  • Kaveh Lahooti | Privacy International
    Kaveh Lahooti is a Law student at the LSE specialising in Public Law and Human Rights. He has experience working in Human Rights Law and Advocacy, mainly for NGOs. He has also been a regional and national finalist in advocacy competitions on Digital Rights Privacy

    Original URL path: https://privacyinternational.org/node/831 (2016-04-27)


  • Centre for Internet and Society | Privacy International
    The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, including open government data free

    Original URL path: https://privacyinternational.org/node/799 (2016-04-27)

  • NGO Coalition calls on EU to update Dual Use Regulation to protect human rights | Privacy International
    of legitimate security tools are not subject to controls and are subject to explicit exemptions Controls of encryption and encryption products be eradicated Concerns have been raised that the term legitimate security research seeks to differentiate between legitimate and illegitimate research The term legitimate in this context is used to simply emphasise the legitimacy of all security research and is not supposed to make a distinction Background Since 2011 the EU has been conducting a review of the Dual Use Regulation mandated by the Regulation itself In 2011 the European Commission published a Green Paper and call for evidence followed by a report on the public consultation being adopted in January 2013 Regarding surveillance technology the Commission Communication published in 2014 recognised the risk posed by the emergence of specific cybertools for mass surveillance monitoring tracking and interception while importantly also recognising the interlinkages between human rights peace and security Any changes to the Regulation will need to be agreed upon by all member states as well as by the European Parliament The Parliamentary Subcommittee on Human Rights and the Committee on International Trade convened a hearing in January 2015 In April 2015 the Foreign Affairs Committee of the European Parliament adopted a report by MEP Marietje Schaake on Human rights and technologies the impact of digital surveillance and intrusion systems on human rights in third countries The report will be voted on by the plenary in summer 2015 The Commission has also initiated an impact assessment aimed at informing the policy making process by quantifying and providing objective data on the industry and the potential cost of any regulatory changes Ecorys a European research and consultancy company in partnership with the Stockholm International Peace Research Institute SIPRI is carrying out a data collection project including a component specifically focused

    Original URL path: https://privacyinternational.org/node/602 (2016-04-27)

  • Encryption and Anonymity create “a zone of privacy online”, says UN Special Rapporteur | Privacy International
    into the digital age The report notes that discussions of encryption and anonymity have all too often focused only on their potential use for criminal purposes in times of terrorism rather than their role in promoting secure private and free communications facilitating the realisation of rights to expression opinion and privacy Mr Kaye observes that encryption and anonymity separately or together assist in shielding opinions from outside scrutiny particularly important in hostile environments empower individuals to circumvent censorship and other unlawful barriers to the free flow of information and shield journalists researchers lawyers and civil society from unlawful surveillance and harassment In this regard encryption and anonymity provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks Mr Kaye concludes Affirming an important application of the right to freedom of expression and opinion to modern day realities the report notes that the right to form and hold opinions unlike the rights to privacy and freedom of expression is an absolute right that cannot be limited in any circumstances Whereas the right to an opinion may traditionally have been construed as an abstract right that occurs only within one s mind the report observes the mechanics of holding opinions have evolved in the digital age with individuals both holding opinions digitally saving their views and their search and browse histories for instance on hard drives in the cloud and in e mail archives and forming opinions online through search and browsing activities The report recommends inter alia that States should not restrict encryption and anonymity and blanket prohibitions fail to be necessary and proportionate and thus cannot comply with human rights law States should avoid all measures that weaken the security that individuals privacy may enjoy online such as backdoors weak 
encryption standards and key escrows States should refrain from making the identification of users a condition for access to digital communications and online services and requiring SIM card registration for mobile users Corporate actors should likewise consider their own policies that restrict encryption and anonymity including through the use of pseudonyms Entities of the United Nations system especially those involved in human rights and humanitarian protection must urgently alter their systems to support the use of communication security tools in order to ensure that those who interact with them may do so securely Companies like states should refrain from blocking or limiting the transmission of encrypted communications and permit anonymous communication Attention should be given to efforts to expand the availability of encrypted data centre links support secure technologies for websites and develop widespread default end to end encryption A global battle The Special Rapporteur s report comes at a crucial time in recent months countries such as the United States and United Kingdom have suggested that the state should have more power to override encrypted communications in order to intercept communications for the purpose of combatting terrorism In his review of British investigatory powers

    Original URL path: https://privacyinternational.org/node/600 (2016-04-27)

  • Privacy International briefing on A Question of Trust: Report of the Investigatory Powers Review | Privacy International
    relate to defence of the UK or its foreign policy We fundamentally believe that even when such interests are at stake a legal analysis of whether interception is justified should still trump a political analysis On extraterritorial powers I understand those who argue that extraterritorial application sets a bad example to other countries and who question whether it will ever or could ever be successfully enforced It is certainly an unsatisfactory substitute for a multilateral arrangement under which partner countries would agree to honour each others properly warranted requests which must surely be the long term goal But some service providers find it easier to assist if there is a legal power purporting to require them to do so and despite the fact that extraterritorial enforcement has not yet been tried the presence on the statute book of DRIPA 2014 s4 has been of some assistance in securing vital cooperation from service providers On that pragmatic basis I suggest that it should remain in force at least for the time being 14 59 Pending a satisfactory long term solution to the problem extraterritorial application should continue to be asserted in relation to warrants and authorisations DRIPA 2014 s4 and consideration should be given to extraterritorial enforcement in appropriate cases R 25 We welcome Mr Anderson s criticisms of the extraterritoriality provisions of DRIPA which we believe set a dangerous precedent for less democratic states who might follow Britain s example and seek to assert their own power to intercept communications and access data outside their borders While we would have preferred to see Mr Anderson recommending the immediate repeal of DRIPA s extraterritoriality provisions we encourage further pursuit of a multilateral arrangement that includes appropriate safeguards to ensure extraterritorial requests comply with international human rights standards In this regard it should be noted that Sir Nigel Sheinwald s report will provide 
important guidance and should be published without haste or redaction On the Snoopers Charter I have no doubt that retained records of user interaction with the internet would be useful But that is not enough on it s own to justify the introduction of new obligations on CSPS particularly one which could be portrayed as potentially very intrusive on their customers activities 14 33 In relation to the subject matter of the 2012 Communications Data Bill a The provisions for IP resolution in the Counter Terrorism and Security Act 2015 are useful and should be kept in force b The compulsory retention of records of user interaction with the internet weblogs or similar would be useful for attributing communications to individual devices identifying use of communications sites and gathering intelligence or evidence on web browsing activity But if any proposal is to be brought forward a detailed operational case needs to be made out and a rigorous assessment conducted of the lawfulness likely effectiveness intrusiveness and cost of requiring such data to be retained c There should be no question of progressing proposals for the compulsory retention of third party data before a compelling operational case for it has been made out as it has not been to date and the legal and technical issues have been fully bottomed out R 13 The report is clear that the Communications Data Bill should not be progressed until a compelling operational case for the powers it contains has been made Mr Anderson reiterates that the government has so far failed to do so This is a resounding condemnation of the government s plans to introduce the Snoopers Charter which should now be scrapped once and for all On content communications data distinction As to the distinction between content and communications data The borderline is neither as clear nor as simple as when it could be explained in terms of the content of the letter versus the writing on the envelope I do not recommend removing the 
distinction A difference in terms of intrusiveness between what is said or written on the one hand and the who when where and how of a communication on the other is generally recognised including in the practice of other States and in the case law of international courts But there is a case for a defining content in the new law and b reviewing the borderline between content and communications data in the new law or its Codes of Practice so as to ensure that it reflects the reality of modern technology CSPs pointed to web logs cloud services and social media as areas of ambiguity Thought has undoubtedly been given to these matters within the security and intelligence agencies but no proposal was ready to be put before me Accordingly I recommend a review which should be as open and inclusive as possible 14 11 While Mr Anderson stopped short of recommending that content and communications data be given equal consideration in legal frameworks he made the important recommendation that the definitions of both be addressed He sadly stopped short of requiring judicial commissioners to approve of requests for access to communications data retaining the status quo in this regard and recommended the introduction of a new bulk communications data warrant On privileged material There can be no fairness in litigation involving the state if one party to it has the ability to monitor the privileged communications of the other 2 12 in recognition of the fact that some communications data may be relatively intrusive I have recommended that in some circumstances including but not limited to privileged and confidential material there should be judicial determination of an application to access communications data 14 11 Mr Anderson recommended raising the level of protection afforded to those in positions to which legal privilege attached stipulating that decisions for access to communications data of such persons would have to be approved by a judicial commissioner On judicial 
commissioners The ISC suggested that judges might approve more warrant applications than Ministers Privacy and Security Report para 203 but the Foreign Office made to me the opposite point that judicial authorisation

    Original URL path: https://privacyinternational.org/node/596 (2016-04-27)

  • Swiss moves to curb surveillance exports an example to the EU | Privacy International
    technology subjected to licensing restrictions within the Wassenaar Arrangement control lists 3 Over to EU While the need for such a mandate is apparent in Switzerland it also provides a blueprint for the EU and its member states which are this year carrying out a major review into the export control system to decide the extent to which it should and can be reformed in order to restrict exports of surveillance technologies One of the main issues to be resolved is whether or not criteria similar to the one now adopted by Switzerland can be introduced into the EU dual use regulation Similarly to Switzerland export controls of dual use items in the EU are regulated differently from the trade in military items Applications for exports of military goods should be screened by EU national licensing authorities for their potential to lead to repression but these criteria are not uniformly applied to surveillance technologies by all countries as they are classified as dual use items Privacy International and the wider Coalition Against Unlawful Surveillance Exports are calling for the EU to introduce a clear appropriate and strong mandate for national authorities to reject applications if exports have the potential to lead to human rights abuses In addition surveillance technologies should be subject to exporting restrictions Authorities should consider the legal framework governing the use of the surveillance technology in the country of destination and the risk of the exported item to be used for internal repression It is essential that this reform be prioritised As the Swiss example demonstrates export restrictions are not a silver bullet designed to comprehensively protect human rights but rather a necessary and major component of any successful mitigation strategy In order to ensure that EU trade policy and regulation are in line with its commitment to human rights and democratisation it is essential that it takes steps to prevent its companies from actively 
facilitating repression and authoritarianism The road to reform Late 2013 Following reports in the Swiss media 4 that Swiss authorities had received some 15 applications from companies seeking permission to export surveillance technology Privacy International wrote to over 70 Swiss lawmakers competent committees and departments 5 highlighting the potential of such products to be used for human rights abuses Examples included internet and phone monitoring technology Among these were tools produced by Gamma capable of allowing its user full access to a targeted computer or mobile phone including devices cameras and microphones March 2014 The reports and pressure from Privacy International and other organisations appeared to work Some of the companies withdrew their applications 6 following the announcement of a federal review into the issue and the postponement of any decisions by the Swiss authorities related to the applications According to one of Switzerland s largest German language dailies St Galler Tagblatt Gamma was one of the companies that had withdrawn their application 7 Summer 2014 Soon afterwards however Privacy International learned that another Swiss company NeoSoft was attempting to export mobile

    Original URL path: https://privacyinternational.org/node/589 (2016-04-27)

  • US Publishes Proposed Rules Implementing 2013 Wassenaar Agreements | Privacy International
    to place control on the actual intrusion software as it is defined but rather on the software and technology used to control and to disseminate intrusion software In other words the controls aren t aimed at the malware and rootkits that actually infect a device but on the software used to create deliver and instruct them So whereas the actual definition of intrusion software is fairly broad in the Wassenaar language Software specially designed or modified to avoid detection by monitoring tools or to defeat protective countermeasures of a computer or network capable device and performing any of the following a The extraction of data or information from a computer or network capable device or the modification of system or user data or b The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions What is being subjected to control is actually 4 A 5 Systems equipment and components therefor specially designed or modified for the generation operation or delivery of or communication with intrusion software 4 D 4 Software specially designed or modified for the generation operation or delivery of or communication with intrusion software As is standard throughout all export controls regulations any enabling infrastructure is also controlled in addition to a finished complete item For example it is not only drones that are subject to licensing restrictions but also Equipment or components specially designed to convert a manned aircraft or a manned airship to a UAV or unmanned airship As a result the following categories are also controlled in relation to intrusion software 4 E 1 c Technology for the development of intrusion software 4 D 1 a Software specially designed or modified for the development or production of equipment or software specified by 4 A or 4 D 4 E 1 Technology according to the General Technology Note for the development production or use of equipment or software specified by 
4 A or 4 D Recognising the risks for legitimate research posed by exporting restrictions Wassenaar contains a number of exceptions designed to protect research contained within the General Software Note and the General Technology Note GENERAL SOFTWARE NOTE The Lists do not control software which is any of the following 1 Generally available to the public by being a Sold from stock at retail selling points without restriction by means of 1 Over the counter transactions 2 Mail order transactions 3 Electronic transactions or 4 Telephone call transactions and b Designed for installation by the user without further substantial support by the supplier 2 In the public domain or 3 The minimum necessary object code for the installation operation maintenance checking or repair of those items whose export has been authorised Note Entry 3 of the General Software Note does not release software controlled by Category 5 Part 2 Information Security GENERAL TECHNOLOGY NOTE The export of technology which is required for the development production or use of items controlled in the Dual Use List is controlled according to the provisions in each Category This technology remains under control even when applicable to any uncontrolled item Controls do not apply to that technology which is the minimum necessary for the installation operation maintenance checking or repair of those items which are not controlled or whose export has been authorised Note This does not release such technology controlled in entries 1 E 2 e 1 E 2 f and 8 E 2 a 8 E 2 b Controls do not apply to technology in the public domain to basic scientific research or to the minimum necessary information for patent applications Implications As security researcher Collin Anderson points out in his paper on the controls the original language of the controls is specifically aimed at products integrated as components of the intrusion system through proprietary means that should only encounter controls as a part of an Intrusion 
Software system For example FinFisher uses a number of methods to actually install the trojan on a targeted device including via regular USBs through the creation of fake websites and through the dissemination of fake updates and links via emails that surreptitiously install the malware unknown to the target It is this delivery infrastructure that the controls were aimed at These methods of surreptitiously installing the FinFisher malware can involve using flaws in the software of a device When a flaw is discovered code known as an exploit or a zero day is written that takes advantage of these weaknesses FinFly exploit portal is a service sold to customers by FinFisher from which they can buy these exploits There is both an underground market for exploits as well as registered businesses such as Vupen that sell exploits to governments authorities for example for use with products such as FinFisher While subjecting the exploit used in products such as FinFisher to licensing requirements may be attractive from this perspective and might fall under category 4 E 1 c to do so fails to take into account wider implications Security researchers individuals and companies all rely on developing exploits to test and better understand network device and software security They also need to be able to test the security of systems known as penetration testing They further rely on being able to share findings and research over the internet for example sending research to a colleague working in another country Even if emailing someone in the same country it is possible for the packets to actually leave its territory for example going intermittently to Gmail servers based in the US For this and a variety of other reasons leaving aside the impossible nature of actually enforcing any regulations subjecting exploits to export control doesn t make sense and has never been advocated for by Privacy International The problem at the moment is that the US BIS proposal has stated that Systems 
equipment components and software specially designed for the generation operation or delivery of or communication with intrusion software include

    Original URL path: https://privacyinternational.org/node/588 (2016-04-27)

  • Collaborating companies: shady moves in a secretive sector | Privacy International
    export was jamming equipment that is specially designed to detect and exploit specific characteristics of the mobile telecommunications protocol employed e g GSM This category fits the description of an IMSI Catcher a surveillance technology that intercepts data from mobile phones used in a particular area Documents from Datong reveal they have partners in Vietnam and Bangladesh within the Asia Pacific region While the rumour of the rejection was confirmed the document threw up further questions The technology in question was given a name Optima and was referred to as a BTS transceiver module BTS refers to Base Transceiver Stations something which an IMSI Catcher will emulate which further confirms the technology that Datong were attempting to export However Datong did not actually build IMSI Catchers Neither did the name Optima refer to any of their products Datong built products for location monitoring through tracking devices not intercepting data from mobile phones What was Optima Why were Datong selling it Had Datong been building and selling IMSI Catchers all along without specifically advertising that technology The discovery of a patent dispute in 2011 revealed the truth behind Datong and its attempted export This dispute on the right to patent IMSI Catchers named as a party to a dispute alongside Cellxion a Surrey based company that specialises in phone monitoring technology A search for the product name Optima reveals Cellxion s IMSI Catcher This particular product represents the cutting edge of the technology in surveillance of mobile phones allowing the user to disable all handsets caught in the wide net cast by the technology While this finally revealed the manufacturer of the product the relationship between Datong and Cellxion remained unclear from the court case Cellxion s lawyers however confirmed that Datong was in fact the UK distributor for Cellxion and their Optima IMSI Catcher This relationship between Datong and Cellxion and the 
difficulty in revealing it is not unique This is the private surveillance sector where secrecy and obfuscation are natural operating policies for these companies This makes the effective regulation of these technologies very difficult Collaborating to avoid responsibility Some companies have used the relationship between manufacturers and distributors to absolve themselves of responsibilities for any misuse that surveillance technologies are put to The prevalence of these relationships has also allowed one company in particular Elaman to position themselves as the surveillance industry s middleman Finally the combination of particular products could provide a much greater capacity than originally considered This is another issue that export control authorities will need to weigh up in their consideration of applications for export licences Utimaco are a German company that acts as an Original Equipment Manufacturer OEM by providing mediation systems for surveillance on communications networks These systems have been used in Iran Tunisia and Syria Utimaco took no responsibility for the sale of their product to Tunisia and Iran At the time both countries had civil society under heavy oppression Utimaco brushed the sales off as an issue of resellers selling

    Original URL path: https://privacyinternational.org/node/587 (2016-04-27)


