Parliamentary oversight of security and intelligence agencies in the EU

One of the reasons for the lack of posts on this blog the past months is that I co-authored this large study (446 pages), together with Aidan Wills, for the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE). The study came out today, and also includes a number of attachments written by national intelligence oversight bodies.

Abstract: This study evaluates the oversight of national security and intelligence agencies by parliaments and specialised non-parliamentary oversight bodies, with a view to identifying good practices that can inform the European Parliament’s approach to strengthening the oversight of Europol, Eurojust, Frontex and, to a lesser extent, Sitcen. The study puts forward a series of detailed recommendations (including in the field of access to classified information) that are formulated on the basis of indepth assessments of: (1) the current functions and powers of these four bodies; (2) existing arrangements for the oversight of these bodies by the European Parliament, the Joint Supervisory Bodies and national parliaments; and (3) the legal and institutional frameworks for parliamentary and specialised oversight of security and intelligence agencies in EU Member States and other major democracies.

We will present the study at the LIBE Committee at 15h on Monday the 3d of October. An Interparliamentary Committee Meeting on  “Democratic Accountability of the Internal Security Strategy and the Role of Europol, Eurojust and Frontex” will be held on Wednesday 5 October from 15.00 to 18.30 and on Thursday 6 October from 9.00 to 12.30 in the Hemicycle of the Paul-Henri Spaak building of the European Parliament as well, which is open to the public. You can register for this meeting until the 29th of September.

Advertisements

Freedom of expression and privacy risks across the ICT sector

The BSR report ‘Protecting Human RIghts in the digital age’ describes the evolving freedom of expression and privacy risks faced by information and communications technology (ICT) companies and how these risks can be more effectively mitigated by the industry.  It focuses on the issues for telecommunications services; cell phones and mobile devices; internet services; enterprise software, data storage and IT services, semiconductors and chips, network equipment, consumer electronics and security software.

EESC condemns body scanners as a breach of fundamental rights

(EDRI) On 16 February 2011, the European Economic and Social Committee (EESC) issued its opinion on the use of body scanners in EU airports.

The EESC has opposed the eventual adoption of any measures that would introduce body scanners on an EU-wide level, and feel that the Commission Communication on the use of security scanners does not respect three basic criteria: necessity, proportionality and legality.

The document also criticises the Commission for changing the term “body scanners” to “security scanners”, and outlines four central critiques with regard to the Commission Communication, namely, proportionality, fundamental rights, health risks and passenger rights .

The document urges the Commission to produce a thorough proportionality test in order to determine the necessity of their implementation versus alternative measures. The EESC suggests that the Commission seriously consider alternatives and that it might be better to wait for more precise and less intrusive technology which can recognise security hazards.

The EESC objects to the infringement of fundamental rights as a trade-off for public security. The costs to fundamental rights are three fold:  personal privacy, data privacy and the right to human dignity. To further
underline the inherent risks, the document cites a case in a Florida airport where 35 000 naked scans were recorded by officers and distributed on the Internet.

As there exists no code of best practices or conclusive proof that these scanners do not pose health risks to individuals, the EESC requests that the Commission provide a thorough scientific examination proving that passengers and personnel who frequently fly will not be exposed to any health risks.

The Committee also reminded the Commission that its Communication did not include guarantees of effective recourse for passengers and personnel undergoing the scans, and also failed to include guarantees that passengers will not obliged to undergo body scanning, ensuring individuals reserve the right to ‘opt out’ while not suffering longer wait times, more intrusive pat-downs, or be prevented from flying.

CoE Secretary General Speech on the right to privacy

In his speech the SG stressed the importance of new social media, but he said that they have ‘changed our understanding of privacy’.

The fact is that the line between public life and private life is on the move, and if we do not act, this line will disappear.

Today, privacy is challenged, more than ever before in the history of mankind. Information and Communication Technologies have developed in such a way that information about us is constantly being recorded, communicated, stored and analysed, often without our knowledge, let alone our consent.

We easily overlook the fact that every action involving technology is recorded somewhere. We should remind ourselves that our way of life interferes with privacy. There is a “Big Brother” watching you almost everywhere you go!

Reflecting on this phenomenon, a statement from the Ministers of Justice from the 47 member states of the Council of Europe last year concluded that: “Modern information and communication technologies enable observation, storage and analysis of most day-to-day human activities, more easily, rapidly and invisibly than ever before”, but it also warned that this potentially creates a feeling of being permanently watched, which may impair the free exercise of human rights and fundamental freedoms.

Towards a tiered risk system at airports?

The NY Times reports that the several industry organizations are working on proposals to overhaul security checkpoints to provide more or less scrutiny based on the risk profile of each traveler. While the proposals are in the early stages, they represent a growing consensus around a concept that has the support of John S. Pistole, the head of the Transportation Security Administration: divide travelers into three groups — trusted, regular or risky — and apply different screening techniques based on what is known about the passengers.

A crucial part of the group’s “checkpoint of the future” proposal, and similar plans under discussion by other industry organizations, is creating a trusted traveler program that would allow passengers to undergo a background check to gain access to an expedited security lane at the airport. These trusted travelers would probably pay a fee for the vetting, much like the $100 application fee for the Global Entry program operated by United States Customs and Border Protection. After submitting to an interview, a background check and a fingerprint scan to join Global Entry, members can clear customs using a kiosk instead of waiting to speak with an agent.

The association, a trade group, plans to release its own proposal for ways to improve security checkpoints next month, but many of its core concepts overlap with ideas presented by the International Air Transport Association at an industry conference last year.

Both groups envision three screening lanes with different security procedures based on varying levels of risk. Trusted travelers would undergo lighter screening, perhaps passing through a metal detector with their shoes on and laptops in their bags, whereas anyone flagged as potentially risky would receive more intensive scrutiny, using technology like the body scanners and interviews with officers trained in behavioral analysis.

Although many of the procedural details are still just proposals, the idea is to determine who may present a risk based on better use of government intelligence and watch lists as well as suspicious behaviors like checking in for a one-way international flight with no luggage.

Former CIA and NSA heads on the ‘the need to know’, Wikileaks and increased information sharing

Michael Hayden and Samuel Visner have an open-ed in the Baltimore sun in which they defend wider information sharing, if aided by sound security practices and advanced technology to protect information

Vital information sharing need not be a victim of WikiLeaks.

The principle of “need to know” requires segmenting information according to sensitivity and topic. Sharing must strike a balance between protecting security and fostering collaboration across all levels of government and, often, the private sector.

Striking multiple balances is necessary to protect and share sensitive information. Tactical military field units have little need for diplomatic communications, but they do require real-time access to searchable data from multiple government agencies, such as to tell if someone at a road checkpoint is a person of interest. Sensitive information has long been shared among agencies based on “need to know” but without being dumped into vast, poorly monitored databases. Government data on American citizens merits strong privacy protection, but under proper authorities, information sharing with law enforcement makes sense — if this helps uncover foreign espionage or terrorist plans.

Balance is also required in security measures. Disabling thumb and DVD drives on computers averts some kinds of information theft, but on the battlefield it could harm operational effectiveness. Imposing administrative security requirements common to intelligence headquarters or national agencies, such as polygraph exams, on all personnel in military field units would prove unacceptably burdensome.

In striking better balances, we cannot forget the post-Sept. 11 reasons why sharing became a higher priority. Uncovering and foiling terrorist threats requires that many entities work together and share information — often our best weapon.

Thus, policy on information sharing and security should improve along three paths:

•Personnel security. If Army Private Bradley Manning — suspected of leaking the WikiLeaks documents — had psychological problems, as alleged, should he have had access to sensitive information? When indications merit, personnel should undergo psychological testing to assess vulnerabilities that might raise security risks. Personnel clearances ought to be based on the type of information to which a person has access, not — as now — according to which agency employs someone.

•Security procedures. Although some “insider threats” arise from malicious intent, nearly all are abetted by sloppy execution of routine security procedures or perceptions that they are bothersome or unimportant. National security organizations should elevate security as a management priority, enforce rules more consistently and offer better training.

•Cyber tools. Cybersecurity techniques can detect much anomalous behavior, such as downloading, copying or printing numerous documents, seeking to access information in unusual ways or information not normally accessed, and transferring sensitive information to others. That such tools were not employed on the battlefield in Afghanistan is understandable but in retrospect imprudent.

More advanced cyber tools are being developed, such as to sift through huge volumes of seemingly disparate data and correlate findings. This need is a key lesson from the 2009 Christmas Day bombing attempt. New tools must address potential threats from mobile devices and social media and better detect and resolve suspicious exfiltrations. Improving analytic tools to better understand global information environments and characterize the behavior of systems remains a pressing challenge.

Reacting to the WikiLeaks disclosures by clamping down on information-sharing would risk failing to detect hard-to-predict or increasingly diverse threats. More prudent is to employ sound security practices and advanced technology while leveraging the advantages of information sharing and collaboration. National security and technology professionals have worked hard to gain these advantages, and they ought not to be hastily discarded.

California high court rules no warrant needed to search cell phone text messages

[JURIST] The Supreme Court of California ruled Monday that law enforcement officers can legally search text messages on a suspect’s cell phone without a warrant incident to a lawful custodial arrest. The court held 5-2 that a search of the defendant’s cell phone text messages in the police station 90 minutes after the arrest did not violate the Fourth Amendment prohibition against unreasonable search and seizure without exigent circumstances.