Categories
Links Writing

An Initial Assessment of CLOUD Agreements

The United States has bilateral CLOUD Act agreements with the United Kingdom and Australia, and Canada also continues to negotiate an agreement with the United States.[1] CLOUD agreements are meant to alleviate some of the challenges attributed to the MLAT process, namely that MLATs can be ponderous, with the result that investigators have difficulty obtaining information from communication providers in a manner deemed timely.

Investigators must conform with their domestic legal requirements and, with CLOUD agreements in place, can serve orders directly on bilateral partners’ communications and electronic service providers. Orders cannot target the domestic residents of a targeted country (i.e., the UK government could not target a US resident or person, and vice versa). Demands also cannot interfere with fundamental rights, such as freedom of speech.[2]

A recent report from Lawfare unpacks the November 2024 report that was produced to explain how the UK and USA governments actually used the powers under their bilateral agreement. It showcases that, so far, the UK government has used this substantially to facilitate wiretap requests, with the UK issuing,

… 20,142 requests to U.S. service providers under the agreement. Over 99.8 percent of those (20,105) were issued under the Investigatory Powers Act, and were for the most part wiretap orders, and fewer than 0.2 percent were overseas production orders for stored communications data (37).

By way of contrast, the “United States made 63 requests to U.K. providers between Oct. 3, 2022, and Oct. 15, 2024. All but one request was for stored information.” Challenges in getting UK providers to respond to US CLOUD Act requests, and American complaints about this, may cause the UK government to “amend the data protection law to remove any doubt about the legality of honoring CLOUD Act requests.”

It will be interesting to further assess how CLOUD Acts operate, in practice, at a time when there is public analysis of how the USA-Australia agreement has been put into effect.


  1. In Canada, the Canadian Bar Association noted in November 2024 that new enabling legislation may be required, including reforms of privacy legislation to authorize providers’ disclosure of information to American investigators. ↩︎
  2. Debates continue about whether protections built into these agreements are sufficient. ↩︎
Categories
Writing

Apple To More Widely Encrypt iCloud Data


Apple has announced it will begin rolling out new data security protections for Americans by the end of 2022, and the rest of the world in 2023. This is a big deal.

One of the biggest, and most serious, gaping holes in the protections that Apple has provided to its users is linked to iCloud. Specifically, while a subset of information has been encrypted such that Apple couldn’t access or disclose the plaintext of communications or content (e.g., Health information, encrypted Apple Notes, etc.), the company did not encrypt device backups, message backups, notes generally, iCloud contents, Photos, and more. The result is that third parties could either compel Apple to disclose information (e.g., by way of warrant) or otherwise subvert Apple’s protections to access stored data (e.g., targeted attacks). Apple’s new security protections will expand the categories of protected data from 14[1] to 23.

I am very supportive of Apple’s decision and frankly congratulate them on the very real courage that it takes to implement something like this. It is:

  • courageous technically, insofar as this is a challenging thing to pull off at the scale at which Apple operates
  • courageous from a business perspective, insofar as it raises the prospect of unhappy customers should they lose access to their data and Apple be unable to assist them
  • courageous legally, insofar as it’s going to inspire a lot of frustration and upset by law enforcement and government agencies around the world

It’ll be absolutely critical to observe how quickly, and how broadly, Apple extends its new security capacities and whether countries are able to pressure Apple to either not deploy them for their residents or roll them back in certain situations. Either way, Apple routinely sets the standard on consumer privacy protections; others in the industry will now be inevitably compared to Apple as either meeting the new standard or failing their own customers in one way or another.

From a Canadian, Australian, or British government point of view, I suspect that Apple’s decision will infuriate law enforcement and security agencies who had placed their hopes on CLOUD Act bilateral agreements to get access to corporate data, such as that held by Apple. Under a CLOUD bilateral, British authorities could, as an example, directly serve a judicially authorised order to Apple about a British resident, to get Apple to disclose information back to the British authorities without having to deal with American authorities. It promised to substantially improve the speed at which countries with bilateral agreements could obtain electronic evidence. Now, it would seem, Apple will largely be unable to assist law enforcement and security agencies when it comes to Apple users who have voluntarily enabled heightened data protections. Apple’s decision will, almost certainly, further inspire governments around the world to double down on their efforts to advance anti-encryption legislation and pass such legislation into law.

Notwithstanding the inevitable government gnashing of teeth, Apple’s approach will represent one of the biggest (voluntary) increases in privacy protection for global users since WhatsApp adopted Signal’s underlying encryption protocols. Tens if not hundreds of millions of people who enable the new data protection will be much safer and more secure in how their data is stored while simultaneously restricting who can access that data without individuals’ own knowledge.

In a world where ‘high-profile’ targets are just people who are social influencers on social media, there are a lot of people who stand to benefit from Apple’s courageous move. I only hope that other companies, such as Google, are courageous enough to follow Apple at some point in the near future.


  1. really, 13, given the issue of iMessage backups being accessible to Apple ↩︎
Categories
Links

Cybercrime Overtakes Traditional Crime in UK

Cybercrime Overtakes Traditional Crime in UK:

The NCA’s Cyber Crime Assessment 2016, released July 7, 2016, highlights the need for stronger law enforcement and business partnership to fight cybercrime. According to the NCA, cybercrime emerged as the largest proportion of total crime in the U.K., with “cyber enabled fraud” making up 36 percent of all crime reported, and “computer misuse” accounting for 17 percent.

“The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the U.K. in 2015,” the report’s authors wrote. “These figures highlight the clear shortfall in established reporting, with only 16,349 cyber dependent and approximately 700,000 cyber-enabled incidents reported to Action Fraud over the same period.”

While there is a persistent issue associated with counting ‘cyber’ events, that UK organizations are highlighting this kind of fraud and espionage so prominently does indicate a real problem is being faced by organizations.

Categories
Links Writing

The Top-Secret Cold War Plan to Keep Soviet Hands Off Middle Eastern Oil

This article discusses how, following the Second World War and the advent of the Cold War, the United States and British governments worked with oil companies to plan ‘denial’ operations should the USSR invade the Middle East. Core to the plan were combined efforts by the CIA and military, along with corporate employees, to strategically blow up parts of the refineries such that the Soviets would be unable to take advantage of the oil reserves, and thus empower the West to invade and ideally retake the strategic resource.

The efforts were developed and iterated on for almost a decade, though towards the end the focus shifted from the USSR and towards nationalist governments in the region. Moreover, what started as a denial approach transformed into one where oil production would be maintained: the thirst for oil on the part of the United States and Britain meant that turning off the taps could be a serious blow to their economic and military efforts.

These were contingency operations but they were taken seriously. Explosives were moved and put in place and the British even established plans for nuclear assaults to prevent the fields from falling into non-Western hands. It raises the question of whether similar kinds of activities are planned, today, or whether cooler heads now are responsible for establishing contingency plans when it comes to core resources that contemporary Western economies rely upon. And would nuclear or other explosives be used, now, or is this where we would see a first and genuinely far-reaching aspect of hard ‘cyber’ power?

Categories
Aside Links

Emergency surveillance bill clears Commons

Emergency surveillance bill clears Commons:

This ‘emergency’ follows the European Court of Justice finding that mass data retention laws in Europe are illegal. In response, the UK government is passing a localized data retention and surveillance bill.

Significantly, the government has stated that:

The government has insisted the ruling throws into doubt existing regulations, meaning communications companies could begin deleting vital data. Ministers claim the bill only reinforces the status quo and does not create new powers.

At issue is that the existing status quo has been deemed illegal. And yet, in response, Parliament has decided to pass more – still illegal – legislation. And so civil liberties groups will bring this into court, spend years fighting, only to have the legislation overturned. And after which, government will likely pass similar, still illegal, legislation. And the wheel of politics will turn on and on and on…

Categories
Quotations

2014.7.12

At a more domestic level, UK communications providers are worried that they could be exposed to legal action because of the unlawful mass surveillance that they were party to – even though on the whole they wanted no part of it.

Well, more precisely, many comms providers wanted no part of it unless the government picked up all the costs (older readers familiar with US law may recall the CALEA legislation that forced communications companies to make their technology wiretap friendly – with much the same response from companies).

There is a view that if the liability for unlawful surveillance rested entirely with the government, there would be no appetite for this legislation. Britain long ago elevated its institutional vandalism of EU legal rights from a science to an art, and then to a sport.

Simon Davies, “Britain takes the Uganda Road to legalise and extend state surveillance”
Categories
Quotations

2013.8.20

In the UK, the public, press, and politicians vigorously debated the Communications Data Bill, a law that would require ISPs and telecommunications providers to keep metadata records for 12 months (as of this writing, the bill has been withdrawn). The US had no discussion of such a bill; something more draconian simply happened through a secret interpretation of the law.

Susan Landau, “Making Sense from Snowden”
Categories
Aside Quotations

2013.4.8

Although some of the core supporters of that group are prone to violence and criminal behaviour, Catt has never been convicted of criminal conduct in connections to the demonstrations he attended. Nonetheless, Catt’s personal information was held on the National Domestic Extremism Database that is maintained by the National Public Order Intelligence Unit. The information held on him included his name, age, description of his appearance and his history of attending political demonstrations. The police had retained a photograph of Mr Catt but it had been destroyed since it was deemed to be unnecessary. The information was accessible to members of the police who engage in investigations on “Smash EDO”.

In the ruling the Court of Appeal departs from earlier judgments by mentioning that the “reasonable expectation of privacy” is not the only factor to take into account in determining whether an individual’s Article 8 (1) right has been infringed. In surveying ECtHR case law, the Court noted that it is also important to check whether personal data has been subjected to systematic processing and if it is entered in a database. The rationale to include consideration of the latter two categories is that in this way authorities can recover information by reference to a particular person. Therefore, “the processing and retention of even publicly available information may involve an interference with the subject’s article 8 rights.” Since in the case of Catt, personal data was retained and ready to be processed, the Court found a violation of Article 8 (1) that requires justification.

Carolin Moeller, “Peaceful Protester’s personal data removed from extremism database”

The removal of Mr. Catt’s data from these databases is a significant victory for him and all those involved in fighting for citizens’ rights. However, the case acts as a clear lens through which we can see how certain facets of the state are actively involved in pseudo-criminalizing dissent: you’re welcome to say or do anything, so long as you’re prepared to be placed under perpetual state suspicion.

Categories
Links

This is not surveillance as we know it: the anatomy of Facebook messages

There are a lot of issues related to ‘wiretapping the Internet.’ A post from Privacy International, from 2012, nicely details the amount of metadata and data fields linked with just a Facebook message and the challenges in ‘just’ picking out certain fields from large lists.

As the organization notes:

Fundamentally, the whole of the request to the Facebook page must be read, at which point the type of message is known, and only then can the technology pretend it didn’t see the earlier parts. Whether this information is kept is often dismissed as “technical detail”, but in fact it is the fundamental point.

We should be wary of government harvesting large amounts of data and then promising to dispose of it; while such actions could be performed, initially, once the data is potentially accessible the laws to legitimize its capture, retention, storage, and processing will almost certainly follow.

Categories
Links Quotations

2013.3.2

At least Britain sort of got it half right. There, to make life easier for stores selling age-restricted items there’s a “Challenge 21” programme, so anyone looking 21 or under is asked for ID, even if the products are restricted to over-18s. Tesco and other large chain stores championed a “Challenge 25” programme just in case someone slipped through the net. Finally some idiot in the seaside resort of Blackpool came up with the idea of “Challenge 30”, which is roundly lambasted across Britain.

But at least these outlets demand high-integrity forms of ID such as driving licences. In the US you can show a picture of your dog pasted on the back of a chocolate biscuit and they’re likely to accept it.

That’s because no-one really knows why they are asking for ID in the first place, and no-one up the chain tells them – mainly because they don’t know either. Everyone just goes through the motions. There’s no way to verify the validity of ID, so everyone just plods along with the security theatre.

Simon Davies, “How a dog and some chocolate biscuits reveal an identity crisis in America”