPORT

+ HTML version - emphasis added by Cryptome to highlight comments that were added after the Washington visit.
http://cryptome.org/echelon-ep.htm

+ Pdf version from the EP web site
http://www.europarl.eu.int/tempcom/echelon/pdf/prechelon_en.pdf

Duncan Campbell 2001 report

+ Interception Capabilities - Impact and Exploitation (IC-IE2001), which was presented on 22/23 January 2001 before the Committee:
http://www.heise.de/tp/english/special/ech/7753/1.html

+ COMINT impact on international trade

It sets out, with detailed sources, the case that from 1992 to date Europe is likely to have sustained significant employment and financial loss as a result of the U.S. government policy of "levelling the playing field", introduced in 1991.
http://www.heise.de/tp/deutsch/special/ech/7752/1.html

+ U.S. trade "Success stories" affecting Europe - financial and geographical analysis - a table with contracts, countries defeated, etc:
http://www.heise.de/tp/deutsch/special/ech/7796/1.html

+ COMINT, privacy and human rights

This paper reveals that Britain undertakes to protect the rights of Americans, Canadians and Australians against interception that would not comply with their own domestic law, while offering no protection of any kind to other Europeans. This and other background papers provided to the Echelon committee have prompted them to observe that "possible threats to privacy and to businesses posed by a system of the ECHELON type arise not only from the fact that it is a particularly powerful monitoring system, but also that it operates in a largely legislation-free area."
http://www.heise.de/tp/deutsch/special/ech/7748/1.html

 


lambda / arQuemuse
J. Thorel - June 2001