US law on global hacking will puncture Privacy Shield

US supreme court’s action would allow FBI to hack into computers and devices worldwide

Privacy Shield, the proposed replacement to the now-invalid US-EU data exchange agreement Safe Harbour, may end up the prominent casualty of a relatively obscure US supreme court action last week. Photograph: Thinkstock

Privacy Shield, the proposed replacement to the now-invalid US-EU data exchange agreement Safe Harbour, may end up the prominent casualty of a relatively obscure US supreme court action last week.

The court’s action, in the form of an amendment to federal court rules, would grant US agencies such as the FBI permissions to hack into and monitor computers and devices anywhere in the world.

Privacy Shield – which has yet to be approved by the European Parliament – must address the key faults of Safe Harbour noted by the European Court of Justice in its Schrems decision last year. Thousands of European and US businesses are eager to get an effective Safe Harbour replacement to ease compliance with data-protection responsibilities.

The most daunting challenge in addressing the ECJ’s objections to Safe Harbour is to somehow guarantee that European data processed in the US will be given the same protections as in the EU. This requires ensuring federal agencies cannot access that data, at least not without following formal and transparent procedures such as those contained in the mutual legal assistance treaties already agreed.

But, of course, as we know since Edward Snowden’s document releases, surveillance agencies don’t bother with such inconveniences when they have the means for easier snooping, and when post-9/11 laws provide much scope, and little meaningful oversight, for such activities.

Critics have already noted the US letters of assurance offered to the EU as part of the Privacy Shield proposal don’t mean much as long as opaque federal laws permit surveillance as well as secrecy. For example, under US law, companies that wish to formally oppose certain requests for access to their customers’ data are not allowed to reveal that such requests were ever made, nor the result of their appeal.

How can anyone know what is going on in such a world of unknown unknowns?

Explosive content

The supreme court’s move last Thursday is a change, but in the wrong direction.

The court has the ability to put forward amendments to federal judiciary procedures. On Thursday, it passed an amendment to Rule 41 of the Federal Rules of Criminal Procedure. The dry title belies some explosive content. Up until now, this rule stated warrants could only be granted to access and search electronic data held on a computer or device, if the location of the device were known. The amendment allows law enforcement “to search electronic storage media and to seize or copy electronically stored information located within or outside that district.”

In other words, the computer can be outside the US – or completely unknown. Advocates of the amendment argue that, as data can be held in the “cloud”, law enforcement needs these new permissions. Opponents say the amendment could allow the sensitive personal data of victims in a criminal investigation to be gathered. They see the move as having the potential of creating open-door surveillance opportunities, endangering vulnerable individuals and activists, and raining on cloud computing.

The amendment has drawn the ire of technology companies for what Silicon Valley digital rights group the Electronic Frontier Foundation called its “sweeping expansion” of powers. In a statement to the court, Google argued that “[despite a] weak assurance that the amendment does ‘not purport’ to expand the current scope of Rule 41, in reality it will: the nature of today’s technology is such that warrants issued under the proposed amendment will in many cases end up authorising the government to conduct searches outside the United States.”

The court has sent the amendment to congress, which has until December to approve it. Some US legislators are saying they will propose new laws to undermine the amended Rule 41.

As for Privacy Shield: the supreme court’s action will – if let stand – further undermine existing US assurances to the EU. On the one hand, negotiators and US authorities have insisted EU citizen data will not be subject to surveillance. On the other, new legal rights to do exactly that are being added to vague legislation.

Even before this amendment, Privacy Shield was on unstable ground. If the European Parliament somehow approves Privacy Shield, it will only be a brief period before Privacy Shield is hauled up before the ECJ.
