Monday, December 21, 2015

Better that a thousand innocents suffer than one guilty person go free...?

The Universal Declaration of Human Rights (UDHR), Article 11 states:
Everyone charged with a penal offence has the right to be presumed innocent until proved guilty according to law in a public trial at which he has had all the guarantees necessary for his defence.
The EU Charter of Fundamental Rights article 48 states:
Everyone who has been charged shall be presumed innocent until proved guilty according to law.
The presumption of innocence has been a cornerstone of English law for centuries. William Blackstone put it thus:
"the law holds it better that ten guilty persons escape, than that one innocent party suffer"
Benjamin Franklin was even more emphatic:
"it is better 100 guilty Persons should escape than that one innocent Person should suffer" 
Otto von Bismark, Pol Pot and Dick Cheney took the opposite view. It was better for them that innocents suffer than one guilty person escape.

The deadline for submitting your thoughts to the Joint Committee on the Draft Investigatory Powers Bill is today. This is probably the single most important piece of prospective legislation in a generation and the committee have been given an unconscionably short period to analyse and review this large and complex Bill.

I sent my thoughts to the Committee Friday evening last and will publish them here as soon as I'm able to do so.

In the meantime, though, I wanted to highlight something that doesn't appear to have been discussed in the context of the Bill anywhere that I'm aware of - the Bill's implicit reversal of the presumption of innocence.

The Investigatory Powers Bill is an attempt to codify permissions in law for the UK government to run a gigantic computerised multi systems communications surveillance apparatus. An apparatus that we know from the Snowden documents they have been running for some years. It also expands the scope and scale of those operations and the powers facilitating them. It is mass surveillance by any other name - collecting, retaining, processing and analysing the electronic communications of the entire population and as many of those overseas they can access.

The government is essentially creating intimate digital dossiers of every connected resident of the UK amongst others. We may decide as a society that is something we wish to accept - I don't - but there most certainly must be open, informed public debate about the direction of travel.

One of the key justifications for this mass surveillance is to find terrorists. As regular readers will be sick of hearing me say, finding a terrorist is a needle in a haystack problem and you can't find the needle by throwing infinitely more needle free hay on the stack.

The government have a stated belief that this is not mass surveillance because most of the collected data is only seen and analysed by computers not human beings. Every time I hear this mass surveillance defended or excused, I get a picture of the National Lottery's giant magic promotional hand emerging from the government's giant magic computerised terrorist catching machine, with a booming voice-over saying "it's you" as it points out the bad guys.

Now let's give them the benefit of the doubt and assume their machine could work. Assume it is 99% effective at pointing out a terrorist if the person it is watching at the time really is a terrorist. A 1% false negative rate is a pretty good hit rate. Ok so one gets away but you've found 99 baddies out of a hundred.

Unfortunately, your 99% catch-a-terrorist effectiveness has a down side. It will also show false positive results some of the time. So sometimes it will identify innocents as terrorists. The false positive rate won't necessarily (or even often) be the same as the false negative rate. If you calibrate your machine to identify 999 terrorists out of 1000 (instead of 99 from 100) it will also tend to falsely identify more innocents as terrorists.

However, to keep matters simple, lets assume the false positive rate is also 1%. So for every innocent person it looks at there is a 99% chance it correctly identifies them as innocent. One innocent is wrongly tagged but that may, to you, even if not to Ben Franklin, be an acceptable risk.

Except that again things are no so simple as they seem. When your magic machine is watching 60 million people in the UK and you don't know which comparative few are terrorists, life gets more complicated. How effective your magic machine is depends on how many terrorists and innocents there are relative to each other in the surveilled population.

I've periodically heard ministers and spokespersons for multiple successive governments over the past 15 years refer to 6,000 dangerous individuals in the UK. Let's assume that's the terrorist base rate. I don't know whether it is and we don't have enough empirical evidence to judge it but take the governments' claims at face value to give us some numbers to work with.

[Note: More generally it is to be recommended not to take claims about statistics at face value but to examine the detailed evidence critically]

6,000 out of 60 million means the population contains 0.1% terrorists, or 1 in a 1,000. Now the question is, given 1 terrorist per 1,000, how reliable or useful is your 99% reliable terrorist catching machine?

The answer which many people find surprising is: not very.

Your machine, when watching the 6,000 terrorists, will identify 5,994 of them as terrorists. (Assuming 1% false negative rate)

Your machine when watching the remaining 59,994,000 innocents (60 million minus 6,000) will identify 599,940 of these innocents as terrorists. (Assuming a 1% false positive rate)

Your 99% reliable giant computerised magic terrorist catching machine catches 5,994 terrorists but falsely accuses 599,940 innocents.

So, roughly speaking, your 99% "reliable" giant computerised magic terrorist catching machine accuses about a 100* innocents, in order to find one real terrorist. The 99% effective machine is really only 1% effective.

And even then 6 terrorists get away to perpetrate the next attack that will draw calls for even bigger more powerful magic computerised terrorist catching machines...

We have not even begun to consider here the security and law enforcement resource implications of having to investigate such a disproportionate number of innocent people; let alone the target-infested, cost-cutting cultures visited by government upon dedicated security and law enforcement services personnel, creating pressures to "get results".

I would ask you to consider one question, before getting onto the parliamentary website and sharing your views of the Draft Investigatory Powers Bill:

Do you want to live in a society where the default operational state of the security, intelligence and law enforcement services is: that it is better that a thousand innocents suffer than that one guilty person go free?

[... And... er... some terrorists will still slip through the net... shhhh...]

That reversal of the presumption of innocence is a central, if unspoken and somewhat unnoticed, tenet of the Draft Investigatory Powers Bill and the operations it seeks to protect and expand within its legal framework.

Don't be silent on something that really matters. Offer the Joint Committee your views.

Update: I made a decimal point error in original calculation, now corrected.

Saturday, December 19, 2015

Deadline for submitting evidence to IP Bill Joint Committee imminent

With the deadline for submitting evidence to the Draft Investigatory Powers Bill Joint Committee looming on Monday, it's worth considering Privacy International's short video (3m54s) explaining what communications surveillance is and why they are calling for an end to mass communications surveillance.



The Committee's call for evidence is available here. Given this is probably the single most important piece of legislation in a generation, I would urge anyone with a few spare moments, who has not yet done so, to express their opinion on the Bill.

The following conditions attach to providing written evidence to the committee:
"Evidence which is accepted by the Committee may be published online at any stage; when it is so published it becomes subject to parliamentary copyright and is protected by parliamentary privilege. Submissions which have been previously published will not be accepted as evidence. Once you have received acknowledgement that the evidence has been accepted you will receive a further email, and at this point you may publicise or publish your evidence yourself. In doing so you must indicate that it was prepared for the Committee, and you should be aware that your publication or re-publication of your evidence may not be protected by parliamentary privilege"
I sent in a submission yesterday evening and will publish it here in due course. 

Friday, December 04, 2015

Nothing to hide, nothing to fear: a short response

Ruth Coustick-Deal at the Open Rights Group has done a really useful blogpost on responding to the "nothing to hide, nothing to fear" mantra.

Frankly, every journalist worthy of the name should blast this seductive, toxic little soundbite and all its derivatives into discredited oblivion, immediately and every time a talking head tries to use it to rig a discussion on surveillance or other privacy issues.

Expose it for what it is. Laugh at it, if that works.

Don't accept the demonstrably false premise that privacy is exclusively sought or needed by evil people wanting to hide nefarious deeds and intentions. It is not.

Don't accept the demonstrably false premise that destroying privacy will solve the complex socio-technical-economic-environmental-justice-immigration-terrorism-[choose your issue] problem/mess du jour. It has not and will not.

By all means, list the collection of types of people for whom privacy is not only about dignity and humanity but about risk to life and limb.

By all means quote Snowden and Schneier, Applebaum, Greenwald and others, most especially Daniel Solove. Solove's Nothing to Hide: The False Tradeoff between Privacy and Security is, by a street, the best book-length argument, exclusively devoted to debunking the vicious, sleazy, lazy, ignorant, sophistic but powerful debating trick that is the 'nothing to hide' meme.

But start by saying you do not and cannot accept the false assertion that privacy is only about bad people hiding bad things.

Start by saying you do not and cannot accept the false assertion that destroying privacy (or "giving up a little individual privacy for collective security", as it is often deceitfully wielded) will fix terrorism/fraud/immigration/[issue of choice].

Never, ever accept "nothing to hide..." as the basis for framing a debate.

People who use it innocently or ignorantly need to be educated about its false underpinning assumptions.

People who use it with a deliberate privacy destroying or power grabbing agenda need to be reigned in.

Privacy, individual and collective, is at the foundation of a health society.

Be wary of anybody who seeks to destroy or undermine it, brandishing the malignant 'nothing to hide' slogan, whatever their motives.

Saturday, November 21, 2015

The poisonous seduction of the demonising of whole classes of people

This is no time for people who oppose Senator McCarthy's methods to keep silent.



Politicians, journalists and their paymasters would do well to heed Edward R. Murrow, who repeatedly inveighed against the extremism of Congressional McCarthyism.

The demonisation of Muslims, Syrians, refugees, [pick a categorisation for your discrimination of choice] is poisonous and destructive.

Wednesday, November 11, 2015

Science and Technology Committee IP Bill hearings

Some day when you find yourself with a couple of hours free, sit down in front of your computer and watch a debate in parliament on something you know a little about. I couldn’t spare a couple of hours but nevertheless couldn’t resist the Science and Technology Select Committee’s hearings on the draft Investigatory Powers Bill published by the government last week.

My very own MP, Nicola Blackwood, the recently installed Chair of the committee, opened proceedings with a briefing from the Home Office. She assured us that the Home Office had assured her that there were no plans for new powers to ban encryption deployed by overseas companies. I assume that was rushed to Ms Blackwood in advance of the briefing, following Apple chief Tim Cook’s dim view of the Bill headlining the front page of the Telegraph that morning. The only new power in the bill, Nicola assured us, was the facilitation of access to internet connection records. Given the amount of public relations there has been in the run up to the publication of the bill, I was assured that Nicola was assured and that MPs had been assured that all was ok and they need not worry too much about what that bill actually says.

One problem with watching parliamentary proceedings on the Internet, however, is that no, not that the spies/police might be watching when the IP Bill passes, but that the Parliamentlive streaming service can be decidedly flaky. I spent a fair and irritating chunk of my couple of hours watching a buffering circle on my screen.

First up in the witness chairs were Matthew Hare, Chief Executive Officer, Gigaclear, John Shaw, Vice President, Product Management, Sophos, and James Blessing, Chair, Internet Services Providers' Association. All three tried valiantly to enlighten but separating an MP in thrall to a party briefing from a clear view of the world is a bit like trying to separate a toddler from a beloved comfort blanket.

Witnesses:
  • High speed internet connections could result in an annual storage requirement of 15 terrabytes of data, just relating to a single home
  • The amount of data the IP bill requires service providers to collect, indiscriminately, is huge and costly and will not meet the aims of the bill
  • Serious criminals are already using strong encryption the IP Bill won’t address
  • Keeping massive stores of data safe and secure is really difficult... cough… TalkTalk cough…
  • Definitions in the bill are ridiculously broad – not even clear what a service or a service provider is
  • The Bill disadvantages UK companies which appear obliged to hand over data overseas companies do not
  • Internet protocol data networks are not run the same way as telephony networks and assuming they do is a fundamental error
  • Engaging in a population wide data dragnet in order to engage in a historical data fishing expedition at some point in the future is inappropriate
  • What is being proposed in the IP Bill is what has already been done in China
  • With port mirroring everything delivered to a customer can be delivered to 3rd party (MPs eyes glazing over)
  • It’s going to cost taxpayers a lot of money
  • Targeted rather than mass surveillance is a more effective, efficient and practical approach to the aims of the bill. If service providers get a request to intercept traffic to a particular IP address they can and do do that today.
  • The removal of electronic protection aka nobble encryption clause is a baaaaad idea
  • The Bill talks about 3 layers of data – communications data, content and one or the other. Unfortunately, once you capture comms data it becomes content, when you analyse it, it becomes information. (MPs glazing over again)
  • The IP Bill, as it stands, potentially makes it a criminal offense for service providers to share information about security vulnerabilities
In summary their evidence amounted to – the Bill is technically complicated and unclear what it really means in practice; it'll cost a fortune, fail to catch terrorists and other serious criminals, damage business, undermine everyone’s security and result in large numbers of innocent people being inappropriately dragged into the net of suspicion.

MPs:
  • But, but, but…
  • We’re already paying to be spied on – that’s how we fund the secret services
  • It’s ok to have a dragnet for the internet because we have a dragnet for phones and it’s just the same
  • Stella Creasy enthusiastically jumped in to share her knowledge of IPv6 which would fix everything by allowing the “spearfishing” of the baddies’ data from giant data stores and thereby making everything ok with bulk personal data collection. Unfortunately, as the techies heroically tried to explain, IPv6 generates vastly more data and makes everything more not less complicated technically
  • But, but, but…
  • It’s ok because we don’t intend to do all those things you’re complaining about
In summary, but, but but…

Just as the ever excellent Professor Ross Anderson of Cambridge opened for the second collection of witnesses of the day, my dreaded buffering circle kicked in again… The second group also included Professor Mike Jackson, Birmingham City Business School, Dr Joss Wright, Oxford Internet Institute, and Professor Sir David Omand, King's College London.

My feed came back online just in time to hear Nicola Blackwood emphatically declaring that there was no place for ethics in the hearing. The committee was here to be educated purely on the technology issues.  Prof Omand open by profoundly disagreeing with everything Prof Anderson had just said.

Ah shucks. What did I miss?

As far as Prof Omand was concerned the questions underpinning the bill were not ethical in nature but empirical. Unfortunate though the revelations of former NSA contractor, Edward Snowden, were, they demonstrated, empirically and without question, that the intelligence authorities were very good at handling large quantities of data.

Prof Omand went on to explain that in his opinion the main “fuzziness” in the bill was in the distinction between communications data and content. It was, however, a fuzziness with minimal practical relevance. The bill was as close as you can get to clear on the distinction between the two. The word "clear" did draw some sharp intakes of breath in the room but he ploughed on. The real significance was in the authorisation process for intercepting or accessing the data; and since that could be worked out by the insiders with the appropriate expertise, there was nothing to be concerned about.

Joss Wight respectfully disagreed with the good Prof about there being a clear practical line between metadata and content. His main opening concern was with mass retention or “bulk” retention which the government likes to call it. Dr Wight would want to see some respect for proportionality. Prof Omand was a little irritated with this and noted that the mistake the Home Office made in last 5 years was to not update interception and surveillance codes of practice. If the public had known there were secret codes of practice governing everything, all would have been ok and then the Snowden wouldn't have been such a shock.

Prof Anderson was invited back into proceedings again and decided it was time to ground all this abstract stuff in something the MPs might understand – their Google calendars – Google calendar data relating to who they were meeting with, where and when would be within the scope of what the Bill would consider content. Prof Omand jumped in insisting that this was not intended and accusing critics of the bill of using “worst case” examples to undermine it. Theoretically, the Infinite Power (sic) Bill could be abused but trust us, it won’t be.

Dr Wight noted a fundamental misunderstanding underpinning the bill being the assumption that metadata (or communications data) is less sensitive than content. Prof Omand was, metaphorically at least, on his feet again – the authors of the bill (by this stage observers must have been wondering if he was one) were not disagreeing that communications data might be sensitive but "most of the time" it is not.

Dr Wight insisted that comparing web communications data to telephony data is ridiculous. A better analogy is to real life - what shop, home, workplace, place of leisure you visit are all captured. That provides a much more intrusive picture of life than telephone billing records. Content data is not more sensitive than communications data. It is merely differently sensitive.

An MP ventured a really good question (that was not of the variety ‘can you confirm how clever I am’) – how do we frame this kind of surveillance legislation so it is practical now and future proof? 

Prof Anderson bluntly explained you can't. The technology is changing too quickly and parliament will have to continually revisit access to personal data issues for the foreseeable future. Technology and policy are inextricably interlinked and guess what? The internet of things is about to hit us. Also whether we like it or not, the networks are international in nature and Prof Anderson strongly encouraged international cooperation in their regulation.

Dr Wight then pointed out that from an investigatory perspective a targeted approach to surveillance was more effective and more practical. Though he understood the seductive attractions of creating a time machine with which to explore, at some future point, the intimate details of anyone’s past life, it was somewhat unethical. 

Prof Anderson agreed. There may be information gold in them there communications data hills but that didn’t make it ethical to build them. 

Prof Jackson confirmed that even as you continue to construct these data mountains you’ll find only a tiny amount of the data is useful. This is mass surveillance.

Nicola Blackwood was now getting tired of reminding these techies that the panel was here to discuss technology not ethics.

And Prof Omand was having none of it from his fellow witnesses. The British government simply does not and would not indulge in mass surveillance. It’s not the done thing. Mass surveillance is the persistent surveillance of all or large part of population. And since it is only computers that are engaged in the persistent recording, storage and analysis of the intimate details of everyone's lives, that’s perfectly fine. Human beings only look at a small amount of the data you see. [By which measure, incidentally, you could make an argument for installing the most sophisticated modern video cameras, filming 24/7 in every corner of every room and space in the country - it will be ok if nobody looks at it].

Prof Jackson pointed out that when mass databases exist that opens the personal data to the post hoc (rather than real time) equivalent of mass surveillance. Dr Wight agreed – proponets of the IPbill might be claiming there is no mass surveillance going on because human beings only see a small proportion of the data but computers can do a phenomenal amount with mass data before humans ever get involved in the loop. We also need to be cognisant of the clear and empirically measured chilling effects of a population’s awareness of constant surveillance.

Ms Blackwood: No ethics please, we’re here to discuss technological issues!

Profs Anderson, Jackson & and Dr Wight: The elephant in the room here is the destruction of privacy and you cannot deal with this bill without discussing it.

Prof Anderson tried again to bring the discussion back to something the MPs would understand. There are, he noted, significant sensitivities around medical records for example. Likewise bank records – did the MPs want police or other public services trawling through people’s bank records?

Prof Omand was in no doubt that of course we do – it was perfectly reasonable. It was perfectly unreasonable for Prof Anderson to be attempting to scare people witless about abuse of these powers with worst case scenarios. It won’t happen because we will now have stronger oversight including the involvement of judicial oversight. We listened to our US cousins on that one.

Dr Wight, at this point, disputed the notion that the IP Bill was not expanding existing powers. It would additionally lead to a reluctance on the part of commerce to do business in the UK and people seeking to subvert what the bill is trying to do would simply use services overseas.

Prof Anderson again noted that if we’re to get a handle on the regulation of these technologies we have to have international cooperation. Something along the lines of an international cyber evidence convention is called for.

Prof Omand: The security of the internet is the number one priority. The policy in the bill is extremely clear. You simply cannot remove the right of the authorities to deal with pedophiles and the IP bill might give the police and security services a chance to catch them. We do note, however, that the judicial commissioners involved in the oversight processes will need a lot of technical expertise.

Prof Anderson: Yes and the problem with the proposed set up is that the experts on the advisory board will have representatives from police, security services and service providers. No one from civil society or academia is entitled to even a look in – no representatives, in short, for Jo Public. Given big data is manna from heaven for government and commerce, that appears somewhat unbalanced.

Nicola Blackwood watching the clock, with relief, summed up: We’re out of time. We need to give the security services what they need. We need to insure proportionality in the deployment of these powers. She also thanked the witnesses for their heated advice. [Actually it was all reasonably civilised even though there was a split in opinions on the panel]

So, in summary where did we actually get to?

Profs Anderson, Jackson and Dr Wight: The government are collecting digital dossiers on the intimate details of the personal lives of the entire population.  Whatever you choose to call it that is mass surveillance

MPs: But, but, but…

Prof Omand: No it isn’t and it is irritating that people keep saying so

MPs: Ah that’s a relief... and they vacated the room, party briefing comfort blankets still tightly clenched.

Update: The Science and Technology Committee has invited written submissions on the Investigatory Powers Bill by Friday 27 November. As Nicola Blackwood repeatedly reminded her witnesses, they are looking for submissions that focus on technology issues, including:
  • The technical feasibility and costs of meeting the obligations imposed by the Bill 
  • The impact on communications service providers and related businesses 
  • The likely consequences for citizen/consumer use of ICT services
You can submit your thoughts via the UK Parliament website.

Update 2:  A full official transcript of the hearings is now available.

Thursday, October 15, 2015

Tuesday, October 06, 2015

CJEU Schrems, The Irish Data Protection Commissioner and Facebook

The Court of Justice of the European Union has today declared the EU-US Safe Harbour agreement, which  facilitates the transfer of personal data from the EU to the US, invalid.

The Court opens by highlighting the provisions of the 1995 Data Protection Directive
Object of the Directive
1. In accordance with this directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.
Article 25 of the directive lays down the principles under which it may be permitted to transfer personal data to countries outside the EU, "a third country" (or countries), primarily that the 3rd country offer "an adequate level" of data protection. The European Commission has the power to declare 3rd countries compliant with EU standards but are obliged to engage in due diligence in accordance with procedures outlined in article 31 of the directive, to ensure the requisite checks and balances are in place.

Under article 26, EU member states can sanction personal data transfers to third countries not yet in possession of the Commission's seal of approval under a specific set of circumstances e.g. if the person whose data is to be transferred agrees to it.

From an initial scan of the decision, it seems that the Safe Harbour agreement of 2000, declaring the US a safe 3rd country for EU personal data transfers, has been declared invalid by the Court because the EU were not careful enough in checking out the US; and because untrammeled US mass surveillance practices would appear to make it an unsafe third country.

From paragraph 5, the Court outlines the Commission's Safe Harbour Decision 2000/520 (including principles and US organisations' self certification and dispute resolution processes) declaring the US a safe third country for personal data transfers. The agreement allowed for US law to override Safe Harbour obligations. So if US law explicitly imposes an obligation on US organisations to process or transfer data in ways that would breach the Safe Harbour principles it is ok for them to do so. The idea being to give US companies an exit when caught between complying with conflicting legal obligations.

At the time, privacy advocates were unhappy with the Safe Harbour decision, accusing EU negotiators of folding in the face of US demands. Several reviews of the agreement, including this one by a group of internationally renowned scholars, in the summer of 2007, have noted that the Safe Harbour scheme does not meet the requirements of the 1995 data protection directive or EU privacy standards. Documentary evidence, released to journalists by NSA whistleblower Edward Snowden in 2013, on the mass surveillance practices of the US and UK governments, have given weight to those conclusions.

The CJEU get to the Snowden revelations and the EU's response to these in paragraph 11 to 25 of the Schrems decision. In a kind of an 'ooops, oh dear, those nice US Safe Harbour compliant companies are doing things they shouldn't be with EU data; but let's not upset them because it's the government's fault' realisation, the Commission issued Communication COM(2013) 846 final and Communication COM(2013) 847 final; noting US mass surveillance (though they didn't call it that) "raises serious questions".

As our US cousins might say, you're darn tootin' it raises serious questions.

Paragraph's 26 to 36 deal with the Schems complaint about Facebook to the Irish Data Protection Commissioner and the Irish High Court.

Schrems asserted that Facebook's data transfers to the US undermined his fundamental rights to privacy and the protection of his personal data, guaranteed by articles 7 and 8 the Charter of Fundamental Rights of the European Union.

The Irish Data Protection Commissioner said not my job guv, get lost but even if it was, there was no specific evidence that the NSA had been playing with Mr Schrems's data.

Judge Hogan in the Irish High Court took a different view. Whilst accepting that electronic surveillance and interception "serve necessary and indispensable objectives in the public interest... the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies." [para 30 Schrems] Judge Hogan also noted that EU citizens have no effective right to be heard in relation to the "indiscriminate surveillance and interception" carried out on them on a large scale by US federal agencies like the FBI and NSA. Protections for privacy, fundamental rights and freedoms guaranteed by the Irish Constitution were essentially being undermined by indiscriminate and disproportionate mass surveillance by US authorities. On the basis of Irish law alone, the Irish Data Protection Commissioner was wrong to reject Mr Schrems complaint.

Judge Hogan's view, that then brings the Commission's Safe Harbour decision of 2000 into play. Does that decision, certifying the US as a safe place for EU personal data, bind member states, obliging them to accept that certification; or can a data protection authority of a Member State, independently examine the claim of a person concerning a breach of their rights by a third country, when the law and practices in the third country do not ensure an adequate level of protection? Additionally, given what we know from Snowden, Judge Hogan believes the Safe Harbour decision itself to be invalid - as the fundamental right to privacy would be rendered meaningless if "State authorities were authorised to access electronic communications on a casual and generalised basis without any objective justification based on considerations of national security or the prevention of crime that are specific to the individual concerned and without those practices being accompanied by appropriate and verifiable safeguards."

The Court's deliberations play out in paragraphs 37 to 107.

The fundamental rights to privacy and data protection have been affirmed and re-affirmed in the Court time and again (Österreichischer Rundfunk and Others, Google Spain and Google, Ryneš, Rijkeboer, Digital Rights Ireland and Others). The independence of national supervisory authorities is an important element in protecting those rights in practice. They are obliged, however, to balance those rights with the interests of those requiring free movement of data and have no power relating to the processing of data, once it is transferred to another country. They do have an obligation, under articles 25, 26 and 28 of the 1995 directive, to monitor the transfer of data to a third country and ensure it complies with EU standards. Transfers may only be effected where the country the data is being sent to offers an "adequate level of protection".

Member states or the Commission may assess and determine whether protections offered by a third country are adequate. When the Commission makes a decision that a third country provides adequate protections it is binding on member states, until it is declared invalid by the CJEU. But that Commission decision cannot prevent EU citizens from pursuing a claim through the national supervisory authorities and, if necessary, national courts, if they have reason to be concerned that their fundamental rights are being undermined by the transfer to and processing of their personal data in a third country. If the national courts consider the complaint well founded, as did Judge Hogan in the Schrems case, they must refer it to the CJEU.

Bottom line - even if the Commission white-lists a country like the US, it does not prevent national data protection authorities investigating and national courts hearing an individual's complaint. And if an individual, like Mr Schrems, has a legitimate complaint, then it may be referred to the CJEU and the Commission's decision approving the US as a privacy respecting jurisdiction, may itself be reviewed [exclusively] by the Court of Justice.
"66 Having regard to the foregoing considerations, the answer to the questions referred is that Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection."
Paragraphs 67 to 106 review the validity of the Commission's Safe Harbour decision and constitute another CJEU warning over US and UK mass surveillance practices and the tepid European Commission response to these, following in the tradition of the Google Spain and Digital Rights Ireland cases from 2014.

Short version: the Commission failed totally, in its obligation to ensure that the laws and international obligations of the US actively respected the privacy rights of EU citizens, when approving the US as a trusted data protection nation, in their Safe Harbour decision of 2000. US organisations were permitted approval under a Safe Harbour self certification scheme which had no effective US public authority or legislative oversight (the US Federal Trade Commission's oversight being restricted to commercial disputes relating to unfair or deceptive practices in or affecting commerce and not the legality of interference with fundamental rights) and no remedies for individuals concerned about the potential abuse or misuse of their personal data. Not only did it fail, the Commission didn't even bother to check but eventually did get round to admitting, once the Snowden revelations emerged, that there might be "serious questions" over the Safe Harbour agreement.

Additionally the Commission, in the Safe Harbour decision, exceeded its authority in attempting to nullify national data protection authorities' powers to enable individuals to raise concerns about the processing of data in Commission approved third countries like the US.
86 ... Decision 2000/520 lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them. ...
88 In addition, Decision 2000/520 does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security.
89 Nor does Decision 2000/520 refer to the existence of effective legal protection against interference of that kind...
92 Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 52 and the case-law cited).
93 Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail ...
94 In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (see, to this effect, judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 39).
95 Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter...
96 As has been found in particular in paragraphs 71, 73 and 74 of the present judgment, in order for the Commission to adopt a decision pursuant to Article 25(6) of Directive 95/46, it must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order, a level that is apparent in particular from the preceding paragraphs of the present judgment.
97 However, the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. 98 Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid... 
99      ... national supervisory authorities must be able to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms in regard to the processing of personal data relating to him. That is in particular the case where, in bringing such a claim, that person raises questions regarding the compatibility of a Commission decision adopted pursuant to Article 25(6) of that directive with the protection of the privacy and of the fundamental rights and freedoms of individuals...  
102 The first subparagraph of Article 3(1) of Decision 2000/520 must ... be understood as denying the national supervisory authorities the powers which they derive from Article 28 of Directive 95/46, where a person, in bringing a claim under that provision, puts forward matters that may call into question whether a Commission decision that has found, on the basis of Article 25(6) of the directive, that a third country ensures an adequate level of protection is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
103 The implementing power granted by the EU legislature to the Commission in Article 25(6) of Directive 95/46 does not confer upon it competence to restrict the national supervisory authorities’ powers referred to in the previous paragraph of the present judgment.
104 That being so, it must be held that, in adopting Article 3 of Decision 2000/520, the Commission exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46, read in the light of the Charter, and that Article 3 of the decision is therefore invalid.
105 As Articles 1 and 3 of Decision 2000/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety. 106 Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid."
The Court concludes that the Safe Harbour Decision 2000/520 is invalid.

I would just repeat paragraph 93 for emphasis: "Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail"

So, in summary, national data protection authorities and national courts can review claims of abuse of personal data by third countries and the Safe Harbour EU-US agreement, Decision 2000/520 is invalid.
"On those grounds, the Court (Grand Chamber) hereby rules: 1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
2. Decision 2000/520 is invalid."

Update: Peter Swire who was one of the US expert negotiators when the Safe Harbour provisions were agreed, yesterday criticised CJEU AG's opinion in the case, as suffering from particular inaccuracies concerning the law and practice of U.S. foreign intelligence law, notably the PRISM program. He particularly emphasises changes to US law since the original Snowden revelations notes with approval the PRISM program is governed by Section 702 of the law enacted in 2008 to amend the Foreign Intelligence Surveillance Act. I suspect, given s702's 'guilty of being a foreigner' provisions Caspar Bowden would have had a few words to say on the subject.

The full court don't get into the intricacies of PRISM but it does hint strongly that Kafkaesque mass surveillance, without remedy available to those affected, undermines the rule of law.

Update 2: Daniel Solove does a really accessible analysis of the Court's decision and its possible implications. I suspect he over-estimates the likely impact of the coming revisions to EU data protection laws, given the giant privacy avoidance loopholes built into the draft general data protection regulations. But it is still essential reading.

Update 3: I also highly recommend Andres Guadamuz's analysis of the case.

Update 4: Some typos plus one error relating to FTC corrected. There follow links to EU Commission/Parliament reviews of Safe Harbour in 2002, 2004 and the post Snowden reviews of 2013 COM(2013) 846 final Rebuilding Trust in EU-US Data Flows and COM(2013) 847 final on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU

Friday, September 25, 2015

John Oliver, Privacy International & Ryan Gallagher on mass surveillance

In the light of The Intercept's latest story on the Snowden documents, could I recommend revisiting John Oliver on government surveillance plus his Snowden interview...



 ... and Privacy International's short videos on communications surveillance, big data, data protection, metadata and privacy





Tuesday, September 15, 2015

In praise of Open University people

The Open University (OU) is a phenomenal institution with fundamentally decent ethos and values which it has been a privilege for me to be able to tell people I work for, for the past 20 years or so.  We are, however, facing some serious challenges.

The latest plan to deal with those challenges is to close seven front-line regional operations centres. The OU centres marked for closure are London, Oxford, Bristol, Birmingham, Cambridge, Leeds and Newcastle.

Understanding the OU deeply takes a long time. It is full of incredible people who care deeply about our students and who have repeatedly shown they will go to the ends of the earth for this place, even to the point of putting their own health and welbeing at risk. Staff in the East Grinstead regional office which was shut down by the University at the end of November 2014, worked evenings and weekends, even in the knowledge they would be unemployed by Christmas, to ensure the students were settled with experienced, well qualified-tutors for our courses starting last autumn. In the thick of all the complexity and accommodation of massive structural changes of the past few years, though, it's worth noting that fundamentally the OU is simply about putting people in touch with people, people who care.

Historically the OU turned a discredited education method - correspondence courses - into hugely effective supported open learning at a distance which, for over 40 years, has outstripped the personal support provided by most of the conventional university sector by a street. Through a combination of energy, novelty, creativity, mutual support, organisation, sense, care, goodwill, a following wind and the right people, we, by accident as much as by design, got a lot of the key structural things right in the early days -
  1. The course production module - multidisciplinary concentrated teams producing intensely peer reviewed, tailored, self-contained, high quality self-study print, audio, video,multimedia and networked course material 
  2. The central administrative infrastructure needed to support production and operation at scale, on everything from exams to summer schools and associated  logistics 
  3. The regional administrative infrastructure - essentially front end regional offices and operations - that put the OU in the local community and real people who cared in touch with the people who were our students; names and faces that students got to know and trust throughout their period of study.
  4. Above everything else, the foundation stone that the place is built on is the deep level of care and the goodwill of the staff and students.
Unparalleled care, dedication to duty and goodwill are at the heart of all public services from education to policing, the health services and beyond. Care, dedication to duty and goodwill, unfortunately are also things that cannot be easily measured or counted. Things that politicians and bureaucrats are not easily held accountable for and things in recent generations, therefore, that have been sadly neglected and badly damaged, across the entire public sector. Simplistic targets, process, efficiency and cost cutting are the order of the day.  

Vice-chancellors, like all senior officers in the public sector, have been under intolerable pressure to rationalise and provide more for less.  The OU’s vice-chancellor, Peter Horrocks is quoted by the Times Higher Education Supplement as saying that the regional centre closures were aimed at providing students with the “best possible experience”.
“With developments in technology changing how we work, the student’s experience of the OU has not been limited by geography for some time. This is a difficult decision and I fully recognise the impact it will have on many of our staff, but we cannot afford to stay still.
This recommendation, if approved, would allow us to enhance student support in a way that’s simply not possible in our current office network, and offer our students the sort of support they expect and deserve.”
At its heart, education is a gift economy and the OU, for most of its life, has been the high water benchmark service for that economy, with care and goodwill at the core of its DNA.

I had been trying to hold onto the hope that when the dust settles on all the upheaval, we at the OU and the higher education sector in the round would emerge heavily bruised but re-trenched and largely intact. I'm now seriously concerned that we are evolving towards a future where students are numbers to be processed rather than people we care about and enable to develop their inherent talents and potential. 

Education cannot be done by treating people as numbers and it cannot be packaged as standardised widgets and sold via automated processes. Putting people in touch with people is the key. 

When universities feel they are forced to put the futures of the staff who care at risk - in this case incredibly special, unbelievably caring, dedicated OU people, with impossibly high standards, who demand nothing but the best of themselves and our institution in support of our students - then we put the futures of our students, our universities and our education system as a whole at risk.

Thursday, July 09, 2015

RIP Caspar

It's hard to believe but privacy activist, Caspar Bowden, has died following a short battle with cancer.

My first encounter with Caspar was on a listserv when he was director (and co-founder) of the Foundation for Information Policy Research. I believe it was the late 1990s but he was telling me off for spelling his name wrong. I apologised and we subsequently became friends. The substance of what we were discussing is lost to my memory but I suspect it was something around key eschrow and the original crypto wars at the time. It's shocking that Caspar should be lost to the security and privacy community just as that ugly battle is rearing its head again, with politicians and securocrats both sides of the Atlantic demanding back door access to encryption.

Combative and prickly, Caspar was also unfailingly kind and generous.

Whilst at FIPR Caspar worked tirelessly to inform parliamentarians and the public of the personal data pollution dangers of the burgeoning information age and ill designed regulations like the Regulation of Investigatory Powers Act (RIPA). He won the Winston award in 2000 for his work on RIPA and he carried that activism into his role as Chief Privacy Officer of Microsoft (initially for Europe, the Middle East and Africa, then for 40 countries worldwide) between 2002 and 2011. 

Long before the Snowden revelations, Caspar was warning of the nature of a huge range of privacy invading behaviour, commercial and governmental, and the facilitating evolving regulations round the world; not least the US Foreign Intelligence Surveillance Act 1978 (FISA) and the FISA Amendments Act 2008, in particular s1881, subsequently implemented as s702 FISA, Procedures for targeting certain persons outside the United States other than United States persons. His report, "The US surveillance programmes and their impact on EU citizens' fundamental rights", for the Civil Liberties, Justice and Home Affairs (LIBE) committee of the EU parliament is the definitive document on the subject.

It was Caspar's insistence on publicly spreading the word about this s702 'guilty of being a foreigner' provision of FISA that he recently explained led to his parting of the ways with Microsoft. 

Caspar was a big believer in a Rawlsian model of justice, a stickler when it came to the universality of human rights and was unstinting in his criticism of corporate or government entities or agents who sought to undermine those rights and principles; and even of US civil rights organisations who he felt passively endorsed the notion of better rights for US citizens.

He was a member of the board of directors of the Tor project. In recent times had become convinced of the potential of Qubes to form at least part of the technical architecture of a counter-insurgency against the seemingly all powerful, unstoppable erosion of personal privacy, by corporate and government agencies and others. 

Caspar was a rare polymath, an expert practitioner in the computer science, the laws of multiple jurisdictions, the technology more generally, identity management and information ethics. And he was prepared to wrestle with the user unfriendly inconveniences of privacy enhancing technologies, as the almost meltdown of his laptop, 4 minutes into his 'Reflections on Mistrusting Trust' talk at QCon last summer, demonstrated. 

For some time he had been contemplating and working on the establishment of a pan-European privacy rights organisation. It would be an appropriate legacy if an effective sustainable such institution could be brought into being.

There were few, if any, more deeply informed, active, passionate and energetic advocates for the privacy cause. Caspar you will be sadly missed. My thoughts and condolences go to your wife Sandi and family.

Update: a truly lovely personal tribute to Caspar by Malavika Jayaram, So long and thanks for all the fish, Caspar Bowden. Other really nice pieces from Natasha Lomas, Chris Soghoian, Robin Wilton, John Leonard, Ben Goldacre, Danny O'Brien, Martin Hoskins, Wendy Grossman, Simon Davies, Joanna Rutkowska, the Open Rights Group, Ind.ie, Sarah Clarke, Phil Booth, EDRi, the Tor Project, here, here, here, here, here, here, here, here, here, here, here, here, here, herehere and here.

Update 2: Guardian Obituary by Ross Anderson and tribute from John Naughton.

Thursday, June 11, 2015

A question of trust: notes on the terror watchdog report


The Terror Watchdog’s Report

The UK government has finally got round to releasing the report of the investigatory powers review by the independent reviewer of terrorism legislation, David Anderson QC and his team. Mr Anderson submitted the report to the Prime Minister on 6 May, just prior to the general election.

As Mr Anderson predicted, the report “won’t please everybody (indeed it may not please anybody)” but it is a substantive piece of work and deserves careful reading and consideration in full. In the press release accompanying the 379 page report he says:

“Modern communications networks can be used by the unscrupulous for purposes ranging from cyber-attack, terrorism and espionage to fraud, kidnap and child sexual exploitation.  A successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world.

  But trust requires verification.  Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international human rights standards and subject to demanding and visible safeguards.

 The current law is fragmented, obscure, under constant challenge and variable in the protections that it affords the innocent.  It is time for a clean slate.  This Report aims to help Parliament achieve a world-class framework for the regulation of these strong and vital powers.”

So far so good. 

The report itself summarises the importance of privacy, threats to the UK, technologies implicated, laws, powers, safeguards and practices and the views from a disparate variety of actors from law enforcement and the intelligence services to service providers and civil society. It closes with a set of 5 governing principles and 124 specific recommendations. It was not limited to counter-terrorism considerations but also included counter-espionage, missing persons investigations, internet enabled crime (fraud, cyber-attacks, child sexual exploitation) and crime in general. 

The purpose of the report is:

a. to inform the public and political debate on these matters, which at its worst can be polarised, intemperate and characterised by technical misunderstandings; and
b. to set out proposals for reform, in the form of five governing principles and 124 specific recommendations. 

I think it’s fair to say it succeeds with both, even if I can’t agree with some of the recommendations.  Mr Anderson has had unrestricted access, at the highest level of security clearance, to the responsible government departments whilst conducting his review.

Key issues arising from the report seem to be:

               The need to start from scratch on a comprehensive and comprehensible, fit-for-purpose legislative framework for investigatory powers – including the retirement of the “incomprehensible to all but a tiny band of initiates” Regulation of Investigatory Powers Act (RIPA) 2000
               Continuation of communications data retention under the Data Retention and Investigatory Powers Act (DRIPA) 2014
               There should be judicial rather than Secretary of State authorisation of communications data warrants – the report itself describes this recommendation as “radical” departure
               The approval of bulk collection of communications data.
               Lack of acceptance of government’s glossy claims for the magic, unimpeachable value of government access to bulk communications data and recommendations for improved oversight of same
               Approval of extraterritorial reach of DRIP Act, for now, until improved international framework for data sharing is in place
               Abolition of existing oversight commissioners and replacement with Independent Intelligence and Surveillance commission
               The power, in Theresa May’s beloved snoopers’ charter, for the retention of internet searches should only apply where “a detailed operational case can be made out and a rigorous assessment has been conducted of the lawfulness, likely effectiveness, intrusiveness and cost”.
               An emphatic rejection of David Cameron & Theresa May’s notion of blanket encryption backdoors for government

 

Why Theresa and Dave are Glum

Though there is a lot in there, it’s becoming clear why the government delayed publication and both Theresa May and the Prime Minister’s spokeswoman seem to be already distancing themselves from the report.

You can understand why Theresa and Dave might be a bit miffed that Mr Anderson disapproves of blanket encryption backdoors (pointing out the agencies don’t want it and it would undermine security for everyone), has the nerve to suggest judicial rather than Executive oversight of interception warrants might be appropriate, kneecaps the snoopers’ charter and notes some of the claims about the value of communications data in the investigation of nefarious actors might be somewhat overblown.

You would expect them, however, to be positively dancing in the aisles as a result of his apparent support for the continuation of the bulk collection and retention of communications data and the continuation of the extra territorial reach of DRIPA beyond its sunset at the end of 2016.

I have to admit I share Privacy International’s disappointment that Mr Anderson didn't condemn bulk interception. However, whatever cheer the government’s senior Cabinet members derive from the nominal support for bulk collection will be tempered by Mr Anderson’s qualification of this approval by saying   "Though I seek to place the debate in a legal context, it is not part of my role to offer a legal opinion (for example, as to whether the bulk collection of data as practiced by GCHQ is proportionate). A number of such questions are currently before the courts..." [1.12].  

This continual emphasis in the report that he and the government should respect the courts as the requisite arbiters in determining the proportionality of indiscriminate bulk collection, within the framework of the European Convention on Human Rights (ECHR), is interesting. Even as he approves, also, of blanket data retention under DRIPA, he insists that retention would have to comply with the ECHR and the European Court of Justice decision in Digital Rights Ireland case in 2014, which banned indiscriminate data retention.

On the approval of the extra territorial DRIPA powers Mr Anderson is again careful to note:

"I understand those who argue that extraterritorial application sets a bad example to other countries, and who question whether it will ever or could ever be successfully enforced. It is certainly an unsatisfactory substitute for a multilateral arrangement under which partner countries would agree to honour each others’ properly warranted requests, which must surely be the long-term goal.”

So Mr Anderson’s report has turned out to be nothing like the useful excuse for pushing through the snoopers’ charter that the Home Secretary must have hoped it would be.

 

Why the report might not please anybody

It’s a real pity that, even within the constraints within which he was working, and the reasonable set of 5 principles outlined for underpinning investigatory powers, laid out in Part IV of the report, Mr Anderson did not condemn bulk collection of communications data. I accept it is not part of his role to offer a legal opinion on whether bulk collection is proportionate. 

Yet I find the justification for supporting bulk collection is rather weak and not commensurate with the deeper consideration of the rest of the report. It is linked to a principle of minimising no go areas for law enforcement as far as possible, whether in the physical or the digital world and justified on the grounds of 6 sample cases briefly outlined in Annex 9 of the report. None of these 6 cases provide the detail to demonstrate that bulk collection was the primary source leading to the identification of these criminals in the first instance.  

It is not in dispute that if law enforcement or the intelligence services have just cause to suspect some person/group of involvement in criminal activity, the availability of bulk data which includes the data of the suspect/s, will enable data mining that may be useful in an investigation. Bulk collection facilitates the significant discovery of multiple details about anyone once they become a suspect or a person of interest. Authorities simply do not have the resources to engage deep data mining the lives of everyone even if they have that data available.

Since the turn of the century, time and again from the 9/11 attacks to the murders of Fusilier Rigby and people at the Charlie Hebdo offices in Paris,  information overload caused by bulk data collection has been a primary factor in the failure to prevent terrorist attacks by known dangerous individuals. It is simply not proportionate to engage in bulk data collection in the hope that it will be useful when the authorities decides to look into someone they disapprove of. It actually actively impedes already over stretched investigatory authorities, who would be better served by putting the resources apparently available for such bulk collection, into recruiting more and better trained investigators and analysts.

Mrs May and Mr Cameron would do well to note that the opportunity costs of engaging in the security theatre that is bulk data collection and data retention, undermines security for everyone by making the jobs of those tasked with protecting us more difficult, whilst simultaneously denying them the resources to be more effective.

Update: the airline worker example from Annex 9, according to Joshua Rozenberg is Rajib Karim, who was convicted in 2011 and jailed for 30 years.