Terror data handover seriously flawed

EU gives up bank data, for nothing in return

Comment The European Union has redrafted its agreement with the US Treasury which requires Europe’s financial institutions to transfer details of global financial transactions to the US. The revised Draft Agreement is to be put to the European Parliament in July for approval, despite a text containing significant privacy defects and obvious areas of drafting in need of urgent attention.

The Draft Agreement (pdf) often refers to “terrorism or terrorist financing” without defining what “terrorism” is, or what makes a “terrorist”. There is a kind of unwritten assumption that everybody will recognise a terrorist when they see one, despite the adage that one person’s terrorist is another person’s freedom fighter.

However, the Agreement (in Article 2) does define a range of activities that most people would recognise as “terrorist”, but because these activities do not use the word “terrorism”, they can be interpreted with, how shall we put it, “a degree of flexibility”.

For example, Article 2 includes in its “activities” that allow transfer to the US “acts of a person that ... are ... dangerous to human life or create a risk of damage to property ... and are reasonably believed to be committed with the aim of ... coercing a government to act or abstain from acting”.

Can you recall the protracted UK fire-fighters strike in 2002 which involved thousands of fire-fighters? Did this strike “create a risk of damage to property”? Was the strike “dangerous to human life”? Was the strike called “with the aim of coercing a government to act” (in order to allow a large pay rise)? Well, I think the answer to all three “terrorist” tests posited by the Agreement is “yes”.

Thus, the Agreement has the potential to transform law-abiding fire-fighters pursuing an industrial dispute into “terrorists” – and the same could apply in the case of the miners in the UK miners’ strike of 1984. Perhaps those organising comprehensive public sector strikes in Greece, France, Spain and Germany against those public sector cuts should be wary – this Agreement could easily assess them as “terrorists”!

I am sure that the intent of this Draft Agreement is currently not to do this, but the fact is that it clearly has the potential to do so. I raise this prospect merely to show that “flexible drafting” increases the risk of unintended consequences at some time in the future.

The Draft Agreement appears to be wholly unbalanced. Article 4 allows the US Treasury to obtain “data” on request. All the Treasury needs do is specify the categories of data it wants as being necessary in connection with terrorism, get the formal approval of fellow security officers in Europol, and then the personal data can be transferred.

Note there is no judicial warrant needed in relation to requests which could involve considerable amounts of personal data. However, when the EU wants data from the US, Article 10 requires them to identify “a person or entity that there is reason to believe has a nexus to terrorism or its financing”.

The difference between the two approaches is profound. The Draft Agreement allows the US to say to the EU, for example, “give us a range of data about transactions in a certain region” as we are investigating “terrorism” (whatever that is). By contrast, a Member State of the European Union has to say to the US something like “give us the data on this known entity or specific individual” in relation to “terrorism”.

Put in these terms, it is easy to see that the US can make general requests for “data” whereas the EU has to make specific targeted requests about individuals or entities.

That is why the Agreement is unbalanced and will result in a one-way data traffic flow – from EU financial institutions to the US. No explanation has been given as to why the US cannot follow the EU States and make targeted requests for personal data.

Article 12 of the Agreement establishes monitoring safeguards and controls. It states that there is to be an “independent person” appointed by the European Commission to police the data protection safeguards. Note that the Draft Agreement could easily have said that a European Data Protection Commissioner, or an ex-Commissioner, or the European Data Protection Supervisor (the natural choice I would argue) would be appointed to monitor these safeguards - but it doesn’t.

So it follows that the “independent person” is not necessarily a Data Protection Commissioner or someone who has a track record in regulating the difficult area of privacy protection versus law enforcement. Of course the various DP Commissioners will be able to huff and puff on the sidelines, but make no mistake: Europe’s privacy regulators are deliberately being positioned on the periphery of this Agreement. My blog of 14/04/2010 explains one possible reason why the EU Commission has decided on this course of action.

This raises a serious issue. If the purpose of this Article is to ensure that privacy safeguards are properly established and supervised, then the suspicion raised by its text is that the Commission wants to appoint an ex-Chief of Police or some other kind of “security apparatchik”. If such an outcome were to occur, it is not going to reassure anyone. In short, this Article could easily produce a supervisory outcome that lacks credibility.

The Agreement provides for no effective mechanism to challenge a particular data transfer before it happens. For instance, if a Bank or individual or organisation formed the view that a particular exchange would not be in accordance with the Agreement, it could go to Court to challenge the matter. In practice, such a complainant would fail because the complainant, at best, would most likely possess “suspicions of a problem”. By contrast if the Courts are to rule on an issue they need actual evidence of a problem – mere suspicion is not enough.

What should happen is that the Agreement should provide for a complainant procedure via the Independent Supervisor who should then, assuming the complaint is not vexatious or trivial, be required to investigate fully. By contrast, under the current arrangements in the Agreement, a complainant could invite the Supervisor to investigate, and hope that the Supervisor might investigate.

However, this makes the system of supervision and privacy protection, especially prior to transfer, depend on “hope” and “might” – and “hope and might” are insecure foundations upon which to build any rigid system of protection. As everybody knows, I “hope” Barnsley FC “might” win the European Cup in the near future.

Article 13 establishes a yearly review of the Agreement to investigate how well it is working, and measure its effectiveness and the safeguards. Is this review undertaken by an independent body or the independent supervisor? Well the answer is “no” - this review is to be undertaken by appointees nominated by the Parties to the Agreement.

This Article thus contains another credibility gap (or chasm, in my view). It suggests a protective mechanism akin to that achieved by allowing Count Dracula to appoint one of his brides to investigate whether an agreement to supply blood works properly.

So to my conclusion? The EU and the US want wide-ranging powers to “follow the terrorist money trail” - most people support that objective. However, the absence of a definition of “terrorism”, the provision of a weak regulatory regime to act as a counter-balance to wide-ranging data sharing powers and the deliberate exclusion of Europe’s Data Protection Commissioners mean that this Agreement should not progress in its current form.

If the Agreement goes through, the UK has to choose whether to become a member. Most international agreements become law by the Royal Prerogative so there is a significant risk that there will be little Parliamentary scrutiny prior to implementation if the decision is taken to join the Agreement.

Originally published on Hawktalk, the blog of Amberhawk Training Ltd.
