Draft LIBE Report Seeks U.S. Assurances It Will Stop Spying on Friends

Meanwhile, European mobile networks aren’t safe from interception by U.S. and other intelligence services, Christopher Soghoian, American Civil Liberties Union principal technologist for ACLU’s speech, privacy and technology project, warned lawmakers. He and former Guardian journalist Glenn Greenwald rejected claims that a U.S. District Court, D.C., decision in Klayman v. Obama on NSA metadata-vacuuming isn’t significant.

The actual report won’t be available to co-drafters until Friday, Moraes said at a hearing. Its publication was delayed to allow him to incorporate several other issues, including analysis of the U.S. court decision (CD Dec 17 p3), he said. The report will be discussed Jan. 9, with proposed amendments due Jan. 13, he said.

Spying by the U.S., U.K., France and Germany “is no longer in doubt,” Moraes wrote in speaking points. Nor is there any question that those operations breach international and European law, he said. MEPs understand the need for intelligence and ensuring the security of citizens, but that doesn’t “have to spell out the death of privacy,” he said. Security services can’t operate in a legal vacuum and must respect the law with proper democratic oversight, he said. National oversight systems have clearly failed to restrain intelligence agencies, he said. The report recommends an overhaul of existing national systems and a high-level EU working group to define minimum surveillance standards and better cooperation among oversight bodies.

On EU-U.S. relations, the report said, the U.S. has taken steps to cooperate with Europe on aspects related to the spy revelations, but NSA activities have caused serious damage to the parties’ relationship. It asked Congress to enact laws and effective guarantees for Europeans whose privacy has been breached. The U.S. must say who its friends and foes are, and establish with the EU a code of conduct that ensures that no U.S. espionage takes place against EU bodies and facilities, it said.

Other recommendations included: (1) Suspending safe harbor, which allows U.S. companies to transfer Europeans’ data, and suspending the Terrorist Finance Tracking Program. (2) Reaching agreement on the EU data protection reform package by 2014. (3) Finalizing the EU-U.S. data protection umbrella agreement quickly. The report acknowledged the major importance of the Transatlantic Trade and Investment Partnership but said the European Parliament shouldn’t consent to TTIP unless it omits data protection provisions, given the lack of trust between the parties. There should also be swift development of an EU cloud to protect citizens’ data from being stored where the NSA can access it, the report said.

Ex-NSA contractor Edward Snowden’s disclosures exposed a “huge weakness” in the information technology systems of EU institutions, the speaking points said. In response, Parliament will review and assess technical capabilities, including possible open source software, cloud storage, mobile tools and more use of encryption technologies, it said. The need for better technological protections was underscored by the ACLU’s Soghoian, who warned LIBE members that Europe’s mobile phone networks “are not safe.” European policymakers who have long known about the flaws in the networks have ignored warnings and exploited the faults, he said.

There’s no lockbox security built into cellphones, even those made by European companies, said Soghoian. Law enforcement agencies have known that wireless phones can be spied on for any purpose and have taken advantage of that knowledge, he said. Europeans have systems “that are secure against nothing,” he told MEPs. Encrypted phones are pricey, but free open-source software exists and is available to everyone, he said. He urged lawmakers to protect the privacy of all Europeans by pushing for privacy-enhancing technologies.

German information technology security consultant Christian Horchert urged lawmakers not to ban hacker tools, saying they're needed to check whether security measures work. He recommended barring law enforcement and security services from requiring companies to build back doors into hardware and software because those can also be exploited by criminals. Hardware and software developers that build in flaws that allow surveillance should be held liable, he said. There should be better encryption of communications services, and people should have a right to anonymous communications, he said. The goal should be to make technical insecurity much more expensive that technical security, he said.

MEPs are closely watching developments in Klayman v. Obama, several said. Citing the “dismissive analysis” Tuesday of the ruling by House Intelligence Committee Chairman Mike Rogers, R-Mich., who met with MEPs on the TTIP (CD Dec 18 p7), Moraes asked if the case is significant. Soghoian, who stressed he’s not a lawyer, said the decision is the first time any court except the Foreign Intelligence Surveillance Act (FISA) Court has analyzed the NSA program. The most significant aspect of the ruling is that it tears apart the idea that people have no expectation of privacy in their metadata and that if it’s acceptable to monitor one person’s metadata, it’s OK to do the same to everyone, he said.

In the U.S., only courts that would be unacceptable in a democratic society, such as the FISA court, rule on surveillance matters, said Greenwald, speaking from Brazil via videoconference. The opinion by one of the country’s most respected national security judges, Judge Richard Leon, is significant, he said.