Pseudonymous Data For Debate In Future EU Regulation

The European Union may have standard unified data protection laws by 2014, and the European Commission is currently debating what kind of data falls under their proposed protection scheme.  The potentially far-reaching law, called the General Data Protection Regulation (GDPR), aims to update the current EU directive that does not take into account social media data or the complexities of cloud computing.  Where pseudonymous data fits into this new law, however, is subject to heated debate.

Pseudonymous data refers to online information that may not identify an individual directly, but often allows indirect identification rather easily.  This includes anything from Internet user names to IP addresses to user-generated data such as forum posts, search terms, or friend lists on social media.  While some argue that this pseudonymous data does not require the same stringent protection as clearly personal online information, others claim that this data demands the same privacy protection.

In a March 2013 speech in Brussels, Valerie Reding, Vice-President of the EU Commission in charge of GDPR, strongly stated her support for vigilant protection of data, pseudonymous or otherwise.  “Data protection is a fundamental right,” she said, “[and] privacy is an integral part of human dignity and personal freedom.”  She continued to clarify: “Pseudonymous data is personal data . . . [it] must not become a Trojan horse at the heart of the regulation, allowing the non-application of its provisions.”  Reding made clear that she supports data protection including indirect personal data, or any data that allows for eventual accurate identification of an individual.  She ended her address by calling for “robust safeguards” for citizens while also making solutions workable for businesses.

The Washington-based Center for Democracy and Technology (CDT) further clarifies the definition of pseudonymous data and argues for its broad protection.  In a position paper the CDT claims that data should be protected that makes indirect links to an individual or an individual’s device, as device-level information such as IP addresses can be easily linked today to a real name identity.  IP addresses in particular require new and strong protection, the CDT paper explains, because currently companies process and obtain IP addresses simply when a user downloads content from a webpage.  The key to unified privacy regulation like GDPR would be a system where “a data controller cannot readily tie the data to an individual . . .it should not be sufficient that a party has the ability to link but does not intend to.”  The CDT argues that regulations and incentives for companies to follow them will encourage Internet companies to collect data more often in pseudonymous rather than directly personal form, and will give pseudonymous data the protection level it needs.

Online privacy advocates argue that this regulation is explicitly required because business interests will continue to work toward collecting and eventually selling their user data.  As Fredrik Soderblom, owner of the Swedish company Storesafe.com, told the EU Observer: “if you have properly anonymized data it wouldn’t be commercially interesting to buy it because you want it to be able to pinpoint the individual so you can direct the advertising [at them].”  Adopting strict privacy regulation with obligation to protect on the part of industry would curb such misuse of personal and traceable data, advocates hope.

Other privacy provisions that may end up as law under the GDPR include mandatory notification of individual data breaches, required consent for user data collection and a clear statement of the purpose of the collection, and the Right to Be Forgotten, which would require an organization to delete personal data once that consent has been revoked by the user.  European Commission negotiations will continue until 2014, and they will ultimately determine if pseudonymous data fits under the protective umbrella of the GDPR.

ASIC Brings New Internet Censorship To Australia

asicThe Australian Securities and Investments Commission (ASIC), an independent corporate governance body that acts as Australia’s financial regulator, was revealed as the group responsible for shutting down close to 1,200 websites temporarily in April, including the community-based educational website of the Melbourne Free University.  The Australian federal government has confirmed that the ASIC has the authority to require Internet service providers to shut down sites suspected of committing financial fraud.

This black-hole action comes only months after Australian Communications Minister Stephen Conroy agreed to abandon a nationwide mandatory Internet filtering program in November 2012, in favor of a still widespread voluntary filtering policy.  The voluntary program involves the Australian Federal Police (AFP) requesting that service providers black out certain sites that Interpol labels as criminal, such as child pornography rings or blatant financial scams.  Australia’s largest telecommunications companies, including Optus, Telestra, and Vodafone, have complied with federal filter requests.  The Telecommunications Act that allows for this censorship offers no requirements for government transparency or civilian oversight.

Minister Conroy defended the recent shutdown in April: “ASIC believed that the website in question was operating in breach of Australian law, specifically section 911a of the Corporations Act 2001,” Conroy’s office said. “Under Section 313 of the Telecommunications Act, websites that breach Australian law can be blocked.”

Of the many sites shut down for over a week with little explanation, only one was the fraudulent website in question: a group of sites called Global Capital Wealth.  The group’s websites operate a cold-calling investment scam that had been discovered by the ASIC in March.

The nearly 1,200 sites shut down in April were not given notice as to why they were suspended, only that the ASIC suspected their site of illegal activity or hosting illegal material.  Thousands of users of the community education initiative of the Melbourne Free University site were particularly bemused.  Conroy’s office eventually issued a statement claiming that “Melbourne Free University’s website was hosted at the same IP address as [a] fraud website, and was unintentionally blocked . . .The government is working with enforcement agencies to ensure that Section 313 requests are properly targeted in future.”

The blocking of IP addresses as opposed to specific web addresses is a method used only by the ASIC in Australia — the AFP, for example, blocks site addresses.  Internet freedom advocates, including the US-based Electronic Frontier Foundation (EFF), called the IP blackout “reckless” and warned of future problems due to lack of transparency on the part of Australian authorities.  The arbitrary but firm nature of the shutdown has free information advocates worried about future unilateral filtering actions without oversight, and the potential of a slippery slope.

“Decisions that affect the global connectivity of the Internet should be made transparently,” the April EFF response memo reads, “whether they are made in the offices of ISPs, or in the courts and corridors of government.”  The EFF has publicly opposed Australia’s budding but growing Internet censorship policy since before the April incident, and they suggest that Australian users operate through Virtual Private Networks (VPNs) or peer-to-peer software like Tor to maintain Internet freedom.

Leaked Slides Offer Insight Into Prism Spying

nsa-logoIn the continually developing story of the NSA’s use of its Prism program to broadly collect data, newly released slides show how the program works with Internet companies like Google and Apple to mine users’ information.  The slides, published this week with some redactions in the Washington Post, show a presentation of PRISM’s workflow and details the targeting process, confirming that both the NSA and the FBI have the ability to conduct real-time digital surveillance.

The leaked slides reveal that the surveillance process begins when an analyst gives Prism the task of gathering information about a specific target.  The system then has a built-in stall mechanism, as the program requires permission to target from a supervisor.  This supervisor must determine that there is a “reasonable belief” of threat, at least 51% certainty, as detailed in the slides.  This initial supervisory process appears to be the only human check on the system.

The data collection process then begins with the FBI, using interception units installed at the private companies involved, including Google, Skype, and Apple.  As the Washington Post reports, the FBI “deploys government equipment on private company property to retrieve matching information from a participating company, such as Microsoft or Yahoo, and pass it” on for analysis.  The information can be forwarded without review to the CIA, NSA, or within the FBI.  At this point, based on certain “selector” key words determined by analysts, data like chats and e-mail can be monitored live, with content mined through the service providers.  This data can also include location information, real-time video and voice events over IP addresses, and unique device signatures.

The latest four slides give further detail about the extent and timeline of Internet companies’ involvement with the program.  Microsoft joined first in 2007, followed by Yahoo, Google, Facebook, YouTube, Skype, AOL, and Apple most recently in 2012.  The evidence leak has left some companies scrambling to explain their initial denials of involvement earlier this June.  The companies are currently legally barred from discussing their involvement in the program, although both Google and Microsoft have petitioned for this gag order to be lifted.

The leak reveals that as of April 2013, 117,675 targets were being monitored using the Prism system.  The NSA and other agencies do not need a warrant to use the Prism program to target individuals, as Prism is approved by a court order through the Foreign Intelligence Surveillance Act.  There is no report yet as to how many of those targeted so far have been foreign nationals or American citizens.

The government and intelligence community maintain that the Prism program was built to spy on foreign targets operating outside of the US, but worries about lack of transparency and accountability suggest the potential for “incidental” data mining of the private lives of American citizens.  There are checks against this for stored content, as opposed to live real-time monitoring: towards the end of the process documented in the new slides, the FBI runs the target through its own databases to make sure their information does not match that of any known Americans.  For real-time monitoring, there remains no oversight for American personal data falling into the surveillance net.

The Washington Post reports that these latest slides claim that Prism is the number one source of raw information used today by the NSA.