Cloud Computing at Risk? The Political Impact of the Surveillance Revelations

Similar documents
TEXTS ADOPTED. having regard to the Treaties, and in particular to Articles 2, 3, 4 and 6 of the Treaty on European Union (TEU),

DRAFT MOTION FOR A RESOLUTION

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT

IMPLEMENTATION GUIDELINES FOR THE PRINCIPLES ON FREEDOM OF EXPRESSION AND PRIVACY

Comments and suggestions on the Terms of Reference for drafting a Second Optional Protocol to the Cybercrime Convention

Proposal of an European Citizens Initiative (ECI) on strengthening Protection of Data Privacy

Working Document on surveillance of electronic communications for intelligence and national security purposes

EUROPEAN PARLIAMENT. Committee on Civil Liberties, Justice and Home Affairs (8958/2004 C6-0198/ /0813(CNS))

State Security And Personal Liberty In The Digital Age. 1. State surveillance for legitimate national security & interests

European Parliament resolution of 16 February 2012 on the recent political developments in Hungary (2012/2511(RSP))

TEXTS ADOPTED PART II. United in diversity. at the sitting of. Wednesday 5 May 2010 EUROPEAN PARLIAMENT

INTRODUCTION TO THE STUDY OF EU LAW PROFESSOR SIR DAVID EDWARD

Committee on Civil Liberties, Justice and Home Affairs

September Council of Europe. Privacy and Internet. Loreta Vioiu. Administrator Internet Governance Unit

General remarks. B. Key concepts

Analysis of the Ethiopia Charities and Societies Proclamation 00/ 2008

EU Charter of Fundamental Rights

The draft General Data Protection Regulation

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT. Committee on Civil Liberties, Justice and Home Affairs

The principle of proportionality in EU law


CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

4. EU Charter of Fundamental Rights

Regulating Surveillance

Briefing on Investigatory Powers Bill Prepared for the Public Bill Committee March 2016

Answers to Questionnaire: Spain

EDRi analysis on the most dangerous flexibilities allowed by the General Data Protection Regulation (*)

A. General public international law

STAFF CODE OF CONDUCT

MILLICOM S POLICY FOR LAW ENFORCEMENT ASSISTANCE AND MAJOR EVENTS

Admiral Michael S. Rogers NSA/CSS Fort Meade, MD November 4, Admiral Rogers:

WORKING PAPER. Brussels, 29 January 2018 WK 1019/2018 INIT LIMITE CONOP COMER CFSP/PESC ECO UD ATO

Fairness and transparency are fundamental bases for our business and our guiding principle for dealing with employees and clients.

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 SUPPLEMENTARY SUBMISSION

Statewatch. Detection technologies and democracy

Group Policy - Freedom of Expression in Telecommunications

International and Transorganizational Information Flow of Tracking Data

Handbuch Code of Conduct url:consense://produktiv/d Our success is based on satisfied customers

ARTICLE 29 DATA PROTECTION WORKING PARTY

The European Union's New Ambitions

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

Achieving GDPR Compliance with Avature

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

Peter Hustinx European Data Protection Supervisor. European Leadership in Privacy and Data Protection 1

11th Conference on Data Protection and Data Security - DuD 2009 Berlin, 8 June 2009

Organizational Accountability and Privacy Compliance

EU data protection reform

Committee on Civil Liberties, Justice and Home Affairs. of the Committee on Civil Liberties, Justice and Home Affairs

Amending the (Dutch) Constitution?

6280/18 CFP/agi 1 DGC 2A

Class Unification of Law - Uniform Law (Rechtsvereinheitlichung) Summer term 2015

Online Ads: A new challenge for privacy? Jörg Polakiewicz*

Briefing Agenda (as at 15 th March 2010) (All 1 st June sessions in English) 1 st June, 2010

COUNCIL OF THE EUROPEAN UNION. Brussels, 18 May /11 FREMP 54 JAI 319 COHOM 132 JURINFO 31 JUSTCIV 129

Prince Edward Island

PENAL IMITS TO THE FREEDOM OF EXPRESSION PhD Thesis ABSTRACT

Constitution for Europe

Dutch Data Protection Authority - Annual Report 2013

Strong and independent data protection authorities: the bedrock of the EU's data protection reform

CM1702. Note on the interparliamentary scrutiny of Europol

EUROPEAN DATA PROTECTION SUPERVISOR

The institutions of the European Union. The Treaty of Rome 1957.

Class Unification of Law - Uniform Law (Rechtsvereinheitlichung) Summer term 2016

The European Ombudsman and the right to good administration as a fundamental right: conceptual issues

Presenting a live 90-minute webinar with interactive Q&A. Today s faculty features:

UK Law Enforcement and GDPR

JOINT DECLARATION ON COMBATING TERRORISM

JUS 5630 / 1630: Privacy and Data Protection Law. Lecture Overview, Spring 2018

REPORT. EN United in diversity EN A7-0139/

International Standards of Elections

REDDISH VALE HIGH SCHOOL PRIMARY PRIVACY NOTICE

Meeting environmental Justice A critical overview of environmental policies in the European Union

Departmental Disclosure Statement

RECORD OF PROCESSING OPERATIONS

ACCESS TO INFORMATION AND FIGHT AGAINST CORRUPTION

POLICE COOPERATION LEGAL BASIS OBJECTIVES ACHIEVEMENTS

Code of Conduct. English Edition

EU Law making process

(Text with EEA relevance) Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Data Protection Policy

Background Paper by James X. Dempsey, Jennifer Stoddart, Fred H. Cate, and Martin Abrams. May 2014

The German Federal Data Protection Authority- The BfDI

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

SUSTAINABLE DEVELOPMENT GOALS: Target 16.10

European Data Protection Supervisor (Controleur europeen de la protection des donnees)

DGD 2 EUROPEAN UNION. Brussels, 2 December 2015 (OR. en) 2014/0339 (COD) PE-CONS 56/15 PROAPP 20 CATS 97 CODEC 1284

Preparing for the General Data Protection Regulation (GDPR)

Privacy Impact Assessment: Standard Operating Procedure

This document has been provided by the International Center for Not-for-Profit Law (ICNL).

Data Flow Mapping and the EU GDPR

From 0 60: Privacy and the New Generation of Connected Cars The European Perspective

GDPR in SAP. June, Igor Gregurec

General Data Protection Regulation (GDPR) Business Guide

Sierra Leone s draft Access to Information Bill

GDPR Webinar 4: Data Protection Impact Assessments

Technical factsheet: General Data Protection Regulation (GDPR) April 2018

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

AP COMPARATIVE GOVERNMENT AND POLITICS 2011 SCORING GUIDELINES

Transcription:

Cloud Computing at Risk? The Political Impact of the Surveillance Revelations Ninja Marnau Independent Centre for Privacy Protection Schleswig-Holstein TClouds No. 257243 Trustworthy Clouds - Privacy and Resilience for Internet-scale Critical Infrastructure

What happened? National security authorities surveillance activities : Massive collection, retention and analysis of metadata around the globe Wiretapping of international communication cables and Internet Exchange Points Backdoors/direct access to commodity software and communication infrastructure Excessive options to force providers to hand out users data Access to financial transactions via SWIFT network Purposeful vulnerabilities of encrypted communication (SSL, VPN) Compromising of other encryption standards? 2

Why is that problematic? National security provisions got completely out of hand since 2001 Lack of proportionality of laws and measures Lack of transparency (secret laws and gag orders) Non-functioning national democratic control Non-functioning judicial scrutiny (secret courts with dubious staffing, secret decisions) No information to the subjects No possibility for legal actions Discrimination of foreign citizens 3

The actual power of national security authorities infringes the essential separation of powersof a democratic state. 4

Trustworthy Clouds 5

Trustworthy Clouds 6

Economic Consequences Asian countries: Mandatory PRISM security checks for authorities, review of used software and providers Global: CSA surveyon theimpactofthrevelations(207 non US anwers, most from Europe) 56% less likely to use US CSP 10% cancelledatleast oneprojectwithan US CSP 31% noimpacton usageofus CSP 3% morelikelytousea US CSP 7

Economic Consequences Global: Information Technology & Innovation Foundation(ITIF) forcast: Between21.5 and35 billionus dollarsdropin revenueoverthe next3 yearsforus CSPs Germany: BITKOM survey 2/3 of internet users have lost trust in communication confidentiality 19% will reduce their usage of US-based internet services 8

Political Consequences Transfers of personal data within the EU rely on the fiction of comparable data protection levels Certain level of trust between the member states regarding industrial espionage EP Committee on Civil Liberties, Justice and Home Affairs is investigating QCHQ s activities 9

Political Consequences For legitimization of personal data transfer to the USA, the EU has acknowledged the Safe-Harbor Principles, PNR records and to some extent SWIFT Safe Harbor has always been criticised by DPAs All big US CSPs are Safe Harbor self-certified Actual Wording of the principles: adherence to these principles may be limited [ ] to the extent necessary to meet national security, public interests, or law enforcement requirements 10

After PRISM/Bullrun: Political Consequences Commissioner Redingannounced a re-evaluation of Safe Harbor until the end of the year Article 29 Working Party will independently assess PRISM and especially the role of the FISA court German DPAs refrain from further data transfer authorization on basis of Safe Harbor 11

Is the EU Data Protection Regulation the solution? 12

A look at the proposal One directly applicable data protection law for the EU BUT: Article 2 (2) This Regulation does not apply to the processing of personal data a) in the course of an activity which falls outside of the scope of Union law, in particular concerning national security b) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. 13

Is the UN International Covenant on Civil and Political Rights (ICCPR) the solution? 14

A look at the ICCPR UN treaty from 1966 (most states of the world have signed) Signing parties commit to respect the civil and political of individuals Art. 17 (1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence 15

Problems: A look at the ICCPR 1. What is considered unlawful? 2. National implementation is lacking (e.g. USA) 3. UN Human Rights Committee has no enforcement power 4. Only an optional protocol allows citizens to enforce their rights legally (not signed by many states, e.g. USA) ICCPR is nice but toothless 16

So, what now? 17

References CSA CSA Survey Results: Government Access to Information, July 2013 https://downloads.cloudsecurityalliance.org/initiatives/surveys/nsa_prism/csa-govtaccess-survey-july-2013.pdf ITIF How Much Will PRISM Cost The U.S. Cloud Computing Industry?, August 2013 http://www2.itif.org/2013-cloud-computing-costs.pdf BITKOM Internetnutzerwerdenmisstrauisch, July 2013 http://www.bitkom.org/de/presse/8477_76831.aspx Art. 29 WP s Letter to Viviane Reding, August 2013 http://ec.europa.eu/justice/data-protection/article-29/documentation/otherdocument/files/2013/20130813_letter_to_vp_reding_final_en.pdf Conference of German data protection commissioners press release intelligence services constitute a massive threat to data traffic between Germany and countries outside Europe, July 2013 http://www.bfdi.bund.de/shareddocs/publikationen/entschliessungssammlung/ergae nzendedokumente/pmdsk_safeharbor_eng.pdf? blob=publicationfile 18

Thanks! www.tclouds-project.eu "The TClouds project has received funding from the European Union's Seventh Framework Programme ([FP7/2007-2013]) under grant agreement number ICT-257243. 19

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback