Monday, June 10, 2013


I finally made it to an ORGCon on Saturday. The conference was opened with a Tim Wu keynote telling some stories from his book, The Master Switch, and closed by John Perry Barlow who, perhaps surprisingly, took a 'we have to embrace transparency even in private data' theme.

Undoubtedly the highlight of the show, though, was Caspar Bowden's deeply informed and passionate delivery of a talk on the US Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, data protection and PRISM, the NSA electronic surveillance program. His slides are available online.

Having prefaced his remarks with the fact that he has acquired his knowledge entirely from information in the public domain, Caspar started out with a whistle stop history of intelligence sharing between the UK and US; including Alan Turing's detention at Ellis Island during the war and subsequent 3 month battle with US intelligence bureaucracy to get access to the stuff he had been sent/invited to see. Turing's treatment led to an agreement between the two governments that the US and UK should not spy on each other.

He went on to explain that the FISA law of 1978 was one of the results of the fallout from Watergate. It was paramount, as far as the US Senate Church Committee was concerned, that American citizens should be differentiated sharply from foreigners and not subject to suspicionless surreptitious surveillance by US agents of state.

Everything changed again post 9/11 when President Bush instigated mass warrantless wiretapping and, in 2007, the Protect America Act eliminated the need for warrants, even secret FISA warrants, for government surveillance of foreign intelligence targets "reasonably believed" to be outside of the US; the Act also gave all the telcos involved in illegally facilitating the mass warrantless wiretapping retrospective immunity from prosecution and ended the requirement for targeted warrants. Then in 2008 came the Foreign Intelligence Surveillance Act of 1978 Amendments Act which was renewed at the beginning of 2013.

FISA as it now stands (including the FISAAA) has led to the kind of general broad ranging collect everything warrant the Guardian exposed last week. FISAAA essentially means if you are guilty of not being a US citizen your personal data has no protection in a US cloud. Yet European governments and the EU Commission have effectively been oblivious to this in spite of efforts of Caspar and others to inform them. Much of the reaction to the Fighting cyber crime and protecting privacy in the cloud report was on Twitter, falling into the category of amazement and wondering how exactly such unchecked mass surveillance could be going on. US commentators' reactions were muted, even amongst US civil libertarians who Caspar later accused of being entirely silent on the §1881a 'guilty of being a foreigner' FISA surveillance. The report's authors have had a tough time getting conventional journalists to listen and take them seriously about the issue.

Caspar states with some conviction that there is a lot of misleading PR and outright lying about the complete lack of protection for foreign citizens' personal data in the US cloud, in a commercial and political effort to promote the use of US based cloud services. The notion that US law offers good protection to its citizens, "as good or better as foreign law for foreigners" doesn't withstand any kind of serious scrutiny certainly for non US citizens and not a lot for US citizens e.g. if you look at the cases of William Binney, Thomas Drake or Jacob Applebaum.

You might suggest that encryption is the solution but encryption can only protect data to or from the cloud and “lawful” access (FISA §1881a) reaches inside the SSL. Caspar then went on, convincingly again and expounding in some technical detail, the degree to which evolving platform-as-a-service PaaS facilities will enable scalable mass surveillance. ETSI are already developing LIaaS (Lawful interception as a service) standards! Before going on to make some general remarks about the Guardian disclosures about PRISM, he concluded on FISAAA:
  • EU personal data is naked to FISAAA, contrary to much “Cloudwash” White Paper propaganda – 
  • Whilst the PATRIOT Act is bad, FISAAA is much worse for Cloud data
  • US mass-surveillance over foreign political data in Clouds has been lawful since 2008
  • Astonishingly, the EU Commission, DPAs, MS, MEPs, didn't know about FISAAA 1881a until 2012 
  • There are no practical technical defences in sight 
  • Some LIBE Amendments to the draft DPR have been tabled – Consent-with-drastic-warning and whistle-blower protection are essential
  • Need massive vertical investment in indigenous EU Cloud software platforms and operation
  • And FLOSS has crucial security advantages for Cloud 
  • Proposed new EU data protection regulations have been captured by the surveillance state and commerical interests agendas
On PRISM, Caspar rounded off by saying that in addition to direct documentary evidence of the existence of the programme now being in the public domain, possibly the most significant development last week was the confirmation from James Clapper, the US's Director of National Intelligence, that PRISM was about §1881a of FISAAA (now incorporated as s702 of FISA); §1881a which intentionally targets individuals whose only crime is being guilty of not being a US citizen.

So I'm thinking of adding the following text to my email signature:
Please be aware that this message has, quite likely, been harvested and possibly processed by the NSA, under §1881 FISAAA (now s702 FISA as amended). I am, after all and in fairness to the good guys in the NSA, entirely guilty of the charge of not being a US citizen.
In a final contribution later in the day to the excellent ORGCon 2013, Caspar, at the end of John Perry Barlow's closing keynote, managed to elicit an initially reluctant admission from the EFF founder that the silence from US civil liberties groups on §1881a's blanket licence for the US to spy on the rest of the world had been deafening. When he got JPB to agree to encourage the EFF board to make a noise about §1881a it produced one of the loudest ovations of the day.

In any case, I'm sure ORG will be making audios and videos of the various sessions available in due course and I hope I've convinced at least a few that an hour set aside to view Caspar Bowden's talk would be well worth the investment.

Thanks generally to ORG organisers and volunteers for facilitating such a useful event.

Update: my Google Drive embedded version of  Caspar's slides was causing clunky page loading problems so I've removed the embed code from this post. The version of the slides on the ORG site is much more readable in any case and the video of Caspar's talk is now available on ORG's YouTube channel.

No comments: