[Reader-list] [CI] echelon etc: lambda 702 + Eurocops Enfopol group
Rishab Aiyer Ghosh
rishab at dxm.org
Mon Jun 18 15:15:45 IST 2001
Date: Sun, 17 Jun 2001 16:18:17 +0200
To: lambda-en at freenix.org
From: Jerome T <jt at freenix.fr>
Subject: lambda 702 + Eurocops Enfopol group
==================================
lambda 7.03
June, 2001
Jerome Thorel, Paris
http://lambda.eu.org/7xx/703-e.html
==================================
to unsubscribe: send a blank subject message to: majordomo at freenix.fr - with the following command: unsubscribe lambda-en
Contents:
+ Short-circuits: Supreme Court case and Carnivore; Bug hunters unveil special weapon
+ Euro cops challenge privacy guidelines, forbid anonymous access to advanced networks - strong lobbying from the US
+ Echelon spotted by European Parliament - US trade policy link-up with intelligence services
++++++++++++++
Short-circuits
++++++++++++++
De-(web)bug your PC
-------------------
This month the Privacy Foundation unveiled new software to keep an eye on and eliminate "spyware" and "webbugs" that send private data to unwanted sources (works only for a Windows PC and an IE-5.0 browser)
http://www.bugnosis.org/
Supreme Court Rules on Thermal Imaging Case
Carnivore email collection system under attack.
-----------------
(From EPIC newsletter, June 15, 2001.)
In a 5-4 opinion written by Justice Scalia, the U.S. Supreme Court held in Kyllo v. United States that the warrantless use of a thermal imaging device to detect heat emanating from a person's residence constituted an illegal search under the Fourth Amendment.
In 1992, Danny Lee Kyllo was arrested after Oregon police searched his home and found more than 100 marijuana plants growing inside. The search warrant was obtained after the police scanned the roofs and walls of Kyllo's home with a thermal imager to detect the infrared rays radiating from the halide lamps typically used to grow marijuana. Kyllo pleaded guilty to the charges, conditioned on his ability to challenge the constitutionality of the search. Although the District Court and Ninth Circuit rejected his Fourth Amendment claim, the Supreme Court reversed, stating that "[w]here, as here, the government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a 'search' and is presumptively unreasonable without a warrant." (...)
On June 14, House Majority Leader Dick Armey (R-TX) sent a letter to Attorney General John Ashcroft drawing a parallel between the Supreme Court's majority opinion in Kyllo v. United States and the FBI's controversial continued use of the Carnivore Internet surveillance system. In the letter, Rep. Armey asks whether, similar to thermal imaging, Carnivore "undermines the minimum expectation that individuals have that their personal electronic communications will not be examined by law enforcement devices unless a specific court warrant has been issued."
+ Kyllo v. United States, No. 99-8508:
http://www.supremecourtus.gov/opinions/00pdf/99-8508.pdf
+ June 14 Letter from House Majority Leader Armey to Attorney General Ashcroft regarding Carnivore (DCS-1000):
http://www.freedom.gov/library/technology/ashcroftletter.asp
+ "Armey to Press Opposition to Net Wiretaps", By JOHN SCHWARTZ, The New York Times:
http://dailynews.yahoo.com/h/nyt/20010615/tc/armey_to_press_opposition_to_net_wiretaps_1.html
++++++++++++++++++++++++++++++++++++++++++
+ ENFOPOL CHALLENGES EU PRIVACY GUIDELINES +
++++++++++++++++++++++++++++++++++++++++++
- Foreword -
"Evidence obtained with the aid of Internet traffic data
"The following example shows how traffic data can be used in an investigation into a classic crime. A woman had been found dead in the basement of her house. In her computer, numerous e-mails and some information on newsgroups were found. The content of these messages guided the police towards a person whom it was possible to identify thanks to the traffic data on the messages. However, no formal evidence made it possible to link the man to the crime. During a search at the man's home, investigators found other messages that appeared in the victim's computer. They also discovered some texts in the attacker's computer that showed how the crime had been premeditated. The man was sentenced to death. (...)"
From "ENFOPOL 71, ECO 316, REV 1 LIMITE - COUNCIL OF THE EUROPEAN UNION Brussels, 27 November 2000"
http://www.statewatch.org/news/2001/apr/12855.1.00.htm
Paris, June 15, 2001. -- This curious apology for the death penalty appeared in a restricted "ENFOPOL" document from the Council of the European Union, published on May 16 by the British civil rights group Statewatch. This so-called "Enfopol" group is the Police Cooperation Working Party, formed by police experts of every member state. To prevent cybercrime they want to oblige operators of "advanced networks" (IP, GSM, GPRS, UMTS...) to keep regular reports of traffic logs in order to identify users prior to any investigation.
While Britain was said to be asking for 7 years of storage, the majority now claims 12 months could be enough, and privacy officials favor 3 months, not more.
The ENFOPOL requirements were supposed to be cleared by EU Justice and Home Affairs ministers during their May 28 and 29 meeting in Brussels. But they dropped the case -- for now.
Too hot to handle? Or bad timing? At the same time, European policy makers were busy condemning privacy threats by the US-led Echelon spying network: on May 18 the European Parliament's Temporary Committee published a draft report after 11 months of investigation (see details below), in which Britain and Germany were officially criticized for breaching European laws on privacy.
US lobbying (again)
==================
In the abstract quoted above ("Evidence obtained with the aid of Internet traffic data"), ENFOPOL experts promoted the death penalty as a legitimate way to conclude a 'modern' criminal investigation. The EU may have been too much inspired by a well-known North American state, because all 15 EU members have banned the death penalty from their criminal codes.
It's an excellent reminder that ENFOPOL meetings emerged after the US FBI's efforts to lobby OECD and G8 States on telecom surveillance, inside the ILETS informal group (International Law Enforcement Telecommunications Seminar), founded secretly in the early 1990s. Statewatch was the first organisation to report on the behind-the-scenes influence of the FBI in a 1995 resolution passed by the European Council ("lawful access to advanced networks communications").
Statewatch revealed last month that the last ILETS meeting, held in November 1999 (Saint Cyr au Mont d'Or, near Lyon, France), concluded that:
"All delegations (had to) consider options for improving the retention of data by Communications Service Providers".
ILETS urges EU countries to modify Directive 97/66 on personal data and privacy in the telecommunications sector
"which orders the operators to erase or to make anonymous historic data upon the termination of a call"
http://www.statewatch.org/news/2001/may/03Denfopol.htm
Anonymity paranoia
===================
This 1997 Directive (thanks to ILETS intervention?) is under review for modification. A draft version (Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector), dated 12 July 2000, was proposed by the European Commission in Brussels. But ENFOPOL experts were still angry about it.
The "ENFOPOL 71" paper (Nov. 27 2000) states:
"Various delegations (B/D/F/NL/S/UK) expressed misgivings about the implications of the Directive, in particular Article 6, where it is stated that "traffic data relating to subscribers and users processed for the purpose of the transmission of a communication and stored by the provider of a public communications network or service must be erased or made anonymous upon completion of the transmission."
The latest ENFOPOL requirements are summarized in the "ENFOPOL 29" paper (March 30, 2001). They are seeking:
i) to stop the deletion of telecommunications data which is required under the law as laid down in the EC Directives on data protection and privacy;
ii) to stop users having anonymity in their communications (attack on cybercafes);
iii) to ensure that the law enforcement and security agencies have access to the retained/archived data;
iv) to ensure that data is retained, in the first instance, for at least 12 months - once the EC Directives are breached they can argue for seven years, ten years or more later.
http://www.statewatch.org/news/2001/may/03Genfolpol.htm
Further arguments:
"Each operator is generally required to delete the traffic data or render them inaccessible at the end of each call (or at the latest when the time required for their commercial processing has elapsed). ... The issue of storing connection data therefore seems crucial. ...
"At present the issue of the storage of connection data and the length of that storage is clearly the weak link in the fight against cyber-crime. As witness, few countries have a legal requirement concerning the length of time connection data must be kept."
Public internet cafés are considered as a new threat:
"It is also imperative that a solution be found to the problems raised by the various forms of anonymity on the World Wide Web, the most significant example being cybercafés, which have been the source of a number of cases of fraud."
A consensus seems to favor a "minimum of 12 months" of storage, as Belgium has already put it in its new cybercrime law (enacted in February 2001). The proposed law in France (LSI or Loi sur la société de l'information) also sets 12 months as a "minimum" retention target, as Spain may decide in its draft LSSI law, reports said. The Netherlands is more pragmatic, requesting just a 3-month period.
Statewatch reports that Britain is still pushing its own ranks to raise the period to 7 years (yes, seven!). But Britain, Statewatch argues, won't pass any law for that; it may prefer to adopt "informal agreements" with telecom and internet operators.
Data retention cacophony
========================
Meanwhile, the Council of Europe (not an EU body), a 43-country consultative assembly based in Strasbourg, France, has been working since the end of 1999 on a "Draft Convention On Cyber-Crime". The COE released version 27 of the convention on May 25, 2001. This draft will be submitted to the COE's Committee on Crime Problems in a plenary session (18 - 22 June 2001), and then will be passed to COE members' governments for final adoption and ratification.
The draft convention was also prepared by non-COE members, i.e. the USA, Canada, Japan, South Africa, and others.
Article 16, regarding "Expedited preservation of stored computer data", states that countries must adopt laws:
"to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, (and) to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of 90 days, to enable the competent authorities to seek its disclosure."
Privacy officials are upset
========================
The problem is: the EU's 15 privacy experts strongly disagree with all these requirements. A working group of the Commission ('Article 29' or Data Protection Working Party), made up of each country's Data Commissioners, published its "Opinion on the Council of Europe's Draft Convention on Cyber-crime" (March 22 2001). They said it would be disproportionate to impose a "general surveillance obligation consisting in the routine retention of all traffic data".
Excerpts from their opinion (based on v.25 of the Convention):
"The EU Data Protection Commissioners at their Spring 2000 Conference in Stockholm ... adopted a resolution expressing that they "note with concern proposals that ISPs should routinely retain traffic data beyond the requirements of billing purposes in order to permit access by law enforcement bodies. ... Such retention would be an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights. Where traffic data are to be retained in specific cases, there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law." (...)
Nevertheless, the provisions in the draft Convention concerning traffic data raise serious concerns: Articles 29 and 30 on expedited preservation and disclosure of traffic and other data do not provide for the possibility for the requested party to refuse such assistance for data protection reasons, but only for the general grounds (such as "ordre public", sovereignty, security or other essential interests.) (...)
Conclusions (...)
The Working Party therefore sees a need for clarification of the text because their wording is often too vague and confusing and may not qualify as a sufficient basis for relevant laws and mandatory measures that are intended to lawfully limit fundamental rights and freedoms. (...)
The Working Party sees a need to improve the justification of the measures envisaged in terms of necessity, appropriateness and proportionality as required by the Human Rights and Data Protection instruments (...).
http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp41en.htm
In France (CNIL - Commission informatique et libertés) and the UK (IC - Information Commissioner) they consider that 90 days of "connection data" is the maximum our democratic countries could handle. On June 13th, the French government approved the draft LSI law (Parliament may debate the case in early 2002) but did not change the 12-month target.
Sources close to the French Industry minister, who was the main sponsor of the law, said "security officials" fiercely opposed following the CNIL's advice (3 months).
From traffic to content data
=========================
The law, however, said that the "connexion logs" concerned by the retention proposals "would not permit to give access to the content of private messages and would not enable to have a list of consulted material to list consulted information".
The lambda has learned that EU Data Commissioners have classified these data in 4 categories (from less to more intrusive):
1) connection data namely designed to identify a single user (i.e., IP address) or login account when connected to any fixed or mobile network;
Data Commissioners requirements >> 1 to 3 months of records prior to official investigations, but under special circumstances
2) protocols data, designed to learn what kind of networked protocols or channels have been used online (chat rooms, web, IRC or instant messaging) by a single account;
>> no records justified prior to official investigations
3) traffic data aimed at identifying the user's "friends list", (i.e., 'who speaks/writes to whom', "from"/"to" contacts list, caller/called numbers for phone systems);
>> no records justified prior to official investigations
4) content data designed to intercept private correspondence and discussions;
>> any records made prior to official investigations would constitute an "illegal interception" and thus would breach human rights basic principles (ECHR).
Lambda comments
==================
- The search for logs could not be considered as the simple extension of physical fingerprints (even if both are designed to identify somebody).
- The requirements to scan, record and preserve these so-called "traffic data" could be even more intrusive than mere fingerprints. For example, traffic data such as "who speaks to whom", related to a user's web surfing habits, forums used, etc., are potentially a more intrusive weapon than any investigation methods used nowadays.
- The confusion between "log", "traffic", and "protocols" data is an ideal pretext for governments to extend their investigative powers on "advanced networks".
- The next step would be to require, prior to any official investigation, the same kind of routine storage obligation for "content data" -- just as the British government is about to consider.
- It has been proven in the US with the FBI's "Carnivore" system (real-time collection of emails): it's impossible to discriminate exactly between "content" and "traffic" data when only the latter is authorized by a judge.
- Telephone wiretapping has been accepted (it's a fact) in democratic countries as a legitimate way for the police not to be surpassed by 'modern crime'.
- But "content data" of any electronic communications do have a more intrusive impact than phone conversations. Computer files and pictures that would reveal private writings and thoughts could not be intercepted by telephone. Electronic media offer a much wider choice of forms of expression than a mere discussion over a phone.
- To preserve the basic principle of a democratic legal system (presumption of innocence), an electronic wiretap court order may be more restrictive than a simple wiretap warrant.
++++++++++++++++++++++++++++++++++++++++++++++++++++
ECHELON SPOTTED (BUT NOT UNPLUGGED) BY EURO PARLIAMENT
++++++++++++++++++++++++++++++++++++++++++++++++++++
The Temporary Committee on the ECHELON interception system, a 36-member semi-investigative group of the European Parliament in Strasbourg, decided to publish its Draft report on May 18 -- after leaks of an older version were unveiled by the Federation of American Scientists.
Later Duncan Campbell and the German online magazine Telepolis revealed other papers that give further evidence of economic spying on European firms. The Department of Commerce's Advocacy Center, helped by intelligence services, seems to have played a key role. As Campbell reports, "From 1992 to date Europe is likely to have sustained significant employment and financial loss as a result of the U.S. government policy of "leveling the playing field", introduced in 1991."
The EP report is still a draft. The May 18th version contains some comments about the delegation the Echelon Committee sent to Washington, DC, May 8-10. The delegation had to cut short their visit because of the refusal of NSA, CIA, State Department and DOC Advocacy Center officials to meet European MPs. They had meetings with DOJ officials and Congress' select committee on intelligence activities, with no new answers - asked if Echelon did exist, MPs were given a copy of the American Constitution...
The draft report will be finalized and approved on 20/21 June 2001, and later, with a draft resolution, will be debated by the European Parliament on 3 September 2001.
EP REPORT
+ HTML version - emphasis added by Cryptome to look for comments that were added after the Washington visit.
http://cryptome.org/echelon-ep.htm
+ Pdf version from the EP web site
http://www.europarl.eu.int/tempcom/echelon/pdf/prechelon_en.pdf
Duncan Campbell 2001 report
+ Interception Capabilities - Impact and Exploitation (IC-IE2001), which were presented on 22/23 January 2001 before the Committee:
http://www.heise.de/tp/english/special/ech/7753/1.html
+ COMINT impact on international trade
It sets out, with detailed sources, the case that from 1992 to date Europe is likely to have sustained significant employment and financial loss as a result of the U.S. government policy of "levelling the playing field", introduced in 1991.
http://www.heise.de/tp/deutsch/special/ech/7752/1.html
+ U.S. trade "Success stories" affecting Europe - financial and geographical analysis - a table with contracts, countries defeated, etc:
http://www.heise.de/tp/deutsch/special/ech/7796/1.html
+ COMINT, privacy and human rights
This paper reveals that Britain undertakes to protect the rights of Americans, Canadians and Australians against interception that would not comply with their own domestic law, while offering no protection of any kind to other Europeans. This and other background papers provided to the Echelon committee have prompted them to observe that "possible threats to privacy and to businesses posed by a system of the ECHELON type arise not only from the fact that is a particularly powerful monitoring system, but also that it operates in a largely legislation-free area."
http://www.heise.de/tp/deutsch/special/ech/7748/1.html
lambda / arQuemuse
J. Thorel - June 2001
lambda.eu.org
+++