
What do your Internet connection records reveal about you?

Not anymore!

When I brought up in a conversation the issue regarding the measures intended to be taken by some governments, in particular the access to Internet connection records foreseen in the UK draft Investigatory Powers Bill, I was quite surprised to realise that some people around me seemed to accept that online privacy should be curtailed in order to ensure stronger security, a view with which I strongly disagree.

But more importantly for this post, they did not consider it excessively intrusive.

And then I just realised that, notwithstanding the fact that the Internet is an intrinsic part of our daily lives, many are simply clueless about the detailed digital fingerprint they leave behind, website after website visited, and how revealing that is.

It never ceases to amaze me how, in this Internet-dependent era, so many people actually ignore how much information regarding their lives, habits, and ultimately, their privacy is at stake.

It is one thing to ponder the pros and cons of registering on a website or downloading an app and to take a decision accordingly. It is another, completely different, to simply be unaware of the risks, to not wonder: what is done with this information?… And subsequently to take completely uninformed decisions, and to form and convincingly express opinions on flawed grounds.

Let’s be clear here: to have access to someone’s Internet connection records is to have access to their Internet browsing history!

Yes, the very same history some people delete for the most varied reasons, which essentially amount to one and only one: for it not to be known.

Now consider that there is little in our real life that does not reflect in our online activities. From booking flights and hotels, buying books and clothes, or other less random items, online dating, participating in discussion groups and forums, ‘googling’ in general… Imagine, for instance, googling a specific health condition that is worrying you…

And what can be inferred and the correlations which can be made from those searches and websites accessed… From your interests, to your lifestyle, to your personal life and your health…

And, yes, that includes the most embarrassing little details that your browsing history can reveal.

In this context, I would say that the time and number of times you visited a website would be the least worrisome, but even these can be quite informative if a pattern emerges.

Only someone who is not familiar at all with the concept of ‘profiling’ of interests and behaviour and the detailed conclusions which can be reached can argue that the access to the browsing history is not sufficiently revealing and intrusive to raise any concerns from a privacy viewpoint.

This is not about having ‘something to hide’ or ‘anything to be ashamed of’. It is about unwilling exposure and the completely unaware loss of privacy. Even for those who truly believe themselves to be utterly uninteresting, there is certainly something they would rather keep secret. And it is that little bit that should be considered before taking a stance on the issue of government surveillance.

Those who have copies of torrid homemade videos, beware!

Safe enough! Not.

As a comeback after this very long pause, I would like to address a recent ruling of a Portuguese court, which followed the complaint of a woman against her ex-boyfriend, alleging revenge porn due to the online release of an intimate video on related websites.

Grosso modo, the details of the case are as follows: the woman and the man had a relationship. During that period, they mutually agreed to video record sexual interactions, on the condition that that record would never be watched by anyone else.

The quality and the angles of the images allowed for a clear identification of the complainant. The man retained a copy of the record and saved it in his personal computer.

After having ended the relationship, the woman found out that the video had been published and further divulged online, where it was freely available and easily found by a simple and adequate terminological search. Moreover, it was argued that it was viewed by people who personally knew the complainant, namely from her area of residence and workplace.

It was not demonstrated in court that the man was the author of the original online release of the video. As a result, it was not demonstrated that this was a case of revenge porn. However, he admitted that the computer where a copy of the video was saved was frequently used by friends and family members.

Considering this, the court concluded that the man was – due to the abovementioned pre-existing verbal agreement – obliged to keep the copy of the video he retained safe and to perform the necessary acts accordingly.

Therefore, by unrestrainedly permitting access to the computer where a copy of the aforesaid recording was saved, it was deemed that he had consequently violated the duty of appropriately guarding it, i.e., by failing to perform the acts he was obliged to.

The court hence ruled that this failure to properly secure sensitive information regarding the complainant entitled the latter to a pecuniary compensation.

In my opinion, this unprecedented ruling is very welcome as a necessary judicial answer to the proliferation of revenge porn in the online context.

However, while I am fully aware that it is very difficult to judicially sustain allegations of revenge porn and that neither the responsibility of its authors nor the moral damages of the victims should go unanswered, I am really not sure if the success of such claims should rely on the ‘omission’ of an agreed act of keeping a given piece of information secure.

It is evident that nowadays, particularly with regard to computerized information, privacy cannot be dissociated from security. However, recent history demonstrates that even large firms, processing equally sensitive information, with far more resources and despite spending millions on security diligence, are unable to keep personal and sensitive data safe.

Therefore, it must be asked: what can qualify as such an omission when individuals are involved, specifically when it is demonstrated that an individual has no particular knowledge regarding ICT security or is convinced that all the appropriate measures were taken?

In the particular case at stake, it seems that it was the negligence – the permission of access to the computer where a copy of the video was saved – that was deemed determinant to qualify the conduct as a relevant omission.

Nevertheless, considering the lack of objective criteria, would it make a difference if the video was saved on the desktop as ‘wildnightsexwith(girlfriend’sname).mp4’ or if it was in a personal account in the computer and he forgot to log off, thus enabling others to access his personal files?

Anyway, as this is certainly the first of many rulings on similar factual issues, the courts will have plenty of opportunities to clarify the unanswered questions and to define objective criteria – or at least try – in this regard.

The ‘Dick-Pic Programme’

How unfortunate it is that people are not generally very concerned about government mass surveillance… except when pictures of their private parts are involved.

The good news is that there is no such ‘dick-pic programme’. The bad news is that, well, the intelligence services do collect that kind of picture, and they are only a small part of the information which has been collected and – depending on each individual’s exhibitionist tendencies – not the most privacy-infringing one.

A spy in your living room: ‘Tu quoque mi’ TV?

How smart are you?

So, it seems that the room we have for our privacy to bloom is getting smaller and smaller. We already knew that being at home did not automatically imply seclusion. Still, nosy neighbours were, for quite a long time, the only enemies of home privacy.

However, thicker walls and darker window blinds no longer protect us from external snooping as, nowadays, the enemy seems to hide in our living room or even bedroom.

Indeed, it seems that when we bought our super duper and very expensive Smart TV, we actually may have brought to our home a very sneaky and effective – although apparently innocent – spy.

As you may (or may not) already know, TVs with Internet connectivity allow for the collection of their users’ data, including voice recognition and viewing habits. A few days ago many people would have praised those capabilities, as the voice recognition feature is applied for our convenience, i.e., to improve the TV’s response to our voice commands, and the collection of data is intended to provide a customized and more comfortable experience. Currently, I seriously doubt that most of us look at our TV screens the same way.

To start with, there was the realization that usage information, such as our favourite programs and online behaviour, and other information not intended or expected to be collected, are in fact collected by LG Smart TV in order to present targeted ads. And this happens even if the user actually switches off the option of having his data collected to that end. Worse, the data collected even related to external USB hard drives.

More recently, the Samsung Smart TV was also put in the spotlight due to its privacy policy. Someone having attentively read the Samsung Smart TV’s user manual, shared the following excerpt online:

To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you. (…)

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

And people seem to have abruptly woken up to the realization that this voice recognition feature is not only directed at specific commands in order to allow for a better interaction between a user and the device, as it may also actually involve the capture and recording of personal and sensitive information, considering the conversations taking place nearby. No need to be a techie to know that this does not amount to performance improvement. This is eavesdropping. And to make it worse, the data is transferred to a third party.

In the aftermath, Samsung has clarified that it did not retain voice data nor sell the audio being collected. It further explained that a microphone icon is visible on the screen when voice activation was turned on and, consequently, no unexpected recording takes place.

Of course you can now be more careful about what you say around your TV. But as users can activate or deactivate this voice recognition feature, my guess is that most will actually prefer to use the old remote control and to keep the TV as dumb as possible. I mean, just the idea of the possibility of private conversations taking place in front of your TV screen being involuntarily recorded is enough motivation.

Also, it should be pointed out that, considering the personal data at stake (relating to an identified or identifiable person), there are very relevant data protection concerns regarding these situations. Can it simply be accepted that the user has consented to the Terms and Conditions on the TV acquired? Were these very significant terms made clear at any point? It is quite certain that users could not have foreseen, at the time of the purchase, that such deep and extended collection would actually take place. And if so, such consent cannot be considered to have been freely given. It suffices to think that the features used for the collection of data are what make the TV smart in the first place and, therefore, the main reason for buying the product. Moreover, is this collection strictly necessary to the intended service to be provided? When the data at stake involves data from other devices or other wording than the voice commands, the answer cannot be positive. And the transmission of personal data to third parties only makes all this worse, as it is not specified under what conditions data is transmitted to a third party or who that third party actually is. Adding to this, if we consider that these settings mostly come by default, they are certainly not privacy-friendly and amount to stealthy monitoring. Last but not least, it still remains to be seen if the proper data anonymisation/pseudonymisation techniques are effectively put in place.

Nevertheless, these situations brought back into the spotlight the risks to privacy associated with personal devices in the Internet of Things era. As smart devices are more and more present in our households, we are smoothly losing privacy or, at least, our privacy faces greater risks. In fact, it is quite difficult to live nowadays without these technologies, which undoubtedly make our lives so much more comfortable and easier. It is time for people to realize that all this convenience comes with a cost. And a high one.

Sex in the city: Is there a reasonable expectation of privacy when having sex with the lights on?

When I read this post I could not help remembering the discussions within the Privacy module of the post grad learning programme I have recently enrolled in. A particular issue discussed was precisely the legitimate expectation of privacy regarding events which take place in public, such as those analysed in the Peck, Campbell or Von Hannover cases.

In the situation at stake, two office colleagues had sex in the workplace premises, with the lights on, having forgotten to pull the blinds down… and therefore in full view of passers-by and the customers of the pub located right across the street, who were able to observe the full scene, unnoticed from the inside.

The events were recorded by many (how useful are Smartphones in these situations!) and uploaded to the Internet. Obviously, it did not take long to spread both on social media and in the press, and very quickly the couple inadvertently became a viral sensation. Their sexual performance has been broadly gossiped about, commented on, assessed and rated. They have been publicly identified since then and details regarding their personal lives have been exposed.

Putting aside other pertinent considerations regarding what internal proceedings the company should take, I would like to focus on the privacy issues at stake.

Our expectation of privacy does not necessarily depend on the place where the events take place. It is not because something happens in a public space or is visible by the public or from a public place that any reasonable expectation of privacy is automatically excluded. It suffices to think that most of our private life, such as conversations or encounters, actually happens in public. How unfortunate would it be if that mere fact would ultimately deprive us of any expectation of living our lives discreetly. It would not be remotely reasonable to accept that people give up their privacy expectations once they leave their homes. Especially when, considering all the buzz surrounding smart TVs, our privacy is at risk even in our own households.

In this particular case, it was late in the evening and the couple expected to be alone in the office and away from peering eyes. It is unquestionably a quite different situation from that of having sex in broad daylight in a busy street, which would be more appropriately qualified as exhibitionism.

Moreover, the revealing and intimate nature of the activity cannot be ignored, considering that they were undressed and, well, having sex. I would say with some certainty that it is not something that most of us would not mind being watched, recorded and commented on, over and over, on a large scale. And, in spite of being something that the public finds interesting, there is certainly not any public interest at stake.

Furthermore, despite acting in plain sight, the couple was absolutely unaware that their activities were being observed, let alone filmed. They did not give their consent – neither explicitly nor implicitly – for their image to be captured. But, more relevantly, they were certainly oblivious that those images and recordings would be disseminated on a large scale. To be put within the public eye and the public attention which ensued were neither expected nor desired.

The moral damages at stake are evident. On a personal level, the couple has been publicly exposed, scorned, humiliated and shamed. Their dignity and self-esteem have been incessantly injured. At least for one of them, being married and with children, this exposure also has more far-reaching consequences, affecting the family members concerned.

To say that the lesson to be learnt from this is to turn the lights off next time you intend to have sex is the easiest joke to make. However, such situations should not be socially treated so light-heartedly. Namely because with the advanced technologies available, it is getting easier to photograph and record events humiliating for someone. That is how many of the known cyber bullying situations actually start. Technologies are evolving so fast that the general awareness and sensitivity are having a hard time keeping track of the issues at stake.

Perhaps a very good first step would be for people to start accepting that it is not because they can see something, and are able to easily record it and quickly share it online, that it is legitimate to do so. It is so easy to laugh at someone’s expense. And the next big joke could be any of us.

 

Monitoring of employees in the workplace: the very private parts of a job in the EU private sector

Let us all see what you are doing. (Copyright by MrChrome under the CC-BY-3.0)

Whilst not all employers in the U.S.A. monitor their employees’ communications and activities, the majority do so, namely to evaluate their professional performance, to protect trade secrets, to prevent information security breaches or to avoid or reduce their liability in lawsuits.

So, incoming and outgoing email correspondence, telephone calls, websites visited and documents saved on the computer may be only some of the data accessed in this context.

This surveillance of employees’ electronic communications and activities over employer-provided facilities is generally deemed unlawful under European Union law. Member States’ legal systems usually include constitutional laws, telecommunications laws, labour laws and criminal laws which are intended to be dissuasive.

Currently, there is no specific EU legislation regarding the privacy and protection of workers’ personal data at work.

Nevertheless, Article 31(1) of the Charter of Fundamental Rights of the European Union, whose application is mandatory whenever Member States apply EU law, states: “Every worker has the right to working conditions which respect his or her (…) dignity”.

In parallel, there are two EU Directives which can be applicable in these professional contexts. Although they do not specifically deal with any aspect of employment relationships nor address employee monitoring, they establish some privacy principles which are applicable regarding surveillance at workplace. These provisions are then furthered by Member States through their national legislation.

Firstly, we have the 95/46/EC Directive which relates to the protection of individuals with regard to the processing of personal data. Under this framework, data subjects are provided control over the collection, transmission, and use of their personal information. In fact, this instrument foresees that data subjects have the right to be notified of collection of personal information.

In this context, employers have to ensure that their surveillance is legitimate and restricted and must be transparent regarding any surveillance conducted. Any monitoring of employees’ communications and activities, namely regarding the use of e-mail, the internet or phones, without the employees’ knowledge or consent, is unlawful.

Secondly, the 2002/58/EC Directive relates to the processing of personal data and the protection of privacy in the electronic communications sector. The interception of communications over private networks, including e-mails, instant messengers, and phone calls, and generally private communications, is not covered, as the instrument only refers to publicly available electronic communications services in public communication networks.

The European Convention for the Protection of Human Rights and Fundamental Freedoms (hereafter ‘ECHR’), in its article 8, reads as follows: “Everyone has the right to respect for his private and family life, his home, and his correspondence”.

Whilst the right to privacy at work has not yet been considered by the Court of Justice of the European Union, the European Court of Human Rights (hereafter ‘ECtHR’) has already ruled that the right to privacy is not restricted to the household and extends to the workplace environment.

In fact, in Köpke v Germany, the Court stated as follows: “(…) that the concept of private life…may include activities of a professional or business nature and may be concerned in measures effected outside a person’s home or private premises(…)”.

In the Niemietz v. Germany case, the ECtHR included business relations, e-mails, and any other form of electronic communication in the concept of ‘private life and correspondence’, no distinction being made between private or professional correspondence.

In Halford v. UK Gov., the ECtHR held that the employer’s surveillance of the employee’s calls at work unjustifiably interfered with the employee’s right to privacy and correspondence. Communications via e-mail, fax, wireless, and any technological means are covered by the concept of correspondence.

Moreover, in the ruling Copland v United Kingdom, the ECtHR concluded that the fact that the calls or the e-mail usage occur in the office and, at least in theory, are business related, was irrelevant. Business correspondence and telephone calls may contain personal information, which is protected by human rights and by data protection law.

It also found that, even if the telephone monitoring was limited to “the date and length of telephone conversations” and “the numbers dialled,” and does not involve the content of the communications, it still violates article 8 of the ECHR.

The Court stated as well that article 8 is infringed where the monitoring is not previously communicated to the employees, as they have, in consequence, a “reasonable expectation” that they will not be.

However, a worker’s right to privacy at work is not absolute.

In Benediktsdóttir v. Iceland, the ECtHR concluded that the right to privacy and to correspondence has to be balanced with the other rights, namely those of the employer.

In this context, although not legally binding, the Article 29 Working Party (hereafter WP29) opinions provide important guidance. In fact, national data protection authorities take them into account when applying and enforcing national laws.

The WP29 issued an opinion on the processing of personal data in the employment context in 2001, concluding that “[t]here should no longer be any doubt that data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, internet access, video cameras or location data.” Therefore, monitoring must be proportionate, not excessive for the intended purposes, and carried out in the least intrusive way possible. Furthermore, it stated that, under the Data Protection Directive, employers may process data concerning their employees only with “unambiguous consent” or if the processing is “necessary.”

In 2002, the WP29 issued a Working Document on the surveillance of electronic communications in the workplace, in which it was argued that the employee’s right to privacy should be balanced with the legitimate rights and interests of the employer, such as a specific and important business need, for example efficiency or the right to protect the employer from harm caused by employees’ actions. Therefore, the monitoring activities should be necessary, proportionate and transparent.

In the WP29’s viewpoint, any monitoring of electronic communications should be exceptional, namely when necessary to obtain proof of certain actions of the worker; detect unlawful activity; detect viruses; or guarantee the security of its systems. Therefore, concealed or intrusive monitoring is generally unlawful.

In 2005, in its annual report, the WP29 affirmed that “[i]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified.”

The WP29 stressed, in another Opinion, in 2006, that all online communications in the workplace are subject to confidentiality protection, including those sent from workplace equipment for private as well as professional purposes. It suggested seven principles to ensure proper monitoring: necessity regarding a specified purpose; a specified, explicit and legitimate purpose; prior notice to employees about the monitoring; the monitoring should be aimed to safeguard employer’s legitimate interests; personal data processed in connection with any monitoring must be adequate, relevant, and not excessive with regard to the purpose for which they are processed; data must be accurate and not retained for longer than necessary; and appropriate technical and organisational measures shall be implemented regarding security.

The requirements at stake may vary according to the monitoring technologies used, as some will require stricter standards according to the extent of interference with private life. For instance, in Uzun v. Germany, the ECtHR concluded that monitoring via GPS is not as intrusive as telephone tapping.

Considering that the data collected by the employer may constitute sensitive data, it can only be processed in the cases foreseen in Article 7 of the Directive 95/46. In this context, considering the disparity in the contractual positions at stake, the employee’s consent may not be deemed to legitimize the processing.

In this context, it is quite advisable for private employers established in the EU to set up clear and acknowledged internal policies or guidelines regarding the use of Internet and electronic equipment in the workplace, for instance as part of the work contract.

This legal and jurisdictional context highlights the challenge that companies and other organizations face when doing business in the European Union, especially those which also operate under U.S.A. law.


Microsoft or the rider on a white horse of modern times

My hero!

Microsoft has been challenging a USA search warrant, issued within an ongoing narcotics trafficking related investigation, seeking to access the content information of the electronic communications of one of its customers, which are stored exclusively outside the jurisdiction of the USA authorities, more specifically hosted in a data centre in Dublin, Ireland.

The abovementioned warrant would require an extraterritorial search and seizure of data stored in Microsoft’s Dublin datacenter. The very particular question at stake is if and to what extent a USA warrant compels a USA communications service provider to provide data stored abroad. What is to determine territoriality for a USA based provider with data stored abroad: the location where the data is stored or where the company is headquartered?

Like any other service provider company, Microsoft stores the e-mail messages sent and received by its users and related information in datacenters, both in the USA and abroad, according to the users’ own location and proximity, given at registration, in order to increase the quality of the communications and decrease the network latency (the time it takes for data to get from one designated point to another).

In this specific case, considering that the content is hosted outside the USA, it is quite possible that the customer at stake is a non-US citizen. And this makes this issue all the worse in the post-Snowden age.

In fact, this situation is not so vaguely reminiscent of the statements of Robert Hannigan, the head of the GCHQ, who qualified tech companies as ‘the command and control networks of choice’, precisely because they do not agree to cooperate on some very dubious terms. Or those of James Comey, the FBI director, a strong opponent of the growing market for secure private telecommunications, namely through data encryption technologies that companies such as Apple and Google have built into their Smartphone operating systems.

Needless to say that a “trapdoor” access to the tech companies’ networks by intelligence agencies and law enforcement authorities, in order to collect information about their users, is not a good idea. With such a free access door, there is no guarantee about who else would be able to gain access to these networks.

And it is quite hard to accept the need of such doubtful mechanisms when existing legal mechanisms do exist and allow achieving the same result. They are called warrants.

But it seems that even when using the proper legal mechanisms, some governments fail to understand their territorial limitations with regard to competence and jurisdiction. That is certainly why a USA court assumes to have the authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.

According to the Court which issued the warrant, the specific nature of an SCA warrant (the SCA being the Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order) differs from a normal warrant, compelling the service provider to gather and produce the data itself, rather than authorizing the entrance into the physical premises in order to conduct a search and seizure. In this context, it is not bound by the geographical restrictions of a search warrant and therefore no elements of extraterritoriality are at stake, as Microsoft is merely required to produce information in its possession or control, regardless of the location of that information.

The Court further considered that otherwise it would be sufficient for an individual intending to engage in criminal activities to give false residence information or to establish its residence abroad in order to have his account assigned to a server outside the USA and, thus, evade an SCA warrant.

There are, from what I managed to gather, substantial theoretical ambiguities regarding the interpretation and the historical drafting of the SCA. Nevertheless, there are others which are quite straightforward.

For instance, at an international level, such a unilateral initiative risks negatively interfering with the sovereignty and jurisdiction of another country and may even damage diplomatic relations and foreign policies. The German Government has already stated that it will cease the storage of data with USA cloud providers.

There are indeed proper specific procedures established in bilateral agreements aimed at obtaining criminal evidence located in another country. Take for instance the Mutual Legal Assistance Treaty (MLAT), which is an international instrument designed to facilitate cross-border criminal investigations, concluded between Ireland and the USA. This is precisely because a USA Court Order is no more binding in Ireland than an Irish Court Order would be in the US. For this very reason, the data shouldn’t be transferred from Ireland to the USA other than through such a formal and official channel of co-operation.

However, this mechanism was deemed “slow and laborious” by the USA Court, which also outlined as a negative feature the possibility for one of the parties to decline the request for assistance. Apparently, the main issue is that the requested party may oppose “the exercise of jurisdiction which is in its view extraterritorial and objectionable”. The same Court also considered it an issue that some MLATs require a search warrant to be executed in accordance with the laws of the requested party.

Hmm, quite self-explanatory, isn’t it? The intention is to access the private emails of any customer of a USA-based service provider regardless of where the data is located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

The interpretation according to which the search of digital data occurs where the data is remotely accessed is just a not-so-smart and very unfortunate attempt at bypassing the proper existing mechanisms. And it opens the door to legal uncertainty.

The search of digital data undoubtedly occurs where the data is stored when the company at stake is required to copy the data from the server. The location should dictate the competent jurisdiction. If the court has no competence to obtain some evidence through a court warrant, it cannot circumvent that limitation by compelling Microsoft to do what it has no authority to do itself.

Considering that USA-based companies can be constrained to produce documents stored anywhere worldwide – just because they are based in the USA – fails to acknowledge that different laws apply depending on the jurisdiction where the user is located. For instance, Microsoft would be compelled to breach EU data protection laws, namely the Data Protection Directive [3] and the Framework Decision which regulates data transfers to non-EU Member States [4].

In this context, in a statement issued last November, the Article 29 WP stated as follows:

“a public authority in a non-EU country should not have unrestricted direct access to the data of individuals processed under EU jurisdiction, whatever the conditions of this access and the location of the data. Conflicts of jurisdiction shall be resolved only under certain conditions – e.g. through prior authorisation by a public authority in the EU or through a mutual legal assistance treaty, respectively covering access by foreign law enforcement authorities to data transferred from the EU or to data stored in the EU. Foreign requests must not be served directly to companies under EU jurisdiction.”

Moreover, allowing the USA government such access would create a dangerous precedent, potentially leading other countries to disregard the existing legal mechanisms to seek data stored abroad. Such anarchy is certainly not a desirable outcome!

Anyway, considering the company’s previous relation with the National Security Agency (NSA), I must admit this came as a surprise. After all, among the several very inconvenient and ugly truths, namely regarding the PRISM program, the documents provided by Edward Snowden revealed that Microsoft has collaborated closely with USA intelligence services in order to allow users’ communications to be intercepted, including enabling the NSA to circumvent the company’s own encryption.

This may really be the first time that a company challenges the USA government over a domestic warrant for data held overseas. In the meantime, the Irish government has already expressed its support, along with several other tech companies and consumer privacy advocates.

While this situation outlines the increasing role of private companies as the ultimate defenders of our rights, it brings to the spotlight that the right of protection against illegal access, search and seizure of physical property needs to clearly apply also to the digital world. I mean, if governments are not entitled to freely conduct searches in a building located in another country, I cannot fathom any reason for considering that this power of search would be bestowed on them in regard to the content of an email stored overseas. The information located in the cloud should be covered by an equally high standard of protection and any exchange should be covered by a strict framework. Otherwise, it is the very cloud model that is put at risk and we all know that the trust of customers has been quite challenged already.

References

1. The concept refers to the time it takes for data to get from one designated point to another.
2. The Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order.
3. Directive 95/46/EC
4. The Council Framework Decision 2008/977/JHA

The impact of the attack against Charlie Hebdo on our rights and freedoms

This will be the excuse for more intrusion.


I do not particularly appreciate the work of the satirical magazine Charlie Hebdo. I frequently find it distasteful and offensive. And I do like to live in a society where others are able to freely express themselves and I am able to openly dislike or disagree with them. That is what the right of expression is about. Of course it is not an absolute right and, of course, when the critique is about sensitive issues, such as religion, race, sexual orientation or gender, someone will most certainly get offended. This is not the main purpose of satire. As history shows us, this kind of critique has prompted reflections, discussions and cultural, political and social changes.

That said, a cold-blooded attack was conducted against the headquarters of the magazine, in Paris, and 12 innocent persons were killed, due to the drawing of a cartoon. I cannot help lingering on the absurdity of these words as I write them. And to feel, over again, the shock, the incredulity, the anger, the frustration, the revolt, the hope. And the fear. The fear of this invisible enemy who is able to strike anywhere, at any time, against anybody. The very same feelings that are awakened each time a terrorist attack occurs.

Looking at the solidarity marches held in Paris, it is impossible not to note the unifying effect of this particular attack. It has united those in favour of freedom of speech, freedom of information, and, ultimately, the rule of law and democratic ideals. Values that are so deeply anchored in our mindsets and yet so frequently put at risk. On the other side, it has ignited one of the most powerful and basic feelings, fear. The same fear which has empowered anti-immigration movements with a fresh wave of arguments, increased xenophobia and fed the confusion of concepts such as Muslims, Islamism, extremism and terrorism. As strange as it may be, this event has joined in solidarity conflicting ideals that would not be put side by side otherwise. And this is where the scission happens.

In fact, when individuals feel insecure and threatened, intolerance towards minorities (cultural, ethnic and religious, for instance) arises. It has happened before. It has been happening more frequently due to the economic crisis. And it has happened again a few days ago, considering the almost immediate popularity of some extreme right political parties on social networks.

Moreover, fear does not only compel individuals to pacifically accept the sacrifice of others’ rights and freedoms in order to preserve their own privileges and liberties. In the name of an allegedly bigger value, such as national security, individuals also tend to more easily allow, without questioning, restrictions on their own civil and fundamental rights. Anything to feel safe again or at least live the comfort of that illusion.

Times like these, where these kinds of emotions and beliefs so vividly oppose a common threat, are therefore treacherous. One particular danger lies in the appearance of legitimacy from which certain not so legitimate political ideals and governmental initiatives may benefit.

For instance, in the wake of the abovementioned attack, the French government has notified the European Commission of the impending publication of decrees allowing websites advocating or promoting terrorist practices or ideals to be blocked without the intervention of a judge.

In this particular case, I sincerely fail to see any relation between the attack itself and such online activities or to perceive how such decrees will somehow help to prevent any eventual similar attacks in the future. However, it is most certainly a first step to take control over the content of online communications and to achieve the desired Internet governance. In the wake of Edward Snowden’s revelations, it had already been made clear how interesting our communications can be to some intelligence services. Of course, if censorship can ever be defensible, it is particularly in this case. Nevertheless, it is a very hazardous path. Where to draw the limit? What guarantees do we have that this is not just the climbing of the first step of the staircase? When will surveillance measures be enough?

Furthermore, the fight against terrorism being primarily within their competence, and in what seems to be the result of passionate emotions and precipitation, some EU Member States are already developing extra security measures. No surprise here. Following a terrorist attack, it is quite common for governments to push for increased surveillance.

I have to admit that I am very sceptical with regard to the efficiency of more intrusive government surveillance. I do believe that surveillance needs to be conducted in order to tackle terrorism. But the police and the intelligence services do already conduct surveillance activities which allow for the identification of people involved in terrorist activities. For instance, the brothers Cherif and Said Kouachi, the authors of the attack conducted against Charlie Hebdo, were already known to the security services and this has not prevented the horrific murder of those people. Moreover, Charlie Hebdo was already known as a potential target, as it had been firebombed in 2011.

So to argue that more invasive powers of surveillance on a larger scale, which will imply treating everyone as a suspect, are required in order to prevent future attacks is very unconvincing. Surveillance must be targeted and limited and the competence of courts with regard to restrictions on individuals’ fundamental rights cannot be diluted.

Considering the existing fear, it is very easy to turn terrorist attacks into the perfect excuse for the practice of mass surveillance and full government control over the Internet. However, this would get us dangerously close to the very same political regimes we are so proud to differ from. Contrary to what some of us might think or say, we do not want to risk living in a society where we are all monitored and afraid to express ourselves. Mass surveillance does not only violate our privacy, it also undermines our ability to speak freely. In this context, the line to censorship can be smoothly crossed. Which is the opposite of what Charlie Hebdo actually stands for.

I mean, if this attack was primarily directed at the freedom of expression of a democratic country, counter-attacking on the same freedom of expression – although in its online manifestation – does seem a little bit odd. Shouldn’t we aim for precisely the opposite: to protect the very rights and freedoms that have been attacked? Our freedoms are not protected by further limitations.

At the EU level, border management, internal security, the travelling of “foreign fighters” and online terrorist propaganda were already very vivid concerns. In the wake of the Charlie Hebdo attacks, the European Commission has pledged to present a new programme to fight terrorism. Under the present scenario, it is very likely that the discussions regarding an EU PNR will be boosted.

Only time will tell to what extent these terrorist attacks were able to affect our core values. But in the aftermath, it seems that, if the intention of the attack was to undermine our fundamental rights, in the long run, they may be successful.

 


© 2018 The Public Privacy
