NSA, GCHQ and even Donald Trump are all after your data

Comment As production and usage of data keeps growing globally, it’s worth remembering that the US government wants access to your information and will use warrants, decryption or hacking to get to it.

That’s not news and the US government has many tools in its box. Many had already heard of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (aka the Patriot Act) as the means by which the FBI would get access to data. Then the Foreign Intelligence Surveillance Act took centre stage (although the original version of this actually predated the Patriot Act by a couple of decades) following the Snowden revelations that the NSA had access to data on a massive scale.

If Donald Trump gets elected as president, he might introduce more snooping powers. As part of his election campaign, he has already issued some tough statements which seem likely to rebalance powers in favour of the US government and away from the tech industry.

His Trumpness wants Apple to make its "damn computers and things" in America and said Amazon will “have such problems” due to its CEO, Jeff Bezos, buying The Washington Post. He even invited the Russians to hack Hillary Clinton’s email, although he later claimed that was a joke (but not seemingly his threat to throw her in jail). At one point he also said he would deport 11 million illegal immigrants and he will need access to a lot of data to make that happen.

In fact, the US government’s broad access to data was one reason why Safe Harbour was invalidated last year following action by Max Schrems. This led to a tense period during which there was confusion over whether EU-US data transfers were still valid. President Obama set up a committee to examine the extent to which the US National Security Agency should continue to have access to data before concluding that, apart from some minor concessions, they should carry on as before. Then along came Privacy Shield which, after a false start, addressed data protection concerns and tech companies are signing up to.

Of course, Privacy Shield will probably be challenged before too long, although Max Schrems says he hopes he won’t be the one who has to bring the case this time.

Tech companies have our backs

The US Stored Communications Act more recently gained prominence as the US government attempted to use this to obtain information that Microsoft was holding in its datacentre in Dublin. The lower court recognised that one mechanism to obtain data stored outside the USA was to make a request to the sovereign government in question under a “Mutual Legal Assistance Treaty”. The judge noted that this could place a “substantial” burden on the government and could “seriously impede” law enforcement efforts and therefore ruled in the government’s favour.

Microsoft refused to comply, putting itself in contempt of court, but was successful on appeal when the Second Circuit Appeals court ruled that “the Stored Communications Act does not authorise courts to issue and enforce against US‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers”.

The battles to get access to data continue with suggestions that the US government will continue to fight Microsoft. In February, the US District Court in Los Angeles ruled that Apple must provide "reasonable technical assistance" to investigators seeking to unlock the data on the iPhone of one of the killers in a shooting rampage in California. This included bypassing the auto-erase function and passcode protection allowing investigators unlimited passcode guesses. Apple resisted and this sparked debate over whether this was correct. Much of the tech industry, including Google, sided with Apple, with the exception of Microsoft founder Bill Gates. In fact, the FBI dropped the case after it paid for a technical hack to overcome the problem, but there are hints that the issue may resurface soon.

Perhaps it’s not surprising that Microsoft, Amazon, Apple, Facebook, Twitter, and a coalition of tech groups are backing a new bill, the International Communications Privacy Act. If passed, this would clarify the legal process for law enforcement officials to gain access of users’ communications stored outside of the USA.

… or do they?

During the Snowden revelations there were allegations that tech companies had built backdoors to their products and services to make it easier for the US government to snoop on data. The companies vociferously denied those claims and it would be sensible to stay away from that topic; except that allegations have recently resurfaced about one of the tech giants – Yahoo! (remember them?).

It is also clear that some larger tech companies have made a land-grab for data for their own uses. Google was criticised for introducing a single privacy policy to combine and centralise the data from its disparate services, including most notably by the French data protection authority, CNIL.

Facebook was censured for collecting user information from WhatsApp, in particular by Hamburg’s data protection regulator. Even Microsoft has faced questions over use of data in the light of its acquisition of LinkedIn and its virtual assistant Cortana.

The position is better in the UK, right?

This wouldn’t happen in the UK, though, where the position is much stronger. After all, we have the current Data Protection Act and the new General Data Protection Regulation on the way, which will become law in the UK before Brexit. Some wonder whether the vote for Brexit means we can repeal this and other EU-imposed “red tape”. For example, the proposal to rename British sausages as “emulsified high-fat offal tubes” and the ban on selling bananas in bunches of more than two or three. Actually, they were imagined up in the “Yes, Minister” TV Christmas special in 1984 and by Boris Johnson respectively.

Whatever post-Brexit laws look like, it seems unlikely that abolition of the protection of personal data will be high up the Brexit agenda. So personal data looks safe for now. Save that both the current Act and the new Regulation allow for exceptions to safeguard national security and defence (section 28 and article 23 respectively in case you’re interested). In the UK there is the Regulation of Investigatory Powers Act, the Counter-Terrorism and Security Act and the draft Investigatory Powers Bill – aka the Snooper’s Charter – which was debated by the House of Lords in September 2016. This will allow the lawful interception of communications, including bulk interception warrants. This sounds a lot like the NSA, doesn’t it? Well, it became clear through the Snowden revelations that while the NSA had its Prism programme, Britain’s GCHQ had its own Tempora programme and they were sharing data.

Data is safe in Germany though?

How many times have you heard (or said) “German law requires German data to be kept in Germany”. In an effort to debunk this myth, I interviewed a German legal expert in 2013. He explained that German data protection laws are similar to those in Britain. This shouldn’t come as a surprise as they are both drawn from the EU Data Protection Directive. Germans were outraged when allegations surfaced that the NSA had been tapping Chancellor Angela Merkel's phone. "Spying between friends just isn't on," she told the US government angrily.

Does this mean that the German intelligence agencies don’t snoop? Of course not. The lawyer also pointed out that Germans value their privacy so highly because citizens were subject to Orwellian surveillance during the Third Reich and even afterwards by the (East) German state security service, the Stasi. Snowden also revealed that this hasn’t stopped and the German intelligence service has developed methods of mass surveillance of internet and phone traffic in close partnership with GCHQ. The French, Spanish and Swedish agencies were involved too. In fact, it is probably safe to assume that all national intelligence agencies will be able to snoop on your data.

What to do?

To reduce the likelihood of being snooped by intelligence you could follow the lead of the Russian intelligence service and use manual typewriters. Or you could live in a Scottish croft with no internet access. For the rest of us, we will have to accept that snooping by intelligence agencies is a fact of modern life.

Instead, I suggest you have a clear data management policy, collecting only the data that you actually need and then for only as long as you need it, destroying the data you don’t need. Maybe you should then encrypt the data you do want and hope that the NSA hasn’t finished building its encryption cracking quantum computer. Any better ideas? ®