Data Privacy and the protection of mission-critical Intellectual Property matter! In a global economy, where data, information and knowledge are THE most critical success factors, this is probably more significant than ever. It’s important to acknowledge that this information is endangered not only by criminals and hackers, but also by Intelligence Services – in the USA even legalized by laws such as the USA FREEDOM Act, which replaced the more famous USA PATRIOT Act in 2015. The consequences of these laws for US-American IT providers are disastrous.
The following text is the English translation of a professional article which I already published in German on March 8, 2017 on the occasion of the „Vault 7“ disclosure by Wikileaks. In the course of the translation I have updated and enhanced the content with insights gained over the last five months, so the following text is not a 1:1 translation. To those of you who don’t like to be bothered by inconvenient hard facts, I would recommend watching this episode of John Oliver’s „Last Week Tonight“, published in April 2015, which includes an interview with the whistleblower Edward Snowden in Moscow (see: https://youtu.be/XEVlyP4_11M). The video gives you at least a flavor of the potential misuse caused by governmental mass surveillance in an entertaining way.
I consider the following statement by Edward Snowden the most striking argument for why you should care about Data Privacy: „Arguing that you don’t care about the right to privacy because you have nothing to hide, is no different than saying you don’t care about free speech because you have nothing to say“ (see: http://www.businessinsider.de/edward-snowden-privacy-argument-2016-9). And for those of you who consider Edward Snowden a traitor, I recommend reading the following comment issued by James Sensenbrenner, the author of the USA PATRIOT Act, on June 9, 2013 under the headline „The abuse of the USA PATRIOT Act must end“ (see: https://www.theguardian.com/commentisfree/2013/jun/09/abuse-patriot-act-must-end).
That being said, it’s time to have a closer look at the facts.
On March 7, 2017, the disclosure platform Wikileaks started publishing, under the name „Vault 7“ (https://www.wikileaks.org/ciav7p1/), approx. 9,000 documents which prove how the US foreign intelligence service, the Central Intelligence Agency (CIA), has over the last years built up a repertoire of cyber weapons that allows it to hack devices based on Apple iOS/macOS, Google Android or Microsoft Windows, as well as TV sets connected to the internet, in order to spy on the users of these devices.
According to the Wikileaks sources, the CIA is able to put e.g. the Samsung Smart TV F8000 into a „fake-off“ mode, in which the user believes that the TV set is switched off. In fact, according to Wikileaks, the CIA is able to control the microphone and the webcam of the TV set in this „fake-off“ mode (code name „Weeping Angel“). Other documents indicate that the CIA could take over control of connected cars, which, according to Wikileaks speculations, would allow it to assassinate people in a way that is difficult to reconstruct and to solve. Note: In terms of the potential damage of this kind of assassination, consider the horrendous terror attacks which happened in the course of the last 12 months, e.g. in Nice (France), Berlin (Germany), London (UK) or Barcelona (Spain).
After the disclosures provided by the whistleblower Edward Snowden in summer 2013 regarding the spying activities of the National Security Agency (NSA), this is the second harsh hit which seriously shatters the trust in US-American IT providers as well as in the Internet as a platform for global communication, innovation and economic relations:
- Why should European corporations entrust their mission-critical data to US-American IT providers and industrial automation vendors, when they need to fear that these data are explored and possibly handed over by NSA or CIA to the US-American competitors of the European corporations?
- Why should I as a user still use smartphones, notebooks or other devices based on the operating systems Android from Google, iOS/macOS from Apple or Windows (Mobile/Phone) from Microsoft, when I need to suspect that these devices are utilized to explore my private data or my circle of friends? Why should I still use apps like WhatsApp, which by default transfer all my contacts from my smartphone to a server located in the USA? Note: The potential damage which can be caused by a smartphone as a spy tool is huge, as I already illustrated in the professional article „The spy in your pocket“ issued on April 26, 2017 (see: https://kubraconsult.blog/2017/04/25/thy-spy-in-your-pocket/).
- Why should European automobile manufacturers rely on the operating systems from Google, Apple or Microsoft as the basis for multimedia applications in their cars, when there is a risk that US secret services could misuse this technology to take over control of the connected cars?
- Why should European corporations utilize sensor, industry automation or big data analytics technologies of US-American vendors, such as IBM, Microsoft or GE, to build up Internet of Things (IoT) solutions, when they need to be afraid that their industrial plants, power plants, elevators or traffic management systems can be attacked and switched off by US secret services?
I already pointed to the problem of industrial espionage performed by secret services in a professional article issued on January 26, 2017 (see: https://kubraconsult.blog/2017/01/26/usa-patriotfreedom-act-vs-schutz-personenbezogener-daten-und-geistigen-eigentums/ – unfortunately so far only available in German). My conclusion at that time has gained significance in the light of the Wikileaks „Vault 7“ disclosures.
START OF CITATION
„The combination of the following factors is a complete disaster for the credibility and trustworthiness of data-processing US-American vendors (such as Apple, Google, Microsoft, Amazon, HP, IBM, Accenture, Oracle, Cisco, AT&T, Verizon or General Electric), as well as of the US government:
- mass surveillance measures, which are performed by US Federal Agencies without a court order even outside of the borders of the United States of America (extraterritorial legal claim),
- legal obligation of data-processing US-American enterprises, under threat of punishment, to maintain secrecy towards affected individuals and the public,
- denial and relativization of surveillance measures by US politicians and representatives of US Federal Agencies in public and towards supervisory committees,
- the potential existence of clandestine guidelines of the US Department of Justice, which grant the US Federal Agencies extended competencies,
- and the potential handover of intellectual property, which the US Federal Agencies have gathered in the course of their surveillance measures, to the US-American competitors of foreign enterprises.
The risks resulting from a potential misuse of person-related data or theft of intellectual property are so significant for European enterprises that the placement of orders with US-American vendors or the utilization of US-American Cloud services (e.g. from Amazon Web Services, Microsoft, HP, IBM or Dell), at least for mission-critical use cases, does not seem appropriate as long as laws such as the USA FREEDOM Act represent directly enforceable law.
Surprisingly, the public in Germany and the European Union as well as the responsible managers in most of the German and European enterprises still ignore these significant aberrations and the inherent risks. Unless the cell phone of the German Chancellor Angela Merkel (or one’s own Research and Development department) is affected by wiretap operations, there is hardly any pushback.“
END OF CITATION
The US government is well on the way to destroying the trust in the internet as a platform for global digital communication, innovation and economic relations. De facto the Rubicon has already been crossed, and it is high time to resist and strike back against the inappropriate and counterproductive government surveillance measures.
P.S.:
Those who hoped that the final version of the „EU-US Privacy Shield“ agreement, approved by the EU Commission on July 12, 2016, would grant effective protection against the acquisitiveness of the US Federal Agencies were disappointed. The regulations of the „EU-US Privacy Shield“ replaced the „Safe Harbor“ agreement – a decision of the EU Commission from the year 2000, which was meant to permit European enterprises to transfer person-related data in compliance with the European Data Privacy Policy to the United States of America and/or US-American vendors. The „Safe Harbor“ agreement was declared legally void by the European Court of Justice (ECJ) in its verdict on October 6, 2015 due to formal reasons.
The „EU-US Privacy Shield“ agreement, which was described by the US-American specialized press as a „deal“, was under heavy criticism right from the beginning. Maximilian Schrems, the claimant who overturned the „Safe Harbor“ agreement, criticized that, from his point of view, the legal situation after the „EU-US Privacy Shield“ agreement became effective is not much different from the legal situation under the „Safe Harbor“ agreement. Schrems said: „In the EU-US Privacy Shield agreement the supremacy of US law is as well formulated as in the Safe Harbor agreement and if US law determines, that data interception is allowed, then data will be intercepted“.
After intensive examination of the documentation, the „EU-US Privacy Shield“ was also rejected by 27 civil liberties groups and Data Privacy Protection experts. They criticized the agreement’s lack of legally binding force, since it is only a collection of letters. Mass surveillance measures initiated by the US government still remain permissible, and the affected individuals and enterprises are still not able to effectively enforce their rights, e.g. because they are not informed about the surveillance measures.
Last but not least, the EU „General Data Protection Regulation“ (GDPR), which was finally approved by the EU Parliament on April 14, 2016 to determine EU-wide uniform binding rules for the processing of person-related data by private enterprises and EU Federal Agencies, does not provide effective protection against exploration by US Federal Agencies either. From May 25, 2018 onwards, the GDPR will replace the EU Guideline 95/46/EG from 1995, which was issued to protect natural persons in the course of the processing of person-related data and in the course of unlimited data communication. The intention of this EU Guideline was to protect person-related data within the European Union on the one hand and to ensure unlimited data communication within the European Domestic Market on the other hand.
The inadequate treatment of Data Privacy protection by the EU Commission in the negotiations with the US government concerning the „EU-US Privacy Shield“ is unfortunately another example which illustrates that basic civil rights of EU citizens are not considered and valued as equally important as the economic interests of private corporations.