Tag Archives: UK

The Irish PM, Cabinet Ministers & Head of Police Force use Gmail for Official Business

The leader of the country whose government presides over the data protection compliance of a host of global social media sites uses Gmail for government business.

Let’s just think about that for a second. The guy uses a service who in a 2013 filing, while defending a data-mining lawsuit, said that people have “no legitimate expectation of privacy in information” voluntarily turned over to third parties.

Ireland sits next door to the most surveilled society on the planet who last week passed into law the most intrusive surveillance laws ever enacted in a democracy. This is what the British have publicly declared they are willing to do to their own citizens and foreign residents and they even had the audacity to spin “that the protection of privacy is at the heart of this legislation“.

What do you think they might have in their more covert bag of tricks for use on foreign governments?

One wonders why the Irish so close to the British geographically are as so far removed from realising the national security implications of having a kindergarten knowledge level with respect to mass surveillance, industrial espionage and cyber security.

The whole sorry mess and the puerile responses from the PM’s spokespersons made to queries regarding the Irish prime minister’s use of the service were widely covered in the last two weeks by The Irish Daily Mail and The Irish Mail on Sunday in articles by  Senior Reporter Seán Dunne.

How much of Ireland’s bargaining strategy with respect to the Brexit negotiations will the British authorities possess foreknowledge of when a teeny-bopper hacker who took a few hacking 101 classes at the local tech could access the comms of the Irish politicians centrally involved in the discussion.

This blog has made it’s view of Ireland as a Privacy Advocate and the abilities of the Office of the Data Protection Commission in Ireland well known.

The office of the Data Protection Commissioner in Ireland was established under the 1988 Data Protection Act. The Data Protection Amendment Act, 2003, updated the legislation, implementing the provisions of EU Directive 95/46.

The Acts set out the general principle that individuals should be in a position to control how data relating to them is used. The Data Protection Commissioner is allegedly responsible for upholding the rights of individuals as set out in the Acts, and enforcing the obligations upon data controllers.

The Commissioner is appointed by Government and is allegedly “independent” in the exercise of his or her functions but has fallen foul several times to allegations that they are inherently political in their motives and policy.

The DPC have been censured by The High Court in Ireland regarding their a decision to refuse to investigate a data privacy complaint by Austrian law student Max Schrems against Facebook and his attempt to expose the cosy attitude to abuses of Safe Harbour.

Digital Rights Ireland have also claimed in a 2016 lawsuit that the Irish State has not properly implemented EU legislation on data protection. They claim “Ireland’s data protection authority doesn’t meet the criteria set down by the EU case law for true independence,” it added “As the Irish government has refused to acknowledge this to date, we are turning to the courts to uphold Irish and EU citizens’ fundamental rights.”

The group also claims Ireland has not properly implemented EU legislation that requires data protection authorities to be genuinely independent from the government.

DRI had previously taken a case to the Court of Justice of the European Union that led to an EU data-retention directive, then the basis for Irish law, being thrown out in 2014.

Facebook love the Irish Data Protection Commission as do all the other social media giants who not only get a free run enjoying multi-billion dollar tax breaks while the people of Ireland pay for their free ride with swingeing austerity.

Last week I received an email from Twitter and when I clicked the link I read:

“Twitter’s global operations and data transfer – Our services are a window to the world. They are primarily designed to help people share information around the world instantly. To bring you these services, we operate globally. Twitter, Inc., based in the United States, and Twitter International Company, based in Ireland, (collectively, “we”) provide the services, as explained in the Twitter Terms of Service and Privacy Policy. We have offices, partners, and service providers around the world that help to deliver the services. Your information, which we receive when you use the services, may be transferred to and stored in the United States, Ireland, and other countries where we operate, including through our offices, partners, and service providers. In some of these countries, the privacy and data protection laws and rules on when data may be accessed may differ from those in the country where you live. For a list of the locations where we have offices, please see our company information here.”

The section above that I have highlighted and italicised prompted me to tweet:

I followed this tweet up with an emailed request for clarification – which much like my many failed attempts to acquire the elusive “Blue Tick” was met with a stony silence. Which is code I think for “Please go away Mr. Penrose you are a massive pain in the neck”.

I also sent an email to the lovely Ms. Dixon, Irish Data Protection Commissioner requesting a comment. Do I need to tell you what I received? Well – just in case you own an irony bypass – I received nothing.

When regulation is in the hands of amateurs and when policy is set on subjects by people with no qualifications in the matter and when both of them are in the pay of those they are inspecting then what hope do we have really? Again recognising that some do not recognise rhetorical questions, the answer is that we have none.

END

Official Government Response to “Repeal the new Surveillance Laws (Investigatory Powers Act)” Petition

Dear Graham Penrose,

The Government has responded to the petition you signed – “Repeal the new Surveillance laws (Investigatory Powers Act)”.

Government responded:

The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers. It protects both privacy and security and underwent unprecedented scrutiny before becoming law.

The Government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.

The Investigatory Powers Act transforms the law relating to the use and oversight of Investigatory powers. It strengthens safeguards and introduces world-leading oversight arrangements.

The Act does three key things. First, it brings together powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It makes these powers – and the safeguards that apply to them – clear and understandable.

Second, it radically overhauls the way these powers are authorised and overseen. It introduces a ‘double-lock’ for the most intrusive powers, including interception and all of the bulk capabilities, so warrants require the approval of a Judicial Commissioner. And it creates a powerful new Investigatory Powers Commissioner to oversee how these powers are used.

Third, it ensures powers are fit for the digital age. The Act makes a single new provision for the retention of internet connection records in order for law enforcement to identify the communications service to which a device has connected. This will restore capabilities that have been lost as a result of changes in the way people communicate.

Public scrutiny

The Bill was subject to unprecedented scrutiny prior to and during its passage.

The Bill responded to three independent reports: by David Anderson QC, the Independent Reviewer of Terrorism Legislation; by the Royal United Services Institute’s Independent Surveillance Review Panel; and by the Intelligence and Security Committee of Parliament. All three of those authoritative independent reports agreed a new law was needed.

The Government responded to the recommendations of those reports in the form of a draft Bill, published in November 2015. That draft Bill was submitted for pre-legislative scrutiny by a Joint Committee of both Houses of Parliament. The Intelligence and Security Committee and the House of Commons Science and Technology Committee conducted parallel scrutiny. Between them, those Committees received over 1,500 pages of written submissions and heard oral evidence from the Government, industry, civil liberties groups and many others. The recommendations made by those Committees informed changes to the Bill and the publication of further supporting material.

A revised Bill was introduced in the House of Commons on 1 March, and completed its passage on 16 November, meeting the timetable for legislation set by Parliament during the passage of the Data Retention and Investigatory Powers Act 2014. Over 1,700 amendments to the Bill were tabled and debated during this time.

The Government has adopted an open and consultative approach throughout the passage of this legislation, tabling or accepting a significant number of amendments in both Houses of Parliament in order to improve transparency and strengthen privacy protections. These included enhanced protections for trade unions and journalistic and legally privileged material, and the introduction of a threshold to ensure internet connection records cannot be used to investigate minor crimes.

Privacy and Oversight

The Government has placed privacy at the heart of the Investigatory Powers Act. The Act makes clear the extent to which investigatory powers may be used and the strict safeguards that apply in order to maintain privacy.

A new overarching ‘privacy clause’ was added to make absolutely clear that the protection of privacy is at the heart of this legislation. This privacy clause ensures that in each and every case a public authority must consider whether less intrusive means could be used, and must have regard to human rights and the particular sensitivity of certain information. The powers can only be exercised when it is necessary and proportionate to do so, and the Act includes tough sanctions – including the creation of new criminal offences – for those misusing the powers.
The safeguards in this Act reflect the UK’s international reputation for protecting human rights. The unprecedented transparency and the new safeguards – including the ‘double lock’ for the most sensitive powers – set an international benchmark for how the law can protect both privacy and security.

Home Office

Click this link to view the response online:

https://petition.parliament.uk/petitions/173199?reveal_response=yes

This petition has over 100,000 signatures. The Petitions Committee will consider it for a debate. They can also gather further evidence and press the government for action.

The Committee is made up of 11 MPs, from political parties in government and in opposition. It is entirely independent of the Government. Find out more about the Committee: https://petition.parliament.uk/help#petitions-committee

Thanks,
The Petitions Team
UK Government and Parliament

My Privacy Lobotomy or How I Learned to Stop Worrying & Love the IP Act

(Please Note: This post is a partial reblog. The re-blogged bits are all the bits under the Malcolm Tucker “grenade app” GIF – Featured Image “Bring me Corbyn, Solo & the Wookie” (Credit to @Trouteyes on Twitter))

After weeks of posting hysterical objections to and concerns about the Investigatory Powers Act I now realise that I was worrying needlessly. It suddenly occurred to me that the Investigatory Powers Act is nothing that I should worry about at all. This radical change of heart came as a result of the following statement from the Home Office which Dave Howe on Peerlyst kindly sent to me:

“The safeguards in this Act reflect the UK’s international reputation for protecting human rights. The unprecedented transparency and the new safeguards – including the ‘double lock’ for the most sensitive powers – set an international benchmark for how the law can protect both Privacy and security.”

This is the civil servant who issued the statement:

author

The patronisingly misleading statement has caused me to make an immediate and unconditional U-Turn on my previous opinion of the legislation.

I am now immensely grateful to Theresa May and everyone who had a part in authoring this document. Hopefully it will soon take it’s rightful place alongside the Magna Carta and the Bill of Rights as milestones in the relentless march toward a privacy protected, liberty guaranteed and freedom based utopia.

tucker

Hardly Anyone Has Access To All My Data

Access to my internet connection records is set out in Schedule 4 of the Act and it only says that the following forty plus departments and about 600,000 government employees can mine my private life:

  • Metropolitan Police force
  • City of London Police force
  • Police Forces maintained under section 2 of the Police Act 1996
  • Police Service of Scotland
  • Police Service of Northern Ireland
  • British Transport Police
  • Ministry of Defence Police
  • Royal Navy Police
  • Royal Military Police
  • Royal Air Force Police
  • Security Service
  • Secret Intelligence Service
  • GCHQ
  • Ministry of Defence
  • Department of Health
  • Home Office
  • Ministry of Justice
  • National Crime Agency
  • HM Revenue & Customs
  • Department for Transport
  • Department for Work and Pensions
  • NHS trusts and foundation trusts in England that provide ambulance services
  • Common Services Agency for the Scottish Health Service
  • Competition and Markets Authority
  • Criminal Cases Review Commission
  • Department for Communities in Northern Ireland
  • Department for the Economy in Northern Ireland
  • Department of Justice in Northern Ireland
  • Financial Conduct Authority Fire and rescue authorities under the Fire and Rescue Services Act 2004
  • Food Standards Agency
  • Food Standards Scotland
  • Gambling Commission
  • Labour Abuse Authority
  • Health and Safety Executive
  • Independent Police Complaints Commissioner
  • Information Commissioner
  • NHS Business Services Authority
  • Northern Ireland Ambulance Service Health and Social Care Trust
  • Northern Ireland Fire and Rescue Service Board
  • Northern Ireland Health and Social Care Regional Business Services Organisation
  • Office of Communications Office of the Police Ombudsman for Northern Ireland
  • Police Investigations and Review Commissioner
  • Scottish Ambulance Service Board
  • Scottish Criminal Cases Review Commission
  • Serious Fraud Office
  • Welsh Ambulance Services National Health Service Trust

Hackers

Bulk surveillance of the population and dozens of public authorities with the power to access your internet connection records is a grim turn of events for a democracy.

Unfortunately, bulk collection and storage will also create an irresistible target for malicious actors, massively increasing the risk that your personal data will end up in the hands of:

  • People able to hack / infiltrate your ISP
  • People able to hack / infiltrate your Wi-Fi hotspot provider
  • People able to hack / infiltrate your mobile network operator
  • People able to hack / infiltrate a government department or agency
  • People able to hack / infiltrate the government’s new multi-database request filter

If the events of the past few years are anything to go by, it won’t take long for one or more of these organisations to suffer a security breach. Assuming, of course, that the powers that be manage not to just lose all of your personal data in the post.

So – nothing to worry about at all.

END

NSA, GCHQ, The Five Eyes Handing Ireland Cyber-Security Opportunity

It is perfectly achievable to maintain national security and manage the security risks posed domestically by extremists without instituting mass-surveillance programs of ones own citizens and corporate entities.

While this would seem like common sense, the continuing activities of authorities in the United States of America and the United Kingdom would suggest otherwise. But the French have also dipped a toe (or rather an entire leg) in these waters when after the Paris attacks they expanded the 1955 State of Emergency law and legislated for a French mass-surveillance program.

The implications of the Snowden revelations were slow to filter through to ordinary people not working in the security domain. The NSA, the PRISM program and the Patriot Act had produced a culture of widespread surveillance of ordinary citizens’ activities with the assistance of many household names and brands.

Shocking news. Huge outcry. Much apologising and “contextualising” and “perspective” setting occurred. “Expediency” and “imminent threat” were debated and on it went.

The collaborators in the form of telco’s, social networks, media organisations and household brands went into overdrive to backpedal from the disastrous PR outcome their involvement created.

At the same time – encryption and privacy software companies made wild claims about the strength of their products and hundreds of new entrants emerged to fill the public demand for Private Messaging, Email Encryption, Secure Voice, VPN’s, Proxy Spoofers and other privacy tools – a space previously reserved for paranoid board room members, activists and some well informed underworld organisations.

It was supposed to have been a watershed  – the worst excesses of intelligence agencies exposed and now oversight, accountability and proportionate measures would rule the day.

Not so.

The Investigatory Powers Bill

The Investigatory Powers bill will become law in the United Kingdom sometime toward the end of 2016. Inside this legal maze of mass surveillance facilitators the UK alphabet agencies can now:

  • Hack any device, any network or any service;
  • Perform these hacks without restriction and against any target;
  • Store the resulting information indefinitely;
  • Maintain databases of private and confidential information on any citizen of the United Kingdom or person in the United Kingdom;
  • Targets do not have to be “persons of interest” nor do they have to be of any interest whatsoever – at this time;
  • It is an omnipresent power to simply gather information on everyone, at anytime, from anywhere – without any reason and store it – “just in case”;
  • In the commercial context the law allows the state to pressure any company to perform decryption on any data that they store – on request – without reason or right to appeal;
  • This in so many words means that un-compromised commercially available encryption products will no longer exist in the United Kingdom after the Bill becomes Law and no company that is based in the United Kingdom  can make that claim to its users and no company that stores its data in the United Kingdom can assure it’s users that it is safe from hacking or more likely simply being handed over to whatever department of the government of the United Kingdom asks for it;
  • It also requires communications service providers to maintain an ongoing log of all digital services their users connect to for a full year.

It has been quite rightly criticised widely and has already been named the most extreme law ever passed in a democracy — because it cements the legality of mass surveillance.

The English Speaking World Is Giving Ireland the Chance for Privacy Leadership 

This blog has already discussed the The “Five Eyes” (FVEY‍) intel‍ alliance many times. The organisation unifies elements of the national alphabet agencies of the United Kingdom, the United States, Australia, Canada and New Zealand and their intel gathering infrastructures.

The AA’s in each member country and the terms of their information exchange mandate is encapsulated in the multilateral‍ agreement called the “UKUSA Agreement”.

This alliance and it’s mass-surveillance capabilities leading to large scale undermining of personal freedoms and civil liberty has really only come into its own with the advent of social networks, big data, the cloud and AI.

Brexit, Trump, US Corporation Tax & Mass Surveillance 

Brexit presents challenges for Ireland but it also presents opportunities. This is one of them.

Trump will shortly be in the White House and he has pledged to end the Irish FDI arrangement of convenience with US corporations. His attitude to surveillance is well known and not categorised by its message of restraint.

Brexit, Trump, The Five Eyes, PRISM, the NSA, GCHQ and now the Investigatory Powers Bill are a frontal assault of epic proportions on the right to privacy of citizens in democracies.

A sort of perfect storm of oppression and suppression tools just standing there waiting – in the wings – for a time when someone will come along and use them for the polar opposite purpose of what they were allegedly created for.

Out of Adversity, Opportunity

The opportunity created by this adversity is not to convince Facebook, Google, Microsoft, Yahoo, Paypal, eBay or the host of other US corporations in Ireland who are either facilitators of the surveillance culture or, like Twitter, engaged in widespread in-house censorship.

But if for once the Irish government showed some spine then the opportunity exists to create an entirely new sector catering to the privacy needs of freedom loving citizens and organisations who dwell in jurisdictions governed by these Stasi like surveillance laws.

And the market size? Well, it’s somewhere around seven billion people and rising.

The attitude of these politicians (Trump, May, Valls & Co.) and their intelligence organisations and the new “laws” – in the form of the revised Patriot Act and the Investigatory Powers Bill – means that’s the vast majority of the worlds English speaking population now live under governments who can – legally – invade their privacy at will – whether at home, at work or at leisure – store the information and use it for any purpose, at any time, at any point in the future – for any reason.

But Ireland has a long way to go to create credibility – the view that Ireland is a Privacy Advocate for the world whose lives are described on social media sites whose data is located in the Irish jurisdiction is a total myth.

I dearly hope that for once Ireland can take the lead – despite its size and influence – and act even if out of self-interest as a stopgap for the complete erosion of civil liberty and privacy in the Western World.

 

END