The Register® — Biting the hand that feeds IT


Terror data handover seriously flawed

EU gives up bank data, for nothing in return


Comment The European Union has redrafted its agreement with the US Treasury which requires Europe’s financial institutions to transfer details of global financial transactions to the US. The revised Draft Agreement is to be put to the European Parliament in July for approval, despite a text containing significant privacy defects and obvious areas of drafting in need of urgent attention.

The Draft Agreement (pdf) often refers to “terrorism or terrorist financing” without defining what “terrorism” is, or what makes a “terrorist”. There is a kind of unwritten assumption that everybody will recognise a terrorist when they see one, despite the adage that one person’s terrorist is another person’s freedom fighter.

However, the Agreement (in Article 2) does define a range of activities that most people would recognise as “terrorist”, but because these activities do not use the word “terrorism”, they can be interpreted with, how shall we put it, “a degree of flexibility”.

For example, Article 2 includes in its “activities” that allow transfer to the US “acts of a person that ... are ... dangerous to human life or create a risk of damage to property ... and are reasonably believed to be committed with the aim of ... coercing a government to act or abstain from acting”.

Can you recall the protracted UK fire-fighters’ strike in 2002 which involved thousands of fire-fighters? Did this strike “create a risk of damage to property”? Was the strike “dangerous to human life”? Was the strike called “with the aim of coercing a government to act” (in order to allow a large pay rise)? Well, I think the answer to all three “terrorist” tests posited by the Agreement is “yes”.

Thus, the Agreement has the potential to transform law-abiding fire-fighters pursuing an industrial dispute into “terrorists” – and the same could apply in the case of the miners in the UK miners’ strike of 1984. Perhaps those organising comprehensive public sector strikes in Greece, France, Spain and Germany against public sector cuts should be wary – this Agreement could easily assess them as “terrorists”!

I am sure that the intent of this Draft Agreement is currently not to do this, but the fact is that it clearly has the potential to do so. I raise this prospect merely to show that “flexible drafting” increases the risk of unintended consequences at some time in the future.

The Draft Agreement appears to be wholly unbalanced. Article 4 allows the US Treasury to obtain “data” on request. All the Treasury needs do is specify the categories of data it wants as being necessary in connection with terrorism, get the formal approval of fellow security officers in Europol, and then the personal data can be transferred.

Note there is no judicial warrant needed in relation to requests which could involve considerable amounts of personal data. However, when the EU wants data from the US, Article 10 requires them to identify “a person or entity that there is reason to believe has a nexus to terrorism or its financing”.

The difference between the two approaches is profound. The Draft Agreement allows the US to say to the EU, for example, “give us a range of data about transactions in a certain region” as we are investigating “terrorism” (whatever that is). By contrast, a Member State of the European Union has to say to the US something like “give us the data on this known entity or specific individual” in relation to “terrorism”.

Put in these terms, it is easy to see that the US can make general requests for “data” whereas the EU has to make specific, targeted requests about individuals or entities.

That is why the Agreement is unbalanced and will result in a one-way data traffic flow – from EU financial institutions to the US. No explanation has been given as to why the US cannot follow the EU States and make targeted requests for personal data.

Article 12 of the Agreement establishes monitoring safeguards and controls. It states that there is to be an “independent person” appointed by the European Commission to police the data protection safeguards. Note that the Draft Agreement could easily have said that a European Data Protection Commissioner, or an ex-Commissioner, or the European Data Protection Supervisor (the natural choice, I would argue) would be appointed to monitor these safeguards – but it doesn’t.

So it follows that the “independent person” is not necessarily a Data Protection Commissioner or someone who has a track record in regulating the difficult area of privacy protection versus law enforcement. Of course the various DP Commissioners will be able to huff and puff on the sidelines, but make no mistake: Europe’s privacy regulators are deliberately being positioned on the periphery of this Agreement. My blog of 14/04/2010 explains one possible reason why the EU Commission has decided on this course of action.

This raises a serious issue. If the purpose of this Article is to ensure that privacy safeguards are properly established and supervised, then the suspicion raised by its text is that the Commission wants to appoint an ex-Chief of Police or some other kind of “security apparatchik”. If such an outcome were to occur, it is not going to reassure anyone. In short, this Article could easily produce a supervisory outcome that lacks credibility.

The Agreement provides no effective mechanism to challenge a particular data transfer before it happens. For instance, if a bank, individual or organisation formed the view that a particular exchange would not be in accordance with the Agreement, it could go to court to challenge the matter. In practice, such a complainant would fail because the complainant, at best, would most likely possess only “suspicions of a problem”. By contrast, if the courts are to rule on an issue they need actual evidence of a problem – mere suspicion is not enough.

What should happen is that the Agreement should provide for a complainant procedure via the Independent Supervisor who should then, assuming the complaint is not vexatious or trivial, be required to investigate fully. By contrast, under the current arrangements in the Agreement, a complainant could invite the Supervisor to investigate, and hope that the Supervisor might investigate.

However, this makes the system of supervision and privacy protection, especially prior to transfer, depend on “hope” and “might” – and “hope and might” are insecure foundations upon which to build any rigid system of protection. As everybody knows, I “hope” Barnsley FC “might” win the European Cup in the near future.

Article 13 establishes a yearly review of the Agreement to investigate how well it is working, and to measure its effectiveness and its safeguards. Is this review undertaken by an independent body or the independent supervisor? Well, the answer is “no” – this review is to be undertaken by appointees nominated by the Parties to the Agreement.

This Article thus contains another credibility gap (or chasm, in my view). It suggests a protective mechanism akin to that achieved by allowing Count Dracula to appoint one of his brides to investigate whether an agreement to supply blood works properly.

So to my conclusion? The EU and the US want wide-ranging powers to “follow the terrorist money trail” – most people support that objective. However, the absence of a definition of “terrorism”, the provision of a weak regulatory regime to act as a counter-balance to wide-ranging data sharing powers, and the deliberate exclusion of Europe’s Data Protection Commissioners mean that this Agreement should not progress in its current form.

If the Agreement goes through, the UK has to choose whether to become a member. Most international agreements become law by the Royal Prerogative so there is a significant risk that there will be little Parliamentary scrutiny prior to implementation if the decision is taken to join the Agreement.

Originally published on Hawktalk, the blog of Amberhawk Training Ltd.


Sir

Can you imagine the EU asking for banking details relating to specific US 'black ops'? I'm sure that would work.

Tell me, does the US also supply the vaseline - or do we have to pay for that ourselves too?

Starting to understand how the rest of the world feels about US foreign policy - it feels like we are on the periphery now rather than bosom buddies, and boy can you feel the difference.

Good article.


bah

1. Just because it doesn't apply to you doesn't mean you shouldn't care. Think of your friends and family, or the possibility that faulty information is shared and you're wrongly accused.

2. The writer was highlighting the lack of specificity in the definition of terrorism. The 3 rules (damage property OR risk life) AND (intended to coerce government to action or inaction) are way too broad and encompass things such as industrial action which nobody would reasonably consider terrorism. The definition is therefore wrong.


Spirit of the law?

No, the spirit of the law (any law) is irrelevant. The law is what the text of the law says. If the law as drafted says that the US can demand personal information on strikers then the US can do that.

This is fundamental. You can't tweak the meaning of a law to be what you want it to mean, you have to go by the specific text.

