blogzilla, profile picture
Uploaded byblogzilla
PPTX, PDF1,694 views

Privacy post-Snowden

This document summarizes international laws and policies regarding privacy and mass surveillance in the post-Snowden era. It discusses obligations under international human rights law, calls by the UN General Assembly to review surveillance practices, and reports by the UN High Commissioner for Human Rights criticizing secret interpretations of law and lack of protections for individuals. The document also reviews data privacy regulations in Europe, debates around data localization, encryption technologies, and concludes that strengthening international law and information security is needed to curb mass surveillance by powerful states.

Embed presentation

Downloaded 18 times
PRIVACY POST-SNOWDEN Ian Brown, Prof. of Information Security and Privacy Oxford Internet Institute, University of Oxford @IanBrownOII
Implants in the supply chain
International law and politics • International Covenant on Civil and Political Rights §17 and §19 and their interpretation by the UN Human Rights Committee, UN High Commissioner for Human Rights, and UN Special Rapporteurs (on Freedom of Opinion and Expression; on the promotion and protection of human rights and fundamental freedoms while countering terrorism; on human rights and transnational corporations) • Regional treaties, esp. Eur. Conv. on Human Rights §8 and EU Charter of Fundamental Rights §§7-8 • How to make transparent, let alone improve, bi- and multi-lateral intelligence sharing agreements?
United Nations • General Assembly: “Calls upon all States…To review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law” (A/RES/68/167) • HR Cmtte: Concluding Observations on USA (2014). Inter-State complaint? (Scheinin) • IGF 2014: “Civil society managed to get many of these issues on the conference’s agenda but governments chose to ignore them.” -Sherif Elsayed-Ali, Deputy Director of Global Issues at Amnesty International
UN High Commissioner for HR • “Even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights” §20 • “overarching principles of legality, necessity and proportionality” §23 • “secret rules and secret interpretations – even secret judicial interpretations – of law do not have the necessary qualities of “law” §29 • “sharing of data between law enforcement agencies, intelligence bodies and other State organs risks violating article 17” §27 • “Governments have operated a transnational network of intelligence agencies through interlocking legal loopholes, involving the coordination of surveillance practice to outflank the protections provided by domestic legal regimes. Such practice arguably fails the test of lawfulness” §30
UN High Commissioner for HR • “States have also failed to take effective measures to protect individuals within their jurisdiction…in breach of their own human rights obligations.” §30 • “digital surveillance therefore may engage a State’s human rights obligations if that surveillance involves the State’s exercise of power or effective control in relation to digital communications infrastructure, wherever found, for example, through direct tapping or penetration of that infrastructure. Equally, where the State exercises regulatory jurisdiction over a third party that physically controls the data, that State also would have obligations under the Covenant. If a country seeks to assert jurisdiction over the data of private companies as a result of the incorporation of those companies in that country, then human rights protections must be extended to those whose privacy is being interfered with, whether in the country of incorporation or beyond.” §34
UN GGE A/68/98 (24 June 2013) • “international law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability” • “States must meet their international obligations regarding internationally wrongful acts attributable to them” • “Recommendations on voluntary measures to build trust, transparency and confidence, as well as international cooperation to build capacity for ICT security” • New GGE held first meeting in New York in July 2014, and elected Brazil as the Chair. Three more meetings in 2015
Council of Europe and EU • CoE Convention 108: • 7 States Parties do not apply Convention to State security (Andorra, Ireland, Latvia, Malta, Romania, Russia, Macedonia) • Modernised Convention does not allow this §3(2)(a) scope limit • Cybercrime Convention §32 • US-EU umbrella DP agreement • Accounting and Transparency Directives • Recent cases: • ECtHR: Big Brother Watch and ors v UK, App. No. 38170/13; Bernh Larson Holdings v Norway, App. No. 24117/08; Privacy International v UK • CJEU: Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Ors C-293/12 and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others, C 594/12 • 1 BvR 370/07 and 1 BvR 595/07: breaching const. right to IT-security requires factual evidence indicating a specific threat to an outstanding and overriding legal interest, such as threats to the life or freedom of an individual, or threats concerning the fundamentals or existence of the state + judicial authorisation
Data localisation • German interior minister: “whoever fears their communication is being intercepted in any way should use services that don't go through American servers.” • Snowden: “you should never route through or peer with the UK” • Brazil & Russia – considered or passed laws requiring citizens’ data held within country. Digital Rights Ireland and Art 29 WP on retained communications data • Regional data centres – but limited impact given expansive American jurisdiction (In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., No. 13-MJ-2814-UA, SDNY 28 Aug. 14) • Norwegian domains .sj and .bv
Renewed focus on encryption • Storage encryption using client-held keys is relatively straightforward – e.g. SpiderOak • Homomorphic encryption in the cloud? • End-to-end encrypted peer-to-peer systems • Verifiable?
Conclusion • International law is (slowly) being strengthened – perhaps not at the scale that will effectively protect privacy against SIGINT agencies (ideas of optional ICCPR Protocol or even new General Comment 16 seem to have faded) • Cybersecurity norms are up for grabs • IANA and ICANN in some senses a sideshow, aside from leverage against US, although play important role concerning WHOIS, and potentially DNSSEC, RPKI, and more broadly as a fulcrum for transnational enforcement • Much greater attention to information security a pre-condition for raising cost of mass surveillance beyond the great (Internet) powers – IETF role

More Related Content

PPSX
Internet governance
byGhazala Ajami
 
PPT
Freedom of expression on the internet
bymoldovaictsummit2016
 
PPTX
Where next for the Regulation of Investigatory Powers Act?
byblogzilla
 
PPTX
Keeping our secrets? Shaping Internet technologies for the public good
byblogzilla
 
PPTX
Internet user's rights and fundamental freedoms day
bymoldovaictsummit2016
 
PPTX
Where next for encryption regulation?
byblogzilla
 
PPT
Copyright and privacy by design - what lessons have we learned?
byblogzilla
 
PPT
Wikileaks freedom of speech on the internet
byVincy
 
Internet governance
byGhazala Ajami
 
Freedom of expression on the internet
bymoldovaictsummit2016
 
Where next for the Regulation of Investigatory Powers Act?
byblogzilla
 
Keeping our secrets? Shaping Internet technologies for the public good
byblogzilla
 
Internet user's rights and fundamental freedoms day
bymoldovaictsummit2016
 
Where next for encryption regulation?
byblogzilla
 
Copyright and privacy by design - what lessons have we learned?
byblogzilla
 
Wikileaks freedom of speech on the internet
byVincy
 

What's hot

PPTX
Cybercrime convention
bymoldovaictsummit2016
 
PPT
The Data Retention Directive: recent developments
byblogzilla
 
DOCX
International convention on cyber crime
byIshitaSrivastava21
 
PPTX
Artificial Intelligence, elections, media pluralism and media freedom
byCentre for Media Pluralism and Media Freedom
 
PPTX
Digital security act (DSA)
byMd.Azizul hakim Anik
 
PPTX
cybercrime landscape for moldova
bymoldovaictsummit2016
 
PDF
Social media impact on freedom of expression and privacy
byYasmin AbdelAziz
 
PDF
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
byAPNIC
 
PPT
Legal Aspect of the Cloud by Giuseppe Vaciago
byTech and Law Center
 
PPTX
Investigating cybercrime at the United Nations
byblogzilla
 
PPTX
Research on Digital Security Act 2018
byNilima Tariq
 
PPT
Privacy in the age of anti-terrorism
byblogzilla
 
PDF
Digital security law security of individual or government
byM S Siddiqui
 
PDF
Cyber Crime & Cyber Security Workshop, ZIE
byKangai Maukazuva, CGEIT
 
PPTX
After 9 11
byJenn Robillard
 
PPTX
Cyber security and prevention in Bangladesh
byRabita Rejwana
 
PDF
An Exploratory Study on Mechanisms in Place to Combat Hacking In South Africa...
byAJHSSR Journal
 
PPTX
Cyber crime
byDani Ann Eunice Vargas Espelico
 
PPT
Snezana Trpevska - Content Regulation and Censorship – What is the Difference?
byMetamorphosis
 
PDF
Consumers' and Citizens' Privacy
byCarolina Rossini
 
Cybercrime convention
bymoldovaictsummit2016
 
The Data Retention Directive: recent developments
byblogzilla
 
International convention on cyber crime
byIshitaSrivastava21
 
Artificial Intelligence, elections, media pluralism and media freedom
byCentre for Media Pluralism and Media Freedom
 
Digital security act (DSA)
byMd.Azizul hakim Anik
 
cybercrime landscape for moldova
bymoldovaictsummit2016
 
Social media impact on freedom of expression and privacy
byYasmin AbdelAziz
 
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
byAPNIC
 
Legal Aspect of the Cloud by Giuseppe Vaciago
byTech and Law Center
 
Investigating cybercrime at the United Nations
byblogzilla
 
Research on Digital Security Act 2018
byNilima Tariq
 
Privacy in the age of anti-terrorism
byblogzilla
 
Digital security law security of individual or government
byM S Siddiqui
 
Cyber Crime & Cyber Security Workshop, ZIE
byKangai Maukazuva, CGEIT
 
After 9 11
byJenn Robillard
 
Cyber security and prevention in Bangladesh
byRabita Rejwana
 
An Exploratory Study on Mechanisms in Place to Combat Hacking In South Africa...
byAJHSSR Journal
 
Cyber crime
byDani Ann Eunice Vargas Espelico
 
Snezana Trpevska - Content Regulation and Censorship – What is the Difference?
byMetamorphosis
 
Consumers' and Citizens' Privacy
byCarolina Rossini
 

Viewers also liked

PDF
Snowden-final-report-for-publication
byZarte Siempre
 
PPTX
The Post Snowden World One Year Later: What Has Changed?
byChristian Dawson
 
PPTX
British Newspaper Coverage of State Surveillance and the Edward Snowden Revel...
byKarin Wahl-Jorgensen
 
PDF
Treason or Loyalty? Ethics and Edward Snowden
byBarry Casey
 
PPTX
Edward joseph snowden
byCelina Anctil
 
PPTX
Digital Citizenship and Surveillance Society: UK State-Media-Citizen Relation...
byKarin Wahl-Jorgensen
 
PPTX
Seen at InfoSec Europe 2015: Spot your Snowden!
byJohn Wallix
 
PPTX
Bus snowden presentation
byCJW78755
 
PDF
Cyber after Snowden (OA Cyber Summit)
byOpen Analytics
 
PPTX
Reigning in the Data (FOSSCON 2014) - Ephemeral Messaging and Privacy In Post...
byAndrew Schwabe
 
PPTX
Mass Internet Surveillance: The Snowden Case
byHacking Mom
 
PPTX
Assange & Snowden
byPearlyn Low
 
PPSX
Snowden creates new headache Arise Roby
byArise Roby
 
PDF
Snowden's NBC (Anons vs. GCHQ)
byDedalo-SB
 
PPT
Snowden as whistleblower - Future of Privacy Forum
byKathleen Clark
 
PDF
Take Back Control in a Post-Snowden World
byHyun Seo
 
PDF
EY Snowden - Mobile Transforming Retail
byMassTLC
 
PDF
Keeping your files safe in the post-Snowden era with SXFS
byRobert Wojciechowski
 
PPTX
From Orwell to Snowden
byFrancesco Giarola
 
PPT
Alumni from snowden
byNEOA
 
Snowden-final-report-for-publication
byZarte Siempre
 
The Post Snowden World One Year Later: What Has Changed?
byChristian Dawson
 
British Newspaper Coverage of State Surveillance and the Edward Snowden Revel...
byKarin Wahl-Jorgensen
 
Treason or Loyalty? Ethics and Edward Snowden
byBarry Casey
 
Edward joseph snowden
byCelina Anctil
 
Digital Citizenship and Surveillance Society: UK State-Media-Citizen Relation...
byKarin Wahl-Jorgensen
 
Seen at InfoSec Europe 2015: Spot your Snowden!
byJohn Wallix
 
Bus snowden presentation
byCJW78755
 
Cyber after Snowden (OA Cyber Summit)
byOpen Analytics
 
Reigning in the Data (FOSSCON 2014) - Ephemeral Messaging and Privacy In Post...
byAndrew Schwabe
 
Mass Internet Surveillance: The Snowden Case
byHacking Mom
 
Assange & Snowden
byPearlyn Low
 
Snowden creates new headache Arise Roby
byArise Roby
 
Snowden's NBC (Anons vs. GCHQ)
byDedalo-SB
 
Snowden as whistleblower - Future of Privacy Forum
byKathleen Clark
 
Take Back Control in a Post-Snowden World
byHyun Seo
 
EY Snowden - Mobile Transforming Retail
byMassTLC
 
Keeping your files safe in the post-Snowden era with SXFS
byRobert Wojciechowski
 
From Orwell to Snowden
byFrancesco Giarola
 
Alumni from snowden
byNEOA
 

Similar to Privacy post-Snowden

PPTX
Right to Privacy in the Digital Age-final
byGraham Smith
 
PDF
The Human Right to Privacy in the Digital Age
by- Mark - Fullbright
 
PDF
Framework of responsible state behaviour in cyberspace - for Marshall Center ...
byBenjamin Ang
 
PPTX
Cybersecurity Strategies - time for the next generation
byHinne Hettema
 
PDF
The Schengen Information System And Border Control Cooperation A Transparency...
bylistoreisenn95
 
PDF
Ethics of security and surveillance technologies opinion 28
byKarlos Svoboda
 
PPTX
Trusted government access to private sector data
byblogzilla
 
PPTX
Communications Privacy and the State
byGraham Smith
 
PPT
Wild West or gulag: models for policing cyberspace
byblogzilla
 
PPTX
Digital freedoms in international law
byblogzilla
 
PDF
Un may 28, 2019
byZahidManiyar
 
PPT
Istanbul conference 2011_roberto_lattanzi
byAtıf ÜNALDI
 
PPT
Cr4 tpp aucklan2012_edit
byCarolina Rossini
 
PPT
Privacy in a Human Rights and Social Justice Context
byInfo_Studies_Aberystwyth
 
PDF
Corso pisa-7 dh-2017
byLuca De Biase
 
PPT
Constitutions and tussles in cyberspace
byblogzilla
 
DOCX
Outline D
bybutest
 
PDF
Human Rights Council Study Guide
bydudasings
 
PPT
Human Rights And Internet Regulation
byblogzilla
 
PPTX
Steve Purser
byglobalforum11
 
Right to Privacy in the Digital Age-final
byGraham Smith
 
The Human Right to Privacy in the Digital Age
by- Mark - Fullbright
 
Framework of responsible state behaviour in cyberspace - for Marshall Center ...
byBenjamin Ang
 
Cybersecurity Strategies - time for the next generation
byHinne Hettema
 
The Schengen Information System And Border Control Cooperation A Transparency...
bylistoreisenn95
 
Ethics of security and surveillance technologies opinion 28
byKarlos Svoboda
 
Trusted government access to private sector data
byblogzilla
 
Communications Privacy and the State
byGraham Smith
 
Wild West or gulag: models for policing cyberspace
byblogzilla
 
Digital freedoms in international law
byblogzilla
 
Un may 28, 2019
byZahidManiyar
 
Istanbul conference 2011_roberto_lattanzi
byAtıf ÜNALDI
 
Cr4 tpp aucklan2012_edit
byCarolina Rossini
 
Privacy in a Human Rights and Social Justice Context
byInfo_Studies_Aberystwyth
 
Corso pisa-7 dh-2017
byLuca De Biase
 
Constitutions and tussles in cyberspace
byblogzilla
 
Outline D
bybutest
 
Human Rights Council Study Guide
bydudasings
 
Human Rights And Internet Regulation
byblogzilla
 
Steve Purser
byglobalforum11
 

More from blogzilla

PDF
Privacy and Data Protection in South Africa
byblogzilla
 
PPTX
Trust in the Cloud
byblogzilla
 
PDF
Interoperability in the Digital Services Act
byblogzilla
 
PPTX
Regulation and the Internet of Things
byblogzilla
 
PPTX
Introduction to Cybersecurity for Elections
byblogzilla
 
PDF
Interoperability for SNS competition
byblogzilla
 
PPT
Internet freedom: a comparative assessment
byblogzilla
 
PPTX
Human rights and the future of surveillance - Lord Anderson QC
byblogzilla
 
PPTX
Transatlantic data flows following the Schrems II judgment
byblogzilla
 
PPTX
Can the law control Digital Leviathan?
byblogzilla
 
PDF
Data science and privacy regulation
byblogzilla
 
PPTX
Regulating code
byblogzilla
 
PPTX
Key issues in data protection policy
byblogzilla
 
PPT
Exceptions & Limitations in Copyright or Systemic Overhaul?
byblogzilla
 
PPT
Data protection redress in the UK
byblogzilla
 
PPTX
Lessons for interoperability remedies from UK Open Banking
byblogzilla
 
PPTX
Global Cyber Security Capacity Centre
byblogzilla
 
PPTX
Cyber Essentials for Managers
byblogzilla
 
PPTX
Making effective policy use of academic expertise
byblogzilla
 
PPTX
Covid exposure apps in England and Wales
byblogzilla
 
Privacy and Data Protection in South Africa
byblogzilla
 
Trust in the Cloud
byblogzilla
 
Interoperability in the Digital Services Act
byblogzilla
 
Regulation and the Internet of Things
byblogzilla
 
Introduction to Cybersecurity for Elections
byblogzilla
 
Interoperability for SNS competition
byblogzilla
 
Internet freedom: a comparative assessment
byblogzilla
 
Human rights and the future of surveillance - Lord Anderson QC
byblogzilla
 
Transatlantic data flows following the Schrems II judgment
byblogzilla
 
Can the law control Digital Leviathan?
byblogzilla
 
Data science and privacy regulation
byblogzilla
 
Regulating code
byblogzilla
 
Key issues in data protection policy
byblogzilla
 
Exceptions & Limitations in Copyright or Systemic Overhaul?
byblogzilla
 
Data protection redress in the UK
byblogzilla
 
Lessons for interoperability remedies from UK Open Banking
byblogzilla
 
Global Cyber Security Capacity Centre
byblogzilla
 
Cyber Essentials for Managers
byblogzilla
 
Making effective policy use of academic expertise
byblogzilla
 
Covid exposure apps in England and Wales
byblogzilla
 

Recently uploaded

PDF
Lab 4.1 Cloud IAM - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PDF
Raman Bhaumik - A Junior Software Developer
byRaman Bhaumik
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
DMVPN Tunnels to multi sites in networks
byMahboabAliGhalib
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Lab 4.1 Cloud IAM - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
How to Evaluate a High Performance Database
byScyllaDB
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Raman Bhaumik - A Junior Software Developer
byRaman Bhaumik
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
DMVPN Tunnels to multi sites in networks
byMahboabAliGhalib
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 

Privacy post-Snowden

  • 1.
    PRIVACY POST-SNOWDEN IanBrown, Prof. of Information Security and Privacy Oxford Internet Institute, University of Oxford @IanBrownOII
  • 4.
    Implants in thesupply chain
  • 9.
    International law andpolitics • International Covenant on Civil and Political Rights §17 and §19 and their interpretation by the UN Human Rights Committee, UN High Commissioner for Human Rights, and UN Special Rapporteurs (on Freedom of Opinion and Expression; on the promotion and protection of human rights and fundamental freedoms while countering terrorism; on human rights and transnational corporations) • Regional treaties, esp. Eur. Conv. on Human Rights §8 and EU Charter of Fundamental Rights §§7-8 • How to make transparent, let alone improve, bi- and multi-lateral intelligence sharing agreements?
  • 10.
    United Nations •General Assembly: “Calls upon all States…To review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law” (A/RES/68/167) • HR Cmtte: Concluding Observations on USA (2014). Inter-State complaint? (Scheinin) • IGF 2014: “Civil society managed to get many of these issues on the conference’s agenda but governments chose to ignore them.” -Sherif Elsayed-Ali, Deputy Director of Global Issues at Amnesty International
  • 11.
    UN High Commissionerfor HR • “Even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights” §20 • “overarching principles of legality, necessity and proportionality” §23 • “secret rules and secret interpretations – even secret judicial interpretations – of law do not have the necessary qualities of “law” §29 • “sharing of data between law enforcement agencies, intelligence bodies and other State organs risks violating article 17” §27 • “Governments have operated a transnational network of intelligence agencies through interlocking legal loopholes, involving the coordination of surveillance practice to outflank the protections provided by domestic legal regimes. Such practice arguably fails the test of lawfulness” §30
  • 12.
    UN High Commissionerfor HR • “States have also failed to take effective measures to protect individuals within their jurisdiction…in breach of their own human rights obligations.” §30 • “digital surveillance therefore may engage a State’s human rights obligations if that surveillance involves the State’s exercise of power or effective control in relation to digital communications infrastructure, wherever found, for example, through direct tapping or penetration of that infrastructure. Equally, where the State exercises regulatory jurisdiction over a third party that physically controls the data, that State also would have obligations under the Covenant. If a country seeks to assert jurisdiction over the data of private companies as a result of the incorporation of those companies in that country, then human rights protections must be extended to those whose privacy is being interfered with, whether in the country of incorporation or beyond.” §34
  • 13.
    UN GGE A/68/98(24 June 2013) • “international law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability” • “States must meet their international obligations regarding internationally wrongful acts attributable to them” • “Recommendations on voluntary measures to build trust, transparency and confidence, as well as international cooperation to build capacity for ICT security” • New GGE held first meeting in New York in July 2014, and elected Brazil as the Chair. Three more meetings in 2015
  • 14.
    Council of Europeand EU • CoE Convention 108: • 7 States Parties do not apply Convention to State security (Andorra, Ireland, Latvia, Malta, Romania, Russia, Macedonia) • Modernised Convention does not allow this §3(2)(a) scope limit • Cybercrime Convention §32 • US-EU umbrella DP agreement • Accounting and Transparency Directives • Recent cases: • ECtHR: Big Brother Watch and ors v UK, App. No. 38170/13; Bernh Larson Holdings v Norway, App. No. 24117/08; Privacy International v UK • CJEU: Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Ors C-293/12 and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others, C 594/12 • 1 BvR 370/07 and 1 BvR 595/07: breaching const. right to IT-security requires factual evidence indicating a specific threat to an outstanding and overriding legal interest, such as threats to the life or freedom of an individual, or threats concerning the fundamentals or existence of the state + judicial authorisation
  • 15.
    Data localisation •German interior minister: “whoever fears their communication is being intercepted in any way should use services that don't go through American servers.” • Snowden: “you should never route through or peer with the UK” • Brazil & Russia – considered or passed laws requiring citizens’ data held within country. Digital Rights Ireland and Art 29 WP on retained communications data • Regional data centres – but limited impact given expansive American jurisdiction (In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., No. 13-MJ-2814-UA, SDNY 28 Aug. 14) • Norwegian domains .sj and .bv
  • 16.
    Renewed focus onencryption • Storage encryption using client-held keys is relatively straightforward – e.g. SpiderOak • Homomorphic encryption in the cloud? • End-to-end encrypted peer-to-peer systems • Verifiable?
  • 17.
    Conclusion • Internationallaw is (slowly) being strengthened – perhaps not at the scale that will effectively protect privacy against SIGINT agencies (ideas of optional ICCPR Protocol or even new General Comment 16 seem to have faded) • Cybersecurity norms are up for grabs • IANA and ICANN in some senses a sideshow, aside from leverage against US, although play important role concerning WHOIS, and potentially DNSSEC, RPKI, and more broadly as a fulcrum for transnational enforcement • Much greater attention to information security a pre-condition for raising cost of mass surveillance beyond the great (Internet) powers – IETF role

Editor's Notes

  • #2 http://www.economist.com/news/world-week/21599834-kals-cartoon?fsrc=scn/tw_ec/kals_cartoon
  • #4 http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html
  • #9 http://electrospaces.blogspot.co.uk/2013/11/five-eyes-9-eyes-and-many-more.html
  • #11 Intelligence protocol to CoE Convention 108, or interpretations of ICCPR/regional human rights treaties? MLATs? UKUSA amendment? http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/68/167
  • #12 http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf
  • #13 http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf
  • #14 http://www.un.org/en/ecosoc/cybersecurity/maurer-cyber-norm-dp-2011-11.pdf http://www.un.org/disarmament/topics/informationsecurity/ http://www.un.org/ga/search/view_doc.asp?symbol=A/68/98
  • #15 Intelligence protocol to CoE Convention 108, or interpretations of ICCPR/regional human rights treaties? MLATs? UKUSA amendment? http://www.conventions.coe.int/Treaty/Commun/ListeDeclarations.asp?NT=108&CM=1&DF=07/09/2014&CL=ENG&VL=1 http://tech.transparency-initiative.org/with-milestone-u-k-announcement-eu-disclosure-laws-speeding-toward-reality/ http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:182:0019:0076:EN:PDF http://www.twobirds.com/en/news/articles/2008/german-constitutional-court-creates-a-new-fundamental-it-privacy-right
  • #16 https://www.opendemocracy.net/håkon-wium-lie/net-names-for-safe-shelter Svalbard and Jan Mayen (.sj) and Bouvet Island