Report: US to grant foreigners limited NSA data deletion rights

The U.S. administration is set to make a few changes to the country’s mass surveillance practises, according to a New York Times report late Monday.

The piece, which appears to be based on official leaks ahead of a Tuesday announcement, suggested foreigners will get for the first time get limited rights regarding how their personal data is treated after it’s been scooped up by agencies such as the NSA. Whereas the data of Americans would be deleted after incidental collection, foreigners’ data would be deleted after five years.

This is a small step – it’s arguably better than nothing, and most countries’ surveillance operations don’t grant privacy rights to foreigners. However, that doesn’t make the NSA’s practices OK, particularly as they and their “Five Eyes” partners have unrivalled access to foreigners’ data.

Data collection still violates the right to privacy, and the discrimination between Americans and non-Americans still falls foul of the basic human rights tenet that maintains all people should enjoy equal protection under the law, as stated in Article 26 of the International Convention on Civil and Political Rights (ICCPR). As it happens, the U.S. ratified the ICCPR with one “reservation” being that discrimination is allowed when it is “rationally related to a legitimate governmental objective.” The U.S. Constitution also grants equality under the law, but its application to foreigners outside U.S. borders is a complex matter.

Then again, human rights are inalienable and countries don’t grant them – they recognize them, or not. Even if the U.S. is about to grant foreigners some legal rights regarding the deletion of their recorded/stolen personal data, the 95 percent of the world’s population living outside those borders still has good reason to complain about their treatment by the NSA.

The White House’s changes would also formalize a process about the monitoring of international leaders, that was drawn up after the embarrassing revelation — from the Snowden documents – that the NSA was spying on German Chancellor Angela Merkel. The NYT piece was fuzzy on this: It seems some leaders are off the spy list and some aren’t.

The gag orders associated with national security letters – the orders that force communications providers to hand over customer data – will also “presumptively” end after three years, the article stated, although “mid-level” intelligence agents will be able to plead for continued secrecy.

This article was updated at 4am PT to note that most countries’ surveillance operations don’t grant privacy rights to foreigners.

The curious case of Angela Merkel and her EU data retention ideas

In the wake of last week’s terrorist attacks in Paris, German Chancellor Angela Merkel has called on the European Commission to deliver on its “promise” of a new EU-wide data retention directive to replace the one struck down by the EU’s highest court last year.

Merkel wants to implement this new directive into German law. There’s only one problem: the Commission doesn’t seem to have promised any such thing, at least not in public.

The Court of Justice of the European Union struck down the Data Retention Directive 2006 in April of last year because it was disproportionate and had insufficient safeguards. The directive had mandated that EU countries had to force telecommunications firms to retain metadata about their customers’ communications for between six and 24 months. Even before the CJEU scrapped it, Germany had already stopped implementing it on constitutional grounds.

On Thursday, according to a DPA report, Merkel told German parliamentarians:

Given the cross-party conviction among all interior ministers, both state-level and federal, that we need such minimum retention periods, we should insist that the revision of the directive promised by the EU Commission is quickly completed and then implemented into German law.

That DPA report claims “Brussels is drafting a follow-up that meets the judges’ standards,” but that’s not what the Commission says.

Last month, Netzpolitik reported that new Home Affairs Commissioner Dimitris Avramopoulos was planning to make such an announcement, and that his department was “now reflecting on the how, rather than the if.” However, after that report came out, the department backtracked, with a spokeswoman saying: “I meant that we are now reflecting on the how to take things forward, rather than if we need a new directive or not.”

Avramopoulos’s predecessor, Cecilia Malmström, had previously said she wouldn’t propose any new data retention directive until the EU’s new data protection rules had been finalized – something that now may not happen before 2016.

An EU source confirmed to me today that the Commission is taking its time evaluating the issues raised by the CJEU ruling, and intends to have an open dialog with the European Parliament, member states, civil society, law enforcement and data protection authorities. Only then will it be able to decide whether there is a need for a new proposal, the source said.

Technically, Merkel could try setting up a new German data protection law without a broader EU directive. However, her own justice minister has firmly rejected the mass surveillance idea, telling German television a few days ago: “With data retention, we also store all data from journalists and restrict freedom of the press. That does not fit together.”

She would also need to somehow make sure that her data retention law didn’t fall foul of the arguments the CJEU used to strike down the EU Data Retention Directive, advice from the EU Legal Service division suggests.

German government website attack may be Ukraine-related

Two German government websites were knocked offline by a distributed denial of service (DDoS) attack around 10am local time on Wednesday. Chancellor Angela Merkel’s site is still down five and a half hours later, but that of the Bundestag came back minutes ago. The pro-Russian CyberBerkut hacker group has claimed responsibility, claiming the attack was carried out as an appeal to Germany to “stop financial and political support of criminal regime in Kiev, which unleashed a bloody civil war” in Ukraine. Although the attribution of today’s attack remains unconfirmed, the group has been highly active since the ouster of Ukrainian president Viktor Yanukovych in February 2014.

German court denies Snowden visit bid

The German high court has denied an attempt by two of the country’s opposition parties to have NSA whistleblower Edward Snowden visit Berlin to testify before the Bundestag, Germany’s parliament.

The Karlsruhe court reportedly said that the suit was an administrative issue that had to go before the Federal Court of Justice instead. The suit had been filed by the Greens and the Left, seeking to force the government to allow Snowden into Germany – he is currently still stuck in Russia, and Chancellor Angela Merkel’s administration has not been keen to let him in, lest the visit further impair relations with the U.S.

The German government has previously asked whether Snowden would be willing to testify before the parliamentary inquiry into the NSA allegations if the committee members went to visit him, but his lawyer has said he would only be willing to testify in Berlin.

Meanwhile, a formal probe into the alleged bugging of Merkel’s phone by the NSA has so far come up short. The investigation launched in June, more than half a year after those allegations were published by Der Spiegel, leading to a great deal of public frostiness from Germany towards the U.S.

Germany’s chief federal prosecutor, Harald Range, told a press conference on Wednesday that there wasn’t enough evidence to bring charges in the case. He said: “The document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.”

The original Spiegel article in question (PDF) did not actually depict the document in question, which included Merkel’s phone number as a “selector”, though it did show others that apparently came from the NSA. Range, whose investigation continues, said the Spiegel reporter who produced the document had not provided further details to aid the investigation, and neither had the BND spy agency.

Perhaps importantly, the original article did not claim that the document came from the Snowden cache, but rather said more ambiguously that Spiegel‘s wider investigation had taken in “internal documents of the U.S. National Security Agency and other information, most of which comes from the archive of former NSA contractor Edward Snowden.”

UPDATE (December 13): Der Spiegel has hit back over allegations in some reportage that the Merkelphone document was a fake. The publication said on Saturday that Range had categorically denied during the press conference that the document was a fake. It also reiterated that what it had published and passed onto Merkel’s office was “a transcription and not the original document”, and accused Range of trying to “publicly undermine the credibility” of Der Spiegel.