• Tag Archives privacy
  • Congress, Remember the 4th Amendment? It’s Time to Stop the U.S.-UK Agreement.

    Unless Congress stops it, foreign police will soon be able to collect and search data on the servers of U.S. Internet companies. They’ll be able to do it without a probable cause warrant, or any oversight from a U.S. judge. This is all happening because of a new law enforcement deal between the U.S. and the United Kingdom. And while it seeks to exclude purely domestic correspondence between U.S. citizens and residents, plenty of Americans’ data will get swept up when they communicate with targeted individuals located abroad.

    This is all happening because, for the first time, the U.S. executive branch is flexing its power to enter into law enforcement agreements under the CLOUD Act. We’ve been strongly opposed to this law since it was introduced last year. The recently signed deal between the U.S. Department of Justice and the U.K. Home Office will allow U.K. police easy access to data held by American companies, regardless of where the data is stored. These U.K. data requests, including demands to collect real-time communications, do not need to meet the standards set by U.S. privacy laws or the 4th Amendment. Similarly, the deal will allow U.S. police to grab information held by British companies without following U.K. privacy laws.

    This deal, negotiated by American and British law enforcement behind closed doors and without public input, will deal a hammer blow to the legal rights of citizens and residents of both countries. And the damage won’t stop there. The U.S.-U.K. Cloud Act Agreement may well become a model for further bilateral deals with other foreign governments and the United States. Earlier this month, Australian law enforcement agencies began negotiating their own deal to directly access private information held by U.S. Internet companies.

    There’s still one possible path to put the brakes on this disastrous U.S.-UK deal: Congress can introduce a joint resolution of disapproval of the agreement within 180 days. This week, EFF has joined 19 other privacy, civil liberties, and human rights organizations to publish a joint letter explaining why Congress must take action to resist this deal.

    No Prior Judicial Authorization

    In the U.S., the standard for when law enforcement can collect stored communications content is clear: police need to get a warrant, based on probable cause. If police want to wiretap an active conversation, they have to satisfy an even higher standard, sometimes called a “super warrant,” that limits both the timing and use of a wiretap. Perhaps most importantly, stored communications warrants and wiretap warrants have to be signed by a U.S. judge, which adds an extra layer of review to whether privacy standards are met. At EFF, a core part of our work is insisting on the importance of a warrant in many different scenarios.

    Judicial authorization is a critical step in the U.S. warrant process. When police search people’s private homes, offices, or devices, they must justify why the search for specific evidence outweighs the presumption that individuals remain free from government intrusion. Judicial authorization acts as a safeguard between citizens and law enforcement. Further, history has shown that police can and will abuse their powers for intimidation, or even personal gain. In colonial times, the British military used general warrants to search through colonists’ houses and seize property—actions that helped fuel a revolution, and formed the basis for the 4th Amendment to the U.S. Constitution.

    Incredibly, the DOJ has just thrown those rights away. Instead of relying on probable cause, the new agreement uses an untested privacy standard that says that orders must be based on a “reasonable justification based on articulable and credible facts, particularity, legality, and severity.” No judge in any country has decided what this means.

    Furthermore, it’s debatable whether UK law even satisfies that standard. As our coalition letter states, “U.K. law on the production of stored content data and live wiretaps do not raise to the standards in the U.S.-U.K. Agreement and indeed at points may be weaker, emphasizing the need for strong safeguards to be written into CLOUD Act Agreements.”

    That’s why we believe any agreement should include prior judicial authorization. The current deal just says that the U.K. must have “review or oversight” by an independent authority. Oversight is much different than prior judicial authorization. That means when a U.S. tech software company is asked to hand over communications and other sensitive data to UK police, the police don’t have to go to an impartial third-party to first review and see if the request complies with the U.S.-UK agreement. This takes away an important check before data is turned over to make sure that privacy rights are not harmed. Importantly, this hurts the rights of non-U.S. people as well because it takes away protections and recourse under U.S. domestic privacy laws.

    No Required Notice to People Under Surveillance

    The U.S.-UK agreement also doesn’t create safeguards that provide notice to the target of a law enforcement order, or any other affected people.

    Without notice, a person won’t be aware that they are under foreign surveillance, won’t be able to hire a lawyer, and won’t be able to examine the evidence against them. Further, the agreement allows U.K. police to request U.S.-based data under U.K. law. People subject to unlawful surveillance won’t be able to exercise legal or constitutional rights they have under U.S. law.

    Unfair and Unequal “Minimization” Procedures

    National police agencies are trying to soft-pedal their demand for this new power by pointing out that it won’t be applied to U.S. persons. But foreign police will be getting Americans’ data. First of all, U.K. police will inevitably scoop up the information of Americans who have been in contact with foreigners who are the official subjects of U.K. police requests. That’s why there are mandatory “minimization” procedures to make sure U.K. police don’t get too much data about U.S. persons, or distribute it too widely.

    As for U.K. citizens and residents, what happens to their data under this agreement isn’t clear. When U.S. police go to British information providers, there are no clear requirements for how the U.S. should even perform minimization. The only requirement on the U.S. is that the agreement be reciprocal, including limitations on targeting people within British territory. But that doesn’t mean that the U.S. won’t still get information about U.K. persons, as long as they’re in communication with a non-U.K. target—just as U.K. police will get from the U.S.

    U.K. Police Can Secretly Gather Evidence to Pursue Low-Level Crimes 

    U.S. Attorney General William Barr has claimed that offering extraordinary access to foreign police is the right thing to do because of the awful crimes they’re pursuing, citing terrorism and crimes against children.

    However, the deal will allow U.K. police to comb through the data of U.S. companies for relatively low-level crimes, including fraud, assault, and simple theft. The only justification U.K. police will have to come up with is that they’re investigating a crime that holds at least a three-year prison sentence in their own country. They could even be investigating acts that aren’t crimes in the U.S. Again, the same holds true for U.S. law enforcement gathering information held in the U.K.—there’s no requirement that a similar crime exists in both countries. It’s worth noting that under U.K. law, a 10-year sentence can also be handed down for criminal copyright infringement.

    No Safeguards for Free Expression

    Under the current system, if a foreign law enforcement agent wants access to protected information in the U.S., both the DOJ and a judge will review the request to make sure it doesn’t violate human rights, or U.S. laws like the First Amendment. This review is a part of the long-standing mutual legal assistance process that lets governments access data stored in other territories, but with procedural safeguards. Under this agreement, there won’t even be a cursory review. In some situations, U.S. authorities won’t even be notified about the foreign agent’s request.

    The CLOUD Act and U.S.-U.K. agreement specifically say that foreign governments shouldn’t be allowed to file requests that “impinge freedom of speech.” But “freedom of speech” has a different meaning in U.S. and in UK law. The U.K. has several laws that potentially violate article 19 of the International Covenant on Civil and Political Rights, as we pointed out last year in a letter signed by EFF and other free expression organizations.

    Under this agreement, it will be up to U.S. tech companies to challenge requests that aren’t compatible with human rights or free speech. As we have seen time and time again, tech companies are not in the best position to understand the nuance of free speech law.

    Congress didn’t give proper thought to the CLOUD Act when it passed last year, and it let fundamental U.S. privacy and speech protections fall to the wayside. Now, Congress shouldn’t double down on its mistake by letting an executive agreement negotiated behind closed doors pass through its halls without review. The 180-day clock is already ticking to protect our privacy. Congress should initiate a joint resolution of disapproval of the U.S.-U.K. agreement, as soon as possible.

    Source: Congress, Remember the 4th Amendment? It’s Time to Stop the U.S.-UK Agreement. | Electronic Frontier Foundation

  • Five Eyes Unlimited: What A Global Anti-Encryption Regime Could Look Like

    This week, the political heads of the intelligence services of Canada, New Zealand, Australia, the United Kingdom, and the United States (the “Five Eyes” alliance) met in Ottawa. The Australian delegation entered the meeting saying publicly that they intended to “thwart the encryption of terrorist messaging.” The final communiqué states more diplomatically that “Ministers and Attorneys General […] noted that encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism. To address these issues, we committed to develop our engagement with communications and technology companies to explore shared solutions.”

    What might their plan be? Is this yet another attempt to ban encryption? A combined effort to compel ISPs and Internet companies to weaken their secure products? At least one leader of a Five Eyes nation has been talking recently about increasing international engagement with technology companies — with a list of laws in her back pocket that are already capable of subverting encryption, and the entire basis of user trust in the Internet.

    Exporting Britain’s Surveillance Regime

    Before she was elevated to the role of Prime Minister by the fallout from Brexit, Theresa May was the author of the UK’s Investigatory Powers bill, which spelled out the UK’s plans for mass surveillance in a post-Snowden world.

    At the unveiling of the bill in 2015, May’s officials performed the traditional dance: they stated that they would be looking at controls on encryption, and then stated definitively that their new proposals included “no backdoors”.

    Sure enough, the word “encryption” does not appear in the Investigatory Powers Act (IPA). That’s because it is written so broadly it doesn’t need to.

    We’ve covered the IPA before at EFF, but it’s worth re-emphasizing some of the powers it grants the British government.

    • Any “communications service provider” can be served with a secret warrant, signed by the Home Secretary. Communications service provider is interpreted extremely broadly to include ISPs, social media platforms, mail services and other messaging services.
    • That warrant can describe a set of people or organizations that the government wants to spy upon.
    • It can require tech companies to insert malware onto their users’ computers, re-engineer their own technology, or use their networks to interfere with any other system.
    • The warrant explicitly allows those companies to violate any other laws in complying with the warrant.
    • Beyond particular warrants, private tech companies operating in the United Kingdom also have to respond to “technical capability notices” which will require them “to provide and maintain the capability to disclose, where practicable, the content of communications or secondary data in an intelligible form,” as well as permit targeted and mass surveillance and government hacking.
    • Tech companies also have to provide the UK government with new product designs in advance, so that the government can have time to require new “technical capabilities” before they are available to customers.

    These capabilities alone already go far beyond the Nineties’ dreams of a blanket ban on crypto. Under the IPA, the UK claims the theoretical ability to order a company like Apple or Facebook to remove secure communication features from their products—while being simultaneously prohibited from telling the public about it.

    Companies could be prohibited from fixing existing vulnerabilities, or required to introduce new ones in forthcoming products. Even incidental users of communication tech could be commandeered to become spies in Her Majesty’s Secret Service: those same powers also allow the UK to, say, instruct a chain of coffee shops to use its free WiFi service to deploy British malware on its customers. (And, yes, coffee shops are given by officials as a valid example of a “communications service provider.”)

    Wouldn’t companies push back against such demands? Possibly: but it’s a much harder fight to win if it’s not just the UK making the demand, but an international coalition of governments putting pressure on them to obey the same powers. This, it seems, is what May’s government wants next.

    The Lowest Common Privacy Denominator

    Since the IPA passed, May has repeatedly declared her intent to create an international agreement on “regulating cyberspace”. The difficulty of enforcing many of the theoretical powers of the IPA makes this particularly pressing.

    The IPA includes language that makes it clear that the UK expects foreign companies to comply with its secret warrants. Realistically, it’s far harder for UK law enforcement to get non-UK technology companies to act as their personal hacking teams. That’s one reason why May’s government has talked up the IPA as a “global gold standard” for surveillance, and one that they hope other countries will adopt.

    In venues like the Five Eyes meeting, we can expect Britain to advocate for others to adopt IPA-like powers. In that, they will certainly be joined by Australia, whose Prime Minister Malcolm Turnbull recently complained in the Australian Parliament that so many tech companies “are based in the United States where a strong libertarian tradition resists Government access to private communications, as the FBI found when Apple would not help unlock the iPhone of the dead San Bernardino terrorist.” Turnbull, it seems, would be happy to adopt the compulsory compliance model of the United Kingdom (as, he implied at the time of the Apple case, would President Trump).

    In the meantime, the British authorities can encourage an intermediary step: other governments may be more likely to offer support for an IPA regime if Britain offers to share the results of its new powers with them.

    Such information-sharing agreements are the raison d’être of the Five Eyes alliance, which began as a program to co-ordinate intelligence operations between the Anglo-American countries. That the debate over encryption is now taking place in a forum originally dedicated to intelligence matters is an indicator that the states still see extracting private communications as an intelligence matter.

    But hacking and the subversion of tech companies isn’t just for spies anymore. The British Act explicitly granted these abilities to conduct “equipment interference” to more than just GCHQ and Britain’s other intelligence agencies. Hacking and secret warrants can now be used by, among others, the civilian police force, inland revenue and border controls. The secrecy and dirty tricks that used to be reserved for fighting agents of foreign powers are now available for use against a wide range of potential suspects.

    With the Investigatory Powers Bill, the United Kingdom is now a country empowered with blunt tools of surveillance that have no comparison in U.S. or any other countries’ law. But, along with its Five Eyes partners, it is also seen as a moderate, liberal democracy, able to be trusted with access and sharing of confidential data. Similarly, Australia is one of the few countries in the world (and the only one of the Five) to legally compel ISPs to log data on their users. Canada conducts the same meta-data surveillance projects as the United States; New Zealand contributes its mass surveillance data to the shared XKEYSCORE project.

    While such data-sharing may be business as usual for the Cold War spies, the risk of such unchecked