0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/340 Thanks! 1 00:00:09,270 --> 00:00:10,980 Well, the CCC has grown a bit, hasn't it? 2 00:00:13,080 --> 00:00:15,119 I'm very pleased to be here and the first 3 00:00:15,120 --> 00:00:16,619 thing I want to do is apologize for my 4 00:00:16,620 --> 00:00:18,719 slides. I know there is far too much 5 00:00:18,720 --> 00:00:20,609 information on my slides. 6 00:00:20,610 --> 00:00:23,009 It breaks every rule of PowerPoint. 7 00:00:23,010 --> 00:00:25,079 So don't look at the slides. 8 00:00:25,080 --> 00:00:26,699 Maybe, but more. 9 00:00:26,700 --> 00:00:28,649 Listen to what I'm saying, because 10 00:00:28,650 --> 00:00:30,659 otherwise it won't make any sense, either 11 00:00:30,660 --> 00:00:31,660 of us 12 00:00:33,930 --> 00:00:34,979 to get through some 13 00:00:36,000 --> 00:00:37,000 preliminaries. 14 00:00:38,370 --> 00:00:40,379 For nine years, I was chief privacy 15 00:00:40,380 --> 00:00:42,209 advisor at Microsoft and I have to 16 00:00:42,210 --> 00:00:44,819 explain a bit about what that job 17 00:00:44,820 --> 00:00:46,019 was. 18 00:00:46,020 --> 00:00:47,999 I didn't have any responsibility for 19 00:00:48,000 --> 00:00:48,989 legal compliance. 20 00:00:48,990 --> 00:00:51,059 Thankfully, I didn't do 21 00:00:51,060 --> 00:00:53,579 anything really in US 22 00:00:53,580 --> 00:00:56,639 privacy. My job was to advise 23 00:00:56,640 --> 00:00:58,829 40 national technology 24 00:00:58,830 --> 00:01:00,869 officers around the world. 
25 00:01:00,870 --> 00:01:02,519 And a Microsoft national technology 26 00:01:02,520 --> 00:01:04,589 officer is a guy with a very big 27 00:01:04,590 --> 00:01:06,899 brain, often one or two PhDs able 28 00:01:06,900 --> 00:01:09,179 to function essentially as Microsoft's 29 00:01:09,180 --> 00:01:11,399 ambassador to governments 30 00:01:11,400 --> 00:01:14,279 around the world at a very senior level, 31 00:01:14,280 --> 00:01:15,900 normally citizens of their own country. 32 00:01:17,040 --> 00:01:19,109 In a sense, you could boil down their 33 00:01:19,110 --> 00:01:21,269 job to if Steve Ballmer then 34 00:01:21,270 --> 00:01:22,739 wanted to get a prime minister on the 35 00:01:22,740 --> 00:01:25,319 phone in half an hour, it was the 36 00:01:25,320 --> 00:01:27,119 job to get that done. 37 00:01:28,170 --> 00:01:30,329 So I didn't know about PRISM when 38 00:01:30,330 --> 00:01:31,469 I was at Microsoft. 39 00:01:31,470 --> 00:01:33,989 And what I'm about to tell you, I deduced 40 00:01:33,990 --> 00:01:36,179 from open sources and by deciding to 41 00:01:36,180 --> 00:01:38,489 read the American laws 42 00:01:38,490 --> 00:01:40,649 and nobody asked me to do 43 00:01:40,650 --> 00:01:41,609 this. 44 00:01:41,610 --> 00:01:44,459 What happened to me after that was 45 00:01:44,460 --> 00:01:46,799 I explained to a big Microsoft 46 00:01:46,800 --> 00:01:48,869 internal strategy conference about cloud 47 00:01:48,870 --> 00:01:50,939 computing with all of 48 00:01:50,940 --> 00:01:52,709 the cloud management that all of my 49 00:01:52,710 --> 00:01:54,179 national technology officers there, the 50 00:01:54,180 --> 00:01:56,819 deputy general counsel at Microsoft, 51 00:01:56,820 --> 00:01:58,649 what I discovered and I said to my 52 00:01:58,650 --> 00:02:00,119 technology officer, look, you ought to 53 00:02:00,120 --> 00:02:01,229 know this. 
54 00:02:01,230 --> 00:02:03,269 If you sell Microsoft cloud computing to 55 00:02:03,270 --> 00:02:05,639 your own governments, then 56 00:02:05,640 --> 00:02:07,829 this law means that 57 00:02:07,830 --> 00:02:09,659 the NSA can conduct unlimited mass 58 00:02:09,660 --> 00:02:10,720 surveillance on that data. 59 00:02:11,910 --> 00:02:13,409 So the deputy general counsel of 60 00:02:13,410 --> 00:02:15,029 Microsoft turned green. 61 00:02:15,030 --> 00:02:16,739 I'd never seen anyone turn green before, 62 00:02:16,740 --> 00:02:17,939 but she did. 63 00:02:17,940 --> 00:02:20,099 There was dead silence in the room. 64 00:02:20,100 --> 00:02:21,959 In the coffee break, I was threatened 65 00:02:21,960 --> 00:02:23,339 with being fired. 66 00:02:23,340 --> 00:02:24,959 And then two months later, they did fire 67 00:02:24,960 --> 00:02:26,159 me without cause. 68 00:02:27,780 --> 00:02:29,999 So since then, I really, 69 00:02:30,000 --> 00:02:32,279 from 2011, went round trying 70 00:02:32,280 --> 00:02:34,439 to tell as many people as I could 71 00:02:34,440 --> 00:02:36,299 about what I discovered. 72 00:02:36,300 --> 00:02:38,819 And I've given variants of the speech 73 00:02:38,820 --> 00:02:40,559 now about 20 times, I suppose. 74 00:02:40,560 --> 00:02:42,959 But I hope this brings things right 75 00:02:42,960 --> 00:02:45,899 up to date as of about two weeks ago. 76 00:02:45,900 --> 00:02:47,999 And also, I'm going to tell you some 77 00:02:48,000 --> 00:02:49,919 things which I haven't told before. 78 00:02:53,140 --> 00:02:54,759 So the first thing to say is this talk is 79 00:02:54,760 --> 00:02:58,029 not about cloud as storage. 80 00:02:58,030 --> 00:03:00,519 This is about parallel processing power 81 00:03:00,520 --> 00:03:02,199 as a commodity. 82 00:03:02,200 --> 00:03:04,329 And in fact, this photo is just 83 00:03:04,330 --> 00:03:06,609 two photos crammed together. 84 00:03:06,610 --> 00:03:08,679 The left is a modern data center. 
85 00:03:08,680 --> 00:03:09,819 And on the right, 86 00:03:10,990 --> 00:03:13,149 there's a door, 87 00:03:13,150 --> 00:03:14,349 a doorway. You probably can't see the 88 00:03:14,350 --> 00:03:17,559 number, but the number is 641A. 89 00:03:17,560 --> 00:03:19,989 Now, how many people know what 641A 90 00:03:19,990 --> 00:03:20,990 refers to? 91 00:03:22,580 --> 00:03:23,549 Good. 92 00:03:23,550 --> 00:03:24,550 OK, 93 00:03:25,940 --> 00:03:28,249 so 641A came 94 00:03:28,250 --> 00:03:30,349 from the story 95 00:03:30,350 --> 00:03:32,419 of the first warrantless wiretapping 96 00:03:32,420 --> 00:03:35,479 episode from about 2005 97 00:03:35,480 --> 00:03:36,949 to 2007, 98 00:03:38,210 --> 00:03:40,489 and I don't have time to tell that story. 99 00:03:40,490 --> 00:03:43,129 But in fact, that doorway 100 00:03:43,130 --> 00:03:45,409 contained a deep packet 101 00:03:45,410 --> 00:03:49,219 inspection box installed round about 2002 102 00:03:49,220 --> 00:03:51,469 in one of the main AT&T switching centers 103 00:03:51,470 --> 00:03:52,470 in San Francisco. 104 00:03:53,810 --> 00:03:56,239 So in a sense, you could boil 105 00:03:56,240 --> 00:03:58,339 down my talk to 106 00:03:58,340 --> 00:04:01,279 how likely is it legally or technically 107 00:04:01,280 --> 00:04:02,949 that there's one of those on the right 108 00:04:03,980 --> 00:04:05,270 in one of those on the left? 
109 00:04:09,440 --> 00:04:11,599 So what this talk is going to be mainly 110 00:04:11,600 --> 00:04:13,849 about is the law underlying 111 00:04:13,850 --> 00:04:15,289 what we now call PRISM, 112 00:04:16,640 --> 00:04:19,219 and it is the 2008 Foreign 113 00:04:19,220 --> 00:04:21,889 Intelligence Surveillance Act Amendment 114 00:04:21,890 --> 00:04:24,019 Act, which, 115 00:04:24,020 --> 00:04:25,309 when it was passed, had a different 116 00:04:25,310 --> 00:04:26,539 numbering, which needn't bother us, 117 00:04:26,540 --> 00:04:28,669 called 1881a; now everyone calls 118 00:04:28,670 --> 00:04:30,529 it Section 702. 119 00:04:31,880 --> 00:04:34,249 And what it's about is obtaining 120 00:04:34,250 --> 00:04:36,579 foreign intelligence information. 121 00:04:37,760 --> 00:04:40,129 It intentionally targets 122 00:04:40,130 --> 00:04:42,709 only non-Americans 123 00:04:42,710 --> 00:04:44,719 outside the US. 124 00:04:44,720 --> 00:04:46,729 When I say only, that is, of course, 95 125 00:04:46,730 --> 00:04:49,369 percent of the world's population. 126 00:04:49,370 --> 00:04:51,109 It's a blanket authorization for one 127 00:04:51,110 --> 00:04:52,110 year. 128 00:04:53,060 --> 00:04:55,609 There's a requirement to minimize access 129 00:04:55,610 --> 00:04:57,769 on US persons after collection and to 130 00:04:57,770 --> 00:04:59,269 a certain extent before collection. 131 00:05:00,800 --> 00:05:03,229 And the provider 132 00:05:03,230 --> 00:05:05,569 of these services has to provide 133 00:05:05,570 --> 00:05:07,699 the government with all facilities and 134 00:05:07,700 --> 00:05:09,889 information to accomplish this 135 00:05:09,890 --> 00:05:11,749 acquisition in secret. 
136 00:05:13,870 --> 00:05:16,509 So the first point I want to emphasize, 137 00:05:16,510 --> 00:05:18,249 which will make sense when you come to 138 00:05:18,250 --> 00:05:20,589 the next slide, is this means 139 00:05:20,590 --> 00:05:21,729 if you're not an American, 140 00:05:22,930 --> 00:05:24,339 you cannot really trust 141 00:05:25,750 --> 00:05:27,579 cryptographic services or in general, 142 00:05:27,580 --> 00:05:29,679 software services provided 143 00:05:29,680 --> 00:05:32,109 by US companies, because 144 00:05:32,110 --> 00:05:34,239 even if that software or that 145 00:05:34,240 --> 00:05:36,579 cryptography is sound to begin 146 00:05:36,580 --> 00:05:38,379 with, you're going to receive software 147 00:05:38,380 --> 00:05:39,609 updates. 148 00:05:39,610 --> 00:05:41,169 And if you're not an American outside the 149 00:05:41,170 --> 00:05:43,299 US, a software update could be pushed 150 00:05:43,300 --> 00:05:45,579 to you, targeted at you, 151 00:05:45,580 --> 00:05:47,350 which is going to hurt your security. 152 00:05:48,790 --> 00:05:50,349 If you don't comply with one of these 153 00:05:50,350 --> 00:05:51,579 orders, 154 00:05:51,580 --> 00:05:53,079 it's a contempt of the Foreign 155 00:05:53,080 --> 00:05:54,549 Intelligence Surveillance Court. 156 00:05:55,850 --> 00:05:57,969 If somebody's an American company, as 157 00:05:57,970 --> 00:06:00,099 Marissa Mayer said last year, if 158 00:06:00,100 --> 00:06:01,329 someone, an American company, were to 159 00:06:01,330 --> 00:06:03,429 tell, say, a foreign data protection 160 00:06:03,430 --> 00:06:05,439 authority, that's potentially an offense 161 00:06:05,440 --> 00:06:07,629 under the Espionage Act, 20 162 00:06:07,630 --> 00:06:08,949 years in jail or worse. 
163 00:06:10,640 --> 00:06:12,829 So the providers of these 164 00:06:12,830 --> 00:06:14,629 services have complete immunity from 165 00:06:14,630 --> 00:06:15,630 civil lawsuits 166 00:06:17,000 --> 00:06:19,099 and all of this must be done in a manner 167 00:06:19,100 --> 00:06:21,289 consistent with the US 168 00:06:21,290 --> 00:06:22,290 Fourth Amendment. 169 00:06:23,300 --> 00:06:25,819 And the analysis I'm giving you now is 170 00:06:25,820 --> 00:06:28,309 the analysis that I was giving people 171 00:06:28,310 --> 00:06:30,499 a year or 18 months before Snowden 172 00:06:30,500 --> 00:06:31,459 verbatim. 173 00:06:31,460 --> 00:06:32,779 These slides haven't been changed. 174 00:06:34,850 --> 00:06:37,339 So what is foreign intelligence 175 00:06:37,340 --> 00:06:38,340 information? 176 00:06:39,830 --> 00:06:42,019 So we have to now go back 177 00:06:42,020 --> 00:06:44,239 to the very first FISA Act, 178 00:06:44,240 --> 00:06:45,379 the very first Foreign Intelligence 179 00:06:45,380 --> 00:06:47,149 Surveillance Act in 1978. 180 00:06:48,780 --> 00:06:50,279 And the definitions I'm showing you, 181 00:06:51,360 --> 00:06:52,919 the significant part I'm showing you has 182 00:06:52,920 --> 00:06:55,049 not changed since 1978. 183 00:06:55,050 --> 00:06:56,050 It's been there that long. 184 00:06:58,050 --> 00:06:59,579 And the extraordinary thing is that in 185 00:06:59,580 --> 00:07:00,809 the legal literature, the policy 186 00:07:00,810 --> 00:07:01,810 literature, 187 00:07:02,640 --> 00:07:05,069 there is absolutely nothing written 188 00:07:05,070 --> 00:07:07,169 about the part on the bottom 189 00:07:07,170 --> 00:07:09,269 in bold, nothing at all from the 190 00:07:09,270 --> 00:07:11,100 perspective of a non-American. 
191 00:07:12,210 --> 00:07:14,639 So, the print's probably too small, 192 00:07:14,640 --> 00:07:16,439 but in the definition of foreign 193 00:07:16,440 --> 00:07:18,389 intelligence information, you can see the 194 00:07:18,390 --> 00:07:19,829 sort of things that you'd expect, like 195 00:07:19,830 --> 00:07:21,929 money laundering, sabotage, international 196 00:07:21,930 --> 00:07:22,930 terrorism. 197 00:07:23,910 --> 00:07:26,129 And then there's the section in bold. 198 00:07:26,130 --> 00:07:28,139 And to actually get the text at the 199 00:07:28,140 --> 00:07:30,209 bottom, you have to unwind two 200 00:07:30,210 --> 00:07:32,489 levels of legal definition and substitute 201 00:07:32,490 --> 00:07:33,539 them in. 202 00:07:33,540 --> 00:07:35,489 But what you boil it down to foreign 203 00:07:35,490 --> 00:07:38,219 intelligence information can mean 204 00:07:38,220 --> 00:07:40,379 simply information 205 00:07:40,380 --> 00:07:42,389 with respect to a foreign-based political 206 00:07:42,390 --> 00:07:45,689 organization or foreign territory 207 00:07:45,690 --> 00:07:49,019 that relates to the conduct 208 00:07:49,020 --> 00:07:51,179 of the foreign affairs of the United 209 00:07:51,180 --> 00:07:52,180 States. 210 00:07:53,040 --> 00:07:55,109 Nothing necessarily to do with national 211 00:07:55,110 --> 00:07:57,989 security, nothing to do with terrorism, 212 00:07:57,990 --> 00:07:59,129 nothing to do with crime, 213 00:08:00,270 --> 00:08:02,519 simply if it relates 214 00:08:02,520 --> 00:08:04,859 to the foreign policy of the US, 215 00:08:04,860 --> 00:08:07,289 which is an incredibly broad definition. 216 00:08:07,290 --> 00:08:08,999 You won't find a definition as broad as 217 00:08:09,000 --> 00:08:11,279 that in any other law, 218 00:08:11,280 --> 00:08:12,280 I believe. 
219 00:08:14,500 --> 00:08:16,569 So what is also 220 00:08:16,570 --> 00:08:18,339 peculiar about this definition 221 00:08:20,020 --> 00:08:22,329 is it's conditional on nationality, 222 00:08:23,650 --> 00:08:25,749 if, again, 223 00:08:25,750 --> 00:08:27,969 it's slightly too small to see, but if 224 00:08:27,970 --> 00:08:30,159 you are a United States person, 225 00:08:30,160 --> 00:08:32,349 that is to say, an American citizen 226 00:08:32,350 --> 00:08:33,429 or permanent resident. 227 00:08:35,940 --> 00:08:38,129 Where it says relates would 228 00:08:38,130 --> 00:08:40,349 read necessary, necessary, a very 229 00:08:40,350 --> 00:08:42,389 high and strict legal threshold. 230 00:08:43,390 --> 00:08:45,909 But if you're a foreigner outside 231 00:08:45,910 --> 00:08:48,309 the US, it's relates 232 00:08:48,310 --> 00:08:51,159 a very, very low legal threshold, 233 00:08:51,160 --> 00:08:52,240 trivial to pass. 234 00:08:54,100 --> 00:08:55,809 So this is the only law, as far as I 235 00:08:55,810 --> 00:08:57,879 know, where the very term of a 236 00:08:57,880 --> 00:08:59,919 surveillance information to be obtained 237 00:08:59,920 --> 00:09:01,989 is itself conditioned 238 00:09:01,990 --> 00:09:04,419 by the nationality of the person. 239 00:09:04,420 --> 00:09:05,420 Quite unique. 240 00:09:08,750 --> 00:09:11,119 So what this law did in 2008 241 00:09:11,120 --> 00:09:13,249 is it combined three elements for 242 00:09:13,250 --> 00:09:15,079 the first time which had actually been 243 00:09:15,080 --> 00:09:16,489 there in previous laws. 244 00:09:17,510 --> 00:09:19,999 The first part that it only targets 245 00:09:20,000 --> 00:09:22,759 non US persons located outside the US 246 00:09:22,760 --> 00:09:25,039 had actually been there in a stop gap 247 00:09:25,040 --> 00:09:27,499 precursor law called the Protect America 248 00:09:27,500 --> 00:09:29,269 Act of 2007. 
249 00:09:29,270 --> 00:09:31,459 But that expired after one year 250 00:09:31,460 --> 00:09:32,479 and then they had to do something 251 00:09:32,480 --> 00:09:34,549 permanent, which was this. 252 00:09:34,550 --> 00:09:36,559 But that idea of only targeting non-U.S. 253 00:09:36,560 --> 00:09:38,629 persons located location outside the US 254 00:09:38,630 --> 00:09:41,599 began with this earlier law in 2007, 255 00:09:41,600 --> 00:09:43,489 and this earlier law of 2007 was 256 00:09:43,490 --> 00:09:46,069 essentially designed to clean up 257 00:09:46,070 --> 00:09:47,839 the first warrantless wiretapping 258 00:09:47,840 --> 00:09:50,119 episode, which had been raging in the US 259 00:09:50,120 --> 00:09:52,489 press for a couple of years 260 00:09:52,490 --> 00:09:53,490 before that. 261 00:09:54,950 --> 00:09:57,469 The second thing that it did 262 00:09:57,470 --> 00:09:59,119 is much more significant 263 00:10:00,680 --> 00:10:02,689 in the Electronic Communication Privacy 264 00:10:02,690 --> 00:10:04,069 Act of 1986. 265 00:10:04,070 --> 00:10:06,889 It defined a term called Remote Computing 266 00:10:06,890 --> 00:10:07,890 Services. 267 00:10:09,080 --> 00:10:11,179 And when you look at that definition, 268 00:10:11,180 --> 00:10:12,499 you'll see that the remote computing 269 00:10:12,500 --> 00:10:13,909 services, even though it was defined in 270 00:10:13,910 --> 00:10:16,159 1986, is a very good definition of 271 00:10:16,160 --> 00:10:19,339 all forms of public cloud computing 272 00:10:19,340 --> 00:10:20,340 that we would call today. 273 00:10:22,190 --> 00:10:24,469 So this new term of remote computing 274 00:10:24,470 --> 00:10:26,179 services was snuck in 275 00:10:27,380 --> 00:10:29,389 to the FISA Amendment Act. 276 00:10:29,390 --> 00:10:31,579 Nobody apparently 277 00:10:31,580 --> 00:10:33,799 noticed it had been put in. 
278 00:10:33,800 --> 00:10:35,479 And the effect of this was that all 279 00:10:35,480 --> 00:10:37,939 previous such laws had dealt with 280 00:10:37,940 --> 00:10:40,129 telecommunication providers and Internet 281 00:10:40,130 --> 00:10:41,629 service providers, providers of 282 00:10:41,630 --> 00:10:43,340 communication services 283 00:10:44,630 --> 00:10:46,999 by expanding the scope 284 00:10:47,000 --> 00:10:50,059 of FISA 702 to include 285 00:10:50,060 --> 00:10:51,709 remote computing services. 286 00:10:51,710 --> 00:10:53,779 It effectively then embraced all of 287 00:10:53,780 --> 00:10:55,939 these obligations on providers of cloud 288 00:10:55,940 --> 00:10:57,169 computing. 289 00:10:57,170 --> 00:10:59,479 And as extraordinary as it may be, 290 00:10:59,480 --> 00:11:00,919 there was no commentary on this at the 291 00:11:00,920 --> 00:11:01,879 time. There's nothing in the 292 00:11:01,880 --> 00:11:03,319 Congressional Research Service. 293 00:11:03,320 --> 00:11:04,909 There were no law papers commenting on 294 00:11:04,910 --> 00:11:06,739 it. None of the civil society activism at 295 00:11:06,740 --> 00:11:09,199 the time, no justice, no 296 00:11:09,200 --> 00:11:11,059 reference whatsoever to this addition. 297 00:11:12,770 --> 00:11:14,539 The third new element, as we discussed, 298 00:11:14,540 --> 00:11:17,059 is coming from FISA's 299 00:11:17,060 --> 00:11:18,739 1978. 300 00:11:18,740 --> 00:11:21,019 It doesn't have to be about criminality, 301 00:11:21,020 --> 00:11:22,969 even as we would understand it in Europe, 302 00:11:22,970 --> 00:11:24,709 national security, the vital interest of 303 00:11:24,710 --> 00:11:25,759 the state. 304 00:11:25,760 --> 00:11:28,370 It can purely mean political surveillance 305 00:11:29,390 --> 00:11:31,339 in the political and economic interests 306 00:11:31,340 --> 00:11:32,340 of the US. 
307 00:11:33,950 --> 00:11:36,439 And surveillance over ordinary, lawful 308 00:11:36,440 --> 00:11:38,389 democratic activities of people in their 309 00:11:38,390 --> 00:11:40,039 own countries, exercising their 310 00:11:40,040 --> 00:11:41,570 democratic rights and freedoms. 311 00:11:43,640 --> 00:11:45,229 So this was designed for mass 312 00:11:45,230 --> 00:11:47,539 surveillance of any cloud data relating 313 00:11:47,540 --> 00:11:49,279 to US foreign policy, and it contains 314 00:11:49,280 --> 00:11:52,069 this extraordinary double discrimination 315 00:11:52,070 --> 00:11:53,329 by nationality. 316 00:11:53,330 --> 00:11:55,429 Firstly, in the fact that in the 317 00:11:55,430 --> 00:11:57,499 title of the statute, FISA 702 318 00:11:57,500 --> 00:11:59,659 only targets non-Americans 319 00:11:59,660 --> 00:12:02,179 outside the US, but also 320 00:12:02,180 --> 00:12:04,189 in that conditionality in the very 321 00:12:04,190 --> 00:12:06,199 definition of foreign intelligence 322 00:12:06,200 --> 00:12:07,549 information. 323 00:12:07,550 --> 00:12:09,799 Again, that structure is quite unique 324 00:12:09,800 --> 00:12:10,800 in the world. 325 00:12:13,610 --> 00:12:15,709 So you remember 326 00:12:15,710 --> 00:12:17,570 that all of that had to be done. 327 00:12:19,380 --> 00:12:21,719 With regard to the Fourth Amendment and 328 00:12:21,720 --> 00:12:24,269 although it may seem strange today, 329 00:12:24,270 --> 00:12:25,979 back in 2012, 330 00:12:27,420 --> 00:12:29,489 nobody actually knew 331 00:12:29,490 --> 00:12:31,739 whether the Fourth Amendment applied 332 00:12:31,740 --> 00:12:34,109 to non-Americans outside 333 00:12:34,110 --> 00:12:35,110 the US. 
334 00:12:35,730 --> 00:12:38,339 I would go to data protection conferences 335 00:12:38,340 --> 00:12:40,649 year after year where a representative 336 00:12:40,650 --> 00:12:42,179 from the US State Department would make 337 00:12:42,180 --> 00:12:44,369 these great paeans and 338 00:12:44,370 --> 00:12:46,649 hymns of praise to the wonders 339 00:12:46,650 --> 00:12:48,179 of the Fourth Amendment. 340 00:12:48,180 --> 00:12:49,679 And since it was directed to an 341 00:12:49,680 --> 00:12:51,149 international audience, I think it was 342 00:12:51,150 --> 00:12:53,369 reasonable to suppose that 343 00:12:53,370 --> 00:12:54,989 the implication was that somehow the 344 00:12:54,990 --> 00:12:56,699 Fourth Amendment was protecting everybody 345 00:12:56,700 --> 00:12:57,700 in that room. 346 00:12:59,220 --> 00:13:00,929 Well, there was a bit of detective story 347 00:13:00,930 --> 00:13:02,759 to find out that it didn't. 348 00:13:03,840 --> 00:13:06,239 It starts with a 1990 349 00:13:06,240 --> 00:13:08,519 Supreme Court case called 350 00:13:08,520 --> 00:13:10,139 Verdugo-Urquidez. 351 00:13:10,140 --> 00:13:12,599 That isn't quite the perfect fit 352 00:13:12,600 --> 00:13:14,639 for the cloud situation, but it's sort of 353 00:13:14,640 --> 00:13:16,589 the best that we've got. 354 00:13:16,590 --> 00:13:19,019 And then in 2008, 355 00:13:19,020 --> 00:13:20,129 there was a foreign intelligence 356 00:13:20,130 --> 00:13:22,979 surveillance court of review judgment 357 00:13:22,980 --> 00:13:24,570 about the Protect America Act. 358 00:13:26,910 --> 00:13:29,279 And this is the case that we now actually 359 00:13:29,280 --> 00:13:30,359 know was about Yahoo! 360 00:13:30,360 --> 00:13:33,059 It's called In re REDACTED. 361 00:13:34,920 --> 00:13:36,509 And of course, a lot of information has 362 00:13:36,510 --> 00:13:37,589 now been declassified and come out. 363 00:13:37,590 --> 00:13:38,579 But it was actually Yahoo! 
364 00:13:38,580 --> 00:13:39,580 challenging 365 00:13:41,960 --> 00:13:44,119 the terms of this Protect America Act 366 00:13:44,120 --> 00:13:45,559 and the judgment came down 367 00:13:46,700 --> 00:13:48,829 actually just after the 368 00:13:48,830 --> 00:13:51,079 FISA 702 act had been passed, 369 00:13:51,080 --> 00:13:53,269 so in the unredacted parts. 370 00:13:54,470 --> 00:13:56,479 And this is very surprising because 371 00:13:56,480 --> 00:13:58,099 almost all references to this sort of 372 00:13:58,100 --> 00:14:00,589 thing are redacted, especially 373 00:14:00,590 --> 00:14:03,499 in the newly declassified FISC stuff. 374 00:14:03,500 --> 00:14:05,989 It said that there's no Fourth protection 375 00:14:05,990 --> 00:14:08,059 for foreign powers reasonably 376 00:14:08,060 --> 00:14:10,009 believed to be located outside the US and 377 00:14:10,010 --> 00:14:11,010 further. 378 00:14:13,380 --> 00:14:14,580 Probable cause 379 00:14:16,110 --> 00:14:18,209 as a term, meaning a 50 percent 380 00:14:18,210 --> 00:14:19,649 likelihood that you're guilty or 50 381 00:14:19,650 --> 00:14:21,419 percent likelihood that there's 382 00:14:21,420 --> 00:14:23,189 sufficient evidence to show that you are 383 00:14:23,190 --> 00:14:25,289 the person the police are looking for 384 00:14:25,290 --> 00:14:26,290 in some criminal effect. 
385 00:14:29,040 --> 00:14:31,289 When I noticed this in 2010 386 00:14:31,290 --> 00:14:33,089 and appeared on the US court service 387 00:14:33,090 --> 00:14:34,619 website for about six months and then 388 00:14:34,620 --> 00:14:36,509 disappeared, but fortunately being cached 389 00:14:36,510 --> 00:14:38,159 by the Federation of American Scientists, 390 00:14:39,360 --> 00:14:40,949 there was there in black and white, again 391 00:14:40,950 --> 00:14:42,509 in the unredacted parts, this 392 00:14:42,510 --> 00:14:44,759 extraordinary idea that 393 00:14:44,760 --> 00:14:46,949 if you are a foreigner outside the US, 394 00:14:46,950 --> 00:14:48,989 probable cause doesn't become probable 395 00:14:48,990 --> 00:14:50,999 cause of any criminality. 396 00:14:51,000 --> 00:14:52,619 It just becomes probable cause that 397 00:14:52,620 --> 00:14:53,620 you're foreign. 398 00:14:56,130 --> 00:14:57,779 And that's the sufficient trigger to 399 00:14:57,780 --> 00:14:58,780 begin surveillance. 400 00:15:00,390 --> 00:15:01,949 So what I'm going to show you next is a 401 00:15:01,950 --> 00:15:03,119 little short video clip. 402 00:15:04,170 --> 00:15:05,250 It's a clip 403 00:15:06,360 --> 00:15:08,909 primarily with Jameel Jaffer 404 00:15:08,910 --> 00:15:10,469 of the American Civil Liberties Union, a 405 00:15:10,470 --> 00:15:12,659 very fine privacy advocate 406 00:15:13,770 --> 00:15:15,090 at the forefront of challenging 407 00:15:16,170 --> 00:15:17,759 some parts of this from the point of view 408 00:15:17,760 --> 00:15:20,249 of Americans over the past few years. 409 00:15:20,250 --> 00:15:22,319 And he's talking in front of 410 00:15:22,320 --> 00:15:25,169 a House Judiciary subcommittee hearing 411 00:15:25,170 --> 00:15:27,389 in the middle of 2012 because 412 00:15:27,390 --> 00:15:29,999 then FISA 702 was expiring. 413 00:15:30,000 --> 00:15:31,200 It needed to be renewed. 
414 00:15:32,220 --> 00:15:34,889 And this is how the dialog went 415 00:15:34,890 --> 00:15:35,089 through. 416 00:15:35,090 --> 00:15:37,289 What does the Fourth Amendment 417 00:15:37,290 --> 00:15:39,899 apply to foreign 418 00:15:39,900 --> 00:15:42,899 targets in foreign lands? 419 00:15:42,900 --> 00:15:44,460 I don't think that's the question. 420 00:15:45,930 --> 00:15:47,459 That's my question. 421 00:15:47,460 --> 00:15:49,619 So obviously it's the 422 00:15:49,620 --> 00:15:50,970 right question because that's what 423 00:15:52,350 --> 00:15:53,840 I told you. 424 00:15:54,890 --> 00:15:56,719 I don't think that's what you said. 425 00:15:56,720 --> 00:15:58,350 You don't think it does? 426 00:15:59,670 --> 00:16:01,829 Well, in the circumstance of the statute, 427 00:16:01,830 --> 00:16:02,939 I don't think it does. 428 00:16:02,940 --> 00:16:03,229 Right. 429 00:16:03,230 --> 00:16:04,169 I mean, we certainly have made the 430 00:16:04,170 --> 00:16:07,189 argument that does the Fourth Amendment 431 00:16:07,190 --> 00:16:09,749 of the statute, does the Fourth Amendment 432 00:16:09,750 --> 00:16:12,659 apply to foreign nationals 433 00:16:12,660 --> 00:16:14,729 and foreign does not 434 00:16:14,730 --> 00:16:16,440 just the Second Amendment apply? 435 00:16:17,970 --> 00:16:20,219 I don't know, first of all, but I think 436 00:16:20,220 --> 00:16:22,409 no, I think it would depend 437 00:16:22,410 --> 00:16:24,449 on the circumstance. Women's suffrage 438 00:16:24,450 --> 00:16:25,649 does not apply. 439 00:16:25,650 --> 00:16:27,659 Now, that's my point. 440 00:16:27,660 --> 00:16:30,359 They don't. So we're not talking about 441 00:16:30,360 --> 00:16:31,919 foreign. We're not talking about 442 00:16:31,920 --> 00:16:34,049 surveillance of foreign nationals in 443 00:16:34,050 --> 00:16:35,280 foreign lands. Right. 444 00:16:38,750 --> 00:16:40,009 That's my second point. 
445 00:16:43,210 --> 00:16:45,549 So the significance of that is 446 00:16:45,550 --> 00:16:47,109 that Jameel Jaffer, you know, doing the 447 00:16:47,110 --> 00:16:48,759 best job he could as an advocate, was 448 00:16:48,760 --> 00:16:50,649 really driven against back against the 449 00:16:50,650 --> 00:16:52,719 wall to admit that there 450 00:16:52,720 --> 00:16:54,909 is no constitutional protection for 451 00:16:54,910 --> 00:16:57,009 foreigners in foreign lands, as 452 00:16:57,010 --> 00:16:58,960 the charming Texas congressman put it, 453 00:17:00,100 --> 00:17:02,349 and also that the US 454 00:17:02,350 --> 00:17:04,629 Congress was laughing. 455 00:17:04,630 --> 00:17:07,118 They were laughing at the idea that you 456 00:17:07,119 --> 00:17:08,230 have privacy rights. 457 00:17:09,250 --> 00:17:11,108 That is the climate of political debate 458 00:17:11,109 --> 00:17:13,749 in the US, as anyone who's followed 459 00:17:13,750 --> 00:17:15,150 the coverage will know. 460 00:17:17,230 --> 00:17:18,609 So I had a bit of luck. 461 00:17:20,230 --> 00:17:22,809 I was invited to join some academics 462 00:17:22,810 --> 00:17:24,669 writing a report commissioned by the 463 00:17:24,670 --> 00:17:27,009 European Parliament on fighting 464 00:17:27,010 --> 00:17:28,539 cybercrime and protecting privacy in the 465 00:17:28,540 --> 00:17:30,699 cloud. And probably the reason this 466 00:17:30,700 --> 00:17:32,379 report was commissioned was to sort of 467 00:17:32,380 --> 00:17:34,689 increase the sort of cyber drumbeat 468 00:17:34,690 --> 00:17:36,159 of we must have more intensive 469 00:17:36,160 --> 00:17:37,899 surveillance laws. But I explained all of 470 00:17:37,900 --> 00:17:39,999 this to my academic colleagues and 471 00:17:40,000 --> 00:17:41,319 they thought it was so important. 
472 00:17:41,320 --> 00:17:42,789 They let me write the middle section of 473 00:17:42,790 --> 00:17:44,949 the report about all of this, pretty much 474 00:17:44,950 --> 00:17:46,819 the analysis I've shown you more. 475 00:17:48,310 --> 00:17:50,109 And this was published in 476 00:17:51,220 --> 00:17:53,319 October, two 477 00:17:53,320 --> 00:17:54,849 thousand and twelve. 478 00:17:54,850 --> 00:17:56,349 The dates from the actual election, say, 479 00:17:56,350 --> 00:17:58,989 January 2013. 480 00:17:58,990 --> 00:18:00,799 And then, of course, nothing happened. 481 00:18:00,800 --> 00:18:02,319 Nobody reads these European Parliament 482 00:18:02,320 --> 00:18:04,149 reports. It just sort of sat there on the 483 00:18:04,150 --> 00:18:06,639 website for two or three months. 484 00:18:06,640 --> 00:18:08,679 And I was actually then watching the 485 00:18:08,680 --> 00:18:10,779 renewal of the FISA legislation. 486 00:18:12,400 --> 00:18:13,599 When did they decide to do that? 487 00:18:13,600 --> 00:18:15,369 Congress? Well, between Christmas and New 488 00:18:15,370 --> 00:18:16,370 Year, obviously. 489 00:18:17,920 --> 00:18:19,629 So I was watching it on C-SPAN and I just 490 00:18:19,630 --> 00:18:21,549 got fed up. So I started calling out all 491 00:18:21,550 --> 00:18:23,769 the journalists that I remembered 492 00:18:23,770 --> 00:18:25,450 from my old civil society days. 493 00:18:26,500 --> 00:18:27,500 Not much luck. 494 00:18:28,480 --> 00:18:30,429 Offer the story to The Guardian. 495 00:18:30,430 --> 00:18:32,709 No interest to 496 00:18:32,710 --> 00:18:33,909 other British newspapers, to The 497 00:18:33,910 --> 00:18:35,799 Washington Post, The New York Times, no 498 00:18:35,800 --> 00:18:36,849 interest. 
499 00:18:36,850 --> 00:18:38,529 And then Ryan Gallagher, who, of course, is 500 00:18:38,530 --> 00:18:39,939 now working on The Intercept with Glenn 501 00:18:39,940 --> 00:18:42,159 Greenwald, wrote a very 502 00:18:42,160 --> 00:18:44,619 tight 800 word summary, 503 00:18:44,620 --> 00:18:46,749 which then created 504 00:18:46,750 --> 00:18:47,829 a little bit of interest in the 505 00:18:47,830 --> 00:18:50,799 blogosphere, about 1500 tweets in a week. 506 00:18:50,800 --> 00:18:52,989 And then at least from Europe, you know, 507 00:18:52,990 --> 00:18:54,759 the general reaction was, how can this 508 00:18:54,760 --> 00:18:57,339 possibly be possible? 509 00:18:57,340 --> 00:18:59,499 What on earth do we have data protection 510 00:18:59,500 --> 00:19:01,089 law for 511 00:19:01,090 --> 00:19:02,359 if this is going on? 512 00:19:03,850 --> 00:19:06,009 The US blog reaction was much less, but 513 00:19:06,010 --> 00:19:08,259 typically, oh, those Europeans 514 00:19:08,260 --> 00:19:10,119 are kind of upset that we can spy on 515 00:19:10,120 --> 00:19:12,339 them. Who's going to stop us? 516 00:19:12,340 --> 00:19:13,749 And that was from a self-described 517 00:19:13,750 --> 00:19:15,369 American civil libertarian. 518 00:19:17,740 --> 00:19:19,599 So how did all this happen? 519 00:19:19,600 --> 00:19:21,699 How is it the case that thousands of 520 00:19:21,700 --> 00:19:23,769 European policymakers 521 00:19:23,770 --> 00:19:25,869 and data protection officials 522 00:19:25,870 --> 00:19:27,819 all over Europe apparently didn't 523 00:19:27,820 --> 00:19:28,839 understand this was happening? 524 00:19:30,910 --> 00:19:32,589 Well, I think for almost everyone in this 525 00:19:32,590 --> 00:19:34,659 room, what I'm 526 00:19:34,660 --> 00:19:35,979 about to say next is going to be slightly 527 00:19:35,980 --> 00:19:37,150 incredible.
But 528 00:19:38,920 --> 00:19:41,049 we as technologists understand 529 00:19:41,050 --> 00:19:43,239 that if you want to encrypt data 530 00:19:43,240 --> 00:19:45,369 yourself and you control the 531 00:19:45,370 --> 00:19:46,869 algorithm, you control the implementation 532 00:19:46,870 --> 00:19:48,759 of the software and you control the key 533 00:19:48,760 --> 00:19:50,199 and then you put that data somewhere else 534 00:19:50,200 --> 00:19:51,200 that's reasonably safe. 535 00:19:52,950 --> 00:19:55,739 But if you want to compute with that data 536 00:19:55,740 --> 00:19:57,269 the meaning of cloud computing, you want 537 00:19:57,270 --> 00:19:58,829 to do useful work with that data in 538 00:19:58,830 --> 00:20:00,719 somebody else's data center thousands of 539 00:20:00,720 --> 00:20:02,279 miles away. 540 00:20:02,280 --> 00:20:03,569 Well, there is no technical way to 541 00:20:03,570 --> 00:20:05,789 protect that, because 542 00:20:05,790 --> 00:20:07,589 even if the data is encrypted on disk 543 00:20:07,590 --> 00:20:09,899 when it passes through the CPU, 544 00:20:09,900 --> 00:20:12,149 it has to be in plain text to do useful 545 00:20:12,150 --> 00:20:14,339 work. Before somebody mentions 546 00:20:14,340 --> 00:20:15,569 homomorphic encryption, 547 00:20:15,570 --> 00:20:17,339 the cryptographers I talked to tell me 548 00:20:17,340 --> 00:20:19,349 that it's always going to be orders of 549 00:20:19,350 --> 00:20:21,449 magnitude too slow 550 00:20:21,450 --> 00:20:22,739 for general-purpose computing. 551 00:20:23,880 --> 00:20:26,039 And amazingly, as far 552 00:20:26,040 --> 00:20:28,169 as I can see, European policymakers did 553 00:20:28,170 --> 00:20:29,159 not understand this. 554 00:20:29,160 --> 00:20:31,319 They bought a whole lot of encryption, 555 00:20:31,320 --> 00:20:34,679 blah, blah, blah, from the industry 556 00:20:34,680 --> 00:20:36,089 that said, yes, of course we protect it.
557 00:20:36,090 --> 00:20:37,499 So it's encrypted, isn't it? 558 00:20:37,500 --> 00:20:39,419 And, yes, we have very good security 559 00:20:39,420 --> 00:20:40,679 measures and security policies. 560 00:20:40,680 --> 00:20:41,669 Of course, it's impossible. 561 00:20:41,670 --> 00:20:42,960 In fact, the cloud is more secure. 562 00:20:45,930 --> 00:20:47,130 But apart from that, 563 00:20:48,570 --> 00:20:50,909 the general structure of the lobbying 564 00:20:50,910 --> 00:20:52,709 from the US government in particular was 565 00:20:52,710 --> 00:20:54,899 that US law offers 566 00:20:54,900 --> 00:20:56,969 very good protection to its citizens by 567 00:20:56,970 --> 00:20:59,069 the Fourth Amendment as good 568 00:20:59,070 --> 00:21:01,469 or better than many European countries, 569 00:21:01,470 --> 00:21:02,470 which is true. 570 00:21:03,330 --> 00:21:05,309 Therefore, don't worry about the US 571 00:21:05,310 --> 00:21:06,310 cloud. 572 00:21:06,900 --> 00:21:08,849 But of course, you can see the fallacy: 573 00:21:08,850 --> 00:21:11,729 once the data in Europe goes 574 00:21:11,730 --> 00:21:13,859 to US jurisdiction, it's totally 575 00:21:13,860 --> 00:21:15,959 vulnerable to laws like FISA 576 00:21:15,960 --> 00:21:16,960 702. 577 00:21:18,000 --> 00:21:22,049 What was also happening from about 2009 578 00:21:22,050 --> 00:21:24,179 is a whole slew 579 00:21:24,180 --> 00:21:26,369 of what I call cloud 580 00:21:26,370 --> 00:21:27,370 wash, 581 00:21:28,950 --> 00:21:31,169 various documents from the US mission 582 00:21:31,170 --> 00:21:33,229 to the EU and the proxies of 583 00:21:33,230 --> 00:21:34,739 the State Department. 584 00:21:34,740 --> 00:21:37,049 A law firm deeply dubious Hogan 585 00:21:37,050 --> 00:21:39,389 Lovells produced a number of 586 00:21:39,390 --> 00:21:41,849 frankly, deceptive quasi- 587 00:21:41,850 --> 00:21:44,549 legal analyses that were pure propaganda.
588 00:21:44,550 --> 00:21:46,859 Respectable law firms like Linklaters and 589 00:21:46,860 --> 00:21:49,109 even the European Data Protection 590 00:21:49,110 --> 00:21:51,900 Supervisor was making speeches 591 00:21:53,010 --> 00:21:55,109 at an event organized by one of 592 00:21:55,110 --> 00:21:57,299 the main US lobbyists 593 00:21:57,300 --> 00:21:59,549 talking about using new data 594 00:21:59,550 --> 00:22:01,799 protection mechanisms to streamline data 595 00:22:01,800 --> 00:22:02,800 into the cloud. 596 00:22:03,660 --> 00:22:05,819 ENISA had a very inglorious 597 00:22:05,820 --> 00:22:07,979 role in this, which I'll come back to, 598 00:22:07,980 --> 00:22:09,059 and then various other 599 00:22:10,830 --> 00:22:12,839 usual suspects. 600 00:22:12,840 --> 00:22:14,529 None of those materials at all, 601 00:22:14,530 --> 00:22:16,679 I've now got a collection of 13 before 602 00:22:16,680 --> 00:22:17,680 Snowden, 603 00:22:18,440 --> 00:22:20,809 mentioned FISA at all, 604 00:22:20,810 --> 00:22:22,140 not even the original FISA. 605 00:22:23,330 --> 00:22:24,769 There was a lot of concern about the 606 00:22:24,770 --> 00:22:26,839 Patriot Act, but 607 00:22:26,840 --> 00:22:28,639 the Patriot Act turns out not to have 608 00:22:28,640 --> 00:22:30,709 actually been the key point of 609 00:22:30,710 --> 00:22:32,319 vulnerability for cloud computing. 610 00:22:35,960 --> 00:22:38,059 So sort of restating what I just 611 00:22:38,060 --> 00:22:40,309 said is cloud mass surveillance a real 612 00:22:40,310 --> 00:22:41,310 risk? 613 00:22:41,990 --> 00:22:44,149 Well, what we know from what's 614 00:22:44,150 --> 00:22:46,400 been declassified by Snowden so far 615 00:22:48,020 --> 00:22:49,909 is that so far the cloud companies have 616 00:22:49,910 --> 00:22:52,069 not been asked 617 00:22:52,070 --> 00:22:54,049 to, as it were, internalize the mass 618 00:22:54,050 --> 00:22:56,029 surveillance.
So far, it appears that 619 00:22:56,030 --> 00:22:57,349 they have been presented with a 620 00:22:57,350 --> 00:22:58,640 particular selector 621 00:23:00,080 --> 00:23:01,579 and you will read enough about what those 622 00:23:01,580 --> 00:23:02,930 can be. I won't leave with a point, 623 00:23:04,040 --> 00:23:06,109 but what I want you to think about for 624 00:23:06,110 --> 00:23:07,670 the future is this problem. 625 00:23:11,300 --> 00:23:13,639 We agree, I think that you cannot 626 00:23:13,640 --> 00:23:16,189 protect data in cloud computing 627 00:23:16,190 --> 00:23:17,190 with encryption, 628 00:23:18,860 --> 00:23:21,019 but the new forms of cloud 629 00:23:21,020 --> 00:23:23,089 computing platform as a service, you 630 00:23:23,090 --> 00:23:24,140 have an entire 631 00:23:26,180 --> 00:23:28,759 way of writing software where, 632 00:23:28,760 --> 00:23:30,319 as it were, under the hood. 633 00:23:30,320 --> 00:23:32,389 If you write the algorithm once, then 634 00:23:32,390 --> 00:23:34,549 the platform is supposed to take care of 635 00:23:34,550 --> 00:23:37,489 scaling that in a few milliseconds 636 00:23:37,490 --> 00:23:39,589 from one CPU perhaps to thousands of 637 00:23:39,590 --> 00:23:40,729 CPUs. 638 00:23:40,730 --> 00:23:42,859 And it's that elasticity of cloud 639 00:23:42,860 --> 00:23:45,199 computing, which is probably 640 00:23:45,200 --> 00:23:46,669 going to be one of the key competitive 641 00:23:46,670 --> 00:23:48,859 advantages for cloud computing in future. 642 00:23:50,030 --> 00:23:51,529 So imagine that you want to intercept 643 00:23:51,530 --> 00:23:52,530 that. 644 00:23:52,990 --> 00:23:54,519 Well, you have to intercept it at the 645 00:23:54,520 --> 00:23:56,619 level where the data makes sense, 646 00:23:56,620 --> 00:23:58,419 which could be, you know, somewhere in 647 00:23:58,420 --> 00:24:00,369 quite a deep software stack.
648 00:24:00,370 --> 00:24:02,229 So it's really not much use plugging in a 649 00:24:02,230 --> 00:24:04,359 deep packet inspection box onto the 650 00:24:04,360 --> 00:24:06,489 cables connecting the data center, 651 00:24:06,490 --> 00:24:08,169 because you might have to have thousands 652 00:24:08,170 --> 00:24:10,239 of those DPI boxes on standby if 653 00:24:10,240 --> 00:24:12,339 the capacity of the algorithm that 654 00:24:12,340 --> 00:24:14,679 is actually running then scales onto 655 00:24:14,680 --> 00:24:16,719 how many thousand CPUs, you're going to 656 00:24:16,720 --> 00:24:19,359 need that much extra DPI capacity 657 00:24:19,360 --> 00:24:20,379 to surveil it. 658 00:24:20,380 --> 00:24:22,539 Unless you 659 00:24:22,540 --> 00:24:24,399 use coercive powers to force the cloud 660 00:24:24,400 --> 00:24:26,019 provider to basically build the 661 00:24:26,020 --> 00:24:28,539 surveillance into the software 662 00:24:28,540 --> 00:24:30,669 you build in surveillance subroutines at 663 00:24:30,670 --> 00:24:32,589 the necessary levels of the stack. 664 00:24:32,590 --> 00:24:35,199 So that however that application 665 00:24:35,200 --> 00:24:37,629 scales, the surveillance capacity 666 00:24:37,630 --> 00:24:38,979 is already there in software. 667 00:24:40,480 --> 00:24:41,829 So I don't know. 668 00:24:41,830 --> 00:24:43,449 And it appears we have no evidence that 669 00:24:43,450 --> 00:24:44,500 this has been done already. 670 00:24:45,580 --> 00:24:47,499 But it seems to me the writing is on the 671 00:24:47,500 --> 00:24:49,749 wall, that if governments 672 00:24:49,750 --> 00:24:51,579 are going to be wanting to surveil cloud 673 00:24:51,580 --> 00:24:53,709 computing systematically, they're going 674 00:24:53,710 --> 00:24:55,929 to have to exercise those 675 00:24:55,930 --> 00:24:57,369 sorts of powers.
676 00:24:57,370 --> 00:25:00,099 And I guess the point I'd like to make, 677 00:25:00,100 --> 00:25:02,739 702 already provides these powers, 678 00:25:02,740 --> 00:25:04,509 even if they have not been used to that 679 00:25:04,510 --> 00:25:05,680 extent already. 680 00:25:09,650 --> 00:25:12,169 So and I want to talk 681 00:25:12,170 --> 00:25:14,299 more about the European side 682 00:25:14,300 --> 00:25:16,459 of the affair and what's 683 00:25:16,460 --> 00:25:17,809 been happening with European data 684 00:25:17,810 --> 00:25:20,029 protection regulation, 685 00:25:20,030 --> 00:25:21,709 as I think almost all of you will know, 686 00:25:21,710 --> 00:25:24,739 there is a new data protection regulation 687 00:25:24,740 --> 00:25:26,989 being hung up in 688 00:25:26,990 --> 00:25:29,239 European legislators for about 689 00:25:29,240 --> 00:25:30,229 two years. 690 00:25:30,230 --> 00:25:33,199 And, of course, discussions continued 691 00:25:33,200 --> 00:25:35,149 after Snowden about what form that should 692 00:25:35,150 --> 00:25:36,109 take. 693 00:25:36,110 --> 00:25:38,449 And one whole part of that regulation 694 00:25:38,450 --> 00:25:40,669 is concerned with the legal means 695 00:25:40,670 --> 00:25:42,739 of exporting EU data 696 00:25:42,740 --> 00:25:45,079 outside and particularly to the US. 697 00:25:46,700 --> 00:25:48,289 So in the current data protection 698 00:25:48,290 --> 00:25:49,290 directive, 699 00:25:50,360 --> 00:25:51,709 there are basically these ways of doing 700 00:25:51,710 --> 00:25:53,630 it, you can get somebody to consent, 701 00:25:54,890 --> 00:25:56,760 you can rely on safe harbor, 702 00:25:57,920 --> 00:26:00,169 you can form a contract with 703 00:26:00,170 --> 00:26:02,239 specially approved clauses with the 704 00:26:02,240 --> 00:26:04,000 person you want to export the data to. 705 00:26:05,060 --> 00:26:07,669 And then there's also something new 706 00:26:07,670 --> 00:26:10,579 called binding corporate rules.
707 00:26:10,580 --> 00:26:12,259 Binding corporate rules essentially 708 00:26:12,260 --> 00:26:14,239 allows a sort of corporation to make up 709 00:26:14,240 --> 00:26:16,489 their own scouts on a charter. 710 00:26:16,490 --> 00:26:18,799 We really will obey this and we'll 711 00:26:18,800 --> 00:26:20,869 invent some sanctions on ourselves if 712 00:26:20,870 --> 00:26:22,879 anybody breaks the rules. 713 00:26:22,880 --> 00:26:25,039 And this is sanctified by 714 00:26:25,040 --> 00:26:26,060 data protection authority. 715 00:26:27,080 --> 00:26:29,209 And these were invented actually for 716 00:26:30,290 --> 00:26:31,789 fairly reasonable purposes. 717 00:26:31,790 --> 00:26:33,769 If a global corporation wanted to do 718 00:26:33,770 --> 00:26:35,929 all their human resources processing in 719 00:26:35,930 --> 00:26:38,359 one center and therefore 720 00:26:38,360 --> 00:26:40,009 collect data from all around the world to 721 00:26:40,010 --> 00:26:41,029 do that. 722 00:26:41,030 --> 00:26:43,369 This was sort of a template idea behind 723 00:26:43,370 --> 00:26:44,479 a BCR. 724 00:26:44,480 --> 00:26:46,460 But then I think very dangerously. 725 00:26:48,410 --> 00:26:50,539 Data protection authorities in cahoots 726 00:26:50,540 --> 00:26:52,759 with the big cloud providers 727 00:26:52,760 --> 00:26:55,519 thought it would be a very good idea 728 00:26:55,520 --> 00:26:57,259 to extend this idea of binding corporate 729 00:26:57,260 --> 00:26:59,659 rules to so-called data processors, 730 00:26:59,660 --> 00:27:01,819 data processors being entities which 731 00:27:01,820 --> 00:27:04,129 supposedly have no 732 00:27:04,130 --> 00:27:06,379 decision taking power over the data 733 00:27:06,380 --> 00:27:08,089 they process. They're really just acting 734 00:27:08,090 --> 00:27:10,160 on instructions from data controllers.
735 00:27:11,360 --> 00:27:13,219 So somebody and I've got a shrewd idea 736 00:27:13,220 --> 00:27:15,169 who it is, had the brilliant idea. 737 00:27:15,170 --> 00:27:17,509 Well, let's adapt this old fashioned BCR 738 00:27:17,510 --> 00:27:19,759 idea for fairly tame purposes 739 00:27:19,760 --> 00:27:20,760 to cloud computing. 740 00:27:21,920 --> 00:27:23,869 And then we've got a template which can 741 00:27:23,870 --> 00:27:25,729 basically be the primary vehicle for 742 00:27:25,730 --> 00:27:28,189 legitimating cloud computing 743 00:27:28,190 --> 00:27:29,190 in European terms. 744 00:27:30,810 --> 00:27:32,759 So the rough idea is Microsoft, Google or 745 00:27:32,760 --> 00:27:35,309 whoever gets the 746 00:27:35,310 --> 00:27:37,409 BCRs certified 747 00:27:37,410 --> 00:27:39,389 once they are certified and the new 748 00:27:39,390 --> 00:27:41,489 regulation, the Data Protection Authority 749 00:27:41,490 --> 00:27:42,869 must accept them. They wouldn't have any 750 00:27:42,870 --> 00:27:44,579 discretion as they do today. 751 00:27:44,580 --> 00:27:46,709 And then data can be transferred into 752 00:27:46,710 --> 00:27:49,469 particularly US control clouds. 753 00:27:49,470 --> 00:27:50,699 And then all questions of mass 754 00:27:50,700 --> 00:27:53,249 surveillance just disappear into 755 00:27:53,250 --> 00:27:55,529 what I call a puff of audit, 756 00:27:55,530 --> 00:27:57,899 because Article 757 00:27:57,900 --> 00:27:59,699 29 Working Party, the Committee of 758 00:27:59,700 --> 00:28:01,229 European Data Protection authorities were 759 00:28:01,230 --> 00:28:03,359 so naive that they imagined that 760 00:28:03,360 --> 00:28:06,359 somehow a private security auditor, 761 00:28:06,360 --> 00:28:07,919 if they were inspecting a data center and 762 00:28:07,920 --> 00:28:10,469 they noticed room 641A 763 00:28:10,470 --> 00:28:12,249 and they said, oh, what's behind that? 764 00:28:12,250 --> 00:28:13,919 Can I have a look in there?
765 00:28:13,920 --> 00:28:15,209 And they've been told, no, of course you 766 00:28:15,210 --> 00:28:16,829 can't. In fact, it's classified 767 00:28:16,830 --> 00:28:19,109 information that you even notice that 768 00:28:19,110 --> 00:28:20,549 if you tell anyone about that, you'll go 769 00:28:20,550 --> 00:28:21,550 to jail for espionage. 770 00:28:22,770 --> 00:28:24,179 Well, data protection authorities were so 771 00:28:24,180 --> 00:28:25,919 naive that they thought somehow a private 772 00:28:25,920 --> 00:28:28,289 security audit could detect 773 00:28:28,290 --> 00:28:30,900 these risks of foreign mass surveillance. 774 00:28:33,200 --> 00:28:35,719 So this diagram is supposed to show 775 00:28:35,720 --> 00:28:37,400 the sort of risk matrix 776 00:28:38,780 --> 00:28:40,879 of EU data sovereignty, 777 00:28:40,880 --> 00:28:43,129 and on the left you've got 778 00:28:43,130 --> 00:28:45,229 three kinds of information 779 00:28:45,230 --> 00:28:47,209 criminal law enforcement, which probably 780 00:28:47,210 --> 00:28:49,429 should include most terrorism cases, 781 00:28:49,430 --> 00:28:51,739 sort of bona fide national security, 782 00:28:51,740 --> 00:28:53,569 which in European terms we think of as 783 00:28:53,570 --> 00:28:55,510 being the vital interests of the states 784 00:28:56,540 --> 00:28:58,669 and then essentially foreign policy 785 00:28:58,670 --> 00:29:00,859 and political spying for 786 00:29:00,860 --> 00:29:01,940 national advantage. 787 00:29:03,260 --> 00:29:05,599 And then in terms of the columns, 788 00:29:05,600 --> 00:29:07,669 you have intra EU transfers and then 789 00:29:07,670 --> 00:29:09,769 EU data in the US. 790 00:29:09,770 --> 00:29:12,019 So the red zone is not covered 791 00:29:12,020 --> 00:29:13,909 by the Fourth Amendment. 792 00:29:13,910 --> 00:29:16,759 It's not covered by EU data protection. 
793 00:29:16,760 --> 00:29:18,709 It's not covered by Council of Europe 794 00:29:18,710 --> 00:29:20,749 Convention 108, certainly not 795 00:29:20,750 --> 00:29:22,759 covered by the cybercrime treaty. 796 00:29:22,760 --> 00:29:24,469 And of course, it's not covered by the 797 00:29:24,470 --> 00:29:26,119 European Convention of Human Rights 798 00:29:26,120 --> 00:29:27,780 because the US doesn't recognize that. 799 00:29:28,970 --> 00:29:31,339 So all of this data for 15 or so years 800 00:29:31,340 --> 00:29:32,690 has been completely unprotected. 801 00:29:36,500 --> 00:29:37,829 Well, the story moves on, I'm going to 802 00:29:37,830 --> 00:29:38,930 have to accelerate a bit. 803 00:29:41,270 --> 00:29:43,669 In January, President 804 00:29:43,670 --> 00:29:45,889 Obama made a flagship speech to try 805 00:29:45,890 --> 00:29:48,019 and address these 806 00:29:48,020 --> 00:29:48,649 concerns. 807 00:29:48,650 --> 00:29:50,209 And, of course, he's in an impossible 808 00:29:50,210 --> 00:29:51,889 position because on the one hand, he has 809 00:29:51,890 --> 00:29:54,739 to assure the American people that 810 00:29:54,740 --> 00:29:56,899 FISA 702 in particular is no threat to 811 00:29:56,900 --> 00:29:58,639 Americans because it's designed to spy on 812 00:29:58,640 --> 00:29:59,640 foreigners. 813 00:30:00,180 --> 00:30:01,739 But then at the same time, he has to find 814 00:30:01,740 --> 00:30:03,029 some way of reassuring the rest of the 815 00:30:03,030 --> 00:30:04,030 world. 816 00:30:05,220 --> 00:30:07,289 So what he 817 00:30:07,290 --> 00:30:08,879 came up with was a very well written, 818 00:30:08,880 --> 00:30:10,679 very well crafted speech. 819 00:30:10,680 --> 00:30:12,959 But the meat beneath the speech was a new 820 00:30:12,960 --> 00:30:15,479 presidential policy directive, PPD 821 00:30:15,480 --> 00:30:16,480 28.
822 00:30:17,670 --> 00:30:20,309 And basically, 823 00:30:20,310 --> 00:30:22,949 there's a real gotcha 824 00:30:22,950 --> 00:30:23,969 of a footnote. 825 00:30:23,970 --> 00:30:26,369 So footnote nine says 826 00:30:26,370 --> 00:30:28,229 this directive is not intended to alter 827 00:30:28,230 --> 00:30:30,299 the rules applicable to US persons in 828 00:30:30,300 --> 00:30:31,519 executive order twelve three three 829 00:30:31,520 --> 00:30:33,629 three, which I have to mention 830 00:30:33,630 --> 00:30:36,629 the FISA or other applicable law. 831 00:30:36,630 --> 00:30:38,489 Just as a brief digression, executive 832 00:30:38,490 --> 00:30:39,809 order twelve three three three was 833 00:30:39,810 --> 00:30:41,879 created by Reagan. 834 00:30:41,880 --> 00:30:44,279 And essentially it is a policy directive 835 00:30:44,280 --> 00:30:46,469 which covers NSA 836 00:30:46,470 --> 00:30:48,659 activities, spying entirely 837 00:30:48,660 --> 00:30:49,739 outside the United States. 838 00:30:49,740 --> 00:30:51,029 When you're basically just spying on 839 00:30:51,030 --> 00:30:52,319 foreigners, there's no reason to believe 840 00:30:52,320 --> 00:30:53,699 Americans involved. 841 00:30:53,700 --> 00:30:56,309 You may have NSA agents infiltrating 842 00:30:56,310 --> 00:30:58,439 data centers in some foreign country. 843 00:30:58,440 --> 00:31:00,629 That's what EO twelve three three three 844 00:31:00,630 --> 00:31:02,079 is about. And it's policy. 845 00:31:02,080 --> 00:31:03,569 It's not law. 846 00:31:03,570 --> 00:31:04,529 And there's a reason for that. 847 00:31:04,530 --> 00:31:05,530 We'll come back to you.
848 00:31:06,660 --> 00:31:09,299 So in other words, in the small print, 849 00:31:09,300 --> 00:31:12,179 in the footnote, all of the reassurances 850 00:31:12,180 --> 00:31:14,369 in PPD twenty eight are basically 851 00:31:14,370 --> 00:31:15,629 worthless from the point of view of 852 00:31:15,630 --> 00:31:17,399 establishing any kind of equality of 853 00:31:17,400 --> 00:31:19,469 rights. There's still going to be 854 00:31:19,470 --> 00:31:21,659 discrimination by US nationality. 855 00:31:21,660 --> 00:31:23,729 If you're a US person, then 856 00:31:24,780 --> 00:31:26,189 a law enforcement authority would need a 857 00:31:26,190 --> 00:31:29,309 particular justified FISC warrant 858 00:31:29,310 --> 00:31:31,949 to that higher legal standard necessity. 859 00:31:31,950 --> 00:31:34,079 And if you're not a US person, basically 860 00:31:34,080 --> 00:31:35,849 the NSA just adds your selectors to a 861 00:31:35,850 --> 00:31:36,850 list. 862 00:31:40,740 --> 00:31:42,359 Then we had a report from the so-called 863 00:31:42,360 --> 00:31:43,949 Privacy and Civil Liberties Oversight 864 00:31:43,950 --> 00:31:46,529 Board, which essentially has no mandate 865 00:31:46,530 --> 00:31:48,629 to look out for the interests of non- 866 00:31:48,630 --> 00:31:50,039 Americans at all. 867 00:31:50,040 --> 00:31:51,659 Their analysis of the situation about 868 00:31:51,660 --> 00:31:55,229 Americans occupied five pages out of 196. 869 00:31:55,230 --> 00:31:57,329 And frankly, I think it's misleading 870 00:31:57,330 --> 00:31:59,519 tautologies, credulous junk.
871 00:32:01,710 --> 00:32:03,329 And there has been a vast amount of 872 00:32:03,330 --> 00:32:05,489 declassification since, not 873 00:32:05,490 --> 00:32:06,779 all of which I've analyzed, but 874 00:32:07,800 --> 00:32:10,109 basically there is this tendency 875 00:32:10,110 --> 00:32:11,699 that a lot of the stuff that is redacted, 876 00:32:11,700 --> 00:32:13,799 you can tell from the context, the stuff 877 00:32:13,800 --> 00:32:16,019 that's redacted is about the situation 878 00:32:16,020 --> 00:32:17,020 of non-Americans. 879 00:32:19,350 --> 00:32:21,059 So who did I warn exactly? 880 00:32:22,800 --> 00:32:24,779 Actually, I first got an opportunity to 881 00:32:24,780 --> 00:32:26,909 try and get some interest from the Open 882 00:32:26,910 --> 00:32:28,799 Society Foundation way back in January 883 00:32:28,800 --> 00:32:31,979 11th, and I explained 884 00:32:31,980 --> 00:32:34,289 to that committee, not to Soros in person, 885 00:32:35,610 --> 00:32:37,919 what the school was made quite an impact 886 00:32:37,920 --> 00:32:40,169 on them, but they didn't do anything. 887 00:32:40,170 --> 00:32:42,689 They said they only fund existing NGOs 888 00:32:42,690 --> 00:32:43,859 and they've done nothing. 889 00:32:43,860 --> 00:32:45,959 In fact, Soros has done nothing about 890 00:32:47,100 --> 00:32:49,169 surveillance issues in Western Europe in 891 00:32:49,170 --> 00:32:51,389 the entire time Open Society 892 00:32:51,390 --> 00:32:53,789 Foundation has been operating. 893 00:32:53,790 --> 00:32:55,619 If anybody doubts that, I saw Soros in 894 00:32:55,620 --> 00:32:57,809 person in March at 895 00:32:57,810 --> 00:32:59,639 a conference I attended and he didn't 896 00:32:59,640 --> 00:33:00,640 deny it.
897 00:33:02,370 --> 00:33:04,139 I also warned Privacy International in 898 00:33:04,140 --> 00:33:06,299 June, they said they had no 899 00:33:06,300 --> 00:33:08,759 resources and I tried again in October 900 00:33:08,760 --> 00:33:10,439 and still no interest in Privacy 901 00:33:10,440 --> 00:33:11,819 International. 902 00:33:11,820 --> 00:33:13,349 And that pains me, particularly since 903 00:33:13,350 --> 00:33:14,339 I've known the guys in Privacy 904 00:33:14,340 --> 00:33:15,869 International and worked with them for 15 905 00:33:15,870 --> 00:33:18,599 years. And I'm genuinely baffled 906 00:33:18,600 --> 00:33:20,609 by what's happened to Privacy 907 00:33:20,610 --> 00:33:21,610 International recently. 908 00:33:23,340 --> 00:33:25,529 I also in September, when 909 00:33:25,530 --> 00:33:26,789 I actually left Microsoft, 910 00:33:28,350 --> 00:33:30,599 warned EDRi and 911 00:33:30,600 --> 00:33:33,239 DG Justice at Cabinet level 912 00:33:33,240 --> 00:33:34,680 the Polish Data Protection Authority, 913 00:33:38,370 --> 00:33:40,499 who did nothing and basically 914 00:33:40,500 --> 00:33:42,569 put one footnote of my slide. 915 00:33:42,570 --> 00:33:44,669 I showed him in an academic article 916 00:33:44,670 --> 00:33:45,869 he wrote. 917 00:33:45,870 --> 00:33:48,269 He, of course, has now become the deputy 918 00:33:48,270 --> 00:33:50,349 new European data protection supervisor. 919 00:33:53,100 --> 00:33:55,169 The Greens were very helpful and I 920 00:33:55,170 --> 00:33:57,089 have nothing but praise for particularly 921 00:33:57,090 --> 00:33:59,159 Ralf Bendrath and Jan 922 00:33:59,160 --> 00:34:01,889 Albrecht. And they are straight shooters 923 00:34:01,890 --> 00:34:03,659 and I'm very grateful for the help they 924 00:34:03,660 --> 00:34:04,660 give me.
925 00:34:05,910 --> 00:34:06,930 In September 926 00:34:08,100 --> 00:34:09,988 2012, I had an opportunity to make a 927 00:34:09,989 --> 00:34:12,509 speech at the European Academy of Law 928 00:34:12,510 --> 00:34:14,579 where Peter Hustinx 929 00:34:14,580 --> 00:34:15,749 was there. 930 00:34:15,750 --> 00:34:17,849 His deputy, now EDPS 931 00:34:17,850 --> 00:34:20,579 Giovanni Buttarelli, representatives 932 00:34:20,580 --> 00:34:22,079 from the EU Council, 933 00:34:23,219 --> 00:34:24,658 the person in charge of the international 934 00:34:24,659 --> 00:34:26,698 transfer section from the CNIL and 935 00:34:26,699 --> 00:34:29,549 therefore de facto Article 29. 936 00:34:29,550 --> 00:34:31,229 And I basically explained all of this in 937 00:34:31,230 --> 00:34:33,509 54 slides with a great deal more legal 938 00:34:33,510 --> 00:34:35,069 analysis. 939 00:34:35,070 --> 00:34:37,408 Again, stunned silence, but total 940 00:34:37,409 --> 00:34:38,409 inaction. 941 00:34:40,070 --> 00:34:42,408 At a different conference, I made ENISA 942 00:34:42,409 --> 00:34:44,599 aware of all this and then had some 943 00:34:44,600 --> 00:34:46,759 correspondence with the head of ENISA 944 00:34:46,760 --> 00:34:49,309 who basically said they had no mandate 945 00:34:49,310 --> 00:34:51,678 to act, that this is all excluded 946 00:34:51,679 --> 00:34:53,448 from their mandate by national security 947 00:34:53,449 --> 00:34:54,678 exemptions. 948 00:34:54,679 --> 00:34:56,959 But then, of course, after Snowden, 949 00:34:56,960 --> 00:34:58,129 it was deemed to be politically 950 00:34:58,130 --> 00:35:00,259 impossible for ENISA to say 951 00:35:00,260 --> 00:35:02,569 that.
So ENISA concocted 952 00:35:02,570 --> 00:35:04,789 really rather a bogus and 953 00:35:04,790 --> 00:35:07,549 meretricious document, sort of implying 954 00:35:07,550 --> 00:35:08,959 that they had factored in these sort of 955 00:35:08,960 --> 00:35:10,519 risks to their pre Snowden cloud 956 00:35:10,520 --> 00:35:12,229 analysis. And that's totally untrue. 957 00:35:13,850 --> 00:35:15,889 I had an opportunity to make a speech to 958 00:35:15,890 --> 00:35:17,329 the European Parliament's 959 00:35:17,330 --> 00:35:19,609 Interparliamentary Forum for Civil 960 00:35:19,610 --> 00:35:22,369 Liberties in October 2012 961 00:35:22,370 --> 00:35:25,219 again, stunned silence, the Portuguese DPA 962 00:35:25,220 --> 00:35:26,539 put up their hand and said, Can we have 963 00:35:26,540 --> 00:35:28,009 some details, please? 964 00:35:28,010 --> 00:35:29,569 And then I tried to get in contact with 965 00:35:29,570 --> 00:35:31,429 the podium with the Portuguese DPA, 966 00:35:32,450 --> 00:35:33,450 no response. 967 00:35:34,280 --> 00:35:36,379 And then back 968 00:35:36,380 --> 00:35:37,800 in February 13. 969 00:35:39,110 --> 00:35:41,239 That was when I made the presentation of 970 00:35:41,240 --> 00:35:43,099 the European Parliament report that I 971 00:35:43,100 --> 00:35:45,289 mentioned before in September. 972 00:35:45,290 --> 00:35:46,819 And that did make an impact. 973 00:35:46,820 --> 00:35:48,589 And immediately afterwards, the LIBE 974 00:35:48,590 --> 00:35:49,879 Committee asked me to draft some 975 00:35:49,880 --> 00:35:52,069 amendments for the new data 976 00:35:52,070 --> 00:35:54,349 protection regulation, but I'm afraid 977 00:35:54,350 --> 00:35:56,419 they were mostly ignored or 978 00:35:56,420 --> 00:35:57,420 diluted. 979 00:35:58,100 --> 00:35:59,810 And then just before Snowden in May, 980 00:36:01,010 --> 00:36:03,229 DG Connect in charge of cloud policy. 981 00:36:03,230 --> 00:36:04,909 I've been beating them up as well.
982 00:36:04,910 --> 00:36:06,979 They finally organized a forum at 983 00:36:06,980 --> 00:36:08,629 the offices of Digital Europe. 984 00:36:08,630 --> 00:36:10,789 Digital Europe are essentially the trade 985 00:36:10,790 --> 00:36:13,759 association for electronics 986 00:36:13,760 --> 00:36:16,129 and software companies, largely dominated 987 00:36:16,130 --> 00:36:18,199 by US and UK companies. 988 00:36:18,200 --> 00:36:20,029 And basically DG Connect said, well, 989 00:36:20,030 --> 00:36:20,959 Caspar, we're not going to think about 990 00:36:20,960 --> 00:36:22,489 this. But look, if you can convince those 991 00:36:22,490 --> 00:36:24,679 hard nosed bastards at Digital Europe, 992 00:36:24,680 --> 00:36:25,789 then we'll take you seriously. 993 00:36:27,230 --> 00:36:29,359 And basically they laughed at me 994 00:36:29,360 --> 00:36:30,360 just before Snowden. 995 00:36:32,320 --> 00:36:34,389 So what has been the EU 996 00:36:34,390 --> 00:36:36,429 Commission's cloud policy up to date? 997 00:36:37,660 --> 00:36:39,579 It was run by Neelie Kroes out of DG 998 00:36:39,580 --> 00:36:41,949 Connect and the 999 00:36:41,950 --> 00:36:44,139 official EU policy document 1000 00:36:44,140 --> 00:36:46,539 published around 2012 essentially 1001 00:36:46,540 --> 00:36:48,489 rejected the idea of trying to make any 1002 00:36:48,490 --> 00:36:50,589 pan-European cloud, 1003 00:36:50,590 --> 00:36:52,989 which was sort of safe because 1004 00:36:52,990 --> 00:36:54,369 there was no enthusiasm from member 1005 00:36:54,370 --> 00:36:56,169 states. Basically, the member states 1006 00:36:56,170 --> 00:36:58,449 didn't really trust each other any more 1007 00:36:58,450 --> 00:37:00,459 than the US, and that sort of collapsed 1008 00:37:00,460 --> 00:37:02,619 the idea to the extent it was ever 1009 00:37:02,620 --> 00:37:04,059 seriously considered.
1010 00:37:04,060 --> 00:37:06,669 There was a steering board composed 1011 00:37:06,670 --> 00:37:07,840 of industry bigwigs 1012 00:37:08,860 --> 00:37:11,589 and then various 1013 00:37:11,590 --> 00:37:13,509 bits of candyfloss about trusted cloud 1014 00:37:13,510 --> 00:37:14,530 Europe, yada, yada. 1015 00:37:15,760 --> 00:37:17,859 And then a new after Snowden 1016 00:37:17,860 --> 00:37:19,989 and a new group was 1017 00:37:19,990 --> 00:37:21,939 set up to try and streamline cloud 1018 00:37:21,940 --> 00:37:23,589 contracts and actually joined that for a 1019 00:37:23,590 --> 00:37:25,659 while until I realized that there was 1020 00:37:25,660 --> 00:37:27,639 no interest whatsoever in drafting 1021 00:37:27,640 --> 00:37:29,049 anything which would make surveillance 1022 00:37:29,050 --> 00:37:32,049 harder or build in sort of deterrents. 1023 00:37:32,050 --> 00:37:33,969 That just wasn't the agenda at all. 1024 00:37:33,970 --> 00:37:36,429 It was simply about making 1025 00:37:36,430 --> 00:37:38,319 essentially cloud less treacherous from a 1026 00:37:38,320 --> 00:37:39,579 contractual point of view, which is 1027 00:37:39,580 --> 00:37:40,959 useful work, but nothing to do with 1028 00:37:40,960 --> 00:37:42,819 stopping surveillance. 1029 00:37:42,820 --> 00:37:44,709 A particularly pernicious idea is if you 1030 00:37:44,710 --> 00:37:45,710 have a 1031 00:37:46,840 --> 00:37:48,999 cloud contract with a provider, then 1032 00:37:49,000 --> 00:37:50,979 that provider should be able to basically 1033 00:37:50,980 --> 00:37:53,169 subcontract what they've contracted with 1034 00:37:53,170 --> 00:37:55,479 you, sort of recursively so 1035 00:37:55,480 --> 00:37:57,189 you can glue on a sub provider and a 1036 00:37:57,190 --> 00:37:58,839 provider as a provider onto that, which 1037 00:37:58,840 --> 00:38:00,489 could, of course, be in different countries.
1038 00:38:00,490 --> 00:38:02,529 So you would have absolutely no idea 1039 00:38:02,530 --> 00:38:04,749 where the data was flowing. 1040 00:38:04,750 --> 00:38:06,939 And Article 1041 00:38:06,940 --> 00:38:08,799 29, the data protection authorities were 1042 00:38:08,800 --> 00:38:10,389 pushing this idea. 1043 00:38:10,390 --> 00:38:11,829 And I sharply criticized that. 1044 00:38:11,830 --> 00:38:13,119 And they said, look, Caspar, you don't 1045 00:38:13,120 --> 00:38:15,639 understand. Our job is not to stop 1046 00:38:15,640 --> 00:38:16,899 any kind of processing. 1047 00:38:16,900 --> 00:38:19,449 Our job is to find a legal basis 1048 00:38:19,450 --> 00:38:20,560 to allow it to happen. 1049 00:38:21,580 --> 00:38:23,679 And that is the mentality still 1050 00:38:23,680 --> 00:38:25,809 in the core part of 1051 00:38:25,810 --> 00:38:28,029 the European data protection authorities. 1052 00:38:28,030 --> 00:38:29,859 So really, there has been no substantive 1053 00:38:29,860 --> 00:38:31,209 change whatsoever 1054 00:38:32,380 --> 00:38:34,489 in EU policy since Snowden. 1055 00:38:35,950 --> 00:38:38,409 But when you listen to the speeches, 1056 00:38:38,410 --> 00:38:40,329 certainly before the new commission of 1057 00:38:40,330 --> 00:38:42,249 Neelie Kroes and Viviane Reding, you 1058 00:38:42,250 --> 00:38:43,659 would hear it is vital that we get a 1059 00:38:43,660 --> 00:38:45,819 strong new data protection regulation so 1060 00:38:45,820 --> 00:38:47,079 that we can deal with all of this 1061 00:38:47,080 --> 00:38:49,329 surveillance stuff, which 1062 00:38:49,330 --> 00:38:50,889 is completely false. 1063 00:38:53,120 --> 00:38:54,139 What did parliament do?
1064 00:38:56,780 --> 00:38:58,879 Well, after they 1065 00:38:58,880 --> 00:39:00,079 asked me for some amendments 1066 00:39:02,420 --> 00:39:04,159 when Snowden happened, the parliament 1067 00:39:04,160 --> 00:39:06,379 phoned me up and said, Kasper, 1068 00:39:06,380 --> 00:39:07,380 it's all true. 1069 00:39:08,510 --> 00:39:10,189 Would you like to write the briefing note 1070 00:39:10,190 --> 00:39:11,719 for the official European Parliament 1071 00:39:11,720 --> 00:39:13,069 inquiry, which I did. 1072 00:39:13,070 --> 00:39:14,249 And there's a reference to that on the 1073 00:39:14,250 --> 00:39:15,469 back of the slide deck. And if you want 1074 00:39:15,470 --> 00:39:18,139 to read one thing about all of this, 1075 00:39:18,140 --> 00:39:20,899 then I'd encourage you to read that 1076 00:39:20,900 --> 00:39:22,729 it's only 30 pages, but I think it's one 1077 00:39:22,730 --> 00:39:24,169 of the best pieces of work I've done. 1078 00:39:25,400 --> 00:39:27,439 So after Snowden, basically the Labor 1079 00:39:27,440 --> 00:39:28,699 Committee, the Civil Liberties Committee 1080 00:39:28,700 --> 00:39:31,739 went into a sort of purdah a lockdown. 1081 00:39:31,740 --> 00:39:33,889 There was one particular politician 1082 00:39:33,890 --> 00:39:35,869 who insisted on this, Baroness Ludford of 1083 00:39:35,870 --> 00:39:38,569 the Liberal Democrats, who marvelously 1084 00:39:38,570 --> 00:39:40,789 lost her seat at the last election. 1085 00:39:40,790 --> 00:39:41,839 So we don't have to worry about her 1086 00:39:41,840 --> 00:39:44,029 anymore, not 1087 00:39:44,030 --> 00:39:45,379 unfortunately, on these accounts, but 1088 00:39:45,380 --> 00:39:46,339 just the luck of the draw. And the 1089 00:39:46,340 --> 00:39:47,569 liberals are so unpopular. 
1090 00:39:47,570 --> 00:39:49,789 But anyway, for for 1091 00:39:49,790 --> 00:39:50,779 reasons which are too politically 1092 00:39:50,780 --> 00:39:52,669 complicated going to now essentially 1093 00:39:52,670 --> 00:39:55,069 labor cut itself off from all advice, 1094 00:39:55,070 --> 00:39:57,169 any interchange, really, with 1095 00:39:57,170 --> 00:39:58,639 what they were cooking up, the sort of 1096 00:39:58,640 --> 00:39:59,539 compromise they're cooking up. 1097 00:39:59,540 --> 00:40:02,359 And so what emerged out of this purdah 1098 00:40:02,360 --> 00:40:04,539 was so-called Article 43 1099 00:40:04,540 --> 00:40:06,619 eight. And this is a restoration 1100 00:40:06,620 --> 00:40:08,749 of a clause which was lost from 1101 00:40:08,750 --> 00:40:10,759 a penultimate draft of a draft, was 1102 00:40:10,760 --> 00:40:12,859 actually published by the commission in 1103 00:40:12,860 --> 00:40:14,299 2012. 1104 00:40:14,300 --> 00:40:16,699 And what it said is that in the case 1105 00:40:16,700 --> 00:40:19,249 where you put some data in the cloud 1106 00:40:19,250 --> 00:40:21,199 and then the US, for example, law 1107 00:40:21,200 --> 00:40:23,179 enforcement wants to get direct access 1108 00:40:23,180 --> 00:40:26,059 from that cloud provider, well, 1109 00:40:26,060 --> 00:40:28,669 the cloud provider has got to tell 1110 00:40:28,670 --> 00:40:30,379 and get permission from the data 1111 00:40:30,380 --> 00:40:33,019 protection authority to do that. 1112 00:40:33,020 --> 00:40:34,699 So it sets up a deliberate conflict of 1113 00:40:34,700 --> 00:40:37,129 law because you remember, 1114 00:40:37,130 --> 00:40:39,289 if somebody had done that in 1115 00:40:39,290 --> 00:40:40,729 respect to the FISA law, they would have 1116 00:40:40,730 --> 00:40:42,379 been in contempt of the court and 1117 00:40:42,380 --> 00:40:44,509 possibly endangering themselves 1118 00:40:44,510 --> 00:40:46,249 under the Espionage Act. 
1119 00:40:46,250 --> 00:40:47,959 So that's putting the companies in a 1120 00:40:47,960 --> 00:40:51,019 terrible, terrible squeeze, except, 1121 00:40:51,020 --> 00:40:52,489 well, think about it. On the one hand, 1122 00:40:52,490 --> 00:40:55,189 you've got contempt of the court, 1123 00:40:55,190 --> 00:40:57,259 very, very powerful court in the 1124 00:40:57,260 --> 00:40:59,989 US and potentially espionage charges. 1125 00:40:59,990 --> 00:41:02,149 On the other hand, you've got fines 1126 00:41:02,150 --> 00:41:04,189 and a very long, dubious process of 1127 00:41:04,190 --> 00:41:06,139 enforcement by very ponderous European 1128 00:41:06,140 --> 00:41:07,939 data protection authorities. 1129 00:41:07,940 --> 00:41:09,439 The fines might get quite big, but then 1130 00:41:09,440 --> 00:41:10,969 again, they might not. 1131 00:41:10,970 --> 00:41:12,140 So which are you going to choose? 1132 00:41:13,640 --> 00:41:15,159 So it's not a credible deterrent. 1133 00:41:16,380 --> 00:41:18,329 And that was a key part of the advice and 1134 00:41:18,330 --> 00:41:19,379 amendments that I drafted for the 1135 00:41:19,380 --> 00:41:21,179 parliament, but they wouldn't go for it. 1136 00:41:23,010 --> 00:41:24,329 One good thing the parliament did do is 1137 00:41:24,330 --> 00:41:26,309 they removed these because processes. 1138 00:41:26,310 --> 00:41:27,989 But it's likely the commission and the 1139 00:41:27,990 --> 00:41:29,909 council and Article 29, because it's 1140 00:41:29,910 --> 00:41:31,649 their sort of baby, will want them put 1141 00:41:31,650 --> 00:41:32,650 back. 1142 00:41:34,040 --> 00:41:35,629 Well, this is a bit outside the scope of 1143 00:41:35,630 --> 00:41:37,729 the talk, but I want to say that 1144 00:41:37,730 --> 00:41:39,829 there's a lot wrong apart from 1145 00:41:39,830 --> 00:41:41,269 this. 
With the new data protection 1146 00:41:41,270 --> 00:41:43,039 regulation, I've reluctantly come to the 1147 00:41:43,040 --> 00:41:45,139 view from having thought 1148 00:41:45,140 --> 00:41:46,850 and it was motherhood and apple pie 1149 00:41:47,990 --> 00:41:49,699 that this is going to be a curse on 1150 00:41:49,700 --> 00:41:51,229 personal freedom. This is going to be an 1151 00:41:51,230 --> 00:41:52,939 irreversible bureaucratization of 1152 00:41:52,940 --> 00:41:53,940 everyday life. 1153 00:41:54,800 --> 00:41:56,839 I probably will start going through all 1154 00:41:56,840 --> 00:41:58,459 the things which are wrong here except 1155 00:41:58,460 --> 00:42:00,889 just maybe the penultimate point 1156 00:42:00,890 --> 00:42:02,959 in the new regulation, which is 1157 00:42:02,960 --> 00:42:05,809 going on four times 1158 00:42:05,810 --> 00:42:08,149 as much text as the original directive. 1159 00:42:09,170 --> 00:42:11,419 There are 450 references to this term 1160 00:42:11,420 --> 00:42:12,649 of art processing. 1161 00:42:12,650 --> 00:42:15,499 Processing can mean computing with data 1162 00:42:15,500 --> 00:42:16,500 or storing the data. 1163 00:42:18,100 --> 00:42:20,199 But as we now know, but they didn't 1164 00:42:20,200 --> 00:42:22,329 know in 1981 when somebody had the bright 1165 00:42:22,330 --> 00:42:24,879 idea to manage these two ideas together. 1166 00:42:24,880 --> 00:42:26,869 We now know that you can protect store 1167 00:42:26,870 --> 00:42:28,419 data with encryption, but you can't 1168 00:42:28,420 --> 00:42:30,569 protect computer data with encryption. 1169 00:42:31,600 --> 00:42:33,999 So this entire regulation is built 1170 00:42:34,000 --> 00:42:35,409 on conceptual sand. 
1171 00:42:35,410 --> 00:42:38,499 Each of these 450 references 1172 00:42:38,500 --> 00:42:40,779 is inherently ambiguous, 1173 00:42:40,780 --> 00:42:42,969 but it is conflating two completely 1174 00:42:42,970 --> 00:42:45,459 incommensurable information security 1175 00:42:45,460 --> 00:42:47,409 situations, one of which which is 1176 00:42:47,410 --> 00:42:49,029 tractable with technology and the other 1177 00:42:49,030 --> 00:42:50,110 which is not. 1178 00:42:51,340 --> 00:42:53,380 That's how messed up it is conceptually, 1179 00:42:56,260 --> 00:42:58,779 so to come right up to Deetz, 1180 00:42:58,780 --> 00:43:00,909 Article 29 Working Party came 1181 00:43:00,910 --> 00:43:03,729 out just this month with their 1182 00:43:03,730 --> 00:43:06,549 opinion, 51 page opinion on 1183 00:43:06,550 --> 00:43:08,020 the whole surveillance thing, 1184 00:43:09,220 --> 00:43:10,779 expanding from a shorter opinion they 1185 00:43:10,780 --> 00:43:12,609 published last year. 1186 00:43:12,610 --> 00:43:14,709 Um, it's a very muddy piece of 1187 00:43:14,710 --> 00:43:15,969 work. 1188 00:43:15,970 --> 00:43:18,069 It's really a long letter 1189 00:43:18,070 --> 00:43:20,139 of self exploitation by why 1190 00:43:20,140 --> 00:43:21,759 they couldn't reasonably be expected to 1191 00:43:21,760 --> 00:43:24,219 do anything about this to date. 1192 00:43:24,220 --> 00:43:26,799 But they do make some interesting, 1193 00:43:26,800 --> 00:43:28,419 definitive statements. 1194 00:43:28,420 --> 00:43:30,249 The exemption in the EU treaties offers 1195 00:43:30,250 --> 00:43:32,079 no possibility to invoke the national 1196 00:43:32,080 --> 00:43:34,419 security of a third country alone 1197 00:43:34,420 --> 00:43:36,039 in order to avoid the applicability of EU 1198 00:43:36,040 --> 00:43:37,149 law. 
1199 00:43:37,150 --> 00:43:39,219 And this is a sort of rebuff to 1200 00:43:39,220 --> 00:43:41,679 the carve out in the EU treaties 1201 00:43:41,680 --> 00:43:42,999 for national security. 1202 00:43:43,000 --> 00:43:44,919 But of course, that is the national 1203 00:43:44,920 --> 00:43:46,809 security of member states, not of a third 1204 00:43:46,810 --> 00:43:47,810 country. 1205 00:43:48,730 --> 00:43:51,159 And DPAs may suspend 1206 00:43:51,160 --> 00:43:53,589 data flows on their existing 1207 00:43:53,590 --> 00:43:55,929 powers, particularly in Germany, 1208 00:43:55,930 --> 00:43:58,029 hint, hint that they haven't 1209 00:43:58,030 --> 00:43:59,030 done so so far. 1210 00:44:00,100 --> 00:44:01,569 And they're also awaiting the outcome of 1211 00:44:01,570 --> 00:44:02,979 the Max Schrems case, which we haven't 1212 00:44:02,980 --> 00:44:04,209 got time to talk about now. 1213 00:44:05,410 --> 00:44:07,659 But they also say that Article 43, 1214 00:44:08,780 --> 00:44:10,269 there's conflict of law. 1215 00:44:10,270 --> 00:44:12,399 The commission's idea now 1216 00:44:12,400 --> 00:44:15,129 put back by the parliament 1217 00:44:15,130 --> 00:44:17,169 after being lobbied away just before the 1218 00:44:17,170 --> 00:44:18,999 publication of the original regulation. 1219 00:44:20,020 --> 00:44:21,879 They don't like it. They say it may be a 1220 00:44:21,880 --> 00:44:23,229 step in the right direction, but it's not 1221 00:44:23,230 --> 00:44:25,469 going to be the solution to all problems. 1222 00:44:26,500 --> 00:44:29,499 But here's the bombshell 1223 00:44:29,500 --> 00:44:31,389 right at the bottom. 1224 00:44:31,390 --> 00:44:32,489 And it's not obvious, 1225 00:44:33,640 --> 00:44:35,739 they say, that if there 1226 00:44:35,740 --> 00:44:37,899 is any such Article 43, they don't want 1227 00:44:37,900 --> 00:44:38,900 the job. 
1228 00:44:39,400 --> 00:44:40,749 Basically, it would be the interior 1229 00:44:40,750 --> 00:44:42,999 ministry of each country which would take 1230 00:44:43,000 --> 00:44:44,709 that decision whether to approve or deny 1231 00:44:44,710 --> 00:44:46,989 the transfer, not 1232 00:44:46,990 --> 00:44:48,549 the independent data protection 1233 00:44:48,550 --> 00:44:49,550 authority. 1234 00:44:50,720 --> 00:44:51,709 They don't want the job. 1235 00:44:51,710 --> 00:44:53,179 In other words, within the sort of 1236 00:44:53,180 --> 00:44:55,189 conclave, Article 29, they have failed to 1237 00:44:55,190 --> 00:44:57,289 reach any consensus that 1238 00:44:57,290 --> 00:44:58,669 this problem of foreign intelligence 1239 00:44:58,670 --> 00:44:59,959 surveillance is really anything that 1240 00:44:59,960 --> 00:45:01,340 should be done by them. 1241 00:45:02,450 --> 00:45:03,769 And they can maybe have a question or two 1242 00:45:03,770 --> 00:45:04,770 about that. 1243 00:45:06,200 --> 00:45:08,359 Article 29 also evades their 1244 00:45:08,360 --> 00:45:10,639 own responsibility for this mess. 1245 00:45:10,640 --> 00:45:12,739 Back in 2005, in one of 1246 00:45:12,740 --> 00:45:14,089 their working party documents dealing 1247 00:45:14,090 --> 00:45:16,219 with all of this, they said that 1248 00:45:16,220 --> 00:45:17,929 one of the reasons they were inventing 1249 00:45:17,930 --> 00:45:20,869 these BCR and contract structures 1250 00:45:20,870 --> 00:45:23,329 was so that transfers 1251 00:45:23,330 --> 00:45:25,789 they called repeated mass or structural, 1252 00:45:25,790 --> 00:45:27,259 which was their sort of code for this 1253 00:45:27,260 --> 00:45:29,399 sort of thing precisely because 1254 00:45:29,400 --> 00:45:31,039 of his importance, should somehow be 1255 00:45:31,040 --> 00:45:33,499 carried out within these legal frameworks 1256 00:45:33,500 --> 00:45:34,500 they were inventing. 
1257 00:45:35,640 --> 00:45:37,769 But nine years later, 1258 00:45:37,770 --> 00:45:39,359 they say exactly the opposite. 1259 00:45:39,360 --> 00:45:40,859 They say that these instruments, which 1260 00:45:40,860 --> 00:45:43,169 they invented, should 1261 00:45:43,170 --> 00:45:44,879 not be the basis for these massive 1262 00:45:44,880 --> 00:45:47,789 structural or repetitive transfers. 1263 00:45:47,790 --> 00:45:49,439 So in other words, Article 29 in the 1264 00:45:49,440 --> 00:45:51,509 Folley, they got this whole ball rolling 1265 00:45:51,510 --> 00:45:53,759 in the mid 2000s as if these preposterous 1266 00:45:53,760 --> 00:45:55,499 legal mechanisms could possibly contain 1267 00:45:55,500 --> 00:45:57,599 these risks and now they contradict 1268 00:45:57,600 --> 00:45:59,699 themselves and walk away without 1269 00:45:59,700 --> 00:46:00,989 acknowledging that absurdity. 1270 00:46:02,340 --> 00:46:03,509 They also don't mention the 1271 00:46:03,510 --> 00:46:05,699 discrimination by nationality in US law, 1272 00:46:05,700 --> 00:46:07,739 which I stressed, and in fact, in 150 1273 00:46:07,740 --> 00:46:09,929 opinions since 9/11, 1274 00:46:09,930 --> 00:46:11,579 they never even mentioned the concept of 1275 00:46:11,580 --> 00:46:13,230 foreign intelligence at all. 1276 00:46:15,780 --> 00:46:17,099 The other bits, I don't probably have 1277 00:46:17,100 --> 00:46:18,630 time to explain right now. 1278 00:46:21,920 --> 00:46:23,539 But what they did do at a big conference 1279 00:46:23,540 --> 00:46:24,540 the beginning of the month 1280 00:46:26,150 --> 00:46:28,579 is publish a political statement, 1281 00:46:28,580 --> 00:46:30,769 sort of 15 points of political belief, 1282 00:46:30,770 --> 00:46:32,239 which sound very right on. 1283 00:46:32,240 --> 00:46:33,499 They don't they are, in fact, the sort of 1284 00:46:33,500 --> 00:46:35,869 thing that privacy activists 1285 00:46:35,870 --> 00:46:37,609 do say and espouse. 
1286 00:46:39,200 --> 00:46:40,909 But really, this is a decoy. 1287 00:46:40,910 --> 00:46:43,339 This is a decoy to try and 1288 00:46:43,340 --> 00:46:44,569 distract attention from the fact that 1289 00:46:44,570 --> 00:46:46,669 they cannot achieve any solidarity among 1290 00:46:46,670 --> 00:46:48,349 themselves for deciding that they 1291 00:46:48,350 --> 00:46:50,809 actually have a responsibility to enforce 1292 00:46:50,810 --> 00:46:52,909 the existing law, 1293 00:46:52,910 --> 00:46:54,979 to shut down data flows, to 1294 00:46:54,980 --> 00:46:56,480 make the United States pay a price. 1295 00:46:58,280 --> 00:47:00,409 And the US is exceptionally expansionist. 1296 00:47:00,410 --> 00:47:02,209 If you look at references in surveillance 1297 00:47:02,210 --> 00:47:04,729 law to discrimination by citizenship 1298 00:47:04,730 --> 00:47:06,919 and nationality rather than the geography 1299 00:47:06,920 --> 00:47:09,139 of the communication path. 1300 00:47:09,140 --> 00:47:11,869 Well, there's about 40 in US law 1301 00:47:11,870 --> 00:47:13,339 counting up Pfizer and Hatriot and 1302 00:47:13,340 --> 00:47:15,619 Pfizer, the first and Fourth Amendment 1303 00:47:15,620 --> 00:47:16,999 special protections. 1304 00:47:17,000 --> 00:47:18,229 The U.K. has zero. 1305 00:47:18,230 --> 00:47:20,449 Surprisingly, Germany has 1306 00:47:20,450 --> 00:47:22,639 one, which is a profound embarrassment. 1307 00:47:22,640 --> 00:47:23,989 And I have got a question about that, 1308 00:47:23,990 --> 00:47:26,149 because in our 1309 00:47:26,150 --> 00:47:27,679 human rights are supposed to be equal. 1310 00:47:27,680 --> 00:47:30,259 But actually part of the German Jiten law 1311 00:47:30,260 --> 00:47:33,109 is very analogous to 702. 1312 00:47:33,110 --> 00:47:34,849 Canada has about to New Zealand, to 1313 00:47:34,850 --> 00:47:36,019 Australia, too. 
1314 00:47:36,020 --> 00:47:37,699 And I haven't been able to discover any 1315 00:47:37,700 --> 00:47:39,319 others at all. 1316 00:47:39,320 --> 00:47:40,699 But the US has 40. 1317 00:47:41,960 --> 00:47:43,100 So what have NGOs done 1318 00:47:44,600 --> 00:47:46,759 in Brazil that Mondiale 1319 00:47:46,760 --> 00:47:47,959 in Istanbul IGF? 1320 00:47:49,250 --> 00:47:51,529 Nobody said one word 1321 00:47:51,530 --> 00:47:53,599 about discrimination by nationality. 1322 00:47:53,600 --> 00:47:55,849 I was tweeting like crazy kind of kicking 1323 00:47:55,850 --> 00:47:57,349 their shins. 1324 00:47:57,350 --> 00:47:59,629 The subject was never even raised 1325 00:47:59,630 --> 00:48:00,630 by anybody. 1326 00:48:01,910 --> 00:48:04,339 CTT, ACLU, EFF have done very little 1327 00:48:04,340 --> 00:48:05,569 on nonusers person rights. 1328 00:48:05,570 --> 00:48:06,589 I'm sure there are people here will 1329 00:48:06,590 --> 00:48:07,759 quarrel with you about that. 1330 00:48:07,760 --> 00:48:09,859 Access has done more than most, 1331 00:48:09,860 --> 00:48:12,379 Epic said not one word about 1332 00:48:12,380 --> 00:48:13,279 you. 1333 00:48:13,280 --> 00:48:15,349 In eight years of visiting the EU and 1334 00:48:15,350 --> 00:48:16,849 helping us with our privacy problems, 1335 00:48:18,290 --> 00:48:20,119 Edri has done nothing before or after 1336 00:48:20,120 --> 00:48:21,379 Snowden. 1337 00:48:21,380 --> 00:48:22,909 And I've mentioned Privacy International 1338 00:48:22,910 --> 00:48:23,910 already. 1339 00:48:26,410 --> 00:48:28,509 Is a real treaty with the US even 1340 00:48:28,510 --> 00:48:30,039 possible, supposing we got the sort of 1341 00:48:30,040 --> 00:48:32,169 guarantees that we would like to have the 1342 00:48:32,170 --> 00:48:34,569 criminalization of data protection 1343 00:48:34,570 --> 00:48:36,849 offenses? 
There is a serious fundamental 1344 00:48:36,850 --> 00:48:38,799 problem, which is that spying on 1345 00:48:38,800 --> 00:48:39,800 foreigners abroad 1346 00:48:40,900 --> 00:48:43,509 is an inherent presidential authority. 1347 00:48:43,510 --> 00:48:45,489 Congress cannot restrain that 1348 00:48:45,490 --> 00:48:46,899 presidential authority. 1349 00:48:46,900 --> 00:48:48,639 So, in other words, if Obama today 1350 00:48:49,900 --> 00:48:51,669 makes a promise and says we changed 1351 00:48:51,670 --> 00:48:54,049 policy, we're going to rewrite EO 23 1352 00:48:54,050 --> 00:48:56,169 pretty much more strongly than PD 1353 00:48:56,170 --> 00:48:57,519 28. 1354 00:48:57,520 --> 00:48:59,469 You can't trust that because a future 1355 00:48:59,470 --> 00:49:00,909 president or the same president could 1356 00:49:00,910 --> 00:49:03,219 tomorrow in secret renounce 1357 00:49:03,220 --> 00:49:05,289 that policy and just go back to business 1358 00:49:05,290 --> 00:49:06,399 as usual. 1359 00:49:06,400 --> 00:49:08,259 So it's not even clear that a legally 1360 00:49:08,260 --> 00:49:10,359 binding treaty is possible unless 1361 00:49:10,360 --> 00:49:11,590 you change the US Constitution. 1362 00:49:13,690 --> 00:49:14,619 And generally, what I've been 1363 00:49:14,620 --> 00:49:16,689 recommending for a couple of years now is 1364 00:49:16,690 --> 00:49:18,429 a three pronged strategy for any 1365 00:49:18,430 --> 00:49:19,809 response. 1366 00:49:19,810 --> 00:49:22,329 Firstly, you work out essentially 1367 00:49:22,330 --> 00:49:24,189 which data flows are more valuable to the 1368 00:49:24,190 --> 00:49:26,349 US than they are to Europe and 1369 00:49:26,350 --> 00:49:28,179 you begin shutting them down as in a 1370 00:49:28,180 --> 00:49:29,180 trade war. 1371 00:49:29,710 --> 00:49:31,599 Secondly, you need a long term EU 1372 00:49:31,600 --> 00:49:33,939 industrial policy to develop software 1373 00:49:33,940 --> 00:49:35,899 and cloud services. 
1374 00:49:35,900 --> 00:49:38,049 And I think also critically, that 1375 00:49:38,050 --> 00:49:39,050 should include 1376 00:49:40,300 --> 00:49:42,429 a secure operating system for individuals 1377 00:49:42,430 --> 00:49:44,499 or much more secure operating system for 1378 00:49:44,500 --> 00:49:45,849 individuals. 1379 00:49:45,850 --> 00:49:46,929 You might have seen on the beginning of 1380 00:49:46,930 --> 00:49:48,459 the slides, and I know a policy advisor 1381 00:49:48,460 --> 00:49:50,559 to the Cuba project, and I 1382 00:49:50,560 --> 00:49:52,329 do think if you haven't heard of Cuba and 1383 00:49:52,330 --> 00:49:54,339 you worried about your security very 1384 00:49:54,340 --> 00:49:56,679 laptop, you should check it out. 1385 00:49:56,680 --> 00:49:57,680 That's all I'll say. 1386 00:49:59,320 --> 00:50:00,669 And thirdly, we need whistleblower 1387 00:50:00,670 --> 00:50:03,219 protection because 1388 00:50:03,220 --> 00:50:04,839 it's only through Edward Snowden's 1389 00:50:04,840 --> 00:50:06,979 courage that we know 1390 00:50:06,980 --> 00:50:09,009 at least that anyone is taking this 1391 00:50:09,010 --> 00:50:11,529 seriously now. 1392 00:50:11,530 --> 00:50:13,389 And we don't know that the next 1393 00:50:13,390 --> 00:50:14,319 whistleblower is going to be as 1394 00:50:14,320 --> 00:50:16,359 altruistic as Snowden. 1395 00:50:16,360 --> 00:50:18,129 So we need to actually give them 1396 00:50:18,130 --> 00:50:20,319 watertight asylum and probably 1397 00:50:20,320 --> 00:50:22,449 some incentives, probably some rewards. 1398 00:50:22,450 --> 00:50:24,609 I actually proposed to the parliament 1399 00:50:24,610 --> 00:50:26,679 that the whistleblowers should get 1400 00:50:26,680 --> 00:50:29,409 25 percent of any fines 1401 00:50:29,410 --> 00:50:31,569 subsequently exacted 1402 00:50:31,570 --> 00:50:33,099 on a controller. Now, that sounds an 1403 00:50:33,100 --> 00:50:34,100 enormous amount. 
1404 00:50:41,150 --> 00:50:43,009 But you've got to remember, that person 1405 00:50:43,010 --> 00:50:45,079 is likely to be an American, either 1406 00:50:45,080 --> 00:50:46,489 somebody working for a corporation or 1407 00:50:46,490 --> 00:50:48,619 working for the NSA, 1408 00:50:48,620 --> 00:50:50,509 and they are going to need bodyguards and 1409 00:50:50,510 --> 00:50:52,159 protection from extraordinary rendition 1410 00:50:52,160 --> 00:50:53,899 and kidnaping back to sort of Guantanamo 1411 00:50:53,900 --> 00:50:55,819 for the rest of their lives. 1412 00:50:55,820 --> 00:50:57,649 So that's why the incentives have to be 1413 00:50:57,650 --> 00:50:59,600 enormous to provide a credible deterrent. 1414 00:51:02,130 --> 00:51:04,229 So the way that 1415 00:51:04,230 --> 00:51:05,489 I've tried to sort of summarize the 1416 00:51:05,490 --> 00:51:07,469 political situation now is welcome to the 1417 00:51:07,470 --> 00:51:08,669 matter Panopticon. 1418 00:51:08,670 --> 00:51:09,929 It is unfortunately true 1419 00:51:11,100 --> 00:51:12,569 that most people don't think they have 1420 00:51:12,570 --> 00:51:14,699 anything to hide from the government. 1421 00:51:14,700 --> 00:51:17,369 But people vote for politicians 1422 00:51:17,370 --> 00:51:19,439 and they have to have trust in public 1423 00:51:19,440 --> 00:51:21,539 officials. They have to trust the 1424 00:51:21,540 --> 00:51:23,909 public. Officials are acting impartially 1425 00:51:23,910 --> 00:51:25,679 in their national interest and in their 1426 00:51:25,680 --> 00:51:27,060 collective interest. 1427 00:51:28,140 --> 00:51:30,959 So how now are people going to know 1428 00:51:30,960 --> 00:51:31,949 that that is the case? 
1429 00:51:31,950 --> 00:51:33,959 Because any politician or official in 1430 00:51:33,960 --> 00:51:36,209 Europe now knows that the NSA 1431 00:51:36,210 --> 00:51:38,309 and probably GHQ knows 1432 00:51:38,310 --> 00:51:40,259 every detail of their private life, every 1433 00:51:40,260 --> 00:51:42,699 indiscretion, everything rash, email 1434 00:51:42,700 --> 00:51:44,849 sent via email or any phone 1435 00:51:44,850 --> 00:51:46,559 call, information deducible through 1436 00:51:46,560 --> 00:51:48,329 traffic analysis. 1437 00:51:48,330 --> 00:51:50,149 Well, anyone with half a brain cell and a 1438 00:51:50,150 --> 00:51:52,109 position of power in the, you know, knows 1439 00:51:52,110 --> 00:51:54,069 their private life is up for grabs. 1440 00:51:54,070 --> 00:51:56,129 Their career could be ruined with one 1441 00:51:56,130 --> 00:51:57,300 tabloid news story 1442 00:51:58,770 --> 00:52:01,019 or the promotion ruined if they show 1443 00:52:01,020 --> 00:52:03,839 perhaps too much anti-American 1444 00:52:03,840 --> 00:52:05,159 bias. 1445 00:52:05,160 --> 00:52:06,989 And that comes to the attention of the US 1446 00:52:06,990 --> 00:52:08,639 and they sort of arrange for the other 1447 00:52:08,640 --> 00:52:10,289 guy to get promoted. 1448 00:52:10,290 --> 00:52:11,579 Well, how do we know that's not going to 1449 00:52:11,580 --> 00:52:13,109 happen? Because even if it doesn't 1450 00:52:13,110 --> 00:52:16,259 happen, we might reasonably suspect 1451 00:52:16,260 --> 00:52:17,260 that may happen. 1452 00:52:18,300 --> 00:52:20,729 So that is a profoundly corrosive idea 1453 00:52:20,730 --> 00:52:22,379 for democracy, but is something that we 1454 00:52:22,380 --> 00:52:23,279 now have to deal with it. 1455 00:52:23,280 --> 00:52:25,529 We cannot deal with it 1456 00:52:25,530 --> 00:52:26,969 by not thinking about it. 
1457 00:52:26,970 --> 00:52:29,579 And as I put at the end my report, 1458 00:52:29,580 --> 00:52:31,410 the thoughts that Edward Snowden have 1459 00:52:32,520 --> 00:52:34,619 put in the minds of the public cannot 1460 00:52:34,620 --> 00:52:36,479 now be unthought. 1461 00:52:36,480 --> 00:52:37,480 Thank you very much. 1462 00:53:09,720 --> 00:53:11,999 OK, we can take about about 1463 00:53:12,000 --> 00:53:13,439 ten minutes for Q&A. 1464 00:53:13,440 --> 00:53:15,599 So if you have a question, 1465 00:53:15,600 --> 00:53:17,789 find a microphone, preferably 1466 00:53:17,790 --> 00:53:19,289 one of those. 1467 00:53:19,290 --> 00:53:21,599 Um, and also I have a signal 1468 00:53:21,600 --> 00:53:22,619 angel in the back. 1469 00:53:22,620 --> 00:53:23,620 And she is 1470 00:53:24,840 --> 00:53:26,369 she has a question. 1471 00:53:26,370 --> 00:53:28,319 Yes. Hello, Casper. 1472 00:53:28,320 --> 00:53:31,079 So we have a ton of questions 1473 00:53:31,080 --> 00:53:32,879 for you and the IOC. 1474 00:53:32,880 --> 00:53:35,219 And they were all really excited 1475 00:53:35,220 --> 00:53:36,449 about your talk. 1476 00:53:36,450 --> 00:53:39,599 And I mean, just start with one. 1477 00:53:39,600 --> 00:53:41,849 So can you name three 1478 00:53:41,850 --> 00:53:44,339 countries whose laws are equally 1479 00:53:44,340 --> 00:53:46,499 balanced and protecting 1480 00:53:46,500 --> 00:53:48,989 its citizens as well as foreigners? 1481 00:53:48,990 --> 00:53:51,299 So which countries could 1482 00:53:51,300 --> 00:53:52,229 we. 1483 00:53:52,230 --> 00:53:54,599 Yeah, take as an example 1484 00:53:54,600 --> 00:53:56,759 for laws in Europe or in 1485 00:53:56,760 --> 00:53:57,760 Germany? 1486 00:53:59,370 --> 00:54:01,529 So I think one important 1487 00:54:01,530 --> 00:54:03,719 distinction to make is the sport has been 1488 00:54:03,720 --> 00:54:05,819 going on in reality, 1489 00:54:05,820 --> 00:54:07,709 as we now know from Snowden. 
1490 00:54:07,710 --> 00:54:09,749 And then there is what the law is in 1491 00:54:09,750 --> 00:54:10,750 theory. 1492 00:54:11,280 --> 00:54:13,709 So in every European country, 1493 00:54:13,710 --> 00:54:15,779 I believe, apart 1494 00:54:15,780 --> 00:54:16,780 from Germany, 1495 00:54:18,000 --> 00:54:19,049 the laws are equal. 1496 00:54:19,050 --> 00:54:20,969 There's nothing in European laws apart 1497 00:54:20,970 --> 00:54:22,409 from Germany that I discovered where it 1498 00:54:22,410 --> 00:54:24,359 says if you are a French citizen or if 1499 00:54:24,360 --> 00:54:26,189 you a Slovakian citizen or if you are a 1500 00:54:26,190 --> 00:54:28,679 Czech citizen, you get better protection 1501 00:54:28,680 --> 00:54:30,329 in respect to privacy and surveillance. 1502 00:54:31,650 --> 00:54:33,419 What almost every other country's laws 1503 00:54:33,420 --> 00:54:35,579 say is they differentiate between 1504 00:54:35,580 --> 00:54:37,289 purely domestic communications, 1505 00:54:37,290 --> 00:54:39,209 communications, starting and beginning in 1506 00:54:39,210 --> 00:54:41,309 one country and communications 1507 00:54:41,310 --> 00:54:44,189 which cross the border of that country. 1508 00:54:44,190 --> 00:54:46,259 So that is the way that most laws 1509 00:54:46,260 --> 00:54:47,340 make that distinction. 1510 00:54:48,900 --> 00:54:50,789 But he may say, well, does that make a 1511 00:54:50,790 --> 00:54:51,329 difference? 1512 00:54:51,330 --> 00:54:53,639 Yes, it does for cloud computing, because 1513 00:54:53,640 --> 00:54:56,219 the stark contrast is 1514 00:54:56,220 --> 00:54:58,289 if you have any American data 1515 00:54:58,290 --> 00:55:00,479 in Europe, then that data 1516 00:55:00,480 --> 00:55:02,489 is equally protected by European data 1517 00:55:02,490 --> 00:55:04,049 protection and human rights law. 
1518 00:55:04,050 --> 00:55:05,849 An American could come over here and 1519 00:55:05,850 --> 00:55:07,709 start taking a case through European data 1520 00:55:07,710 --> 00:55:09,179 protection authorities or European courts 1521 00:55:09,180 --> 00:55:11,249 without any trouble at all 1522 00:55:11,250 --> 00:55:13,079 if they thought their privacy was being 1523 00:55:13,080 --> 00:55:15,179 unjustifiably infringed. 1524 00:55:15,180 --> 00:55:16,619 The converse is not true. 1525 00:55:16,620 --> 00:55:19,019 All EU data, as I hope I've demonstrated 1526 00:55:19,020 --> 00:55:21,209 in the US, you have no legal rights at 1527 00:55:21,210 --> 00:55:23,429 all, and that is the asymmetry 1528 00:55:23,430 --> 00:55:25,499 created by cloud computing 1529 00:55:25,500 --> 00:55:26,999 before cloud computing. 1530 00:55:27,000 --> 00:55:28,919 The rough assumption in the build up of 1531 00:55:28,920 --> 00:55:31,019 these international laws for 50 100 1532 00:55:31,020 --> 00:55:33,269 years was that territory was roughly 1533 00:55:33,270 --> 00:55:35,129 congruent with jurisdiction. 1534 00:55:35,130 --> 00:55:37,109 What cloud computing does is it just flex 1535 00:55:37,110 --> 00:55:39,359 those two apart and creates this vast 1536 00:55:39,360 --> 00:55:40,360 asymmetry. 1537 00:55:41,430 --> 00:55:43,139 Um, the mike over there. 1538 00:55:44,670 --> 00:55:47,339 OK, so thanks for the talk. 1539 00:55:47,340 --> 00:55:49,109 In Germany, the parliament finally 1540 00:55:49,110 --> 00:55:50,969 decided to open up an investigation 1541 00:55:50,970 --> 00:55:53,099 commission after the Snowden revelations. 1542 00:55:53,100 --> 00:55:54,100 And 1543 00:55:55,260 --> 00:55:57,449 so they got witnesses from the 1544 00:55:57,450 --> 00:56:00,329 German intelligence services, 1545 00:56:00,330 --> 00:56:02,999 but not much came out because 1546 00:56:03,000 --> 00:56:04,709 all the details are classified, which 1547 00:56:04,710 --> 00:56:05,759 would as prove.
1548 00:56:05,760 --> 00:56:08,039 And the government also protects them. 1549 00:56:08,040 --> 00:56:10,199 And it appears that somehow 1550 00:56:10,200 --> 00:56:12,479 the intelligence services operate in some 1551 00:56:12,480 --> 00:56:14,459 sort of room that is independent of the 1552 00:56:14,460 --> 00:56:16,559 law. Now, you pointed out how in the 1553 00:56:16,560 --> 00:56:18,749 US they would be and what they could 1554 00:56:18,750 --> 00:56:20,999 do within the boundaries of the law. 1555 00:56:21,000 --> 00:56:23,069 Now, my question is, do they 1556 00:56:23,070 --> 00:56:25,559 even care or more formally put 1557 00:56:25,560 --> 00:56:27,959 how likely would you 1558 00:56:27,960 --> 00:56:30,509 think that they that the US 1559 00:56:30,510 --> 00:56:32,729 agencies would feel bound by 1560 00:56:32,730 --> 00:56:33,839 the US laws at all? 1561 00:56:35,460 --> 00:56:37,619 So I think they do feel bound by the 1562 00:56:37,620 --> 00:56:38,549 US laws. 1563 00:56:38,550 --> 00:56:39,550 There was a great 1564 00:56:41,040 --> 00:56:43,289 John Oliver The Daily Show quip, which 1565 00:56:43,290 --> 00:56:45,059 is the amazing thing, Mr President, is 1566 00:56:45,060 --> 00:56:46,949 not nobody is saying that you broke the 1567 00:56:46,950 --> 00:56:47,189 law. 1568 00:56:47,190 --> 00:56:48,599 The amazing thing is that you didn't have 1569 00:56:48,600 --> 00:56:49,600 to. 1570 00:56:50,580 --> 00:56:52,649 And I do think that when you read the 1571 00:56:52,650 --> 00:56:55,049 texture of what NSA lawyers 1572 00:56:55,050 --> 00:56:57,269 have said and the texture the club 1573 00:56:57,270 --> 00:56:59,519 reports and so forth, they are, in 1574 00:56:59,520 --> 00:57:00,869 a sense, legal overload. 1575 00:57:00,870 --> 00:57:02,429 We're now getting kind of bombed with 1576 00:57:02,430 --> 00:57:03,899 thousands and thousands of pages of 1577 00:57:03,900 --> 00:57:05,969 American legalese.
But the trouble is, 1578 00:57:05,970 --> 00:57:07,529 none of it has any relevance for us. 1579 00:57:07,530 --> 00:57:09,689 It is all about because that 1580 00:57:09,690 --> 00:57:10,919 is the only rights which exist. 1581 00:57:10,920 --> 00:57:12,299 It is all about protecting the rights of 1582 00:57:12,300 --> 00:57:14,069 Americans and there simply is no rights 1583 00:57:14,070 --> 00:57:15,960 defined for anybody else. 1584 00:57:18,070 --> 00:57:19,529 Thank you. The microphone over there, 1585 00:57:19,530 --> 00:57:20,489 please. 1586 00:57:20,490 --> 00:57:21,490 Hi. 1587 00:57:22,200 --> 00:57:24,449 Hi. I have a question about the role 1588 00:57:24,450 --> 00:57:26,039 of jurisdiction in the area of cloud 1589 00:57:26,040 --> 00:57:27,149 computing. 1590 00:57:27,150 --> 00:57:29,219 And as I'm sure you know, Microsoft 1591 00:57:29,220 --> 00:57:31,379 is challenging a ruling in the states 1592 00:57:31,380 --> 00:57:33,659 about access to data held 1593 00:57:33,660 --> 00:57:34,739 in the EU. 1594 00:57:34,740 --> 00:57:36,839 And I'm just wondering what your views 1595 00:57:36,840 --> 00:57:39,119 are on that. Is it sort of snake oil or 1596 00:57:39,120 --> 00:57:41,189 is there something like a positive role 1597 00:57:41,190 --> 00:57:43,349 that US companies can do in sort 1598 00:57:43,350 --> 00:57:45,389 of challenging this global surveillance? 1599 00:57:46,470 --> 00:57:47,999 So, as I say, I'm very glad you asked me 1600 00:57:48,000 --> 00:57:50,369 that. As you can imagine, getting fired 1601 00:57:50,370 --> 00:57:52,379 by Microsoft for trying to warn them 1602 00:57:52,380 --> 00:57:53,550 about 702. 1603 00:57:54,660 --> 00:57:56,859 I do find it kind of amusing that 1604 00:57:56,860 --> 00:57:58,949 now Microsoft is painting itself 1605 00:57:58,950 --> 00:58:00,209 as the champion of privacy.
1606 00:58:00,210 --> 00:58:02,309 And I'm afraid this case is not 1607 00:58:02,310 --> 00:58:03,599 about protecting the sovereignty of 1608 00:58:03,600 --> 00:58:04,979 European data. 1609 00:58:04,980 --> 00:58:06,269 This is about protecting the sovereignty 1610 00:58:06,270 --> 00:58:07,259 of Microsoft. 1611 00:58:07,260 --> 00:58:08,249 But the short answer. 1612 00:58:08,250 --> 00:58:10,469 There is the substance of that case is 1613 00:58:10,470 --> 00:58:12,749 only about the Stored Communications Act, 1614 00:58:12,750 --> 00:58:14,489 a part of 1996. 1615 00:58:14,490 --> 00:58:16,169 In other words, it only deals with 1616 00:58:16,170 --> 00:58:17,819 criminal law enforcement. 1617 00:58:17,820 --> 00:58:19,979 So even if Microsoft won that case, I'm 1618 00:58:19,980 --> 00:58:22,139 actually hoping they won't because then 1619 00:58:22,140 --> 00:58:24,419 that'll kind of shore up this rotten 1620 00:58:24,420 --> 00:58:27,149 system that we have today. 1621 00:58:27,150 --> 00:58:28,409 But even if they won that case, it would 1622 00:58:28,410 --> 00:58:30,599 do nothing to prevent surveillance under 1623 00:58:30,600 --> 00:58:32,139 EO twelve fifty three or five. 1624 00:58:32,140 --> 00:58:33,659 So it's completely orthogonal to that. 1625 00:58:35,190 --> 00:58:36,599 We'll take another question from the 1626 00:58:36,600 --> 00:58:37,949 Internet. 1627 00:58:37,950 --> 00:58:40,019 So hello. 1628 00:58:40,020 --> 00:58:42,299 OK, so two questions 1629 00:58:42,300 --> 00:58:43,809 and the same direction. 1630 00:58:44,940 --> 00:58:47,099 The question is that, 1631 00:58:47,100 --> 00:58:49,349 I mean, the the 1632 00:58:49,350 --> 00:58:51,959 US are quite powerful in comparison 1633 00:58:51,960 --> 00:58:52,569 to Europe. 
1634 00:58:52,570 --> 00:58:55,109 So one of your examples 1635 00:58:55,110 --> 00:58:57,299 was to not give 1636 00:58:57,300 --> 00:58:59,189 them any data anymore, that they really, 1637 00:58:59,190 --> 00:59:01,319 really want to have something to 1638 00:59:01,320 --> 00:59:03,029 trade off. 1639 00:59:03,030 --> 00:59:05,130 So how do you think that will work? 1640 00:59:06,210 --> 00:59:08,459 Is there any possibility that 1641 00:59:08,460 --> 00:59:10,709 this will be the case? 1642 00:59:10,710 --> 00:59:12,899 So when I first started recommending 1643 00:59:12,900 --> 00:59:14,669 this policy a couple of years ago, 1644 00:59:14,670 --> 00:59:16,379 basically everyone said it was crazy and 1645 00:59:16,380 --> 00:59:17,939 they said there is no capacity for this 1646 00:59:17,940 --> 00:59:18,899 in Europe. 1647 00:59:18,900 --> 00:59:19,980 We don't have enough 1648 00:59:21,000 --> 00:59:22,019 software houses. 1649 00:59:22,020 --> 00:59:23,549 We don't have enough people who could 1650 00:59:23,550 --> 00:59:24,989 build and invest in data centers. 1651 00:59:24,990 --> 00:59:26,459 It's completely crazy. 1652 00:59:26,460 --> 00:59:28,919 But what I heard from the commission just 1653 00:59:28,920 --> 00:59:30,929 two weeks ago is that what they're 1654 00:59:30,930 --> 00:59:33,389 hearing now is actually European 1655 00:59:33,390 --> 00:59:35,399 providers, particularly telcos, are 1656 00:59:35,400 --> 00:59:37,679 queuing up to now 1657 00:59:37,680 --> 00:59:39,959 provide European based data 1658 00:59:39,960 --> 00:59:42,239 centers.
And of course, another 1659 00:59:42,240 --> 00:59:43,949 consequence of what I said is people 1660 00:59:43,950 --> 00:59:45,629 should not be using open source software 1661 00:59:45,630 --> 00:59:46,630 for security 1662 00:59:47,910 --> 00:59:49,889 because this problem of actually pushing 1663 00:59:49,890 --> 00:59:51,929 software updates and through a software 1664 00:59:51,930 --> 00:59:54,119 update, any security infrastructure 1665 00:59:54,120 --> 00:59:56,489 you've got, being able to be toast 1666 00:59:56,490 --> 00:59:57,599 because you just don't know what's in the 1667 00:59:57,600 --> 00:59:59,729 update. Of course, open source is no 1668 00:59:59,730 --> 01:00:01,919 panacea, but tools 1669 01:00:01,920 --> 01:00:04,229 like static analysis for getting the bugs 1670 01:00:04,230 --> 01:00:05,369 out of open source are much more 1671 01:00:05,370 --> 01:00:07,019 effective than when we last had this 1672 01:00:07,020 --> 01:00:08,909 debate 12, 13 years ago. 1673 01:00:08,910 --> 01:00:10,859 So from all points of view, there is just 1674 01:00:10,860 --> 01:00:13,139 a massive advantage now in everybody, 1675 01:00:13,140 --> 01:00:14,579 particularly governments switching to 1676 01:00:14,580 --> 01:00:16,649 open source cloud computing 1677 01:00:16,650 --> 01:00:19,019 indigenously hosted in the EU. 1678 01:00:19,020 --> 01:00:20,639 If you do that, of course, the NSA can 1679 01:00:20,640 --> 01:00:21,899 still try and break in. 1680 01:00:21,900 --> 01:00:24,089 But if the NSA is trying 1681 01:00:24,090 --> 01:00:25,799 to break in, you can at least defend by 1682 01:00:25,800 --> 01:00:27,119 conventional means. 1683 01:00:27,120 --> 01:00:28,619 And you're in essentially a totally 1684 01:00:28,620 --> 01:00:29,789 different situation. 
1685 01:00:29,790 --> 01:00:31,409 And if you've handled all of that data 1686 01:00:31,410 --> 01:00:34,020 over on a plate for the inspection of 72, 1687 01:00:35,400 --> 01:00:36,719 I think we've got time for two more 1688 01:00:36,720 --> 01:00:37,720 questions, 1689 01:00:39,150 --> 01:00:41,399 I think, to the switch. 1690 01:00:41,400 --> 01:00:43,169 Your claim is that 1691 01:00:44,550 --> 01:00:46,679 Article 43 does not work because of 1692 01:00:46,680 --> 01:00:48,869 the asymmetrical nature of the 1693 01:00:48,870 --> 01:00:50,549 crime and punishment. 1694 01:00:50,550 --> 01:00:53,250 The punishment for 1695 01:00:54,300 --> 01:00:56,519 spying is 20 years 1696 01:00:56,520 --> 01:00:57,629 imprisonment, etc. 1697 01:00:57,630 --> 01:00:59,099 But it does not apply to European 1698 01:00:59,100 --> 01:01:01,289 citizens operating in Europe. 1699 01:01:01,290 --> 01:01:03,389 So could 1700 01:01:03,390 --> 01:01:05,519 Article 43 not be shored up by saying 1701 01:01:05,520 --> 01:01:06,809 anyone who provides cloud 1702 01:01:07,830 --> 01:01:10,019 services in Europe has to have a non 1703 01:01:10,020 --> 01:01:12,689 European, not an American citizen 1704 01:01:12,690 --> 01:01:14,759 working in the role of getting 1705 01:01:14,760 --> 01:01:17,279 the information about 1706 01:01:17,280 --> 01:01:19,559 this on the back and forth 1707 01:01:19,560 --> 01:01:21,599 as required by Article 43? 1708 01:01:21,600 --> 01:01:24,359 And then the asymmetries asymmetrically 1709 01:01:24,360 --> 01:01:26,249 does not exist anymore, if that's a word. 1710 01:01:26,250 --> 01:01:27,689 So it's a nice idea, but a couple of 1711 01:01:27,690 --> 01:01:29,549 problems. I mean, one is that it's by no 1712 01:01:29,550 --> 01:01:31,679 means clear that the Espionage Act can 1713 01:01:31,680 --> 01:01:33,719 only be used against American citizens. 1714 01:01:33,720 --> 01:01:35,759 Ask Julian Assange.
1715 01:01:35,760 --> 01:01:38,039 And the second point is that 1716 01:01:38,040 --> 01:01:40,349 there is the scope of American law 1717 01:01:40,350 --> 01:01:42,419 extends not just to US based companies, 1718 01:01:42,420 --> 01:01:44,609 but to any company that does 1719 01:01:44,610 --> 01:01:45,719 business with the US. 1720 01:01:45,720 --> 01:01:47,729 So theoretically have no to order could 1721 01:01:47,730 --> 01:01:49,559 be put onto Deutsche Telekom or France 1722 01:01:49,560 --> 01:01:51,209 Telecom or whoever. 1723 01:01:51,210 --> 01:01:53,609 But from my experience, working 1724 01:01:53,610 --> 01:01:55,919 in a very big corporation and now 1725 01:01:55,920 --> 01:01:58,619 having my judgment is 1726 01:01:58,620 --> 01:02:01,829 the US would not serve a 72 1727 01:02:01,830 --> 01:02:03,539 on a European company because the whole 1728 01:02:03,540 --> 01:02:05,009 purpose would be secrecy. 1729 01:02:05,010 --> 01:02:07,169 And I think that may 1730 01:02:07,170 --> 01:02:08,819 be naive, but a European corporation 1731 01:02:08,820 --> 01:02:10,049 staff from the European lawyers, they 1732 01:02:10,050 --> 01:02:11,339 would not put up with that. 1733 01:02:11,340 --> 01:02:13,679 They would ensure that essentially 1734 01:02:13,680 --> 01:02:14,879 they would cry for help from their own 1735 01:02:14,880 --> 01:02:16,979 government, from 1736 01:02:16,980 --> 01:02:18,209 data protection authorities. 1737 01:02:18,210 --> 01:02:19,799 So I think in practical terms, there's 1738 01:02:19,800 --> 01:02:21,719 very substantially less risk for a 1739 01:02:21,720 --> 01:02:23,519 European company, even if it is doing 1740 01:02:23,520 --> 01:02:25,079 business in the US to be subject to this 1741 01:02:25,080 --> 01:02:26,819 law. But I'm afraid putting 1742 01:02:26,820 --> 01:02:28,769 responsibility, just American citizen, 1743 01:02:28,770 --> 01:02:29,770 won't necessarily do it.
1744 01:02:31,410 --> 01:02:32,460 And the last question, 1745 01:02:34,170 --> 01:02:35,940 do you think over here, 1746 01:02:37,320 --> 01:02:39,509 do you think there's any way an 1747 01:02:39,510 --> 01:02:41,609 American company can set 1748 01:02:41,610 --> 01:02:42,840 up a cloud offering 1749 01:02:43,950 --> 01:02:46,409 that really 1750 01:02:46,410 --> 01:02:48,719 legally protects their 1751 01:02:48,720 --> 01:02:50,489 customers' data from, 1752 01:02:51,750 --> 01:02:54,809 let's say, the US legally spying on them? 1753 01:02:54,810 --> 01:02:55,829 Sure, yeah. 1754 01:02:55,830 --> 01:02:57,569 I mean, just use a European company 1755 01:02:57,570 --> 01:03:00,119 running free software physically 1756 01:03:00,120 --> 01:03:02,369 located in the territory of Europe, and 1757 01:03:02,370 --> 01:03:04,679 you protect that as well as you can, 1758 01:03:04,680 --> 01:03:06,969 but not for an American company. 1759 01:03:06,970 --> 01:03:08,209 No, there is. 1760 01:03:08,210 --> 01:03:10,309 Way out for an American company, 1761 01:03:10,310 --> 01:03:11,779 something about which I'm terribly, 1762 01:03:11,780 --> 01:03:12,780 terribly sad. 1763 01:03:15,320 --> 01:03:16,699 Thank you so much, Caspar. 1764 01:03:16,700 --> 01:03:18,799 I hope that there will be a result that 1765 01:03:18,800 --> 01:03:20,469 is bigger than stunned silence.