Alberto Cammozzo · cammozzo.com/Papers/cammozzo2016-InformaticaGiuridica-Unipd... · EP resolution...
Alberto Cammozzo
Università degli Studi di Padova
Three-year degree programme in Diritto dell'Economia (Law of the Economy)
Course: Informatica Giuridica (Legal Informatics)
Academic year 2015/2016
11, 12, 18 and 19 May
18 May
9/ Arcana Imperii: Datagate and intelligence
10/ Cross-border transfers: from Safe Harbor to Privacy Shield
11/ Commercial biometric technologies: facial recognition
12/ Government biometric technologies
Edward Snowden, June 2013
1. Data collection
● Interception at international fibre-optic exchanges (voice and data): STORMBREW, OAKSTAR, BLARNEY, FAIRVIEW, TEMPORA, SOCIALIST, RAMPART-A
● Infiltration of and/or cooperation with the ICT industry: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple (PRISM, MUSCULAR, XKeyscore, SCISSORS, BOUNDLESS INFORMANT)
● Collection of US phone-call metadata: Verizon, AT&T and Sprint Nextel (MAINWAY, STELLARWIND)
https://nsa.gov1.info/dni/prism.html
https://www.telegeography.com/
2. Targeted operations
● Interception:
– Embassies (38), government offices (Fr), media (Al Jazeera),
– Foreign political leaders and heads of State (Br, Mx, De),
– International organizations (UN, IAEA, EU? via Belgacom): DROPMIRE, SOCIALIST
● Computer intrusion with viruses and malware: GENIE, T.A.O.
● Attacks on anonymizing products such as Tor (EgotisticalGiraffe).
3. Targeting infrastructures
● Weakening encryption standards:
– “Differential Workfactor Cryptography” (Lotus Notes)
– Dual_EC_DRBG standard (RSA): BULLRUN, EDGEHILL, SIGINT Enabling
→ Uprooting computer security, also in proprietary products: Crypto AG, Windows
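The “differential workfactor” item above is easy to misread as a weaker cipher for everyone. It was not: the cipher stayed as strong as ever for the public, while one privileged party received part of each key in an escrow field and so had far less to brute-force. The toy below is an added example, not code from the lecture or from Lotus Notes; the cipher, the escrow agent's secret, the key sizes (16-bit key, 8 escrowed bits) and the message are all constructed so that the comparison runs in a fraction of a second. The historical scheme used 64-bit keys with 24 bits escrowed, leaving the agency a 40-bit search.

```python
"""Toy model of 'differential workfactor' key escrow (added example).

Not code from the lecture: it illustrates the scheme the slides attribute to
Lotus Notes, in which part of every session key travels with the message,
encrypted so that only one privileged party (the escrow agent) can read it.
The agent then searches only the remaining key bits; everyone else faces the
full key space. All parameters are constructed and shrunk so the search
finishes quickly (historical scheme: 64-bit keys, 24 escrowed bits).
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_BITS = 16                      # constructed toy key length (historical: 64)
ESCROW_BITS = 8                    # constructed escrowed bits (historical: 24)
FREE_BITS = KEY_BITS - ESCROW_BITS
NONCE_LEN = 8

# The escrow agent's long-term secret (constructed). Historically this role was
# played by an agency public key; a shared secret keeps the toy self-contained.
ESCROW_AGENT_KEY = b"constructed-escrow-agent-secret"


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Toy stream cipher: XOR the plaintext with a SHA-256 keystream."""
    stream = hashlib.sha256(b"toy-cipher|" + key.to_bytes(8, "big")).digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def send_message(key: int, plaintext: bytes) -> dict:
    """Encrypt and attach the escrow field: nonce || (top key bits XOR pad)."""
    nonce = os.urandom(NONCE_LEN)
    pad = hmac.new(ESCROW_AGENT_KEY, nonce, hashlib.sha256).digest()
    escrowed_bits = key >> FREE_BITS            # top ESCROW_BITS of the key
    field = bytes([escrowed_bits ^ pad[0]])     # ESCROW_BITS == 8: one byte
    return {"ciphertext": toy_encrypt(key, plaintext), "escrow": nonce + field}


def open_escrow(escrow: bytes) -> int:
    """Only the holder of ESCROW_AGENT_KEY can recover the escrowed key bits."""
    nonce, field = escrow[:NONCE_LEN], escrow[NONCE_LEN]
    pad = hmac.new(ESCROW_AGENT_KEY, nonce, hashlib.sha256).digest()
    return field ^ pad[0]


def recover_key(ciphertext: bytes, known_plaintext: bytes,
                escrowed_bits: Optional[int] = None) -> Tuple[int, int]:
    """Known-plaintext brute force; returns (key, number of trial encryptions).

    Without escrowed bits the whole 2**KEY_BITS space is searched; with them
    only the 2**FREE_BITS keys sharing that prefix are tried.
    """
    if escrowed_bits is None:
        candidates = range(1 << KEY_BITS)
    else:
        base = escrowed_bits << FREE_BITS
        candidates = range(base, base + (1 << FREE_BITS))
    trials = 0
    for candidate in candidates:
        trials += 1
        if toy_encrypt(candidate, known_plaintext) == ciphertext:
            return candidate, trials
    raise ValueError("key not in searched space")


def demo(key: int = 0xBEEF, plaintext: bytes = b"constructed") -> dict:
    """Compare the outsider's effort with the escrow agent's for one message."""
    msg = send_message(key, plaintext)
    outsider_key, outsider_trials = recover_key(msg["ciphertext"], plaintext)
    agent_key, agent_trials = recover_key(
        msg["ciphertext"], plaintext, open_escrow(msg["escrow"]))
    return {
        "outsider_key": outsider_key, "outsider_trials": outsider_trials,
        "outsider_space": 1 << KEY_BITS,
        "agent_key": agent_key, "agent_trials": agent_trials,
        "agent_space": 1 << FREE_BITS,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both searches recover the same key; what differs is the space each party must cover (65,536 keys versus 256 here). Scaled to the historical parameters, the same asymmetry is 2^64 for the public against 2^40 for the escrow agent, which is why the slides list the scheme under "targeting infrastructures" rather than under a simple export-strength cipher.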
4. Opaque legal framework
● FISA (Foreign Intelligence Surveillance Act)
● Foreign Intelligence Surveillance Court
– Blanket legal approval [?]
– Warrantless intercepts
● NSA letters with nondisclosure provisions: the recipient cannot divulge the content of the order.
NSA surveillance on EU data
● Abuse of bilateral agreements:
– PNR (Passenger Name Record)
– TFTP (Terrorist Finance Tracking Program) agreement: intra-EU financial transaction information passed to the US
– Safe Harbour
– Council of Europe's Budapest Convention on Cybercrime: transborder access to stored computer data
● Cooperative intelligence activities with EU governments (e.g. RAMPART-A, started 1992)
● Covert intelligence activities = spying (e.g. SOCIALIST)
EU response
4 July 2013 – European Parliament “Resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' privacy” → LIBE Inquiry on electronic mass surveillance of EU citizens
21 February 2014 – LIBE Report “Protecting fundamental rights in a digital age”
12 March 2014 – European Parliament “Resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs”
Procedures 2013/2682(RSP), 2013/2188(INI)
EP resolution of 12 March 2014
● “compelling evidence of the existence of far-reaching, complex and highly technologically advanced systems designed by US and some Member States' intelligence services to collect, store and analyse communication data, including content data, location data and metadata of all citizens around the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner;”
● “trust has been profoundly shaken: trust between the two transatlantic partners, trust between citizens and their governments, trust in the functioning of democratic institutions on both sides of the Atlantic, trust in the respect of the rule of law, and trust in the security of IT services and communication”
● “data collection of such magnitude leaves considerable doubts as to whether these actions are guided only by the fight against terrorism, since it involves the collection of all possible data of all citizens; points, therefore, to the possible existence of other purposes including political and economic espionage, which need to be comprehensively dispelled”
● “secret laws and courts violate the rule of law”
EP resolution Priority Plan: A European Digital Habeas Corpus
1. Adopt the Data Protection Package in 2014; [done in 2016]
2. Conclude the EU-US Umbrella Agreement guaranteeing the fundamental right of citizens to privacy and data protection and ensuring proper redress mechanisms for EU citizens, including in the event of data transfers from the EU to the US for law enforcement purposes;
3. Suspend Safe Harbour until a full review has been conducted and current loopholes are remedied, making sure that transfers of personal data for commercial purposes from the Union to the US can only take place in compliance with the highest EU standards;
4. Suspend the TFTP agreement until [...]
5. Evaluate any agreement, mechanism or exchange with third countries involving personal data in order to ensure that the right to privacy and to the protection of personal data is not violated due to surveillance activities, and take necessary follow-up actions;
6. Protect the rule of law and the fundamental rights of EU citizens, (including from threats to the freedom of the press), the right of the public to receive impartial information and professional confidentiality (including lawyer-client relations), as well as ensuring enhanced protection for whistleblowers;
Safe Harbour Decision: International Safe Harbor Privacy Principles
Decision 520/2000/EC; COM(2013) 847 final
«transfers of personal data may take place only to non-EU countries that provide an "adequate" level of privacy protection»
US companies self-certify that they adhere to 7 principles (plus Frequently Asked Questions), which makes them adequate under the EU Data Protection Directive.
The Department of Commerce oversees the scheme and maintains a list.
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML
https://build.export.gov/main/safeharbor/eu/eg_main_018493
The Schrems case
● Max Schrems: concerned about privacy on FB
● Requests his own data from FB and publishes it: http://europe-v-facebook.org
● Starts legal actions against “Safe Harbor”
“My FB data is not protected from US government surveillance!”
“There is nothing I can do: the EU Commission says the USA is ‘safe’ under Safe Harbor.”
“Hmm... Can a national DP authority call a Commission decision into question?”
“I disagree! I appeal to the Irish supreme court.”
“Yes, it can: ‘the Commission is not empowered to restrict the powers of the national supervisory authorities’. Moreover, Safe Harbor is invalid.”
Case C-362/14, 6 October 2015
Schrems “Prism Case”
Judgment in Case C-362/14
● Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, [...] must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC, [...] by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State [...] from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country, when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
● Decision 2000/520 is invalid.
EU-US Privacy Shield, 29-02-2016, COM(2016) 117 final
1/ binding commitments (binding corporate rules), not mere self-certification
2/ safeguards and greater transparency on government access
3/ easier redress and dispute resolution: reply within 45 days, assistance from the DP authority where needed
4/ monitoring and periodic review
http://europa.eu/rapid/press-release_IP-16-216_en.htm
http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm
What happens when you upload a personal image?
[Diagram: User / Customer → Service Provider]
FR usage
● Law enforcement
● Passenger and border processing
● Disaster victim identification
● Voting systems
● Time and attendance
● Biometric authentication to computer systems
● Vending machines
● …
http://www.hertasecurity.com/en/products/biosurveillance-next
FR in SNs
Each scan report costs $75 US
https://birdinflight.com/ru/vdohnovenie/fotoproect/06042016-face-big-data.html
https://advox.globalvoices.org/2016/04/22/facial-recognition-service-becomes-a-weapon-against-russian-porn-actresses
http://ntechlab.com/
https://twitter.com/kashhill/status/727230907703136256/photo/1
18 May
9/ Various kinds of online censorship and the Wikileaks case.
Circumvention with TOR, VPN. Darkweb, deepweb.
10/ Arcana Imperii: Datagate and intelligence
11/ Commercial biometric technologies: the case of facial recognition
12/ Government biometric technologies
Platforms: surveillance cameras
NGI searchable database includes «facial imaging, scars, marks, and tattoos» and has «room to accommodate future biometric technologies (i.e., voice, gait, etc.) as they become available and prove reliable»
FBI Next Generation Identification
CBS news 60 minutes May 19, 2013 8:00 PM http://www.cbsnews.com/video/watch/?id=50147161n
What is at stake here is the new «normal» biopolitical relationship between citizens and the State. It no longer concerns free and active participation in the public sphere, but the registration and filing of the most private and incommunicable element: the biological life of bodies.
To the media devices that control and manipulate public speech correspond the technological devices that register and identify bare life: between these two extremes, a word without a body and a body without a word, the space of what was once called politics grows ever narrower and more restricted.
2004, Giorgio Agamben
http://ricerca.repubblica.it/repubblica/archivio/repubblica/2004/01/08/se-lo-stato-sequestra-il-tuo-corpo.html
uidai.gov.in
● 12-digit unique identification (UID) number
● linked to demographic and biometric information: photograph, ten fingerprints and two iris scans
● centralised database
Blended, 18 and 19 May
● Further reading on Datagate: F. Chiusi, “Grazie Mr. Snowden”, http://static.repubblica.it/ebook/Grazie-MrSnowden-Fabio-Chiusi.pdf
Comment on the forum on one (or more) of the following NSA programmes, at your choice: EGOTISTICAL GYRAFFE, SOCIALIST, XKEYSCORE.
What is the programme for? What might its long-term consequences be? What effect did its disclosure have?