Sunday, February 8, 2015

The Cloud Conspiracy 2008-2014 [31c3]

CCC has grown a bit, hasn’t it. I am very pleased to be here and the first thing I want to do is to apologize for my slides. I know there is far too much information on my slides. It breaks every rule of PowerPoint. So don’t look at the slides maybe but more listen to what I’m saying, because otherwise it won’t make any sense to either of us. To get through some preliminaries. For nine years I was chief privacy adviser at Microsoft and I have to explain a bit about what that job was. I didn’t have any responsibility for legal compliance, thankfully; I didn’t do anything really in US privacy. My job was to advise 40 national technology officers around the world. And a Microsoft national technology officer is a guy with a very big brain, often one or two PhDs, able to function essentially as Microsoft’s ambassador to governments around the world at a very senior level, normally citizens of their own country. In a sense you could boil down their job to: if Steve Ballmer then wanted to get a prime minister on the phone in half an hour, it was the NTO’s job to get that done. So I didn’t know about PRISM when I was at Microsoft, and what I’m about to tell you I deduced from open sources and by deciding to read the American laws, and nobody asked me to do this. What happened to me after that was I explained to a big Microsoft internal strategy conference about cloud computing, with all of the cloud management there, all of my national technology officers there, the deputy general counsel of Microsoft, what I discovered, and I said to my technology officers: look, you ought to know this, if you sell Microsoft cloud computing to your own governments then this means that the NSA can conduct unlimited massive surveillance on that data. So the deputy general counsel at Microsoft turned green. I’ve never seen anyone turn green before but she did. There was dead silence in the room, in the coffee break I was threatened with being fired, and then two months later they did fire me without cause.
So since then I really, from 2011, went around trying to tell as many people as I could about what I discovered. And I’ve given variants of this speech now about 20 times I suppose, but I hope this brings things right up to date as of about two weeks ago, and also I’m gonna tell you some things which I haven’t told before. So the first thing to say is this talk is not about cloud as storage. This is about parallel processing power as a commodity, and in fact this photo is just two photos crammed together: the left is a modern data center and on the right there is a door, a doorway. You probably can’t see the number but the number is 641A. Now how many people know what 641A refers to? Good, okay. So 641A came from the story of the first warrantless wiretapping episode from about 2005 to 2007 and I don’t have time to tell that story, but in fact that doorway contained a deep packet inspection box installed round about 2002 in one of the main AT&T switching centers in San Francisco. So in a sense you could boil down my talk to: how likely is it, legally or technically, that there’s one of those on the right in one of those on the left. So what this talk is going to be mainly about is the law underlying what we now call PRISM, and it is the 2008 Foreign Intelligence Surveillance Act Amendments Act, which when it was passed had a different numbering which needn’t bother us, called 1881a; now everyone calls it section 702, and what it’s about is obtaining foreign intelligence information. It intentionally targets only non-Americans outside the US. When I say only, that is of course ninety-five percent of the world’s population. It’s a blanket authorization for one year. There’s a requirement to minimize access on US persons after collection and to a certain extent before collection, and the provider of these services has to provide the government with all facilities and information to accomplish this acquisition in secret.
So the first point I want to emphasize, which will make sense when we come to the next slide, is this means if you’re not an American you cannot really trust cryptographic services, or in general software services, provided by US companies, because even if that software or that cryptography is sound to begin with, you’re going to receive software updates, and if you’re not an American outside the US a software update could be pushed to you, targeted at you, which is going to subvert your security. If you don’t comply with one of these orders it’s a contempt of the Foreign Intelligence Surveillance Court. If someone in an American company, as Marissa Mayer said last year, if somebody in an American company were to tell, say, a foreign Data Protection Authority, that’s potentially an offence under the Espionage Act. Twenty years in jail or worse. So the providers of the services have complete immunity from civil lawsuits, and all this must be done in a manner consistent with the US Fourth Amendment, and the analysis I’m giving you now is the analysis that I was giving people a year or 18 months before Snowden, verbatim. These slides haven’t been changed. So what is foreign intelligence information? So we have to now go back to the very first FISA act, the very first Foreign Intelligence Surveillance Act in 1978. And the definitions I am showing you, the significant part of what I’m showing you, have not changed since 1978. It’s been that long, and the extraordinary thing is that in the legal literature, the policy literature, there is absolutely nothing written about the part at the bottom in bold. Nothing at all from the perspective of a non-American. See, the print is probably too small, but in the definition of foreign intelligence information you can see the sort of things that you’d expect like money laundering, sabotage, international terrorism, and then there’s the section in bold, and to actually get the text at the bottom you have to unwind two levels of legal definition and substitute them in.
When you boil it down, foreign intelligence information can mean simply information with respect to a foreign-based political organization or foreign territory that relates to the conduct of the foreign affairs of the United States. Nothing necessarily to do with national security, nothing to do with terrorism, nothing to do with crime. Simply if it relates to the foreign policy of the US, which is an incredibly broad definition. You won’t find a definition as broad as that in any other law, I believe. So what is also peculiar about this definition is it’s conditional on nationality. If, again it’s slightly too small to see, but if you are a United States person, that is to say an American citizen or permanent resident, where it says relates would read necessary. Necessary is a very high and strict legal threshold. But if you are a foreigner outside the US, it’s relates: a very very low legal threshold, trivial to pass. So this is the only law as far as I know where the very term of the surveillance information to be obtained is itself conditioned by the nationality of the person. Quite unique. So what this law did in 2008 is it combined three elements for the first time which had actually been there in previous laws. The first [INAUDIBLE], that it only targets non-US persons located outside the US, had actually been there in a stopgap precursor law called the Protect America Act of 2007, but that expired after one year and then they had to do something permanent, which was this. But this idea of only targeting non-US persons located outside the US began with this early law in 2007, and this earlier law of 2007 was essentially designed to clean up the first warrantless wiretapping episode which had been raging in the US press for a couple of years before that. The second thing that it did is much more significant.
In the Electronic Communications Privacy Act of 1986 it defined a term called remote computing services, and when you look at that definition you’ll see that remote computing services, even though it was defined in 1986, is a very good definition of all forms of public cloud computing that we would call today. So this new term of remote computing services was snuck in to the FISA Amendments Act. Nobody apparently noticed it had been put in, and the effect of this was that all the previous such laws had dealt with telecommunication providers, Internet service providers, providers of communication services. By expanding the scope of FISA 702 to include remote computing services it effectively then embraced all of these obligations on providers of cloud computing, and as extraordinary as it may be there was no commentary on this at the time. There’s nothing in the Congressional Research Service, there were no law papers commenting on it, none of the civil society activism at the time noticed this. No reference whatsoever to this addition. The third development, as we discussed, is coming from FISA 1978: it doesn’t have to be about criminality as we would understand it in Europe, national security, the vital interest of the state. It can purely mean political surveillance in the political and economic interests of the US, and surveillance over ordinary lawful democratic activities of people in their own countries exercising their democratic rights and freedoms. So this was designed for mass surveillance of any cloud data relating to US foreign policy, and it contains this extraordinary double discrimination by nationality. Firstly in the fact that in the title of the statute FISA 702 only targets non-Americans outside the US, but also in that conditionality in the very definition of foreign intelligence information. Again, that structure is quite unique in the world.
So you remember that all of this had to be done with regard to the Fourth Amendment, and although it may seem strange today, back in 2012 nobody actually knew whether the Fourth Amendment applied to non-Americans outside the US. I would go to data protection conferences year after year where a representative from the US State Department would make these great [INAUDIBLE] and hymns of praise to the wonders of the Fourth Amendment, and since it was directed to an international audience I think it was reasonable to suppose that the implication was that somehow the Fourth Amendment was protecting everybody in that room. Well, there was a bit of a detective story to find out that it didn’t. It starts with a 1992 Supreme Court case called [INAUDIBLE] that isn’t quite a perfect fit for the cloud situation but it’s sort of the best that we’ve got, and then in 2008 there was a Foreign Intelligence Surveillance Court of Review judgment about the Protect America Act, and this is the case that we now actually know is about Yahoo. It’s called [INAUDIBLE] redacted, and of course a lot of information has now been declassified and come out, but it was actually Yahoo challenging the terms of this Protect America Act, and the judgment came down actually just after the FISA 702 act had been passed. So in the unredacted parts, and this is very surprising because almost all references to this sort of thing are redacted, especially in the newly declassified [INAUDIBLE] stuff, it said that there’s no Fourth Amendment protection for foreign powers reasonably believed to be located outside the US, and further, probable cause as a term meaning a fifty percent likelihood that you’re guilty, a fifty percent likelihood that there is sufficient evidence to show that you are the person the police are looking for in some criminal affair.
When I noticed this in 2010 it appeared on the US court service website for about six months and then disappeared, but fortunately it had been cached by the Federation of American Scientists. There it was in black and white, again in the unredacted parts, this extraordinary idea that if you are a foreigner and outside the US, probable cause doesn’t become probable cause of any criminality, it just becomes probable cause that you are a foreigner. And that’s the sufficient trigger to begin surveillance. So what I’m going to show you next is a little short video clip. It’s a clip primarily with Jameel Jaffer of the American Civil Liberties Union, a very fine privacy advocate at the forefront of challenging some parts of this from the point of view of Americans over the past few years, and he’s talking in front of the House Judiciary Subcommittee hearing in the middle of 2012, because then FISA 702 was expiring, it needed to be renewed, and this is how the dialog went.
- [INAUDIBLE] foreign targets in foreign lands.
- I don’t think that’s the question presented by [INAUDIBLE]
- That’s my question! [laughter] Does it apply?
- I don’t think it does.
- What, you say you don’t think it does?
- Well, in the circumstances of this statute I don’t think it does.
- [INAUDIBLE] Does the Fourth Amendment…
- I was talking about a statute.
- Does the Fourth Amendment apply to foreign nationals in a foreign land?
- It does not.
- Does the Second Amendment apply?
- I don’t know the law…
- The First?
- …but I think no.
- The Eighth?
- I think it depends on circumstances.
- Women’s suffrage, does that apply?
- No.
- That’s my point, they don’t. So we are not talking about surveillance of foreign nationals in foreign lands, right?
- [INAUDIBLE] constitutional [INAUDIBLE] communications.
- That’s my second point.
So the significance of that is that Jameel Jaffer, you know, doing the best job he could as an advocate, was really driven back against the wall to admit that there is no constitutional protection for foreigners in foreign lands, as the charming Texas congressman put it, and also that the US Congress was laughing. They were laughing at the idea that you have privacy rights. That is the plane of political debate in the US, as anyone who’s followed the coverage will know. So I had a bit of luck. I was invited to join some academics writing a report commissioned by the European Parliament on fighting cybercrime, protecting privacy in the cloud… Probably the reason this report was commissioned was to sort of increase the sort of cyber drumbeat of “we must have more intensive surveillance laws”, but I explained all this to my academic colleagues and they thought it was so important they let me write the middle section of the report about all of this, pretty much the analysis I showed you and some more, and this was published in, um, October 2012; the date’s wrong actually, I should say January 2013, and then of course nothing happened. Nobody reads these European Parliament reports, it just sort of sat there on the website for 2 or 3 months, and I was actually watching the renewal of the FISA legislation; they decided to do that, Congress, between Christmas and the New Year, obviously. So I was watching on C-SPAN and I just got fed up, so I started calling up all the journalists that I remembered from my own civil society days. Not much luck. Offered the story to the Guardian, no interest.
To other British newspapers, to The Washington Post and The New York Times, no interest, and then [INAUDIBLE], who of course is now working on The Intercept with Glenn Greenwald, wrote a very tight 800 word summary which then created a little bit of interest in the blogosphere, about 1500 tweets in a week, and then at least from Europe, you know, the general reaction was “how can this possibly be possible, what on earth do we have data protection law for if this is going on?” The US blog reaction was much less, but typically “Oh, those Europeans are kind of upset that we have conspired on them. Who’s gonna stop us?” and that was from a self-described American civil libertarian. So how did all this happen? How is it the case that thousands of European policymakers and data protection officials all over Europe apparently didn’t understand this is happening? Well, I think for almost everyone in this room what I am about to say next is going to be slightly incredible, but we as technologists understand that if you want to encrypt data yourself and you control the algorithm, you control the implementation of the software, you control the key, and then you put that data somewhere else, that’s reasonably safe. But if you want to compute with that data, the meaning of cloud computing, you want to do useful work with that data in somebody else’s data center thousands of miles away, well, there is no technical way to protect that, because even if the data is encrypted on disk, when it passes through the CPU it has to be in plain text to do useful work. Before somebody mentions homomorphic encryption, the cryptographers I talked to tell me that it’s always going to be orders of magnitude too slow for general purpose computing, and amazingly, as far as I can see, European policymakers did not understand this. They bought a whole lot of encryption blah blah blah from the industry that said “Of course we protect you, it’s encrypted, isn’t it.
And yes, we have very good security measures and security policies. Of course it’s impossible. In fact the cloud is more secure.” But apart from that, the general structure of the lobbying from the US government in particular was that US law offers very good protection to its citizens by the Fourth Amendment, as good or better than many European countries, which is true. Therefore don’t worry about the US cloud. But of course you can see the fallacy. Once the data in Europe goes to US jurisdiction, it’s totally vulnerable to laws like FISA 702. What was also happening from about 2009 is a whole slew of what I call cloud wash. Various documents from the US mission to the EU and [INAUDIBLE] proxies, the State Department, law firms: the deeply dubious Hogan Lovells produced a number of frankly deceptive quasi-legal analyses, pure propaganda, with respect to law firms like [INAUDIBLE], and even the European Data Protection Supervisor was making speeches at an event organized by one of the main US lobbyists talking about using new data protection mechanisms to streamline data to the cloud, and ENISA had a very inglorious role in this which I’ll come back to, and then various other, the usual suspects. None of those materials, and I have a collection of 30 or so from before Snowden, mentioned FISA at all, not even the original FISA. There was a lot of concern about the Patriot Act, but the Patriot Act turns out not to actually be the key point to the vulnerability of cloud computing. So, restating what I just said: is cloud mass surveillance a real risk? Well, what we know from what’s been declassified by Snowden so far is that so far the cloud companies have not been coerced to, as it were, internalize a massive surveillance. So far it appears that they have been presented with particular selectors, and you will read enough about what that is, I haven’t got time, but what I want
you to think about for the future is this problem. We agree, I think, that you cannot protect data in cloud computing with encryption, but with the new forms of cloud computing, platform as a service, you have an entirely new way of writing software where, as it were, under the hood if you like, you write the algorithm once and then the platform is supposed to take care of scaling that in a few milliseconds from one CPU to perhaps 2000 CPUs, and in fact the elasticity of cloud computing is probably going to be one of the key competitive advantages for cloud computing in future. So imagine that you want to intercept; well, you have to intercept it at the level where the data makes sense, which could be, you know, somewhere in the software stack, so it’s really not much use plugging in a deep packet inspection box onto the cables connecting the data center, because you might have to have a thousand of those DPI boxes on standby. If the capacity of the algorithm that’s actually running then scales onto many thousand CPUs, you’re going to need that much extra DPI capacity to surveil it, unless you use coercive powers to force the cloud provider to basically build surveillance into the software: you build in surveillance at the necessary levels in the stack so that however that application scales, the surveillance capacity is already there in the software. So I don’t know, and it appears we have no evidence that this is being done today, but it seems to me the writing is on the wall that if governments are going to be wanting to surveil cloud computing systematically they’re going to have to exercise those sorts of powers, and I guess the point I’d like to make is that 702 already provides those powers, even if they have not been used to that extent already. So, and I want to talk more about the European side of the affair and what’s been happening with European data protection regulation. As I think most of you will know, there is a new data protection regulation which has been hung up in the European legislature for about two years, and of course
discussions continue after Snowden about what form it should take, and one whole part of that regulation is concerned with the legal means of exporting EU data outside, and particularly to the US. So in the current Data Protection Directive there are basically these ways of doing it: you can get somebody’s consent, you can rely on Safe Harbor, you can form contracts with specially approved clauses with the person you want to export the data to, and then there’s also something newish called binding corporate rules. Binding corporate rules essentially allow a US corporation to make up their own scout’s honour charter: we really will obey this, and we’ll invent some sanctions on ourselves if anybody breaks the rules, and this is sanctified by a Data Protection Authority. And these were invented actually for fairly reasonable purposes: if a global corporation wants to do all their human resources processing in one center and therefore collect data from all around the world to do that, this was sort of the template idea behind the BCR. But then, I think very dangerously, data protection authorities in cahoots with the big cloud providers thought it would be a very good idea to extend this idea of binding corporate rules to so-called data processors, data processors being entities which supposedly have no decision-taking power over the data they process; they were just acting on instructions from the data controller. So somebody, I’m not going to say who it is, had the brilliant idea: well, let’s adapt this old-fashioned BCR idea for fairly tame purposes to cloud computing, and then we’ve got a template which can basically be the primary vehicle for legitimizing cloud computing in Europe. So the rough idea is Microsoft or whoever gets their BCR-based certification; once they are certified, in the new regulation the Data Protection Authority must accept them, they wouldn’t have any discretion as they do today, and then data can be transferred into, particularly, US-controlled clouds, and then all questions of mass surveillance just disappear into what I
call a puff audit, because the Article 29 Working Party, the committee of European data protection authorities, was so naive that they imagined that somehow a private security auditor, if they inspected a data center and noticed room 641A and they said “whoa, what’s behind that, can I have a look in there?”, may be told “no, of course you can’t, in fact it’s classified information that you even noticed that, and if you tell anyone about that you go to jail for espionage”. Well, data protection authorities were so naive that they thought somehow private security audit could detect these risks of foreign mass surveillance. So this diagram is supposed to show the sort of risk matrix of US 702, and on the left you’ve got three kinds of information: criminal law enforcement, which probably should include most terrorism cases; some bona fide national security, which in European terms we think of as the vital interests of the state; and then essentially foreign policy and political spying for national advantage. And then in terms of the columns you have transfers, and then [INAUDIBLE] in the US. So the red area is not covered by the Fourth Amendment, it’s not covered by EU data protection, it’s not covered by Council of Europe Convention 108, certainly not covered by the cybercrime treaty, and of course it’s not covered by the European Convention on Human Rights, because the US doesn’t recognize that. So all this data for 15 or so years has been completely unprotected. Well, the story moves on, I have to accelerate a bit. In January President Obama made a flagship speech to try and address these concerns, and he’s in an impossible position, because on the one hand he has to assure the American people that 702 in particular is no threat to Americans because it’s designed for foreigners, but then at the same time he has to find some way of reassuring the rest of the world. So what he came up with was a very well written, very well crafted speech, but to me beneath the speech was a new presidential policy directive, PPD-28, and
such, basically there’s a real gotcha in a footnote. Footnote 9 says “this directive is not intended to alter the rules applicable to US persons in Executive Order 12333, FISA or other applicable law”. Just a brief digression: Executive Order 12333 was created by Reagan, and essentially it is a policy directive which covers NSA activities spying entirely outside the United States, when you basically just point at foreigners and there’s no reason to believe Americans are involved; you may have NSA agents infiltrating data centers in some foreign country, that’s what, you know, 12333 is about. It’s policy, it’s not law, and I will come back to that. So in other words, in the small print, in the footnote, all of the reassurances in PPD-28 are basically worthless from the point of view of establishing any kind of equality of rights. There’s still going to be discrimination by US nationality: if you’re a US person then a law enforcement authority would need a particular justified FISC order to the higher legal standard of necessity; if you’re not a US person, basically the NSA just adds your selectors to the list. And we had a report from the Privacy and Civil Liberties Oversight Board, which essentially has no mandate to look out for the interests of non-Americans at all; their analysis of the situation of non-Americans occupied five pages out of 296, and frankly I think it’s misleading, tautologous, [INAUDIBLE], and there has been a vast amount of declassification since, I am not sure which [INAUDIBLE] analyzed, but basically there is this tendency that a lot of the stuff that is redacted, you can tell from the context, the stuff that’s redacted is about the situation of non-Americans. So who did I warn, exactly? I actually first, so I can’t, you see, [INAUDIBLE], from the Open Society Foundations way back in January 2011 I explained it to their committee, not a source in person, what I [INAUDIBLE], made quite an impact on them but they didn’t do anything. They said they only fund existing NGOs, and they’ve done nothing; in fact [INAUDIBLE] has done nothing about surveillance issues in Western Europe in the entire time Open Society Foundations has been operating, if anybody doubts that. I also [INAUDIBLE] in person in March at a conference I attended, and he did nothing. I also went to Privacy International in June; they said they had no resources, and I tried again in October and still no interest from Privacy International, and that pains me to say since I’ve known the guys in Privacy International for more than 15 years, and I’m genuinely baffled by what’s happened to Privacy International. I also in September, when I had actually left Microsoft, [INAUDIBLE] DG Justice, a cabinet-level [INAUDIBLE], the Polish data protection authority, who did nothing, and basically I put one footnote in my slide deck; I showed him an academic article he wrote; he has now become the deputy European Data Protection Supervisor. The Greens were very helpful and had nothing but praise for, in particular, [INAUDIBLE], and they are straight shooters and I’m very grateful for the help they gave me. In September 2012 I had an opportunity to make a speech at the European Academy [INAUDIBLE], where [INAUDIBLE] was there, his deputy, now EDPS, [INAUDIBLE], a representative of the EU Council, and the person in charge of the international transfer section from the CNIL, [INAUDIBLE] Article 29, and I basically explained this, 54 slides with a great deal more legal analysis, again stony silence, but [INAUDIBLE] in action at a different
conference [INAUDIBLE], and then I had some correspondence with the head of ENISA, who basically said they had no mandate, that all of this is excluded from their mandate by national security exemptions; but then of course after Snowden it would seem to be politically impossible for ENISA to say that, so ENISA’s second [INAUDIBLE] really rather bogus and meretricious documents sort of implying that they had factored the sort of risks into their pre-Snowden analysis, which they had not [INAUDIBLE]. I had an opportunity to make a speech to the European Parliament’s parliamentary [INAUDIBLE] for civil liberties in October 2012, again stony silence; the Portuguese DPA put up their hand and said “may I have some details, please”, and I tried to get in contact with the Portuguese DPA, and their response… and then in February 2013, that was when I made the presentation of the European Parliament report that I mentioned before, [INAUDIBLE], and that did make an impact, and immediately afterwards the LIBE committee asked me to draft amendments for the new data protection regulation, but I’m afraid they were mostly ignored or diluted. And then, just a fortnight before Snowden, in May, DG Connect, in charge of cloud policy, I’d been beating them up as well, they finally organized a forum at the offices of Digital Europe. Digital Europe is essentially the trade association for electronics, IT and software companies, largely dominated by US and UK companies, and basically DG Connect said [INAUDIBLE] “if you can convince those hard-nosed [INAUDIBLE] at Digital Europe, we will take you seriously”, and basically they laughed at me, just before Snowden. So what has been the EU Commission’s cloud policy up to date? It was run by Neelie Kroes at DG Connect, and the official EU policy document published around 2012 essentially rejected the idea of trying to make any pan-European cloud, which was sort of safe, because there was no enthusiasm from Member States; basically the member states didn’t really trust each other
anymore, and in the US [INAUDIBLE], so that idea collapsed, to the extent it was ever seriously considered. There was a steering board composed of industry bigwigs, and then various, it’s all candy floss about “trusted cloud Europe”, yada yada, and then after Snowden a new group was set up to try and streamline cloud contracts. I joined that for a while until I realized there was no interest whatsoever in drafting anything which would make surveillance harder or build in deterrence; that just wasn’t the agenda at all. It was simply about making cloud less treacherous from a contractual point of view, which is useful work but nothing to do with stopping surveillance. A particularly pernicious idea is, if you have a cloud contract with a provider, then that provider should be able to basically sub-contract what they’ve contracted with you, so you can glue on a sub-provider, and a sub-provider can glue on a sub-sub-provider, which could of course be in different countries, so you have absolutely no idea where the data is flowing, and the Article 29 data protection authorities were pushing this idea, and when I criticized this they said “Caspar, you don’t understand, our job is not to stall any kind of processing, our job is to find a legal basis to allow it to happen”. That is the mentality still in the core parts of the European data protection [INAUDIBLE]. So really there’s been no substantive change whatsoever in EU cloud policy since [INAUDIBLE], but when you listen to speeches, certainly before the new Commission, of Neelie Kroes [INAUDIBLE], you would hear “it is vital that we get a strong new data protection regulation so that we can deal with all this surveillance stuff”, which is completely false. What the Parliament did, well, after they asked me for some amendments, um, when Snowden happened the Parliament phoned me up and said “Caspar, it’s all true, would you like to write briefing notes for the official European Parliament inquiry”, which I did, and there’s a reference to that in the back of the slide deck, and if you want to read one
thing about all of this then I’d encourage you to read that. It’s only thirty pages but I think it’s one of the best pieces of work done. So after Snowden, basically the LIBE committee, the civil liberties committee, went into a sort of purdah, a lockdown. There was one particular politician who insisted on this, [INAUDIBLE] for the Liberal Democrats, who marvelously lost her seat at the last election so you don’t have to worry about her anymore, [INAUDIBLE]. But anyway, for reasons [INAUDIBLE], essentially LIBE cut itself off from all advice, any interchange really, while what they were cooking up was a compromise, and what emerged out of this purdah was so-called Article 43a, and this is a restoration of a clause which was lost from the penultimate draft before the draft was actually published by the Commission in 2012. What it said is that in the case where you put some data in the cloud and then the US, for example, law enforcement wants to get direct access to that from the cloud provider, well, the cloud provider has got to tell and get permission from the Data Protection Authority to do that. So it sets up a deliberate conflict of law, because you remember, if somebody had done that in respect of a FISA order there’d have been a contempt of the FISC, and possibly endangered themselves under the Espionage Act. So that’s putting the companies in a terrible, terrible squeeze, except, well, think about it: on the one hand you’ve got contempt of the FISC, a very very powerful court in the US, and potentially espionage charges; on the other hand you’ve got fines and a very long dubious process of enforcement by very ponderous European data protection authorities. Fines might get quite big, and then again they might not, so which are you going to choose? So it’s not a credible deterrent, and I was, a key part of the advice and amendments I drafted for the Parliament, but they wouldn’t [INAUDIBLE]. The one good thing the Parliament did do is they removed this BCR for processors, but it’s
likely the Commission and the council and audible 29 has is that a baby we want them put back who is this is a bit outside the scope of the talk but I what to say there’s a lot more apart from this with the new take protection regulations I’ve reluctantly come to the view from having full and his mother but nap I that this is going to be a curse on personal freedom this is going to be an irreversible bureaucratized nation in everyday life I probably will skip going through all the things which are wrong here except just maybe the plot point in the regulation which is going on four times as much text as the original direct a for 450 references to this time I thought processing processing can meet computing with tater or storing the day but as we know but they didn’t know in 1981 when somebody had the bright idea to munch these two ideas together we now know that you can protect stored data encryption but you can’t protect computer data with encryption so this anti-regulation his bills on conceptual sound each these 450 references is inherently ambiguous but it is conflicting to completely incumbents herbal information security situations wanna which which is tractable with technology and the other which is not that’s how messed up the dates conceptually saying to come right up to date I article 29 Working Party came out just this month with that opinion 51 page opinion on the whole surveillance Fang expanding from a shorter opinion they published last year I am it’s a very muddy piece a work day it’s really a long letter have self expel Patito by why they couldn’t reasonably be expected to do anything about this today server they do make some interesting definitive statements the exemption in the EU treaties of is no possibility to invoke the national security for the country alone in order to avoid duplicative EU law and this is a sort of ripoffs to the carve-out in the EU treaties for national security but a course that is the national security member states not a third country and DPAC may suspend day
to place on their existing cuts particularly in Germany content but they haven’t done so so far and they’re also watching the outcome with the Mac gems case which we have got time to talk about now and but they also say article forty three-a this conflict have more the Commission’s idea now put back by the parliament after being lobbied away just before the publication of the original regulation they don’t like it they say it may be a step in the right direction it’s not going to be the solution to all problems but his the the bombshell right at the bottom and it’s not obvious they say that’s if there is any such a $43. 8 they don’t want the job pay basically a be the interior ministry at each country which would take that decision whether to approve or deny the transfer not the independent Data Protection Authority K they don’t want the job in other words within the city complain a lot 29 they failed to reach any consensus that this problem the Foreign Intelligence Surveillance is really anything that should be done by then make maybe have a question or two about that article 29 also have AIDS their own responsibility for this mess back in 2005 in one of a working party documents dealing with all of this they said that one of the reasons they were inventing these PCR in contract structures was up so that transfers they called repeated mass for structural which was that a code for this sort of thing precisely because it is portents should somehow be carried out within these legal frameworks they’re inventing but nine years later they say exactly the opposite they say that these instruments which they invented should not be the basis for these massive structural repetitive transfers some other words of 229 in the fully they got this whole ball rolling in the mid 2000’s as if these preposterous legal mechanisms could possibly contain these risks and now they contradict themselves and walk away with us technology obscenity they also don’t mention the discrimination by nationality in US law which I
stressed and in fact 250 opinion since 9/11 they never even mention the concept a foreign intelligence at all I am the other bits and pretty have time to explain right now but what they did to YouTube a conference being a month is publish a political statement some 15 points a political beliefs which sound very light on they don’t they are in fact the sort of thing that privacy activists do you say and espouse but believe this is a decoy this is a decoite to try I’m distract attention the fact they cannot achieve any solidarity amongst themselves for deciding that they actually have a responsibility to enforce the existing mall to shut down day two flights to make the United States fair price and the US is exception exception is if you look at references its financial discrimination by such citizenship and nationality rather than the Joe graffiti the communication path well as about 40 in US Small counting uprising patron fis all the first and fourth amendment special protections the UK has 0 surprising Germany has one which is a profound embarrassment might have got a question about that because in ECHL human rights a space to be equal but actually part of the German G-ten little is very analogous 2702 K Canada has not to New Zealand to Australia to and I have been able to discover any others at all but the US has 40 so what ngos to parm at Brazil 9 2001 Istanbul by Jeff nobody said one word about discrimination by nationality I was tweeting like crazy kinda taking actions the subject was never even raced by anybody CDT a senior AFF and I’m very little on non-US person writes in shorter people here or chrome the about that access is done more than most s said not one word about Faiza I’m in eighteen years I’ve visiting the UN helping us with our privacy problems I petrie has done nothing before or after Snowden and I’ve much price international ready is a real treaty with the US even possible supposing we got the sort of guarantees that we would like to have the criminalization of data protection fences
there is a a serious fundamental problem which is that spying on foreigners abroad is an inherent presidential authority Congress cannot restraint but presidential authority so in other words if Obama today makes a promise and says we change policy against rewrites pH 0 features a much more strongly than PBT 28 you can trust that because a future president of the same president could tomorrow in secret announce that policy and just go back to business as usual so it’s not even clear was a legally binding treaty is possible and the sea change the US Constitution I and generally what I’ve been recommending for couple years now is a three-prong strategy for him response firstly you work out essentially which data flows more valuable to the US and they are two year and he began shutting them down as in a trading secondly you need a long-term interview industrial policy to develop software and thou services and I think also critically that should include a secure operating system for individuals for much more secure operation system for individuals you might have seen on the beginning the slides were not policy adviser to the Qubes OS projects might do you think if you haven’t heard a Qubes OS worried about you security for a laptop you should check it out that’s all I’ll say and thirdly we need whistleblower protection because its only through it which they discourage that we know that least for anyone is taking this seriously now and we don’t know that the next whistleblowers going to be altruistic as now day so we need to actually give them water tight asylum and probably some incentives promising reports I actually proposed two departments that they whistleblower should get 25 percent have any fines subcommittee exacted on a controller now that sounds an enormous amounts but you gotta remember that person is likely to be an American either somebody working for a corporation working for them for the NSA and they’re going to need bodyguards protection for extraordinary rendition kidnapping back to
supplant on a mod for the rest of their lives so that’s why the incentives have to be enormous to provide a credible deterrent so the way but I try to summarize the political situation eyes welcome to the matter cannot Tucan it is unfortunately true that most people don’t think I have anything to hide from the government but people votes politicians and they have to have trust in public officials they have to trust the public officials acting impartially in their national interests and in their collective interest sir how now people going tonight that that is the case because any politician or official in Europe now knows that the NSA and public GCHQ as every detail of their private life every indiscretion everything rash email sent by Gmail any phone call education did you spoke to traffic analysis well a moment of brain cell and position power need you nana is that private life is and perhaps their career could be ruined with one tabloid news story order promotion ruined if a show perhaps too much anti-American bias and that comes the attention at the US and make to arrange for the other guy to get promoted well how do we know that’s not going to happen because even if it doesn’t happen we might reasonably suspect that may happen so that is a profoundly to race if idea for democracy but is something that we now have to deal with that we cannot deal with it by not thinking about church and as I put together a report the thoughts ahead but Snowden have put in the minds the public cannot now be on Fox thank you very much

Okay we can take a power about 10 minutes for Q&A is so if you happen to pasture hum find a microphone preferably one of those I and I also have a signal angel in the back and she is up she has a question yes

Hello Caspar so we have a ton of questions for you and me I see and they’re well are really excited about your talk and I’m I just start with one so can you name three countries whose laws are equally balance and protecting its citizens as well as far in as so which countries
could to be the yeah the take as an example for laws in Europe on Germany so

I think one important distinctions to make is this what has been going on in reality as we now know from citing and then there is what’s the law is in theory so in every European country I believe I apart from Germany the laws he called there’s nothing in European laws apart from Germany that I discovered where it says if you are a French citizen or if you’re Slovakian citizen with your Czech citizen you get better protection in respect to privacy in tonight’s what almost every other countries laws say is they differentiate between purely domestic communications communications starting in beginning in one country and communications which crossed the border the back country so that is the way that most laws make that distinction but he may say what doesn’t make a difference yes it does for cloud computing because the stark contrast is if you have any American data in Europe then that data is equally protected by European data protection and human rights law an American to come over here and start taking a case to European data protection authorities all European courts without any trouble at all if they thought their privacy was being I’m just 25 be infringed the converse is not true all EU data as I have demonstrated in the US you have no legal rights at all and that is the asymmetry created by cloud computing before cloud computing the rough assumption in the build-up in these international laws for that 50 100 years was that territory was roughly congress with jurisdiction what cloud computing does is it just like those two apart and creates this fast asymmetry

um Michael their day okay so thanks for the talk of a in Germany the parliament finally decided to open up an investigation commission after Snowden revelations and um so day got witnesses from the German a. m.
intelligence services but not not much came out because some all the details are classified which what hole is prove and the government also protects them and it appears that some hard intelligence services operate and some sort of room that is independent of the law know you pointed out how in the US they would be what they could do with in the boundaries of the law know my question is do they even care or more formally put Howell I likely would you think that day 50 US agencies would feel bound by the US laws at all

so I think the bait they do not feel bound by the US laws there was a great a at John Oliver The Daily Show quick which is the amazing thing mister president is not may be saying that you break them or the amazing thing is that you didn’t have to I am and I do think that when you read you know the texture what’s NSA lawyers have said and the text to the P club reports and so forth think they are in a sense legal overlay when out getting kinda BOM with thousands and thousands of pages American release but the trouble is not it has any relevance for us it is all about because that is the only right to exist is all about protecting rights Americans and the simply on our rights to find for anybody else thank you

a microphone over there please

hi hi I have a question about but the broader jurisdiction in the area of cloud computing I and as I’m sure you know Microsoft is challenging a ruling in the states about access to data held in the EU and I’m just wondering what your views on that is it sorta PR snake oil or is there something like a positive role that US companies can do in sort of challenging this cycle surveillance

so is a San Fran glad you asked me that um as you can imagine getting fired from by Microsoft for trying to warn them about 702 I am I do find it kind of amusing that now Microsoft is painting itself the champion a privacy and I’m afraid this case is not about protecting the sovereignty of European data this is about protecting some shit Microsoft but the short answer
is the substance about cases only about the Stored Communications Act part of the ECB 1986 nothing to any deals with criminal law enforcement so even if Microsoft won that case and actually had think I think wept because then I feel kinda shore of this rotten system that we have today but even if they won that case we do nothing to prevent surveillance under he ate of 83 of isometric it’s complete you’re fucked

I will take another question from the internet so nope uh okay

um so two questions and the same direction um the question is that I mean the at the US are quite powerful in comparison to Europe so one of your um examples Wars 2 not give them any data anymore that they are really really wants to have something to trade up I’m so how do you think that will work um is there any possibility that list will be the case

so what but I first started to recommending this policy a couple years ago but basically everyone said I was crazy and they said there is no capacity for this in Europe we don’t have enough the software houses we don’t have enough people who could build investing data centers is completely crazy but what I heard from the Commission just the two weeks ago is that what they’re hearing now is actually European providers particularly telcos a queuing up to now provide European based data centers and of course another constant what I said is people should not be using open source software for security because this problem actually pushing software updates and through a software update any in security infrastructure you don’t being able to be taste I’m because you just don’t know what’s the update of course open source is no panacea but tools like static analysis for getting the bats at Megan’s or so much more effective them when we last had this debate on thirty years ago say from all points of view there is just a massive advantage now and everybody particular governments switching to open source cloud computing indigenously hosted in the EU if you do that of course the NSA can still try
and break a but if you the NSA tried to break in you can at least defend by conventional means and UN essentially a totally different situation me she’s handed or that data I wanna play each inspection 780

can’t think we’ve got time for two more questions

in II thanks for the speech and you claim is that for a article 43 does not work because the asymmetrical nature of the crime and punishment the punish me full of a for followed it for spying is twenty years in prison et cetera but does not apply to European citizens operating in Europe certain could a article 43 not be short up by saying anyone who provides cloud up services in Europe has to happen on European city a strain on American citizen working in the role of getting the information about this on that the back and forth as required by article 43 and and then then the asymmetric asymmetric see does not exist anyway if that’s a word

for tonight’s ideas but the problems anyone here is that it’s by no means clear that the Espionage Act can only be used against American citizens Australia such and the second point is that there is the scope American law extends not just to US-based companies but to any company the does business with the US so theoretically a 702 order could be put onto Deutsche Telekom France Telecom or whoever bus from my experience working in a very big corporation and now having my my judgment his the US would not search 702 on European company because the whole purpose would be secrecy and I think that maybe naive but the European corporations stuff in the European lawyers they would not put up with that they would ensure that essentially they were cries for help from their own government from project action churches so I think in practical terms is very substantially less risk for European company even if it is doing business in the US to be subject to this law and afraid putting responsibility just me good citizen when necessary doj

and the last question dude do you think over here do you think there’s and near a una
mccann company can set up a cloud hovering a that’s really put legally protects the Dec customers deter from a its say the US legally spying on them Shaw

yeah I mean just use European company running free software physically located in the territory of Europe and you protect that as well as you can up but not fun to make and company not there is no way of an American company and something about which I’m terribly terribly sad

thank you so much Caspar I hope bad there will be a result that is bigger than some sign in



The post The Cloud Conspiracy 2008-2014 [31c3] appeared first on Open Source.






from http://bit.ly/1ALD2kL