Parliamentary oversight of security and intelligence agencies in the EU

One of the reasons for the lack of posts on this blog over the past months is that I co-authored this large study (446 pages), together with Aidan Wills, for the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE). The study came out today, and also includes a number of attachments written by national intelligence oversight bodies.

Abstract: This study evaluates the oversight of national security and intelligence agencies by parliaments and specialised non-parliamentary oversight bodies, with a view to identifying good practices that can inform the European Parliament’s approach to strengthening the oversight of Europol, Eurojust, Frontex and, to a lesser extent, Sitcen. The study puts forward a series of detailed recommendations (including in the field of access to classified information) that are formulated on the basis of in-depth assessments of: (1) the current functions and powers of these four bodies; (2) existing arrangements for the oversight of these bodies by the European Parliament, the Joint Supervisory Bodies and national parliaments; and (3) the legal and institutional frameworks for parliamentary and specialised oversight of security and intelligence agencies in EU Member States and other major democracies.

We will present the study at the LIBE Committee at 15h on Monday the 3rd of October. An Interparliamentary Committee Meeting on “Democratic Accountability of the Internal Security Strategy and the Role of Europol, Eurojust and Frontex” will be held on Wednesday 5 October from 15.00 to 18.30 and on Thursday 6 October from 9.00 to 12.30 in the Hemicycle of the Paul-Henri Spaak building of the European Parliament as well, which is open to the public. You can register for this meeting until the 29th of September.

Freedom of expression and privacy risks across the ICT sector

The BSR report ‘Protecting Human Rights in the digital age’ describes the evolving freedom of expression and privacy risks faced by information and communications technology (ICT) companies and how these risks can be more effectively mitigated by the industry. It focuses on the issues for telecommunications services; cell phones and mobile devices; internet services; enterprise software, data storage and IT services; semiconductors and chips; network equipment; consumer electronics; and security software.

EESC condemns body scanners as a breach of fundamental rights

(EDRI) On 16 February 2011, the European Economic and Social Committee (EESC) issued its opinion on the use of body scanners in EU airports.

The EESC has opposed the eventual adoption of any measures that would introduce body scanners on an EU-wide level, and feels that the Commission Communication on the use of security scanners does not respect three basic criteria: necessity, proportionality and legality.

The document also criticises the Commission for changing the term “body scanners” to “security scanners”, and outlines four central critiques with regard to the Commission Communication, namely, proportionality, fundamental rights, health risks and passenger rights.

The document urges the Commission to produce a thorough proportionality test in order to determine the necessity of their implementation versus alternative measures. The EESC suggests that the Commission seriously consider alternatives and that it might be better to wait for more precise and less intrusive technology which can recognise security hazards.

The EESC objects to the infringement of fundamental rights as a trade-off for public security. The costs to fundamental rights are threefold: personal privacy, data privacy and the right to human dignity. To further underline the inherent risks, the document cites a case in a Florida airport where 35 000 naked scans were recorded by officers and distributed on the Internet.

As there exists no code of best practices or conclusive proof that these scanners do not pose health risks to individuals, the EESC requests that the Commission provide a thorough scientific examination proving that passengers and personnel who frequently fly will not be exposed to any health risks.

The Committee also reminded the Commission that its Communication did not include guarantees of effective recourse for passengers and personnel undergoing the scans, and also failed to include guarantees that passengers will not be obliged to undergo body scanning, ensuring individuals reserve the right to ‘opt out’ while not suffering longer wait times, more intrusive pat-downs, or being prevented from flying.

CoE Secretary General Speech on the right to privacy

In his speech the SG stressed the importance of new social media, but he said that they have ‘changed our understanding of privacy’.

The fact is that the line between public life and private life is on the move, and if we do not act, this line will disappear.

Today, privacy is challenged, more than ever before in the history of mankind. Information and Communication Technologies have developed in such a way that information about us is constantly being recorded, communicated, stored and analysed, often without our knowledge, let alone our consent.

We easily overlook the fact that every action involving technology is recorded somewhere. We should remind ourselves that our way of life interferes with privacy. There is a “Big Brother” watching you almost everywhere you go!

Reflecting on this phenomenon, a statement from the Ministers of Justice from the 47 member states of the Council of Europe last year concluded that: “Modern information and communication technologies enable observation, storage and analysis of most day-to-day human activities, more easily, rapidly and invisibly than ever before”, but it also warned that this potentially creates a feeling of being permanently watched, which may impair the free exercise of human rights and fundamental freedoms.

Towards a tiered risk system at airports?

The NY Times reports that several industry organizations are working on proposals to overhaul security checkpoints to provide more or less scrutiny based on the risk profile of each traveler. While the proposals are in the early stages, they represent a growing consensus around a concept that has the support of John S. Pistole, the head of the Transportation Security Administration: divide travelers into three groups — trusted, regular or risky — and apply different screening techniques based on what is known about the passengers.

A crucial part of the group’s “checkpoint of the future” proposal, and similar plans under discussion by other industry organizations, is creating a trusted traveler program that would allow passengers to undergo a background check to gain access to an expedited security lane at the airport. These trusted travelers would probably pay a fee for the vetting, much like the $100 application fee for the Global Entry program operated by United States Customs and Border Protection. After submitting to an interview, a background check and a fingerprint scan to join Global Entry, members can clear customs using a kiosk instead of waiting to speak with an agent.

The association, a trade group, plans to release its own proposal for ways to improve security checkpoints next month, but many of its core concepts overlap with ideas presented by the International Air Transport Association at an industry conference last year.

Both groups envision three screening lanes with different security procedures based on varying levels of risk. Trusted travelers would undergo lighter screening, perhaps passing through a metal detector with their shoes on and laptops in their bags, whereas anyone flagged as potentially risky would receive more intensive scrutiny, using technology like the body scanners and interviews with officers trained in behavioral analysis.

Although many of the procedural details are still just proposals, the idea is to determine who may present a risk based on better use of government intelligence and watch lists as well as suspicious behaviors like checking in for a one-way international flight with no luggage.

Former CIA and NSA heads on ‘the need to know’, Wikileaks and increased information sharing

Michael Hayden and Samuel Visner have an op-ed in the Baltimore Sun in which they defend wider information sharing, if aided by sound security practices and advanced technology to protect information.

Vital information sharing need not be a victim of WikiLeaks.

The principle of “need to know” requires segmenting information according to sensitivity and topic. Sharing must strike a balance between protecting security and fostering collaboration across all levels of government and, often, the private sector.

Striking multiple balances is necessary to protect and share sensitive information. Tactical military field units have little need for diplomatic communications, but they do require real-time access to searchable data from multiple government agencies, such as to tell if someone at a road checkpoint is a person of interest. Sensitive information has long been shared among agencies based on “need to know” but without being dumped into vast, poorly monitored databases. Government data on American citizens merits strong privacy protection, but under proper authorities, information sharing with law enforcement makes sense — if this helps uncover foreign espionage or terrorist plans.

Balance is also required in security measures. Disabling thumb and DVD drives on computers averts some kinds of information theft, but on the battlefield it could harm operational effectiveness. Imposing administrative security requirements common to intelligence headquarters or national agencies, such as polygraph exams, on all personnel in military field units would prove unacceptably burdensome.

In striking better balances, we cannot forget the post-Sept. 11 reasons why sharing became a higher priority. Uncovering and foiling terrorist threats requires that many entities work together and share information — often our best weapon.

Thus, policy on information sharing and security should improve along three paths:

• Personnel security. If Army Private Bradley Manning — suspected of leaking the WikiLeaks documents — had psychological problems, as alleged, should he have had access to sensitive information? When indications merit, personnel should undergo psychological testing to assess vulnerabilities that might raise security risks. Personnel clearances ought to be based on the type of information to which a person has access, not — as now — according to which agency employs someone.

• Security procedures. Although some “insider threats” arise from malicious intent, nearly all are abetted by sloppy execution of routine security procedures or perceptions that they are bothersome or unimportant. National security organizations should elevate security as a management priority, enforce rules more consistently and offer better training.

• Cyber tools. Cybersecurity techniques can detect much anomalous behavior, such as downloading, copying or printing numerous documents, seeking to access information in unusual ways or information not normally accessed, and transferring sensitive information to others. That such tools were not employed on the battlefield in Afghanistan is understandable but in retrospect imprudent.

More advanced cyber tools are being developed, such as to sift through huge volumes of seemingly disparate data and correlate findings. This need is a key lesson from the 2009 Christmas Day bombing attempt. New tools must address potential threats from mobile devices and social media and better detect and resolve suspicious exfiltrations. Improving analytic tools to better understand global information environments and characterize the behavior of systems remains a pressing challenge.

Reacting to the WikiLeaks disclosures by clamping down on information-sharing would risk failing to detect hard-to-predict or increasingly diverse threats. More prudent is to employ sound security practices and advanced technology while leveraging the advantages of information sharing and collaboration. National security and technology professionals have worked hard to gain these advantages, and they ought not to be hastily discarded.

California high court rules no warrant needed to search cell phone text messages

[JURIST] The Supreme Court of California ruled Monday that law enforcement officers can legally search text messages on a suspect’s cell phone without a warrant incident to a lawful custodial arrest. The court held 5-2 that a search of the defendant’s cell phone text messages in the police station 90 minutes after the arrest did not violate the Fourth Amendment prohibition against unreasonable search and seizure without exigent circumstances.

FBI director defends sting operations

(AP) FBI Director Robert Mueller on Wednesday defended his agency’s use of sting operations in snaring terrorism suspects, a technique some have complained amounts to entrapment.

The FBI has come under criticism over its repeated use of stings in which agents and informants walk a suspect through a carefully choreographed plot to carry out what they believe to be a real bomb attack, though the explosives are never real.

Nineteen-year-old Mohamed Osman Mohamud was arrested the day after Thanksgiving in Portland, Ore., after he allegedly tried to detonate a bomb. The bomb was not real and the whole plot had been created by the FBI.

“We have been tremendously successful in thwarting attacks,” Mueller said at a news conference. “We are very careful in these investigations. … They are absolutely essential if we are to protect the community against terrorist attacks.”

Mueller said undercover operations are necessary to many FBI probes, not just those related to counterterrorism, and he noted that defendants have claimed in a string of cases since Sept. 11, 2001, that they were the victims of entrapment.

“There has not been yet to my knowledge a defendant who has been acquitted in asserting the entrapment defense,” Mueller said, crediting “substantial oversight” such probes have.

Additionally, civil rights and Muslim groups in Orange County have faulted the FBI over its infiltration of mosques with at least one informant who was paid to gather intelligence. The informant, Craig Monteilh, claimed that his handlers told him to ask mosque members about “jihad” and their support for terrorist operations abroad.

Extracting passwords from electronic devices is key

Mueller was speaking at the official opening of a new crime laboratory that specializes in extracting data and files from cell phones, flash drives and computers seized in criminal probes.

The so-called Regional Computer Forensic Laboratory will employ a team of 23 forensic examiners who are trained to circumvent passwords and other security measures a user may put on an electronic device.

“There is not a case now where you don’t have a hard drive, a thumb drive, a cell phone or some other mechanism for either communicating or storing data,” Mueller said.

Seven FBI agents will team up with 16 officials from local law enforcement agencies in Orange County to run the center, which was approved in 2008 and cost $7 million to set up. Using the latest software and computer systems, they will be able to quickly pull data, text messages and other information from cell phones.

Smartphone users often leave a plethora of personal data for investigators to pore over, including photographs with a GPS tag giving coordinates of where the picture was taken.

The lab is the 15th of its kind across the country. Mueller said that at a different lab, agents gathered information during an investigation into Najibullah Zazi, the son of an Afghan immigrant who admitted driving from Denver to New York with the intention of attacking the subway system.

Because of the data that was seized, agents were able to track him and prevent the attack, Mueller said.

Use of Night-Vision Goggles Not A Fourth Amendment Search

Orin Kerr reports that a state court in People v. Lieng, 2010 Cal. App. LEXIS 2106 (1st Dist. December 14, 2010), distinguished the goggles from the infrared thermal imaging device used in Kyllo v. United States:

Kyllo is inapplicable to this case. First, night goggles are commonly used by the military, police and border patrol, and they are available to the general public via Internet sales. More economical night vision goggles are available at sporting goods stores. Therefore, unlike thermal imaging devices, night vision goggles are available for general public use.

Second, state and federal courts addressing the use of night vision goggles since Kyllo have discussed the significant technological differences between the thermal imaging device used in Kyllo, and night vision goggles. Night vision goggles do not penetrate walls, detect something that would otherwise be invisible, or provide information that would otherwise require physical intrusion. The goggles merely amplify ambient light to see something that is already exposed to public view. This type of technology is no more “intrusive” than binoculars or flashlights, and courts have routinely approved the use of flashlights and binoculars by law enforcement officials.

For these reasons, we find that Kyllo is clearly distinguishable, and the use of night vision goggles by Sergeant Smith on both March 27 and April 3 on the Lieng property did not constitute a “search” in violation of the Fourth Amendment.

German Ministry Issues Draft Law Regarding Data Protection on the Internet

(Hunton & Williams LLP) On December 1, 2010, the German Federal Ministry of the Interior (the “BMI”) issued a paper entitled “Data Protection on the Internet,” which contains a draft law to protect against particularly serious violations of privacy rights online. In its paper, the BMI rejects the adoption of a specific law to regulate services such as Google Street View. The BMI believes that, to the extent service providers implement sufficient technical and organizational measures to protect data, statutory regulation is not necessary.

The Ministry does, however, see a need for certain statutory rules to protect individuals from serious violations of their Persönlichkeitsrecht or “personality rights.” In particular, the paper mentions Internet services such as facial recognition, search engine profiling and location-based services based on location information. According to the paper, the publication of comprehensive data of this nature, or data that describes an individual in a defamatory way, should be published online or made publicly available only if (1) there is a legal justification for the publication, (2) the individual in question consents to the publication, or (3) there is an overriding policy interest in publication of the data.