Did you really think that the European Union would protect your privacy? Don’t be so naive.
The US-EU Privacy Shield program is supposed to give EU citizens greater data protections. As I wrote previously, the Privacy Shield program has several legal loopholes, which make it look a bit like a block of Swiss cheese.
To add insult to injury, not only does the Privacy Shield fail to protect people’s private data, even NSA contractors are invited to join the party! The Privacy Shield program gives these NSA contractors the ability to transfer personal data stored in the EU to the US. From watching international news over the past few years, you may remember how Edward Snowden blew the whistle on the NSA’s mass surveillance programs. Snowden exposed how the US government had access to read your emails and to listen in on your phone calls.
Including NSA contractors on the list of Privacy Shield is a bit like letting the fox guard your henhouse. While some of the NSA contractors are signed up only to share human resources data, their inclusion in the program does nothing to improve Privacy Shield’s already dismal public image. The companies on the list are allowed to submit a self-assessment to ensure their compliance with Privacy Shield. In practice, this means that these companies have little or no independent oversight.
The following NSA contractors have joined the Privacy Shield program: BAE Systems, Boeing, General Dynamics, Lockheed Martin, Northrop Grumman, and Raytheon.
With the inclusion of NSA contractors in the Privacy Shield program, it is rather obvious that the US government cares nothing for data protection. While Europeans are lulled into a false sense of security with Privacy Shield, the US continues to build its surveillance state.
In 2013, BAE Systems won a multi-year contract with the NSA for high performance computing. The contract is valued at $127 million. A leaked top-secret document outlines the NSA’s surveillance priorities for 2012-2016. One of the NSA’s stated goals is to use high performance computing to crack encryption. As a goal, the document states that the NSA plans to “Dynamically integrate endpoint, midpoint, industrial-enabled, and cryptanalytic capabilities to reach previously inaccessible targets in support of exploitation, cyber defense, and cyber operations.” In other words, the NSA plans to use its high performance computing program to broaden its surveillance capabilities, and BAE Systems is helping.
The American telecom, AT&T, built a secret room in one of its centers to facilitate NSA spying. In 2006, an AT&T technician blew the whistle and revealed the NSA’s massive spying operations. The NSA used a device to sift through massive amounts of data from the internet’s backbone. The device was made by a company called Narus. In 2010, Boeing acquired Narus.
In 2008, Boeing acquired Digital Receiver Technology (DRT). The NSA used DRT equipment to track people’s locations by their cellphone signals. Some DRT devices also have the ability to listen in on cellphone conversations and jam cellphone signals. Several DRT devices appear in the NSA’s surveillance catalog.
In 2014, the Intercept revealed that the NSA was recording virtually every phone call in the Bahamas. The program is called SOMALGET, which is part of a broader surveillance program called MYSTIC. The broader surveillance program, MYSTIC, collects phone call metadata from several countries including Mexico, Kenya, and the Philippines. General Dynamics had an 8-year contract valued at $51 million to process data for the MYSTIC program.
In 1988, Margaret Newsham, a software engineer for Lockheed Martin, blew the whistle on a massive NSA spying program. The NSA was intercepting phone calls and electronic data in a surveillance program called ECHELON. While working for Lockheed Martin, Newsham was helping to create software that ran the ECHELON program. Newsham also revealed that the NSA was listening to phone calls of a US Congressman.
The US military’s research arm, DARPA, awarded contracts for the Total Information Awareness (TIA) program. The TIA program would collect massive amounts of data and use a predictive policing model. In other words, TIA used automated analysis to identify people as potential terrorists. In a very eerie sense, it was the film Minority Report becoming reality. DARPA gave Lockheed Martin 23 contracts valued at $27 million for the TIA program. Several branches of the US government were involved in the TIA program, including the NSA. In 2012, the New York Times revealed that the NSA was running a program very similar to the TIA. The full extent of the TIA’s legacy would not be revealed until the Snowden leaks in 2013.
In 2000, the NSA launched the Trailblazer project. The aim of Trailblazer was to update the old Cold War era interception technology employed by the NSA. The Trailblazer project was mired in scandal. The NSA had wasted over a billion dollars for a program that did not work. Northrop Grumman was one of the contractors working on the failed Trailblazer project.
The Trailblazer project was terminated in 2006. The next year, the NSA awarded Northrop Grumman a $220 million contract. The contract was to help the NSA manage the vast amounts of data it collected from its surveillance programs.
In 2009, the NSA founded the US Cyber Command. The new command center would focus on defensive as well as offensive cyber warfare. Raytheon posted job advertisements for “cyber warriors” to work at locations near known NSA sites.
In 2010, the NSA awarded Raytheon a classified $100 million contract for the Perfect Citizen program. The program would place sensors, to detect cyber attacks, in the backbone infrastructure of public utilities. A Raytheon employee criticized the program with the following words in an email: “Perfect Citizen is Big Brother.” The NSA rather comically claimed that Perfect Citizen would not be used for spying; however, privacy advocates were worried that the program would be used for domestic surveillance.
The text of this article is released into the public domain. You are free to translate and republish the text of this article. Featured picture is CC BY-NC-ND 2.0 Flickr user jrothphotos. Secondary picture CC by EFF.
Printouts from PrivacyShield.gov website, link.
What if your most intimate and private information was for sale to anyone in the world? What if anyone could find out your political beliefs, religious affiliation, sexual orientation, or even your medical history? In the US, it is legal for the private sector to collect and sell these types of personal information, and the government is powerless to stop it. Due to the US’ lack of general data protection laws, Europeans’ personal information could wind up in the hands of unscrupulous data brokers and for sale on the global market. Data transfers from the EU to the US are a cause for ongoing controversy, because the EU considers data protection to be a fundamental right.
In testimony before the US Congress, Pam Dixon of the World Privacy Forum detailed abuses by data brokers. MEDbase200 sold personal information on rape survivors and people with an HIV positive status for $79.00 per thousand names. Addresses of domestic violence shelters are supposed to be kept secret, but FirstMark sold lists of these shelters online. DMDatabases sold comprehensive databases detailing patients’ medical conditions and which prescription medications they were taking.
Data brokers obtain personal information from various sources. Many US companies rather shamelessly sell information on their customers. Data brokers can also collect information online through tracking cookies, mobile app data, social media postings, and online surveys. Data brokers also sell each other vast amounts of data, making it virtually impossible to figure out who originally collected the information.
EU regulators should have cause for concern that social media sites are now partnering with American data brokers. Especially controversial is Facebook’s partnership with data broker Acxiom. After the 9/11 terror acts, Acxiom lobbied the US government to weaken the few and limited federal privacy protections in the US. In 2001, Acxiom proposed to establish a government surveillance program to crawl the internet and gather intelligence from websites. The US Department of Defense also considered partnering with Acxiom to build a large surveillance database. In 2003, Acxiom was embroiled in controversy when it worked with the US Department of Homeland Security on a proposed system to give airline passengers color-coded ratings based on the likelihood of being a terrorist. Despite holding vast amounts of personal data, Acxiom has been the victim of numerous data breaches, with computer hackers stealing large amounts of information.
Starting in 2000, the US-EU Safe Harbor agreement allowed companies in the EU to send personal data to the US. In 2015, the EU Court of Justice struck down the legal basis for the Safe Harbor agreement, because the agreement failed to provide adequate data protections. The US and the EU quickly negotiated a new agreement called Privacy Shield to allow the continued flow of data from the EU to the US.
The new US-EU Privacy Shield agreement is a complete disaster. The agreement’s greatest weakness is that the Privacy Shield program is completely voluntary. An American company with no subsidiaries in the EU could refuse to sign up for Privacy Shield and can ignore EU data protection authorities. The US government is powerless to stop data collection over the internet, which is completely legal in the US.
Even when a company voluntarily signs up for the Privacy Shield program, it requires the US Federal Trade Commission (FTC) to enforce the rules. This year, President Trump has the authority to nominate four FTC commissioners (out of five commissioners total). Considering President Trump’s history, his nominations for the FTC will be extremely business-friendly, and the new commissioners may do everything in their power to stop any consumer protections (including Privacy Shield). In the rare instance that the FTC would actually investigate a company for failing to comply with the Privacy Shield framework, the FTC would have to prove that the data is covered under Privacy Shield. In the US, data brokers repackage and sell data so many times that it may be difficult or impossible for the FTC to ever prove where the data originally came from.
Recently, President Trump named Maureen Ohlhausen as acting Chair for the FTC. Ohlhausen has previously criticized the FCC (Federal Communications Commission) proposal to require ISPs (internet service providers) to obtain consent before sharing customers’ private data with data brokers and other third parties. Ohlhausen argued that the FCC’s proposal would harm consumers by offering too many privacy protections. With Ohlhausen as acting Chair, the FTC will likely fail to enforce the Privacy Shield framework.
The Privacy Shield framework does nothing to stop the US government’s mass surveillance and bulk collection of data. In a letter included in the Privacy Shield notice, the former Secretary of State, John Kerry, promises to establish an ombudsperson to take complaints regarding US government surveillance practices. A close reading of the memorandum reveals that the Privacy Shield ombudsperson has no legal authority to investigate or provide independent oversight. The memorandum also mentions several OIGs (Offices of Inspector General) and the PCLOB (Privacy and Civil Liberties Oversight Board), which are the same mechanisms that failed to protect people from the NSA’s mass surveillance in the first place.
The Privacy Shield notice also includes a letter from the Office of the Director of National Intelligence (ODNI). The letter cites PPD-28 (Presidential Policy Directive-28) as limiting the US government’s surveillance efforts. It is difficult to independently verify what PPD-28 actually contains, since some portions of the directive are classified. The PPD-28 was signed by President Obama, who is no longer in office. President Trump is not required to follow PPD-28, and he can secretly overturn the directive at any time without any public notice.
The US government has no international legal obligations to enforce Privacy Shield. The Privacy Shield framework is a voluntary program, operated by the US Department of Commerce, which could be rescinded at any time. It is hard to imagine how the EU ever approved an agreement so dreadful as Privacy Shield. I cringe thinking that the EU completely lacks an understanding of the US Constitution and how the American government operates. Before ever entering another agreement with the US, the EU needs to first hire some extremely well-read American lawyers as advisors.
As it stands, the Privacy Shield framework leaves EU consumers’ personal data open to abuse, with few or no rights to recourse and redress. If the EU is serious about data protection, it should immediately suspend the Privacy Shield framework. Access to the EU market is of paramount importance to many American businesses. Using its economic leverage, the EU should pressure the US to reform its legal code to ensure better data protection.
For further reading:
GAO report on data brokers, link
FTC report on data brokers, link
Featured image: CC-BY-NC-ND, thenoodleator
2016 will be remembered for the unprecedented and monumental acceptance of the pirate movement by citizens at a national level!
We are very happy to see that the first decade of the pirate movement was completed and celebrated by a great electoral success: the officially recorded 14.48% of the votes in favor of the Pirate Party of Iceland (PP-IS) in last October’s parliamentary elections! PPIS reached new heights for the pirate movement by electing 10 MPs, and by receiving a mandate from the president of Iceland to form a governmental coalition.
As we are now entering the second decade of the movement, anything can happen!
But, if there was a prize for “political and electoral behavior,” then surely this year it would be given to the 27.449 Icelandic voters who deliberately rejected the traditional parties and preferred to vote in favor of the Pirate Party, in favor of the new politics that express the digital age, and in step with the modern world in which we live.
That world stands for simple things, that can be done easily without any high cost! Things like transparency, the protection of privacy, the reviewing of the legislation on copyright and patents, net neutrality, the change of governance model to that of the direct participation of citizens at all levels and phases of consultation and decision-making,
Thanks to them, the voice of the new world will be heard in the parliament!
Thanks to them, it is now proven that 27.449 people can really shake up the system of traditional politics worldwide, by voting for a party which is named “The Pirate Party”! Icelanders pushed international and national mainstream media to write extended articles on the pirate movement and empowered the voice of a new world that emerges, slowly but steadily, and takes its place in decision-making centers.
Big chance for the Pirates in Iceland to form a government
After the elections, no party in Iceland held a majority to form a government. The president gave a mandate to the first party in votes to start searching for a coalition government. But there was no positive outcome, so the “Left Greens”, the second party in votes, received the mandate. PPIS participated in that second round of unproductive talks on the establishment of a 5-party coalition government with the “Left Greens”.
Those 5 parties hold a majority of 34 (out of 63) seats divided as follows:
Left Green Movement (10)
Pirate Party (10)
Bright Future (4)
Social Democratic Alliance (3)
Then the mandate was given to PP-IS, third party in votes. Birgitta Jonsdottir, MP and party leader, received it on Friday, 2nd of December and PP-IS started a new round of negotiations. Pirates of Iceland held in their hands a great opportunity, the greatest ever given to a Pirate party, to form a government! Despite the initial optimism, Pirates finally failed and returned the mandate but set new heights for the pirate movement.
If all negotiations went well, then PPIS would have achieved something inconceivable! It would have been the first Pirate Party participating in governmental seats, 10 years since the establishment of the Pirate movement and only 4 years after the founding of the party itself!
Birgitta’s meeting with Snowden and Lessig in Moscow, filmed by French director
Taking a secret trip to Moscow, Birgitta Jonsdottir met with Edward Snowden and Lawrence Lessig, lawyer, activist, founder of Creative Commons, for the needs of a documentary film by Flore Vasseur, French journalist and director. The filming took 3 hours and Birgitta said in her interview to grapevine.is “We just wanted to talk about the state of democracy. But there we were—three ordinary citizens who decided to do something…”
Also, the “Alternative party” from Denmark made a documentary on the Icelandic pirates. Uffe and Rasmus, 2 members of the party, visited Reykjavik during the elections to find out the agenda behind the success of PPIS! What did they learn from the Pirates? As they say at the end of their documentary: “Reset the system”, “Be the change”, “Give the power to the people”!