Well, CCC has grown a bit, hasn't it? I'm very pleased to be here. And the first thing I want to do is apologize for my slides. I know there is far too much information on my slides. It breaks every rule of PowerPoint. So don't look at the slides. Maybe more listen to what I'm saying, because otherwise it won't make any sense to either of us.

To get through some preliminary preliminaries: for nine years I was Chief Privacy Adviser at Microsoft. And I have to explain a bit about what that job was. I didn't have any responsibility for legal compliance, thankfully. I didn't do anything really in US privacy. My job was to advise 40 National Technology Officers around the world. And a Microsoft National Technology Officer is a guy with a very big brain, often one or two PhDs, able to function essentially as Microsoft's ambassador to governments around the world at a very senior level, normally citizens of their own country. In a sense, you could boil down their job to this: if Steve Ballmer then wanted to get a prime minister on the phone in half an hour, it was the NTO's job to get that done.

So I didn't know about PRISM when I was at Microsoft. And what I'm about to tell you, I deduced from open sources and by deciding to read the American laws. And nobody asked me to do this. What happened to me after that was that I explained to a big Microsoft internal strategy conference about cloud computing, with all of the cloud management there, all of my National Technology Officers there, the Deputy General Counsel of Microsoft, what I had discovered. And I said to my technology officers: look, you ought to know this. If you sell Microsoft cloud computing to your own governments, then this law means that the NSA can conduct unlimited mass surveillance on that data. So the Deputy General Counsel of Microsoft turned green. I'd never seen anyone turn green before, but she did. There was dead silence in the room. In the coffee break, I was threatened with being fired.
And then two months later they did fire me without cause. So since then, really from 2011, I went round trying to tell as many people as I could about what I had discovered. And I've given variants of this speech now about 20 times, I suppose. But I hope this brings things right up to date as of about two weeks ago. And also I'm going to tell you some things which I haven't told before.

So the first thing to say is that this talk is not about cloud as storage. This is about parallel processing power as a commodity. And in fact this photo is just two photos crammed together. On the left is a modern data center. And on the right there's a door, a doorway. You probably can't see the number, but the number is 641A. Now how many people know what 641A refers to? Good, okay. So 641A came from the story of the first warrantless wiretapping episode, from about 2005 to 2007. And I don't have time to tell that story, but in fact that doorway contained a deep packet inspection box installed round about 2002 in one of the main AT&T switching centers in San Francisco. So in a sense, you could boil down my talk to: how likely is it, legally or technically, that there's one of those on the right and one of those on the left?

So what this talk is going to be mainly about is the law underlying what we now call PRISM. And it is the 2008 Foreign Intelligence Surveillance Act Amendments Act, which when it was passed had a different numbering, which needn't bother us, called 1881A. Now everyone calls it Section 702. And what it's about is obtaining foreign intelligence information. It intentionally targets only non-Americans outside the US. When I say only, that is of course 95% of the world's population. It's a blanket authorization for one year. There's a requirement to minimize access on US persons after collection, and to a certain extent before collection. And the provider of these services has to provide the government with all facilities and information to accomplish this acquisition in secret.
So the first point I want to emphasize, which will make sense when we come to the next slide, is that this means if you're not an American, you cannot really trust cryptographic services, or in general software services, provided by US companies. Because even if that software or that cryptography is sound to begin with, you're going to receive software updates. And if you're not an American, outside the US, a software update could be pushed to you, targeted at you, which is going to subvert your security. If you don't comply with one of these orders, it's a contempt of the Foreign Intelligence Surveillance Court. If someone in an American company, as Marissa Mayer said last year, if someone in an American company were to tell, say, a foreign data protection authority, that's potentially an offense under the Espionage Act: 20 years in jail or worse. So the providers of these services have complete immunity from civil lawsuits. And all of this must be done in a manner consistent with the US Fourth Amendment. And the analysis I'm giving you now is the analysis that I was giving people a year or 18 months before Snowden, verbatim. These slides haven't been changed.

So what is foreign intelligence information? So we have to now go back to the very first FISA Act, the very first Foreign Intelligence Surveillance Act in 1978. And the definitions I'm showing you, the significant part I'm showing you, has not changed since 1978. It's been there that long. And the extraordinary thing is that in the legal literature, the policy literature, there is absolutely nothing written about the part on the bottom in bold, nothing at all from the perspective of a non-American. So the print's probably too small, but in the definition of foreign intelligence information you can see the sort of things that you'd expect, like money laundering, sabotage, international terrorism. And then there's the section in bold.
And to actually get the text at the bottom, you have to unwind two levels of legal definition and substitute them in. But when you boil it down, foreign intelligence information can mean simply information with respect to a foreign-based political organization or foreign territory that relates to the conduct of the foreign affairs of the United States. Nothing necessarily to do with national security, nothing to do with terrorism, nothing to do with crime. Simply if it relates to the foreign policy of the US, which is an incredibly broad definition; you won't find a definition as broad as that in any other law, I believe.

So what is also peculiar about this definition is that it's conditional on nationality. If, again, it's slightly too small to see, but if you are a United States person, that is to say an American citizen or permanent resident, where it says "relates" it would read "necessary". Necessary: a very high and strict legal threshold. But if you're a foreigner outside the US, it's "relates": a very, very low legal threshold, trivial to pass. So this is the only law, as far as I know, where the very term of the surveillance, the information to be obtained, is itself conditioned by the nationality of the person. Quite unique.

So what this law did in 2008 is that it combined, for the first time, three elements which had actually been there in previous laws. The first part, that it only targets non-US persons located outside the US, had actually been there in a stop-gap precursor law called the Protect America Act of 2007, but that expired after one year and then they had to do something permanent, which was this. But that idea of only targeting non-US persons located outside the US began with this earlier law in 2007, and this earlier law of 2007 was essentially designed to clean up the first warrantless wiretapping episode, which had been raging in the US press for a couple of years before that. The second thing that it did is much more significant.
In the Electronic Communications Privacy Act of 1986, it defined a term called Remote Computing Services. And when you look at that definition, you'll see that Remote Computing Services, even though it was defined in 1986, is a very good definition of all forms of public cloud computing that we would call that today. So this new term of Remote Computing Services was snuck into the FISA Amendments Act. Nobody apparently noticed it had been put in. And the effect of this was that all previous such laws had dealt with telecommunication providers and internet service providers, providers of communication services. By expanding the scope of FISA 702 to include Remote Computing Services, it effectively then extended all of these obligations to providers of cloud computing. And as extraordinary as it may be, there was no commentary on this at the time. There's nothing in the Congressional Research Service. There were no law papers commenting on it. None of the civil society activism at the time noticed this; no reference whatsoever to this addition.

The third new element, as we discussed, coming from FISA 1978, is that it doesn't have to be about criminality, or even, as we would understand it in Europe, national security, the vital interests of the state. It can purely mean political surveillance in the political and economic interests of the US. And surveillance over the ordinary lawful democratic activities of people in their own countries, exercising their democratic rights and freedoms. So this was designed for mass surveillance of any cloud data relating to US foreign policy, and it contains this extraordinary double discrimination by nationality. Firstly, in the fact that in the title of the statute FISA 702 only targets non-Americans outside the US, but also in that conditionality in the very definition of foreign intelligence information. Again, that structure is quite unique in the world.
So you remember that all of that had to be done with regard to the Fourth Amendment. And although it may seem strange today, back in 2012 nobody actually knew whether the Fourth Amendment applied to non-Americans outside the US. I would go to data protection conferences year after year where a representative from the US State Department would make these great paeans and hymns of praise to the wonders of the Fourth Amendment. And since it was directed to an international audience, I think it was reasonable to suppose that the implication was that somehow the Fourth Amendment was protecting everybody in that room. Well, there was a bit of a detective story to find out that it didn't.

It starts with a 1990 Supreme Court case called Verdugo-Urquidez, that isn't quite a perfect fit for the cloud situation, but it's sort of the best that we've got. And then in 2008 there was a Foreign Intelligence Surveillance Court of Review judgment about the Protect America Act. And this is the case that we now actually know is about Yahoo, what's called In re [redacted]. And of course a lot of information has now been declassified and come out, but it was actually Yahoo challenging the terms of this Protect America Act. And the judgment came down, actually, just after the FISA 702 Act had been passed. So in the unredacted parts, and this is very surprising because almost all references to this sort of thing are redacted, especially in the newly declassified FISC stuff, it said that there's no Fourth Amendment protection for foreign powers reasonably believed to be located outside the US. And further, probable cause as a term meaning a 50% likelihood that you're guilty, a 50% likelihood that there is sufficient evidence to show that you are the person the police are looking for in some criminal affair.
When I noticed this in 2010, it had appeared on the US court service website for about six months and then disappeared, but fortunately had been cached by the Federation of American Scientists. There it was in black and white, again in the unredacted parts, this extraordinary idea that if you're a foreigner outside the US, probable cause doesn't mean probable cause of any criminality. It just becomes probable cause that you're foreign. And that's the sufficient trigger to begin surveillance.

So what I'm going to show you next is a little short video clip. It's a clip primarily with Jameel Jaffer of the American Civil Liberties Union, a very fine privacy advocate at the forefront of challenging some parts of this from the point of view of Americans over the past few years. And he's talking in front of a House Judiciary Subcommittee hearing in the middle of 2012, because then FISA 702 was expiring, it needed to be renewed, and this is how the dialogue went.

"Let me see if you and I can agree on something. Does the Fourth Amendment apply to foreign targets in foreign lands?"
"I don't think that's the question presented by..."
"No, no, no, no, that's my question. So I promise you it's the right question, because that's my question."
"I don't think it does."
"Does it apply?"
"I don't think it does."
"When you say you don't think it does..."
"Well, in the circumstance of this statute, I don't think it does, right? And we certainly haven't made the argument that it does."
"Does the Fourth Amendment, I'm gonna talk about the statute, does the Fourth Amendment apply to foreign nationals in foreign lands?"
"It does not."
"Does the Second Amendment apply?"
"I don't know the first law, but I think no."
"Eighth?"
"I think it would depend on the circumstance."
"Women's suffrage, does that apply?"
"No."
"Okay, that's my point, they don't. So we're not talking about foreign, we're not talking about surveillance of foreign nationals in foreign lands, right? You don't think there's constitutional communications?"
"That's my second point."

So the significance of that is that Jameel Jaffer, doing the best job he could as an advocate, was really driven back against the wall to admit that there is no constitutional protection for foreigners in foreign lands, as the charming Texas congressman put it. And also that the US Congress was laughing. They were laughing at the idea that you have privacy rights. That is the climate of political debate in the US, as anyone who's followed the coverage will know.

So I had a bit of luck. I was invited to join some academics writing a report commissioned by the European Parliament on fighting cybercrime and protecting privacy in the cloud, and probably the reason this report was commissioned was to sort of increase the sort of cyber drumbeat of "we must have more intense surveillance laws". But I explained all this to my academic colleagues and they thought it was so important that they let me write the middle section of the report about all of this, pretty much the analysis I've shown you and some more. And this was published in October 2012. And 2012, the date's wrong actually, that should say January 2013. And then of course nothing happened. Nobody reads these European Parliament reports. It just sort of sat there on the website for two or three months.

And I was actually then watching the renewal of the FISA legislation. When did Congress decide to do that? Well, between Christmas and New Year, obviously. So I was watching it on C-SPAN and I just got fed up. So I started calling up all the journalists that I remembered from my old civil society days; not much luck. Offered the story to the Guardian: no interest. To other British newspapers, to the Washington Post, the New York Times: no interest. And then Ryan Gallagher, who of course is now working on The Intercept with Glenn Greenwald, wrote a very tight 800-word summary, which then created a little bit of interest in the blogosphere, about 1,500 tweets in a week.
And then, at least from Europe, the general reaction was: how can this possibly be possible? What on earth do we have data protection law for, if this is going on? The US blog reaction was much less, but typically: oh, those Europeans are kind of upset that we can spy on them. Who's gonna stop us? And that was from a self-described American civil libertarian.

So how did all this happen? How is it the case that thousands of European policymakers and data protection officials all over Europe apparently didn't understand this was happening? Well, I think for almost everyone in this room, what I'm about to say next is going to be slightly incredible, but we as technologists understand that if you want to encrypt data yourself, and you control the algorithm, you control the implementation of the software and you control the key, then you can put that data somewhere else and it's reasonably safe. But if you want to compute with that data, the meaning of cloud computing, you want to do useful work with that data in somebody else's data center thousands of miles away, well, there is no technical way to protect that. Because even if the data is encrypted on disk, when it passes through the CPU it has to be in plaintext to do useful work. Before somebody mentions homomorphic encryption, the cryptographers I talk to tell me that it's always going to be orders of magnitude too slow for general-purpose computing. And amazingly, as far as I can see, European policymakers did not understand this. They bought a whole lot of encryption blah, blah, blah from the industry that said: yes, of course we protect it, it's encrypted, isn't it? And yes, we have very good security measures and security policies, of course it's impossible. In fact, the cloud is more secure.
But apart from that, the general structure of the lobbying, from the US government in particular, was that US law offers very good protection to its citizens by the Fourth Amendment, as good as or better than many European countries, which is true. Therefore, don't worry about the US cloud. But of course you can see the fallacy. Once the data in Europe goes to US jurisdiction, it's totally vulnerable to laws like FISA 702.

What was also happening from about 2009 was a whole slew of what I call cloudwash. Various documents from the US mission to the EU and the proxies of the State Department; a law firm, deeply dubious, Hogan Lovells, produced a number of frankly deceptive, quasi-legal analyses that were pure propaganda; respectable law firms like Linklaters; and even the European Data Protection Supervisor was making speeches at an event organized by one of the main US lobbyists, talking about using new data protection mechanisms to streamline data into the cloud. ENISA had a very inglorious role in this, which I'll come back to, and then various other usual suspects. None of those materials at all, and I've now got a collection of about 30 from before Snowden, mentioned FISA at all, not even the original FISA. There was a lot of concern about the Patriot Act, but the Patriot Act turns out not to have actually been the key point of vulnerability for cloud computing.

So, sort of restating what I just said: is cloud mass surveillance a real risk? Well, what we know from what's been declassified by Snowden so far is that so far the cloud companies have not been asked to, as it were, internalize the mass surveillance. So far it appears that they have been presented with a particular selector, and you've all read enough about what those can be, I won't labour the point. But what I want you to think about for the future is this problem. We agree, I think, that you cannot protect data in cloud computing with encryption.
But in the new forms of cloud computing, platform as a service, you have an entire way of writing software where, as it were, under the hood, if you write the algorithm once, then the platform is supposed to take care of scaling that in a few milliseconds from one CPU to perhaps thousands of CPUs. And it's that elasticity of cloud computing which is probably going to be one of the key competitive advantages for cloud computing in future. So imagine that you want to intercept that. Well, you have to intercept it at the level where the data makes sense, which could be somewhere in quite a deep software stack. So it's really not much use plugging a deep packet inspection box onto the cables connecting the data center, because you might have to have 1,000 of those DPI boxes on standby. If the capacity of the algorithm that is actually running then scales onto however many thousand CPUs, you're going to need that much extra DPI capacity to surveil it, unless you use coercive powers to force the cloud provider to basically build the surveillance into the software. You build in surveillance subroutines at the necessary levels of the stack so that however that application scales, the surveillance capacity is already there in software. So I don't know, and it appears we have no evidence that this has been done already, but it seems the writing is on the wall that if governments are going to want to surveil cloud computing systematically, they're going to have to exercise those sorts of powers. And I guess the point I'd like to make is that 702 already provides those powers, even if they have not been used to that extent already.

So I now want to talk more about the European side of the affair and what's been happening with European data protection regulation. As I think almost all of you will know, there is a new data protection regulation that has been hung up in the European legislature for about two years.
And of course discussions continued after Snowden about what form this should take. And one whole part of that regulation is concerned with the legal means of exporting EU data outside, and particularly to the US. So in the current data protection directive, there are basically these ways of doing it. You can get somebody's consent. You can rely on Safe Harbor. You can form a contract with specially approved clauses with the person that you want to export the data to. And then there's also something new-ish called binding corporate rules. Binding corporate rules essentially allow a sort of corporation to make up their own scout's-honour charter: we really will obey this, and we'll invent some sanctions on ourselves if anybody breaks the rules. And this is sanctified by a data protection authority. And these were invented actually for fairly reasonable purposes: if a global corporation wanted to do all their human resources processing in one center, and therefore collect data from all around the world to do that, this was sort of the template idea behind a BCR.

But then, I think very dangerously, data protection authorities in cahoots with the big cloud providers thought it would be a very good idea to extend this idea of binding corporate rules to so-called data processors. Data processors being entities which supposedly have no decision-taking power over the data they process. They're really just acting on instructions from data controllers. So somebody, and I've got a shrewd idea who it is, had the brilliant idea: well, let's adapt this old-fashioned BCR idea for fairly tame purposes to cloud computing. And then we've got a template which can basically be the primary vehicle for legitimating cloud computing in European terms.
So the rough idea is: Microsoft, Google, whoever gets their BCRs certified. Once they are certified, in the new regulation the data protection authority must accept them, they wouldn't have any discretion as they do today, and then data can be transferred into, particularly, US-controlled clouds. And then all questions of mass surveillance just disappear into what I call a puff of audit, because the Article 29 Working Party, the committee of European data protection authorities, were so naive that they imagined that somehow a private security auditor, if they were inspecting a data center and they noticed Room 641A, and they said, oh, what's behind there? Can I have a look in there? And they'd be told, no, of course you can't. In fact, it's classified information that you even noticed that. If you tell anyone about that, you'll go to jail for espionage. Well, data protection authorities were so naive that they thought somehow private security audit could detect these risks of foreign mass surveillance.

So this diagram is supposed to show the sort of risk matrix of EU data sovereignty. And on the left you've got three kinds of information. Criminal law enforcement, which probably should include most terrorism cases; sort of bona fide national security, which in European terms we think of as being the vital interests of the state; and then essentially foreign policy and political spying for national advantage. And then in terms of the columns, you have intra-EU transfers and then EU data in the US. So the red zone is not covered by the Fourth Amendment. It's not covered by EU data protection. It's not covered by Council of Europe Convention 108. It's certainly not covered by the Cybercrime Treaty. And of course it's not covered by the European Convention on Human Rights, because the US doesn't recognize that. So all of this data for 15 or so years has been completely unprotected. Well, the story moves on. I'm going to have to accelerate a bit.
In January, President Obama made a flagship speech to try and address these concerns. And of course he's in an impossible position, because on the one hand he has to assure the American people that FISA 702 in particular is no threat to Americans because it's designed to spy on foreigners. But then at the same time he has to find somewhere reassuring for the rest of the world. So what he came up with was a very well-written, very well-crafted speech, but the meat beneath the speech was a new Presidential Policy Directive, PPD-28. And basically there's a real gotcha of a footnote. So footnote nine says: this directive is not intended to alter the rules applicable to US persons in Executive Order 12333, which I'll have to mention, the FISA or other applicable law.

Just as a brief digression, Executive Order 12333 was created by Reagan and essentially it is a policy directive which covers NSA activities spying entirely outside the United States. When you're basically just spying on foreigners, there's no reason to believe Americans are involved. You may have NSA agents infiltrating data centers in some foreign country. That's what EO 12333 is about, and it's policy. It's not law. And there's a reason for that we'll come back to. So in other words, in the small print, well, in the footnote, all of the reassurances in PPD-28 are basically worthless from the point of view of establishing any kind of equality of rights. There's still going to be discrimination by US nationality. If you're a US person, then a law enforcement authority would need a particular justified FISC warrant to that higher legal standard of necessity, and if you're not a US person, basically the NSA just adds your selectors to a list.

Then we had a report from the so-called Privacy and Civil Liberties Oversight Board, which essentially has no mandate to look out for the interests of non-Americans at all.
Their analysis of the situation of non-Americans occupied five pages out of 196, and frankly I think it's misleading, tautologous, credulous junk. And there has been a vast amount of FISC declassification since, not all of which I've analyzed, but basically there is this tendency that a lot of the stuff that is redacted, you can tell from the context, the stuff that's redacted is about the situation of non-Americans.

So who did I warn exactly? Actually I first got an opportunity to try and get some interest from the Open Society Foundation way back in January 2011. And I explained to that committee, not to Soros in person, what the score was, made quite an impact on them, but they didn't do anything. They said they only fund existing NGOs and they've done nothing. In fact, Soros has done nothing about surveillance issues in Western Europe in the entire time the Open Society Foundation has been operating. If anybody doubts that, I asked Soros that in person in March at a conference I attended and he didn't deny it. I also warned Privacy International in June. They said they had no resources, and I tried again in October and still no interest from Privacy International. And that pains me particularly, since I've known the guys in Privacy International and worked with them for 15 years, and I'm genuinely baffled by what's happened to Privacy International recently. I also, in September, when I'd actually left Microsoft, warned EDRi and DG Justice at cabinet level, and the Polish Data Protection Authority, who did nothing and basically put one footnote of the slide deck I'd shown him in an academic article he wrote. He, of course, has now become the deputy European Data Protection Supervisor. The Greens were very helpful and I have nothing but praise for, particularly, Ralf Bendrath and Jan Albrecht; they are straight shooters and I'm very grateful for the help they've given me.
In September 2012 I had an opportunity to make a speech at the European Academy of Law, where Peter Hustinx was there, his deputy, now EDPS, Giovanni Buttarelli, representatives from the EU Council, the person in charge of the International Transfer Section from the CNIL and therefore de facto Article 29, and I basically explained all of this in 54 slides with a great deal more legal analysis. Again, stunned silence but total inaction. At a different conference, I made ENISA aware of all this and then had some correspondence with the head of ENISA, who basically said they had no mandate to act, that this is all excluded from their mandate by national security exemptions. But then of course after Snowden it would seem to be politically impossible for ENISA to say that, so ENISA concocted really rather a bogus and meretricious document, sort of implying that they had factored these sorts of risks into their pre-Snowden cloud analysis, and that's totally untrue. I had an opportunity to make a speech to the European Parliament Interparliamentary Forum for Civil Liberties in October 2012, again to stunned silence. The Portuguese DPA put up their hand and said, can we have some details please, and then I tried to get in contact with the Portuguese DPA. No response. And then in February 2013, that was when I made the presentation of the European Parliament report that I mentioned before, and that did make an impact, and immediately afterwards the LIBE Committee asked me to draft some amendments for the new data protection regulation, but I'm afraid they were mostly ignored or diluted. And then just before Snowden, in May, DG Connect, in charge of cloud policy, I'd been beating them up as well, they finally organised a forum at the offices of DigitalEurope.
DigitalEurope are essentially the trade association for electronics, IT and software companies, largely dominated by US and UK companies, and basically DG Connect said: well, Caspar, we're not going to think about this, but look, if you can convince those hard-nosed bastards at DigitalEurope then we'll take you seriously. And basically they laughed at me, just before Snowden.

So what has been the EU Commission's cloud policy to date? It was run by Neelie Kroes out of DG Connect, and the official EU policy document published around 2012 essentially rejected the idea of making any pan-European cloud which was sort of safe, because there was no enthusiasm from member states; basically the member states didn't really trust each other any more than the US, and that sort of collapsed the idea, to the extent it was ever seriously considered. There was a steering board composed of industry bigwigs, and then various bits of candy floss about Trusted Cloud Europe, yada yada, and then after Snowden a new group was set up to try and streamline cloud contracts, and I actually joined that for a while until I realized there was no interest whatsoever in drafting anything which would make surveillance harder or build in some sort of deterrence. That just wasn't the agenda at all. It was simply about making cloud essentially less treacherous from a contractual point of view, which is useful work but nothing to do with stopping surveillance. A particularly pernicious idea is that if you have a cloud contract with a provider, then that provider should be able to basically subcontract what they've contracted with you, sort of recursively. So you can glue on a sub-provider and a sub-provider and a sub-provider onto that, which could of course be in different countries.
So you would have absolutely no idea where the data was flowing, and Article 29, the data protection authorities, were pushing this idea, and I sharply criticized that, and they said, well Caspar, you don't understand, our job is not to stop any kind of processing, our job is to find a legal basis to allow it to happen. And that is the mentality still in the core part of the European data protection authorities. So really there has been no substantive change whatsoever in EU cloud policy since Snowden, but when you listen to the speeches, certainly before the new commission, of Neelie Kroes and Viviane Reding, you would hear it is vital that we get a strong new data protection regulation so that we can deal with all of this surveillance stuff, which is completely false.

What did Parliament do? Well, after they asked me for some amendments, when Snowden happened the Parliament phoned me up and said, Caspar, it's all true, would you like to write the briefing note for the official European Parliament inquiry, which I did, and there's a reference to that at the back of the slide deck, and if you want to read one thing about all of this then I'd encourage you to read that. It's only 30 pages but I think it's one of the best pieces of work I've done. So after Snowden, basically the LIBE committee, the civil liberties committee, went into a sort of purdah, a lockdown. There was one particular politician who insisted on this, Baroness Ludford of the Liberal Democrats, who marvelously lost her seat at the last election, so we don't have to worry about her anymore.
Not, unfortunately, on these accounts, but just the luck of the draw, and the Liberals are so unpopular. But anyway, for reasons which are too politically complicated to go into now, essentially LIBE cut itself off from all advice, any interchange really, with what they were cooking up, the sort of compromise they were cooking up, and so what emerged out of this purdah was so-called Article 43a. This was a restoration of a clause which was lost; a penultimate draft of the draft was actually published by the commission in 2012, and what it said is that in the case where you put some data in the cloud and then the US, for example, law enforcement wants to get direct access from that cloud provider, well, the cloud provider has got to tell, and get permission from, the data protection authority to do that. So it sets up a deliberate conflict of law, because you remember, if somebody had done that in respect to the FISA law they would have been in contempt of the FISC court and possibly endangering themselves under the Espionage Act. So that's putting the companies in a terrible, terrible squeeze, except, well, think about it: on the one hand you've got contempt of the FISC court, a very, very powerful court in the US, and potentially espionage charges; on the other hand you've got fines and a very long, dubious process of enforcement by very ponderous European data protection authorities. The fines might get quite big, but then again they might not. So which are you going to choose?
So it's not a credible deterrent, and that was a key part of the advice and amendments that I drafted for the parliament, but they wouldn't go for it. One good thing the parliament did do is they removed these BCRs for processors, but it's likely the commission and the council and Article 29, because it's their sort of baby, will want them put back.

Well, this is a bit outside the scope of the talk, but I want to say that there's a lot wrong, apart from this, with the new data protection regulation. I've reluctantly come to the view, from having thought it was motherhood and apple pie, that this is going to be a curse on personal freedom; this is going to be an irreversible bureaucratisation of everyday life. I probably will skip going through all the things which are wrong here, except just maybe the ultimate point. In the new regulation, which is going on four times as much text as the original directive, there are 450 references to this term of art, processing. Processing can mean computing with data or storing data, but as we now know, but they didn't know in 1981 when somebody had the bright idea to munge these two ideas together, we now know that you can protect stored data with encryption but you can't protect computed data with encryption. So this entire regulation is built on conceptual sand. Each of these 450 references is inherently ambiguous, but that is conflating two completely incommensurable information security situations, one of which is tractable with technology and the other which is not. That's how messed up it is conceptually.

So to come right up to date, the Article 29 Working Party came out just this month with their opinion, a 51-page opinion, on the whole surveillance thing, expanding from a shorter opinion they published last year. It's a very muddy piece of work. It's really a long letter of self-exculpation about why they couldn't reasonably be expected to do anything about this to date, but they do make some interesting statements: the exemption in the EU treaties
offers no possibility to invoke the national security of a third country alone in order to avoid the applicability of EU law, and this is a sort of rebuff to the carve-out in the EU treaties for national security, but of course that is the national security of member states, not of a third country. And DPAs may suspend data flows on their existing powers, particularly in Germany, hint-hint, but they haven't done so so far, and they're also awaiting the outcome of the Max Schrems case, which we haven't got time to talk about now. But they also, Article 43a, this conflict of law, the commission's idea, now put back by the parliament after being lobbied away just before the publication of the original regulation, they don't like it. They say it may be a step in the right direction, that's going to be the solution to all problems, but here's the bombshell, right at the bottom, and it's not obvious: they say that if there is any such Article 43a, they don't want the job. Basically it would be the interior ministry of each country which would take that decision whether to approve or deny the transfer, not the independent data protection authority. They don't want the job. In other words, within the sort of conclave of Article 29 they have failed to reach any consensus that this problem of foreign intelligence surveillance is really anything that should be done by them, and we can maybe have a question or two about that. Article 29 also evades their own responsibility for this mess. Back in 2005, in one of their working party documents dealing with all of this, they said that one of the reasons they were inventing these BCR contract structures was so that transfers they called repeated, mass or structural, which was their sort of code for this sort of thing, precisely because of its importance, should somehow be carried out within these legal frameworks they were inventing. But nine years later they say exactly the opposite. They say that these instruments which they invented should not be the basis for these
massive, structural or repetitive transfers. So in other words, Article 29 in their folly got this whole ball rolling in the mid-2000s as if these preposterous legal mechanisms could possibly contain these risks, and now they contradict themselves and walk away without acknowledging their absurdity. They also didn't mention the discrimination by nationality in U.S. law which I stressed, and in fact in 150 opinions since 9/11 they never even mentioned the concept of foreign intelligence at all. The other bits I don't probably have time to explain right now, but what they did do, at a big conference in the beginning of the month, is publish a political statement, sort of 15 points of political belief, which sound very right-on. They are in fact the sort of thing that privacy activists do say and espouse, but really this is a decoy. This is a decoy to try and distract attention from the fact they cannot achieve any solidarity amongst themselves for deciding that they actually have a responsibility to enforce the existing law, to shut down data flows, to make the United States pay a price.

And the U.S. is exceptionally exceptionalist. If you look at references in surveillance law to the discrimination by citizenship and nationality, rather than the geography of the communication path, well, there's about 40 in U.S. law, counting up FISA and Patriot and FISA, the First and Fourth Amendment special protections. The U.K. has zero. Surprisingly, Germany has one, which is a profound embarrassment, and I hope I get a question about that, because in the ECHR human rights are supposed to be equal, but actually part of the German G10 law is very analogous to 702. Canada has about two, New Zealand two, Australia two, and I haven't been able to discover any others at all, and the U.S.
has 40. So what have NGOs done? At NETmundial in Brazil and the Istanbul IGF nobody said one word about discrimination by nationality. I was tweeting like crazy, kind of kicking their shins; the subject was never even raised by anybody. CDT, ACLU, EFF have done very little on non-U.S. person rights. I'm sure there are people here who will quarrel about that. Access has done more than most. EPIC said not one word about FISA in 18 years of visiting the EU and helping us with our privacy problems. EDRi has done nothing before or after Snowden, and I've mentioned Privacy International already.

Is a real treaty with the U.S. even possible? Supposing we got the sort of guarantees that we would like to have, the criminalization of data protection and defences, there is a serious fundamental problem, which is that spying on foreigners abroad is an inherent presidential authority. Congress cannot restrain that presidential authority. So in other words, if Obama today makes a promise and says we changed policy, we're going to rewrite EO 12333 much more strongly than PPD-28, you can't trust that, because a future president or the same president could tomorrow in secret renounce that policy. So it's not even clear that a legally binding treaty is possible unless you change the U.S. Constitution. And generally what I've been recommending for a couple of years now is a three-prong strategy for EU response. Firstly, you work out essentially which data flows are more valuable to the U.S.
than they are to Europe, and you begin shutting them down, as in a trade war. Secondly, you need a long-term EU industrial policy to develop software and cloud services, and I think also critically that should include a secure operating system for individuals, or a much more secure operating system for individuals. You might have seen at the beginning of the slides, I'm now a policy advisor to the Qubes OS project, and I do think if you haven't heard of Qubes and you're worried about the security of your own laptop, you should check it out. That's all I'll say. And thirdly, we need whistleblower protection, because it's only through Edward Snowden's courage that we know at least that anyone is taking this seriously now, and we don't know that the next whistleblower is going to be as altruistic as Snowden. So we need to actually give them watertight asylum and probably some incentives, probably some rewards. I actually proposed to the parliament that the whistleblower should get 25% of any fines that are currently exacted on a controller. Now that sounds an enormous amount, but you've got to remember that person is likely to be an American, either somebody working for a corporation or working for the NSA, and they are going to need bodyguards and protection from extraordinary rendition and kidnapping back to a sort of Guantanamo for the rest of their lives. So that's why the incentives have to be enormous, to provide a credible deterrent.

So now, welcome to the meta-panopticon. It is unfortunately true that most people don't think they have anything to hide from their government, but people vote for politicians, and they have to have trust in public officials. They have to trust that public officials are acting impartially in their national interest and in their collective interest. So how now are people going to know that that is the case, because any politician or official in Europe now knows that the NSA, and probably GCHQ, knows every detail of their private life, every indiscretion,
everything rash, emails sent via Gmail, any phone call, implication deducible through traffic analysis. Well, anyone with half a brain cell in a position of power in the EU now knows their private life is up for grabs. Their career could be ruined with one tabloid news story, or their promotion ruined if they show perhaps too much anti-American bias and that comes to the attention of the US and they sort of arrange for the other guy to get promoted. Well, how do we know that's not going to happen? Because even if it doesn't happen, we might reasonably suspect that that may happen. So that is a profoundly corrosive idea for democracy, but it's something that we now have to deal with. We cannot deal with it by not thinking about it, and as I put at the end of my report, what Edward Snowden has put in the minds of the public cannot now be unthought. Thank you very much.

Okay, we can take about 10 minutes for Q&A, so if you have a question, find a microphone, preferably one of those, and also I have a signal angel in the back, and she has a question.

Yes, hello Caspar. So we have a ton of questions for you in the IRC, and they were really excited about your talk. I mean, I'll just start with one: can you name three countries whose laws are equally balanced in protecting its citizens as well as foreigners? So which countries could we take as an example for laws in Europe or in Germany?

So I think one important distinction to make is what has been going on in reality, as we now know from Snowden, and then there is what the law is in theory. So in every European country, I believe, apart from Germany, the laws are equal. There is nothing in European laws, apart from Germany, where it says if you are a French citizen or if you are a Slovakian or a Czech citizen you get better protection in respect to privacy and surveillance. What almost every other country's laws say is they differentiate between purely domestic communications, starting and beginning in one country, and communications which cross the
border of that country. So that is the way that most laws make that distinction. But you may say, well, does that make a difference? Yes it does, for cloud computing, but the stark contrast is: if you have any American data in Europe then that data is equally protected by European data protection and human rights law, and an American could come over here and start taking a case through European data protection authorities or European courts without any trouble at all if they thought their privacy was being unjustifiably infringed. The converse is not true. All EU data, as I hope I have demonstrated, in the US you have no legal rights, and that is the asymmetry created by cloud computing. Before cloud computing, the rough assumption in the build-up of these international laws for 50 or 100 years was that territory was roughly congruent with jurisdiction. What cloud computing does is it just floats those two apart and creates this vast asymmetry.

The mic over there.

Okay, so thanks for the talk. In Germany the parliament finally decided to open up an investigation commission after the Snowden revelations, and so they got witnesses from the German intelligence services, but not much came out because all the details are classified, which would hold as proof, and the government also protects them, and it appears that somehow the intelligence services operate in some sort of room that is independent of the law. Now you pointed out how in the US they would be, what they could do within the boundaries of the law. Now my question is, do they even care, or more formally put, how likely would you think that the US agencies would feel bound by the US laws at all?

So I think that they do feel bound by the US laws. There was a great John Oliver, The Daily Show, quip, which is: the amazing thing, Mr.
President, is not that anybody is saying that you broke the law; the amazing thing is that you didn't have to. And I do think that when you read the texture of what NSA lawyers have said, and the texture of the PCLOB reports and so forth, they are in a sense legal overload. We're now getting kind of bombed with thousands and thousands of pages of American legalese, but the trouble is none of it has any relevance for us. It is all about, because that is the only rights which exist, it is all about protecting the rights of Americans, and there simply are no rules that are defined for anybody else. Thank you.

The microphone over there, please.

Hi, I have a question about the role of jurisdiction in the area of cloud computing. As I'm sure you know, Microsoft is challenging a ruling in the States about access to data held in the EU, and I'm just wondering what your views are on that. Is it sort of PR snake oil, or is there something like a positive role that US companies can do for challenging this global surveillance?

So, as I say, I'm very glad you asked me that. As you can imagine, getting fired by Microsoft for trying to warn them about 702, I do find it kind of amusing that now Microsoft is painting itself as the champion of privacy, and I'm afraid this case is not about protecting the sovereignty of European data; this is about protecting the sovereignty of Microsoft. But the short answer is, the substance of that case is only about the Stored Communications Act, a part of ECPA 1986; in other words, it only deals with criminal law enforcement. So even if Microsoft won that case, and I actually hope they won't, because then that will kind of shore up this rotten system that we have today, but even if they won that case, it would do nothing to prevent surveillance under EO 12333 or FISA. It's completely orthogonal to that.

We'll take another question from the internet.

So, hello, okay, so two questions in the same direction. The question is that, I mean, the US are quite powerful in comparison to Europe, so one
of your examples was to not give them any data anymore that they really, really want, to have something to trade off. So how do you think that will work? Is there any possibility that this will be the case?

So when I first started recommending this policy a couple of years ago, basically everyone said it was crazy, and they said there is no capacity for this in Europe, we don't have enough software houses, we don't have enough people who could build and invest in data centers, it's completely crazy. But what I heard from the commission just two weeks ago is that what they're hearing now is actually European providers, particularly telcos, are gearing up to now provide European-based data centers. And of course another consequence of what I said is people should now be using open source software for security, because of this problem of actually pushing software updates, and through a software update any security infrastructure you've got being able to be toast, because you just don't know what's in the update. Of course open source is no panacea, but tools like static analysis for getting the bugs out of open source are much more effective than when we last had this debate 12, 13 years ago. So from all points of view there is just a massive advantage now in everybody, particularly governments, switching to open source cloud computing indigenously hosted in the EU. If you do that, of course the NSA can still try and break in, but if the NSA is trying to break in you can at least defend by conventional means, and you're in essentially a totally different situation than if you've handed all of that data over on a plate for the inspection of 702.

I think we've got time for two more questions.

Thanks for the speech. Your claim is that Article 43 does not work because of the asymmetrical nature of the crime and punishment; the punishment for spying is 20 years in prison, etc., but it does not apply to European citizens operating in Europe. So could Article 43 not be shored up by saying anyone who provides
cloud services in Europe has to have a non-American citizen working in the role of getting the information about the back and forth that's required by Article 43, and then the asymmetry does not exist anymore, if that's a word?

There are a couple of problems. One is that it's by no means clear that the Espionage Act can only be used against American citizens, and the second point is that the scope of American law extends not just to US-based companies but to any company that does business with the US. So theoretically a 702 order could be put onto Deutsche Telekom or France Télécom or whoever, but from my experience working in a very big corporation, my judgment is the US would not serve a 702 on a European company, because the whole purpose would be secrecy, and I think, that may be naive, but a European corporation, with a staff of European lawyers, they would not put up with that. They would ensure that essentially they would cry for help from their own government, from data protection authorities. So I think in practical terms there is very substantially less risk for a European company, even if it is a big business in the US, to be subject to this law. But I'm afraid putting the responsibility just on a European citizen won't necessarily do it.

And the last question, over here.

Do you think there is any way an American company can set up a cloud offering that really, legally protects their customers' data from, let's say, the US legally spying on them?

Sure, yeah, I mean, just use a European company running free software physically located in the territory of Europe, and you protect that as well as you can. But not for an American company, no. There is no way out for an American company, something about which I'm terribly, terribly sad.

Thank you so much, Caspar. I hope that there will be a result that is bigger than stunned silence.