Alberto Cammozzo · cammozzo.com/Papers/cammozzo2016-InformaticaGiuridica-Unipd...

Alberto Cammozzo

Università degli Studi di Padova

Bachelor's degree in Economic Law (Diritto dell'Economia)

Course: Legal Informatics (Informatica Giuridica)

Academic year 2015/2016

11, 12, 18 and 19 May


18 May

9/ Arcana Imperii: Datagate and intelligence

10/ Cross-border transfer: from Safe Harbor to Privacy Shield

11/ Commercial biometric technologies: facial recognition

12/ Government biometric technologies


Edward Snowden, June 2013


1. Data collection

● Interception of international fibre-optic exchanges (voice & data)

STORMBREW, OAKSTAR, BLARNEY, FAIRVIEW, TEMPORA, SOCIALIST, RAMPART-A

● Infiltration of and/or cooperation with the ICT industry

Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple

PRISM, MUSCULAR, Xkeyscore, SCISSORS, BOUNDLESS INFORMANT

● Collection of US phone conversation metadata

Verizon, AT&T and Sprint Nextel

MAINWAY, STELLARWIND


https://nsa.gov1.info/dni/prism.html


https://www.telegeography.com/


2. Targeted operations

● Interception:

– Embassies (38), government offices (Fr), media (Al Jazeera),

– Foreign political leaders and heads of State (Br, Mx, De),

– International organizations (UN, IAEA, EU? – via Belgacom)

DROPMIRE, SOCIALIST

● Computer intrusion with viruses and malware

GENIE, T.A.O.

● Attacks on anonymizing products such as Tor (EgotisticalGiraffe).


3. Targeting infrastructures

● Weakening encryption standards

– "Differential Workfactor Cryptography" (Lotus Notes)

– Dual_EC_DRBG standard (RSA)

BULLRUN, EDGEHILL, Sigint Enabling

→ Undermining computer security at its roots

– Also in proprietary products: Crypto AG, Windows


4. Opaque legal framework

● FISA (Foreign Intelligence Surveillance Act)

● Foreign Intelligence Surveillance Court

– Blanket legal approval [?]

– Warrantless intercepts

● NSA letters with nondisclosure provisions: the recipient can't divulge the content of the order.


18 May

9/ Arcana Imperii: Datagate and intelligence

10/ Cross-border transfer: from Safe Harbor to Privacy Shield

11/ Commercial biometric technologies: the case of facial recognition

12/ Government biometric technologies


NSA surveillance on EU data

● Abuse of bilateral agreements

– PNR (Passenger Name Record)

– TFTP (Terrorist Finance Tracking Program) agreement: intra-EU financial transaction information to the US

– Safe Harbour

– Council of Europe's Budapest Convention on Cybercrime: transborder access to stored computer data

● Cooperative intelligence activities with EU governments (e.g. RAMPART-A, started 1992)

● Covert intelligence activities = spying (e.g. SOCIALIST)


EU response

4 July 2013 – European Parliament “Resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' privacy” → LIBE Inquiry on electronic mass surveillance of EU citizens

21 February 2014 – LIBE Report “Protecting fundamental rights in a digital age”

12 March 2014 – European Parliament “Resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs”

Procedures 2013/2682(RSP), 2013/2188(INI)


EP resolution of 12 March 2014

● “compelling evidence of the existence of far-reaching, complex and highly technologically advanced systems designed by US and some Member States' intelligence services to collect, store and analyse communication data, including content data, location data and metadata of all citizens around the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner;”

● “trust has been profoundly shaken: trust between the two transatlantic partners, trust between citizens and their governments, trust in the functioning of democratic institutions on both sides of the Atlantic, trust in the respect of the rule of law, and trust in the security of IT services and communication”

● “data collection of such magnitude leaves considerable doubts as to whether these actions are guided only by the fight against terrorism, since it involves the collection of all possible data of all citizens; points, therefore, to the possible existence of other purposes including political and economic espionage, which need to be comprehensively dispelled”

● “secret laws and courts violate the rule of law”


EP resolution Priority Plan: A European Digital Habeas Corpus

1. Adopt the Data Protection Package in 2014; [done in 2016]

2. Conclude the EU-US Umbrella Agreement guaranteeing the fundamental right of citizens to privacy and data protection and ensuring proper redress mechanisms for EU citizens, including in the event of data transfers from the EU to the US for law enforcement purposes;

3. Suspend Safe Harbour until a full review has been conducted and current loopholes are remedied, making sure that transfers of personal data for commercial purposes from the Union to the US can only take place in compliance with the highest EU standards;

4. Suspend the TFTP agreement until [...]

5. Evaluate any agreement, mechanism or exchange with third countries involving personal data in order to ensure that the right to privacy and to the protection of personal data is not violated due to surveillance activities, and take necessary follow-up actions;

6. Protect the rule of law and the fundamental rights of EU citizens, (including from threats to the freedom of the press), the right of the public to receive impartial information and professional confidentiality (including lawyer-client relations), as well as ensuring enhanced protection for whistleblowers;


Safe Harbour Decision

International Safe Harbor Privacy Principles

Decision 520/2000/EC

COM(2013) 847 final

«transfers of personal data may take place only to non-EU countries that provide an "adequate" level of privacy protection»

US companies self-certify that they adhere to 7 principles (Frequently Asked Questions) that make them adequate under the EU Data Protection Directive.

The Department of Commerce supervises and maintains a list

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML

https://build.export.gov/main/safeharbor/eu/eg_main_018493


The Schrems case

● Max Schrems: concerned about privacy on FB

● Requests his own data from FB and publishes it: http://europe-v-facebook.org

● Starts several legal actions against "Safe Harbor"


My FB data is not protected from US government surveillance!

There is nothing I can do: the EU Commission says the US is "safe" under Safe Harbor

Hmm... Can a national DP authority call a Commission decision into question?

I disagree! I appeal to the Irish supreme court

Yes, it can.

"the Commission is not empowered to restrict the powers of the national supervisory authorities"

What is more, Safe Harbor is invalid

Case C-362/14, 6 October 2015

Schrems "Prism Case"


Judgment in Case C-362/14

● Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, [...] must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC, [...] by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, [...] from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.

● Decision 2000/520 is invalid.


EU-US Privacy Shield, 29-02-2016, COM(2016) 117 final

1/ binding commitments (binding corporate rules), not just self-certifications

2/ safeguards and greater transparency on government access

3/ easier redress and dispute resolution: response within 45 days, possible DP authority assistance

4/ monitoring and periodic review

http://europa.eu/rapid/press-release_IP-16-216_en.htm

http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm


18 May

9/ Arcana Imperii: Datagate and intelligence

10/ Cross-border transfer: from Safe Harbor to Privacy Shield

11/ Commercial biometric technologies: facial recognition

12/ Government biometric technologies


What happens when you upload a personal image?


[Diagram labels: User/Customer, Service Provider]


FR usage

● Law enforcement

● Passenger & Border processing

● Disaster victim identification

● Voting systems

● Time attendance

● Computer systems biometric authentication

● Vending machines

● …


[Diagram labels: User/Customer, Service Provider]


http://www.hertasecurity.com/en/products/biosurveillance-next


FR in SNs


Each scan report costs $75 US


https://birdinflight.com/ru/vdohnovenie/fotoproect/06042016-face-big-data.html


https://advox.globalvoices.org/2016/04/22/facial-recognition-service-becomes-a-weapon-against-russian-porn-actresses


http://ntechlab.com/


https://twitter.com/kashhill/status/727230907703136256/photo/1


18 May

9/ Various kinds of online censorship and the Wikileaks case.

Circumvention with TOR, VPN. Darkweb, deepweb.

10/ Arcana Imperii: Datagate and intelligence

11/ Commercial biometric technologies: the case of facial recognition

12/ Government biometric technologies


Platforms

Surveillance cameras


NGI searchable database includes «facial imaging, scars, marks, and tattoos» and has «room to accommodate future biometric technologies (i.e., voice, gait, etc.) as they become available and prove reliable»

FBI Next Generation Identification


CBS news 60 minutes May 19, 2013 8:00 PM http://www.cbsnews.com/video/watch/?id=50147161n


What is at stake here is the new «normal» biopolitical relationship between citizens and the state. This no longer concerns free and active participation in the public sphere, but the registration and filing of the most private and incommunicable element: the biological life of bodies.

To the media apparatuses that control and manipulate public speech correspond the technological apparatuses that register and identify bare life: between these two extremes - speech without a body and a body without speech - the space of what was once called politics is ever more scant and narrow.

2004, Giorgio Agamben

http://ricerca.repubblica.it/repubblica/archivio/repubblica/2004/01/08/se-lo-stato-sequestra-il-tuo-corpo.html


uidai.gov.in

● 12-digit unique identification (UID) number

● linked to the demographic and biometric information: photograph, ten fingerprints and two iris scans,

● centralised database


Blended, 18 and 19 May

● In-depth study of Datagate: consult F. Chiusi, “Grazie Mr. Snowden”, http://static.repubblica.it/ebook/Grazie-MrSnowden-Fabio-Chiusi.pdf

Comment on the forum on one (or more) of the following NSA programs, of your choice: EGOTISTICAL GIRAFFE, SOCIALIST, XKEYSCORE.

What is the program for? What might the long-term consequences be? What effect did its disclosure have?