PI http://privacyinternational.org/ en Cloud extraction technology: the secret tech that lets government agencies collect masses of data from your apps http://privacyinternational.org/long-read/3300/cloud-extraction-technology-secret-tech-lets-government-agencies-collect-masses-data <span class="field field--name-title field--type-string field--label-hidden">Cloud extraction technology: the secret tech that lets government agencies collect masses of data from your apps</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Tuesday, January 7, 2020</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Photo by Rahul Chakraborty on Unsplash</p> <h3><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong><span>When government searches shift from the phone to the cloud: cloud extraction technology and ‘the future of mobile forensics’</span></strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h3> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Mobile phones remain the most frequently used and most important digital source for law enforcement investigations. Yet it is not just what is physically stored on the phone that law enforcement are after, but what can be accessed from it, primarily data stored in the Cloud. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Cellebrite, a prominent vendor of surveillance technology used to extract data from mobile phones, notes in its Annual Trend Survey that in approximately half of all investigations, cloud data ‘appears’ and that <span><em>‘[t]ypically, this data involves social media or application data that does not reside on the physical device.’</em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>That it ‘<em>does not reside on the physical device</em>’ indicates that law enforcement is turning to ‘cloud extraction’: the forensic analysis of user data which is stored on third-party servers, typically used by device and application manufacturers to back up data.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Yet as law enforcement increasingly turns to cloud extraction to obtain data from apps, a YouGov poll revealed that in the UK 45.6% of people have not thought about where data created by apps on their phone is stored and 44.3% of people do not know or think that apps on their phone use cloud storage. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><img alt="graph describing whether apps on phone use cloud storage" data-entity-type="file" data-entity-uuid="7319699a-b4ef-4dd6-b0b4-f1d8b5ecd093" src="/sites/default/files/inline-images/Picture%201_1.png" /></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>As we spend more time using social media, messaging apps, store files with the likes of Dropbox and Google Drive, as our phones become more secure, locked devices harder to crack, and file-based encryption becomes more widespread, cloud extraction is, as a prominent industry player says, <span><em>“arguably the future of mobile forensics.” </em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><strong><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“Private cloud-based data represents a virtual goldmine of potential evidence for forensic investigators.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></strong></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>At Privacy International we have repeatedly <a href="https://privacyinternational.org/campaigns/phone-data-extraction">raised concerns</a> over risks of mobile phone extraction from a <a href="https://privacyinternational.org/explainer/3022/push-button-evidence-digital-forensics">forensics perspective</a> and highlighted the <a href="https://privacyinternational.org/news-analysis/3281/can-police-limit-what-they-extract-your-phone">absence of effective privacy and security safeguards</a>. Cloud extraction goes a step further, promising access to not just what is contained within the phone, but also to what is accessible from it.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><strong><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Your phone, with all the data there for exploitation, becomes the key to unlock your online personal and professional life. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>In this context, cloud extraction technologies make for disturbing reading as we grasp how much is held in remote servers and accessible to even those with limited forensic skills who nonetheless are now able to acquire push button technologies that can ‘grab it all’.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Greater urgency is needed to address the risks that arise from such extraction, especially as we consider the addition of facial and emotion recognition to software which analyses the extracted data. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>There is a failure to inform the public about new surveillance technologies deployed by the state; an absence of clear, accessible legal frameworks; a lack of discernible action by governments and little to protect the public from data exploitation. The seeming wild west approach to highly sensitive data carries the risk of abuse, misuse and miscarriage of justice. It is a further disincentive to victims of serious offences to hand over their phones, particularly if we lack even basic information from law enforcement about what they are doing. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Cloud extraction technologies are deployed with little transparency and in the context of very limited public understanding: this report brings together the results of Privacy International’s open source research, technical analyses and freedom of information requests to expose and address this emerging and urgent threat to people’s rights. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><a><span>What is mobile phone extraction</span></a></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Mobile phone extraction tools are devices and software that allow the police to download data from mobile phones, including: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <ul><li><span><span><span>Contacts</span></span></span></li> <li><span><span><span>Call data – who we call, when, and for how long</span></span></span></li> <li><span><span><span>Text messages</span></span></span></li> <li><span><span><span>Stored files – photos, videos, audio files, documents, etc</span></span></span></li> <li><span><span><span>App data – what apps we use and the data stored on them</span></span></span></li> <li><span><span><span>Location information</span></span></span></li> <li><span><span><span>Wi-fi network connections – which can reveal the locations of any place where we’ve connected to wi-fi, such as our workplace and properties we’ve visited. </span></span></span></li> </ul><p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Mobile phone extraction entails the physical connection of the mobile device that is to be analysed and a device that extracts, analyses and presents the data contained on the phone. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>However not only does it provide what is contained on the device itself, it can be a gateway to the Cloud and to external sources of information. If you extract logins, passwords and tokens from the examined device, these can be used to validate credentials to extract cloud stored data.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><a><span>What is cloud extraction</span></a></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Cloud extraction (or cloud analytics) is the ability to access, extract, analyse and retain data stored in the Cloud, a term widely used by technology companies to refer to the storage of data remotely, from applications or devices, typically on a third company’s servers. Examples include Dropbox, Slack, Instagram, Twitter, Facebook, Google products such as My Activity, Uber and Hotmail. We explore the types of data that can be extracted in more detail below. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>As cloud storage is increasingly used for social media, internet-connected devices and apps, cloud extraction opens the door to a huge amount of personal information. In reports on the explosion of cloud-based data, it is said that by 2025, 49 percent of data will be stored in public cloud environments. Cisco Global Cloud Index forecasts the growth of global data centre and cloud-based IP traffic and predicts an increase in use of public cloud data centers by 2021. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><img alt="social media usage" data-entity-type="file" data-entity-uuid="462bfdbe-167a-4a9e-8ac0-d61426842219" src="/sites/default/files/inline-images/Picture%202.png" /></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“The lion’s share of data from mobile applications are stored within the cloud. With this being said, it should be understandable that there is a massive amount of user data available for collection.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Cellebrite’s UFED Cloud Analyzer, for example, uses login credentials that can be extracted from the device to then pull a history of searches, visited pages, voice search recording and translations from Google web history and view text searches conducted with Chrome and Safari on iOS devices backed-up iCloud. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>By acquiring the login credentials, it allows its users to then continue to track the online behaviour of the device’s user even if you are no longer in possession of the phone.</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong><img alt="oxygen forensics tweet" data-entity-type="file" data-entity-uuid="1dfce8a8-d9d6-46ad-96cf-4e40ee43cbf6" src="/sites/default/files/inline-images/Picture%203.png" /></strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p> </p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><a><span>How does it work</span></a></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>There are a number of ways to access Cloud data <span><em>“independent of the status or configuration of the mobile device”</em></span></span><span>, which makes it attractive from a forensics perspective. The first involves applying known user credentials provided by an individual, i.e. when the individual submits voluntarily their login details. The second method is by extracting data from a phone and then using the tokens found on the device or found on another device such as a laptop, where a user might have authentication tokens saved by a browser. The third method involves collecting data in the public domain.</span><span> </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“When a user authenticates successfully to an app or cloud service, the service <strong>returns a token</strong>, which is used to enable the user to access the service without having to enter his or her username and password again. A token is like a pass, and it is used, for example, when you open your Gmail account and it logs you in without requiring any interaction from you. Most tokens have an expiry set at the time of authentication, which varies per app or cloud server. Some are good for a single session only, others for two weeks, some for 30 days, and some forever if the user uses the app on the same mobile device.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p>The use of tokens avoids two factor authentication (2FA) being triggered by logging in, which would ordinarily inhibit access to data. 2FA, the process in which a user is prompted to confirm a code sent to an independent device, such as their mobile phone, is a key security feature. However, even if 2FA is triggered, Oxygen Forensics Cloud Extractor states it can notify the investigator and “several options are provided to bypass the additional steps.”</p> <h3><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><em><span>Tools used to obtain tokens beyond the mobile</span></em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h3> <h4><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Elcomsoft’s GTEX tool can search a computer for authentication tokens </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h4> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><em><span>“</span></em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><em><span>Passwordless authentication into Google Account is available if Google Chrome is installed on the user’s computer, and the user signed in to at least one Google service via the browser. The new Google Token Extractor (GTEX) tool automatically searches the user’s computer for authentication tokens saved by the Google Chrome browser. Once the user signs in to their Google Account in a browser session, these tokens enable seamless access to Google services without the need to re-enter the password</span></em></span><em><span>.”</span></em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h4><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Cellebrite’s PC Cloud Collector </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h4> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><em><span>“is an independent tool that creates tokens from a suspect’s PC using the cookies in the browsers and the applications that are installed on that PC.</span></em></span><em><span>”</span></em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h4><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>UFED Cloud Analyser 7.6</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h4> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><em><span>“extends its password collector functionality to include passwords save on mobile web browsers. Examiners can now retrieve password logins from various sites using the password collector to collect the maximum amount of data about a suspect or victim. This is accomplished by leveraging a person’s login details which have been saved in their browser when they access their online accounts.”</span></em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h4><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Another similar tool is Oxygen Forensics’ KeyScout to find passwords and tokens on a PC</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h4> <p><span><em><span><span><span><span><span><span><span><span><span><span><span><span>“KeyScout installs a flash card and collects credentials from Windows PCs. The collected credentials can then be imported into Oxygen Forensic Cloud Extractor for immediate use</span></span></span></span></span></span></span></span></span></span></span></span></em></span><em><span><span>.”</span></span></em></p> <p><em><span><span><img alt="mobile phone extraction" data-entity-type="file" data-entity-uuid="78e1b6fc-5f3a-4cf2-8156-190c8272dedd" src="/sites/default/files/inline-images/Picture3_2-2.png" /></span></span></em></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Forensics tools not only offer a simple way to access cloud stored data, they provide more data than an individual can access using their own username and password. Elcomsoft, for example, argues that </span><span><em><span>“even if proper authentication credentials are available [such as user name and password], access to evidence stored in the Cloud is not a given.</span></em></span><em><span>” </span></em><span>Elcomsoft compared the amount of data they could obtain </span><span>using Elcomsoft Phone Breaker to what they could get when without using forensic tools. They argue that using their tool is not only simple and quick but can access more data from the Cloud, than can be accessed even when username and password are known. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Reports suggest that there are other ways to gain access to cloud-based accounts using tokens. In July 2019, the Financial Times reported that malware sold by NSO Group’s, Pegasus, can carry out cloud extraction by copying authentication keys from an infected phone, allowing a separate server to then impersonate the phone, including its location. NSO Group refuted the report.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Despite companies such as Amazon, Apple, Google and Microsoft commenting to the FT’s story on NSO Group, <a href="https://privacyinternational.org/news-analysis/3302/big-tech-companies-must-protect-customer-data-legal-backdoors">it is unclear what their position is in relation to cloud extraction technologies used by law enforcement</a>. Google told the FT that it found <em>“no evidence of access to Google accounts or systems”</em> with respect to Pegasus. Given the number of forensics companies openly promoting access to Google products however, it must be aware this is a significant issue for the security of their customers’ data. <a href="https://privacyinternational.org/news-analysis/3302/big-tech-companies-must-protect-customer-data-legal-backdoors">We have written Google and other companies asking for their position on cloud extraction technologies</a>. The reality is that in many cases their customers do not know this technology exists and it is being used against them in a vacuum of legal safeguards. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><a><span>What types of data can be obtained?</span></a></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Claims by surveillance companies regarding what the types of data can be accessible via cloud extraction are as impressive as they are concerning. Cellebrite’s Cloud Analyser, for example, claims to <span><em>“extract, preserve and analyze public domain and private social media data, instant messaging, file storage, web-pages and other cloud-based content using a forensically sound process”.</em></span></span><span> This </span><span>includes a whole suite of Google products, whose ‘History’ function alone enables:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p>"insights into the subject’s intentions and interests by pulling out the history of text searches, visited pages, voice search recordings and translations from Google web history and viewing text searches conducted with Chrome and Safari on iOS devices backed-up iCloud.” – Cellebrite</p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Forensic experts claim to be able to acquire undelivered messages, unanswered calls, information about messages deleted from private and group chats, profile pictures and status messages of the account owner and contacts, original messages embedded into the reply and broadcast messages</span><span>. </span><span>The data relates not only to the user of the services but their friends, family, colleagues and anyone the user interacts with. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>The below images show a comparison by Cellebrite of the amount of data you can extract from a phone compared to what you can extract from Cloud sources, showing significantly more in relation to social media, emails, file sharing and location and search history from the latter. Notably <em><span>“Minute by Minute location information, searches and visited websites”</span></em></span><span> using Google’s time-stamped Location History and Google My Activity data and backups. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><img alt="comparison mobile and cloud data" data-entity-type="file" data-entity-uuid="6493d61c-4fcf-4539-8e0a-820c348ab8d0" src="/sites/default/files/inline-images/Picture%204.png" /></p> <p><img alt="comparison cloud and mobile extraction" data-entity-type="file" data-entity-uuid="8d0d345b-166c-40d8-a8ec-420cae152b7c" src="/sites/default/files/inline-images/Picture%205.png" /></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Oxygen Forensics, who developed Oxygen Forensics Detective forensic analysis tool, have built-in Oxygen Forensic Cloud Extractor to acquire </span><span><em><span>“data from the most popular cloud services”</span></em></span><span> including WhatsApp, iCloud, Google, Microsoft, Mi Cloud, Huawei, Samsung, E-Mail (IMAP) Servers and more. </span><span><em><span>“Also various social media services are supported to include but limited to: Facebook, Twitter, Instagram, and many more.”</span></em></span><span> It </span><span><em><span>“...supports, at the time of writing, 54 different types of cloud services, ranging from file storage, to messengers, drones, health apps, and social media.”</span></em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Even if you use end to end encrypted messaging, if you back up your WhatsApp messages to the Cloud, they are accessible to law enforcement. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><img alt="oxygen forensics slide showing extracted data from WhatsApp messenger" data-entity-type="file" data-entity-uuid="c23581d6-4749-4d73-a6a3-b06196713e10" src="/sites/default/files/inline-images/Picture%206.png" /></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Magnet Forensics also provides a cloud extraction service, AXIOM Cloud, which </span><span><em><span>“supports approximately 25 cloud artefacts in nine parent services to include Apple Box, Dropbox, IMAP/POP, Facebook, Google, Instagram, Microsoft and Twitter. Each service is broken down into different subservices.”</span></em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Looking at the types of data that can be extracted in more detail, Cellebrite’s Product Updates for Cloud Analyser show the increasing appetite for data from smart devices such as </span><span>Alexa and Google Home. Cellebrite’s UFED Cloud Analyzer 7.2 </span><span><em><span>“provides access to user requests including audio”</span></em></span><span>. As Cellebrite notes, </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p>"The Internet of Things (IoT) has created more ways to use data to make our lives easier, but it has also created more sources of digital intelligence for investigators to access in their criminal investigations.” – Cellebrite </p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Cellebrite is not the only mobile extraction company promoting access to data from home assistants. Oxygen Forensics views digital assistants as the new eye-witness with an estimated number of users of these devices projected to reach 1.8 billion by 2021:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“The valuable data extracted can contain a wealth of information to include: account and device details, contacts, user activity, incoming and outgoing messages, calendars, notifications, user created lists, created/installed skills, preferences, and more. One amazing feature in the software is the ability to extract the stored voice commands given to Alexa by the user. <strong>The users actual voice!</strong> The information extracted from Amazon will undoubtedly give tremendous insights into the user’s everyday activity, their contacts, shared messages, and valuable voice commands.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“When an Alexa user utters the wake word to perform a skill a recording of the query is sent to the user’s Amazon cloud account. The user specific request is processed and a response is returned to the device. Investigators, armed with Oxygen Forensic Cloud Extractor, can extract Amazon Alexa data to include these valuable recordings of that actual utterance by the user.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>As the number of devices connected to the internet and thus storing data in the cloud continues to grow, cloud extraction not only reaches into people’s homes but also their bodies with access to data from health wearables. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“Many of today’s users are into health wearables, from the Fitbit to the Apple Watch, which includes information such as heart rate, location, food intake, messaging and other valuable data that is often available only on the cloud service and not on the mobile device.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Cellebrite can access Fitbit </span><span><em><span>“user profile, logs, activities, goals, friends, heart rate, exercise track (speed, location, time etc.).”</span></em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><img alt="booking data" data-entity-type="file" data-entity-uuid="e58b5f14-deff-4159-a2bd-6a171897ed1e" src="/sites/default/files/inline-images/Picture%207.png" /></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Another source of data relates to travel and location with UFED Cloud Analyzer 7.3 accessing Google location data and Booking.com </span><span><em><span>“user profile, purchase history, messages and searches”</span></em></span><span> and UFED Cloud Analyzer 7.6 supports extraction from the UBER App and can:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“gain passenger and driver profile data, pick-up and drop-off location logs, and the last 4 digits of a user’s credit card...retrieval of … credit card details that new users are required to fill in on their first login. As the passenger chooses their pickup location, desire destination, and available driver, each journey is well documented. Recorded routes are aggregated and then categorised by favourite destinations. The driver’s information includes the name and photo identification.” -- Cellebrite</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Given the popularity of Amazon and Facebook, these are obvious targets for cloud stored data. <span><span><span>As of the fourth quarter of 2018, Facebook had 2.32 billion monthly active users.</span></span></span></span> <span><span><span><span><span>Amazon had 300 million users in 2017</span></span></span></span></span><span><span><span><span><span>. An update for Cellebrite’s UFED Cloud Analyzer 7.5 includes </span></span></span></span></span><span><em><span>“five brand new capabilities that enable access to activity logs, search histories, pages, user group data and IP address records [for Facebook].”</span></em></span><span> The software can:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“... extract information from the stories and photos a suspect was tagged in to find new leads or new suspects. Additional data points include identification of connections made when liking a page or adding someone as a friend, as well as comments posted, articles read, videos seen, places visited and more.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>For user data on groups and pages, UFED Cloud Analyzer 7.5 can also flag if a suspect is a member or administrator of a certain page or group.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>This version can also surface the Facebook Log IP address records to allow you to identify a phone or computer’s location used to access an account.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>UFED Cloud Analyzer 7.5 “enables access to [Amazon’s] search history, purchase history and delivery addresses that can contribute vital digital evidence to an investigation.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“In this version, you can also view the last 4 digits of a credit card registered on an Amazon account, including the billing and shipping addresses.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“The buyers’ search history and wish list over time can indicate suspicious behaviour leading up to a crime.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Cloud extraction technologies also access data from drones, such as UFED Cloud Analyzer 7.6 which added DJI Drone App and SkyPixel social network. This: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><em><span><span><span><span><span><span><span><span><span><span><span>“</span></span></span></span></span></span></span></span></span></span></span></em><span><span><span><span><span><span><span><span><span><span><span>Allows examiners to access the app as well as the corresponding users account on the SkyPixel social network. User profile data and stored drone flight log data is retrievable and includes: date, distance, flight time, location, video and imagery. SkyPixel user profile can also assist examiners to verify if any collaboration was performed on specific videos as well as track tags, follows and more.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>As more and more companies rely on cloud storage for work related activities, accessible data which can be obtained from tokens on devices relates not just to personal life but includes their work. For example:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“Cellebrite delivers access to shared files and instant messaging data from Slack, the popular communication tool of the business community.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>UFED Cloud Analyzer 7.9 also includes support for Snapchat and Instagram enhancements. This is relevant when we consider below the growing facial recognition capabilities inbuilt into analytics software that analyse extracted data both from mobile phones and obtained via cloud extraction. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“Snapchat is a global multimedia messaging app that enables users to share pictures and messages that are only available for a short time before they become inaccessible to their recipients. To date, Snapchat has 190 million daily active users worldwide and more than 400 million Snapchat stores are created per day. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>UFED Cloud Analyzer 7.9 introduces first-time support for the Snapchat application, with access using tokens retrieved from any Android device. With this version, you can retrieve backed up files, also known as Memories, and review direct message communications between contracts. Get access to the contact information of the account and password protected My Eyes Only files.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“This version of UFED Cloud Analyzer introduces comprehensive support for the Instagram application. On top of already supported data sets in previous versions, you can now view responses to posts which include images and videos. You can also get access to all data associated with chat messages including sharing of post/story, likes, comments within a message.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><img alt="oxygen forensics message" data-entity-type="file" data-entity-uuid="2822b6b6-e04e-4fc8-a6e8-07ff6c90b57a" src="/sites/default/files/inline-images/Picture%2010.png" /></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><a><span>Facial Recognition and Cloud extraction</span></a></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>The analysis of data extracted from mobile phones and other devices using cloud extraction technologies increasingly includes the use of facial recognition capabilities. If we consider the volume of personal data that can be obtained from cloud-based sources such as Instagram, Google photos, iCloud, which contain facial images, the ability to use facial recognition on masses of data is a big deal. That it is potentially being used on vast troves of cloud-stored data without any transparency and accountability is a serious concern.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>In August 2017 Cellebrite introduced what it called “advanced machine learning technology” for its analytics platform, which can be used to analyse data extracted from the cloud and which included face recognition and matching.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>From July 2019, Oxygen Forensics JetEngine module, which is built into the Oxygen Forensic Detective, provides the ability to categorise human faces. Not only do Oxygen provide the categorisation and matching of faces within extracted data, facial analytics allows them to categorise gender, race and emotion recognition.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Lee Reiber, Oxygen’s chief operating officer said the tool can <em>“search for a specific face in an evidence trove, or cluster images of the same person together. They can also filter faces by race or age group, and emotions such as “joy” and “anger”.”</em></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><img alt="oxygen promotion on facial recognition" data-entity-type="file" data-entity-uuid="0f2b8973-d56a-4ce0-8bab-586fa837a973" src="/sites/default/files/inline-images/Picture%2011.png" /></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Continual tracking</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Once you have a users’ credentials, not only can you obtain their cloud-based data, you can track them using their cloud-based accounts. For example, the capabilities of Cellebrite’s Cloud Analyzer include the ability, once you have an individual’s credentials, to: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>“T<span><span>rack online behaviour. Analyse posts, likes, events and connections to better understand a suspect or victim’s interests, relationships, opinions and daily activities.”</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> </blockquote> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>This offers a very private insight into an individual’s life. The individual themselves will never know that someone has access to and may be using their cloud profile. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><img alt="cellebrite cloud analyzer" data-entity-type="file" data-entity-uuid="4bec438f-7abb-47a0-9a7f-45816b72f9e0" src="/sites/default/files/inline-images/Picture%2012.png" /></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>The short- or long-term monitoring of activity, particularly without possession of the phone and outside of what is on the device, is highly intrusive, and presents yet another worrying worrying aspect of cloud extraction capabilities. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Not only can you track and monitor behaviour, messages and location data at any time, with their login credentials or ability to access their cloud-based accounts, you may be able to send messages, impersonate them, send mail with illegal content to someone else. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><a><span>Conclusion</span></a></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>There is an absence of information regarding the use of cloud extraction technologies, making it unclear how this is lawful and equally how individuals are safeguarded from abuse and misuse of their data. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>The volume of data that can be extracted from cloud services, the inclusion of facial recognition technology to analyse images and the implications for the large number of people whose personal data will be obtained even just extracting cloud data related to one individual make this a subject that deserves far greater transparency and accountability.  </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>This is part of a dangerous trend by law enforcement agencies and we want to ensure globally the existence of transparency and accountability with respect to new forms of technology they use. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Recommendations </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>A search of a person’s cloud-based data can be more invasive than a search of their home, not only for the quantity and detail of information but also the historical nature of legacy data and the future data that can continue to be analysed in the cloud. The state should not have unfettered access to the totality of someone’s life and the use of cloud extraction requires the strictest of protections. Therefore, Privacy International recommends that:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <ul><li><span><span><span>An immediate independent review be initiated into the use by law enforcement of cloud-analytics by relevant policing bodies and border control with consultations taken from the public, civil society and industry as well as government authorities. </span></span></span></li> <li><span><span><span>The police must have a warrant issued on the basis of reasonable suspicion by a judge before forensically examining any cloud-based data, or otherwise accessing any content or communications data stored therein. </span></span></span></li> <li><span><span><span>A clear legal basis must be in place to inspect, collect, store and analyse data from cloud-based services which provides for </span><span>adequate safeguards to ensure intrusive powers are only used when necessary and proportionate</span><span>. It must be considered whether such intrusive technology should only be used in serious crimes. </span> </span></span></li> <li><span><span><span>Guidance aimed at the public regarding their rights and what such extractions involves must be published and provided to persons whose devices are to be analysed. </span></span></span></li> <li><span><span><span>Individuals be informed that their cloud-based data has been extracted, analysed and retained.</span></span></span></li> <li><span><span><span>Anyone who has their cloud-based data examined should have access to an effective remedy where any concerns regarding lawfulness can be raised. </span></span></span></li> <li><span><span><span>There must be independent oversight of the compliance by law enforcement of the lawful use of these powers.</span></span></span></li> <li><span><span><span>Cyber security standards should be agreed and circulated, specifying how data must be stored, how long it is to be retained, when it must be deleted and who can access it. </span></span></span></li> <li><span><span><span>All authorities who use these powers must purchase relevant tools through procurement channels in the public domain and regularly update a register of what tools they have purchased, including details on what tools they have, the commercial manufacturer and expenditure amounts. </span></span></span></li> <li><span><span><span>Technical standards be created and followed to ensure there is a particular way of obtaining data that is repeatable and reproducible, to ensure verification and validation. This should be accompanied, for example, by a clearly documented process. </span></span></span></li> <li><span><span><span>Technical skill is required as with this unprecedented amount of data comes the need for highly skilled forensic investigators. Consideration must be given to the risk of miscarriage of justice if raw data is misinterpreted or individuals cannot afford experts to review the data. </span></span></span></li> <li><span><span><span>Testing, trialling and deployment of cloud extraction technologies must be accompanied by impact assessments, adequate safeguards and engagement with the public and civil society. </span></span></span></li> </ul><p> </p> <h2><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Currently supported cloud services</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></h2> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><img alt="table1" data-entity-type="file" data-entity-uuid="bdc08700-5691-4471-9eac-2327ae58bfe3" src="/sites/default/files/inline-images/Screenshot%202019-12-06%20at%2016.49.56.png" /><img alt="table2" data-entity-type="file" data-entity-uuid="5a6aa2f2-ee2d-4aa8-8977-0b2f85e9ddc5" src="/sites/default/files/inline-images/Screenshot%202019-12-06%20at%2016.50.02.png" /><img alt="table2" data-entity-type="file" data-entity-uuid="cca00e34-ac79-4dd7-86e1-a5419b1d5750" src="/sites/default/files/inline-images/Screenshot%202019-12-06%20at%2016.50.07.png" /></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><img alt="table2" data-entity-type="file" data-entity-uuid="3bacad07-a782-461f-881f-872e073a4d9f" src="/sites/default/files/inline-images/Screenshot%202019-12-06%20at%2016.50.11.png" /></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><img alt="table2" data-entity-type="file" data-entity-uuid="a2c94f3a-236d-4e8f-bc25-e422920fedab" src="/sites/default/files/inline-images/Screenshot%202019-12-06%20at%2016.50.16.png" /></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><em>[references in pdf below]</em></p></div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/defending-democracy-and-dissent" hreflang="en">Defending Democracy and Dissent</a></div> </div> </div> <div class="field field--name-field-attachments field--type-file field--label-inline"> <div class="field__label">Attachments</div> <div class="field__items"> <div class="field__item"> <span class="file file--mime-application-pdf file--application-pdf"> <a href="http://privacyinternational.org/sites/default/files/2019-12/3.12.2019%20Cloud%20Analytics%20LONG%20READ%20FINAL.pdf" type="application/pdf; length=3694388">3.12.2019 Cloud Analytics LONG READ FINAL.pdf</a></span> </div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/police-unlocking-your-data-cloud" hreflang="en">Police unlocking your data in the cloud</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/584" hreflang="en">Cellebrite</a></div> </div> </div> <div class="field field--name-field-audience-and-purpose field--type-entity-reference field--label-above"> <div class="field__label">Audiences and Purpose</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/628" hreflang="en">Feeding our followers</a></div> <div class="field__item"><a href="/taxonomy/term/630" hreflang="en">Helping experts with our analyses</a></div> <div class="field__item"><a href="/taxonomy/term/632" hreflang="en">Influence key stakeholders</a></div> </div> </div> Tue, 07 Jan 2020 00:00:01 +0000 staff 3300 at http://privacyinternational.org …it can ensure that the law is applied in the same manner to everyone http://privacyinternational.org/case-study/3346/it-can-ensure-law-applied-same-manner-everyone <span class="field field--name-title field--type-string field--label-hidden">…it can ensure that the law is applied in the same manner to everyone</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Thursday, January 23, 2020</span> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/tallie-robinson-vs-fjU4sQos-unsplash%20copy.jpg" width="3008" height="2000" alt="two women kissing" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/tallie-robinson-vs-fjU4sQos-unsplash%20copy_0.jpg" width="3008" height="2000" alt="two women kissing" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/tallie-robinson-vs-fjU4sQos-unsplash.png" width="1024" height="681" alt="two women kissing" typeof="foaf:Image" /> </div> </div> <div class="clearfix text-formatted field field--name-field-text-block-1 field--type-text-long field--label-above"> <div class="field__label">Text block 1</div> <div class="field__item"><p><span><span><strong><em><span><span><span>The law is the same for everyone and should be applied in the same manner to all.</span></span></span></em></strong></span></span></p> <p><span><span><span><span><span>Discriminatory laws on the basis of sexual orientation across the globe exist in stark opposition to the principle that the law should be the same for each and every one of us. We are all entitled to the same protections against any discrimination. Equality before the law dictates that there must be a reasonable justification to regulate any aspect of a person’s life.</span></span></span></span></span></p> <p><span><span><span><span><span>Laws discriminating on the basis of sexual orientation interfere with our private lives and development. There can be no justification for criminalising the consensual sexual behaviour of adults in private.</span></span></span> <span><span><span>Heterosexuals are not regulated in the same manner.</span></span></span></span></span></p> <p><span><span><span><span><span>The changes in the UK and Irish criminal law codes demonstrate the link between the two. In the UK, the </span></span></span><a href="https://www.bl.uk/collection-items/the-criminal-law-amendment-act-1885"><span><span>Criminal Law amendment Act 1885</span></span></a><span><span><span> provided that any ‘homosexual activity’ between men was illegal. Alan Turing and Michael Pitt-Rivers, amongst others, were actually tried under this provision. Eventually, the government commissioned a report, known as the </span></span></span><a href="https://www.parliament.uk/about/living-heritage/transformingsociety/private-lives/relationships/collections1/sexual-offences-act-1967/wolfenden-report-/"><span><span>Wolfenden report</span></span></a><span><span><span><span>, to consider the revision of </span></span></span></span><span><span><span> “homosexual offences and prostitution.” The report, released in 1957, held that there must be a private realm of morality, which is not the law’s business and recommended that ‘homosexual acts’ between two consenting adults should no longer be a criminal offence. Eventually that lead to the </span></span></span><a href="https://www.legislation.gov.uk/ukpga/1967/60"><span><span>decriminalisation</span></span></a><span><span><span> of sex between men.</span></span></span></span></span></p> <p><span><span><span><span><span>A few years later in Northern Ireland, in 1981, Jeff Dudgeon brought the </span></span></span><a href="https://rm.coe.int/168007ff47"><span><span>first successful case</span></span></a><span><span><span> against the criminalisation of sex between men before the European Court of Human Rights. The Court held that private sexual conduct, which is a vital element of an individual’s personal sphere, cannot be prohibited merely because it may shock or offend others. This case set the legal precedent that ultimately resulted in the requirement that no Council of Europe member state could criminalise homosexual behaviour. </span></span></span></span></span></p> <p><span><span><span><span><span>There is still a long way to go at a global level, as of 2019, </span></span></span><a href="https://edition.cnn.com/2019/04/03/world/same-sex-laws-map-intl/index.html"><span><span>70 UN member states</span></span></a><span><span><span> still criminalise gay sex. However, privacy still paves the way forward. In India, the biggest democratic state in the world, the colonial era law criminalising homosexuality was </span></span></span><a href="https://www.theguardian.com/world/2018/sep/06/indian-supreme-court-decriminalises-homosexuality"><span><span>overturned</span></span></a><span><span><span><span> in 2018</span></span></span></span><span><span><span>. The Supreme Court stated in their judgement that “</span></span></span><a href="https://www.independent.co.uk/news/world/asia/india-sexual-orientation-freedom-sexuality-fundamental-right-ruling-openly-lgbt-gay-lesbian-a7913681.html"><span><span>sexual orientation is an essential attribute of privacy</span></span></a><span><span><span>” and as a result, discrimination on the basis of sexual orientation was unconstitutional. </span></span></span></span></span></p> <blockquote> <p><span><span><span><span><em><span><span><span>All are equal before the law and are entitled without any discrimination to equal protection of the law. All are entitled to equal protection against any discrimination in violation of this Declaration and against any incitement to such discrimination. </span></span></span></em><strong><span><span><span>Article 7, Right to equality before the law</span></span></span></strong></span></span></span></span></p> </blockquote> <p><span><span><span><span><em><span><span><span>* </span></span></span></em></span></span></span>Photo by <a href="https://unsplash.com/@tallierobinson?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Tallie Robinson</a> on <a href="https://unsplash.com/?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span></p></div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/lgbtiq" hreflang="en">LGBTIQ+</a></div> <div class="field__item"><a href="/topics/protecting-civic-spaces" hreflang="en">Protecting Civic Spaces</a></div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/id-identity-and-identification" hreflang="en">ID, Identity and Identification</a></div> <div class="field__item"><a href="/what-we-do/realise-our-rights-live-dignity" hreflang="en">Realise Our Rights to Live with Dignity</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-education-course field--type-entity-reference field--label-above"> <div class="field__label">Education material</div> <div class="field__items"> <div class="field__item"><a href="/education/right-privacy" hreflang="en">Right to Privacy</a></div> </div> </div> <div class="field field--name-field-resource-type field--type-entity-reference field--label-above"> <div class="field__label">Web Resource</div> <div class="field__items"> <div class="field__item"><a href="/type-resource/privacy-matters" hreflang="en">Privacy Matters</a></div> </div> </div> Thu, 23 Jan 2020 14:32:09 +0000 staff 3346 at http://privacyinternational.org Podcast: Heartbeat International and anti-abortion data exploitation http://privacyinternational.org/video/3345/podcast-heartbeat-international-and-anti-abortion-data-exploitation <span class="field field--name-title field--type-string field--label-hidden">Podcast: Heartbeat International and anti-abortion data exploitation</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">tech-admin</span></span> <span class="field field--name-created field--type-created field--label-hidden">Thursday, January 23, 2020</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>In this podcast Sara Nelson of PI’s <a href="https://privacyinternational.org/campaigns/reproductive-rights-and-privacy-project">Reproductive Rights and Privacy Project</a> talks about the US based international anti-abortion organisation Heartbeat International and the technologies they are developing for their international network of affiliate organisations. We also discuss what reproductive rights are and why PI is working on the topic:</p> <p><iframe allowfullscreen="" frameborder="0" height="315" sandbox="allow-same-origin allow-scripts" src="https://media.privacyinternational.org/videos/embed/2238f616-7f19-4210-9732-1aa2170f198d" width="560"></iframe></p> <p>Music by Glass Boy, find more of their work here: glassboy.bandcamp.com/album/enjoy (creativecommons.org/licenses/by-nd/3.0/)</p> </div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/Wire%202020-01-23%20at%209.22.06.png" width="880" height="622" alt="Heartbeat International and anti-abortion data exploitation" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/Wire%202020-01-23%20at%209.22.06_3.png" width="880" height="622" alt="Heartbeat International and anti-abortion data exploitation" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/Wire%202020-01-23%20at%209.22.06_1.png" width="880" height="622" alt="Heartbeat International and anti-abortion data exploitation" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/sexual-and-reproductive-health" hreflang="en">Sexual and reproductive health</a></div> </div> </div> Thu, 23 Jan 2020 12:01:50 +0000 tech-admin 3345 at http://privacyinternational.org The Hindsight Files 2020: Much More Than Politics http://privacyinternational.org/news-analysis/3343/hindsight-files-2020-much-more-politics <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div id="field-language-display"><div class="js-form-item form-item js-form-type-item form-type-item js-form-item- form-item-"> <label>Language</label> English </div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em><span>Photo by <a href="https://unsplash.com/@element5digital?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Element5 Digital</a> on <a href="https://unsplash.com/s/photos/democracy?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span></em></p> <p>On New Year's Day, the Twitter account @HindsightFiles began publishing internal communications and documents from the now defunct SCL Group, dating from 2014-2018. They came from the hard drive of Brittany Kaiser, who held several senior positions at SCL Group including at one of its subsidiaries, Cambridge Analytica, and featured in the Netflix documentary <a href="https://privacyinternational.org/news-analysis/3106/review-great-hack-documentary">"The Great Hack".</a></p> <p>Privacy International first investigated Cambridge Analytica in 2017. We <a href="https://privacyinternational.org/long-read/954/texas-media-company-hired-trump-created-kenyan-presidents-viral-anonymous-attack">questioned the company's role in the Kenyan President's electoral campaign</a> and the production of a series of online videos making incendiary claims about the opposition in a volatile political climate. Since then, thanks to the <a href="https://privacyinternational.org/long-read/1681/cambridge-analytica-and-facebook-are-part-industrial-sector-exploits-your-data">much-publicised</a> Cambridge Analytica/Facebook scandal of 2018, we have learned much more about the ecosystem of companies where <a href="https://privacyinternational.org/legal-action/challenge-hidden-data-ecosystem">data exploitation is the business model</a>, of which Cambridge Analytica was just one of many. The first Hindsight Files cover Kenya, Brazil, Malaysia, the USA (in files marked Iran and Bolton) and the second release covers Ghana. While protecting democracy is the reason Brittany Kaiser gives for releasing these documents, there is more to the files than politics and elections.</p> <p>In order for companies like SCL Group to be able to carry off their bold claims of being able to change people's behaviour they need data, and lots of it, so we need to look at where they are getting it from. From information in The Hindsight Files, the different research projects SCL Group undertook meant the company held a lot of insights into people's behaviour and lots of data.</p> <p>For example, a 92 page proposal to Tullow Oil, the largest oil and gas exploration and production company in Africa, is particularly revealing (see document 1 below). In 2012, Tullow Oil announced it had discovered oil in Turkana County in the north west of Kenya. Perhaps anticipating tension with Turkana's communities, at some point in 2015 SCL drafted a proposal for "research and consultancy" services in Kenya and also Ghana.</p> <p>At first the proposal starts out describing PR services <em>"to understand how best to engage positively with its host communities"</em> through large-scale quantitative and qualitative research. But the goals of this research into the behaviours of local communities is hardly positive, as the goals of this extensive and detailed research is to better manipulate the people of Turkana. The proposal states,</p> <p><em>"Additional deliverables will include comprehensive recommendations on the best cognitive and emotional strategies to influence and modify Turkana attitudes and behaviour. Also included will be conclusions on potential spoilers’ weaknesses and recommendations on how best to utilise these to the Tullow Oil’s advantage."</em></p> <p>It is not clear if Tullow Oil went through with this proposal, but it will not come as a great surprise to most that an oil company would consider contracting this kind of company employing these kinds of tactics in a region described by SCL as, <em>"the very least developed of Kenya’s counties and the Turkana themselves amongst its most idiosyncratic and fractious communities"</em>.</p> <p>The proposed research violates even the most basic of research ethics guidelines, with SCL looking to actively mislead research participants as to the purpose of their questioning. They state that, <em>“All research will be presented to respondents as an academic research study”</em>, which is clearly misleading. The proposal does not mention any security arrangements for the data collected, privacy policy or any consideration that the information they are collecting is sensitive, let alone the psychological profiles to be compiled.  At the time, Kenya had no data protection law, meaning the company could collect any kind of information with no limitations or safeguards and do what they liked with it. For example, they could keep the data and feed it into future work on, say, elections.</p> <p>From The Hindsight Files, this is what appears to have happened in Ghana. Several documents reference that SCL were commissioned by the Ministry of Health in 2014 to conduct a large study on health practices and requirements in Ghana. SCL conducted 30,000 household surveys, in 97 constituencies, across 10 regions. In a later report to the ruling National Democratic Congress (NDC) party, research based on 30,000 surveys etc, <em>"allowed SCL to model the future vote distribution within each constituency in Ghana based on how respondents said that they would vote should there be an election tomorrow"</em> (see document 2 below).</p> <p>According to documents, SCL's work for the NDC included a negative campaign ultimately trying to get opposition supporters not to vote (see document 3 below). A further unaddressed letter on SCL Group letterhead boasts,</p> <p><em>"We hold a large scale data set relating to various aspects of public health in Ghana, including people’s perceptions of healthcare facilities, health insurance, and factors influencing access to medicine and treatment. We also hold data on themes including which national and local issues are important to people, their perceptions of the state of the economy, popular media channels, and key influencers. In addition we have detailed demographic data". </em></p> <p>The letter goes on, <em>"SCL can offer expert data analytic services which could assist you [the unamed recipient] in several ways"</em> (see document 4 below). It is worth remembering that the Ministry of Health in Ghana paid for the dataset that SCL is selling.</p> <p>Another disappointing find in these files is that organisations like UNICEF and the United Nations Development Programme (UNDP) commissioned SCL to conduct extremely sensitive research from 2009-2012. In a section on "recent relevant projects", the Tullow Oil proposal states UNICEF commissioned SCL to produce a communication strategy on preventing child marriage and enhancing the protection of girls.  UNDP commissioned three studies- one on disarmament in South Sudan in 2011 and two studies on youth radicalisation in Somalia and Egypt. There are glowing references from government agencies in the UK and the USA relating to counter-terrorism projects.</p> <p>In all the current cache of files we've so far found no mention of data protection, data security, or even an acknowledgement that the data is sensitive, as data relating to people's health cetainly is. It seems organisations have sleepwalked into giving SCL a huge amount of sensitive data without seemingly knowing what they will do with it.</p> <p>Knowing what we know now about SCL Group and how they progressively ramped up their data collection methods, culminating in the 2018 Facebook/Cambridge Analytica scandal, organisations that have used their services should be coming clean about what happened to the data collected. While many believe that Cambridge Analytica and others are merely peddling snake oil disguised by clever marketing, this doesn't make the underlying intrusions into people's privacy or the potential to stoke tensions or even conflict in fragile regions any less real. More files are expected to be published, but already a solid picture is forming that nobody should be using companies like SCL or others to carry out such sensitive research, especially in places where no protection exists for the people being studied.</p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/element5-digital-T9CXBZLUvic-unsplash.jpg" width="4000" height="2667" alt="ballot box image" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/element5-digital-T9CXBZLUvic-unsplash_0.jpg" width="4000" height="2667" alt="ballot box image" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/element5-digital-T9CXBZLUvic-unsplash_1.jpg" width="4000" height="2667" alt="ballot box image" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/expose-data-exploitation-data-profiling-and-decision-making" hreflang="en">Expose Data Exploitation: Data, Profiling, and Decision Making</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/learning-topics/data-and-elections" hreflang="en">Data and Elections</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> </div> </div> <div class="field field--name-field-target field--type-entity-reference field--label-above"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><a href="/target/industry" hreflang="en">Industry</a></div> </div> </div> <div class="field field--name-field-attachments field--type-file field--label-hidden field__items"> <div class="field__item"><table data-striping="1"> <thead> <tr> <th>Attachment</th> <th>Size</th> </tr> </thead> <tbody> <tr class="odd"> <td> <span class="file file--mime-application-pdf file--application-pdf"> <a href="http://privacyinternational.org/sites/default/files/2020-01/1.%20SCL_Group_-_Tullow.pdf" type="application/pdf; length=22257480">1. SCL_Group_-_Tullow.pdf</a></span> </td> <td>21.23 MB</td> </tr> <tr class="even"> <td> <span class="file file--mime-application-pdf file--application-pdf"> <a href="http://privacyinternational.org/sites/default/files/2020-01/2.%20Ghana_Elections_Campaigns_2015_16e.pdf" type="application/pdf; length=18960921">2. Ghana_Elections_Campaigns_2015_16e.pdf</a></span> </td> <td>18.08 MB</td> </tr> <tr class="odd"> <td> <span class="file file--mime-application-pdf file--application-pdf"> <a href="http://privacyinternational.org/sites/default/files/2020-01/3.%20NPP_Base_Campaign_Summary.pdf" type="application/pdf; length=48101">3. NPP_Base_Campaign_Summary.pdf</a></span> </td> <td>46.97 KB</td> </tr> <tr class="even"> <td> <span class="file file--mime-application-pdf file--application-pdf"> <a href="http://privacyinternational.org/sites/default/files/2020-01/4.%20Ghana_data_letter.pdf" type="application/pdf; length=484523">4. Ghana_data_letter.pdf</a></span> </td> <td>473.17 KB</td> </tr> </tbody> </table> </div> </div> <div class="field field--name-field-type-of-impact field--type-entity-reference field--label-above"> <div class="field__label">Type of Impact</div> <div class="field__items"> <div class="field__item"><a href="/impact/global-standard-data-protection-law" hreflang="en">A Global Standard for Data Protection Law</a></div> </div> </div> <div class="field field--name-field-legal-proceedings field--type-entity-reference field--label-above"> <div class="field__label">Legal Action</div> <div class="field__items"> <div class="field__item"><a href="/legal-action/challenge-hidden-data-ecosystem" hreflang="en">Challenge to Hidden Data Ecosystem</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/enhancing-data-protection-standards" hreflang="en">Enhancing Data Protection Standards</a></div> </div> </div> <div class="field field--name-field-education-course field--type-entity-reference field--label-above"> <div class="field__label">Education material</div> <div class="field__items"> <div class="field__item"><a href="/education/risks-data-intensive-systems" hreflang="en">The risks of data-intensive systems</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/605" hreflang="en">Cambridge Analytica</a></div> </div> </div> <div class="field field--name-field-date field--type-datetime field--label-above"> <div class="field__label">Date</div> <div class="field__item"><time datetime="2020-01-22T12:00:00Z" class="datetime">Wednesday, January 22, 2020</time> </div> </div> </div> </div> Wed, 22 Jan 2020 14:55:58 +0000 staff 3343 at http://privacyinternational.org All about PI’s work on reproductive rights and privacy http://privacyinternational.org/long-read/3340/all-about-pis-work-reproductive-rights-and-privacy <span class="field field--name-title field--type-string field--label-hidden">All about PI’s work on reproductive rights and privacy</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">tech-admin</span></span> <span class="field field--name-created field--type-created field--label-hidden">Wednesday, January 22, 2020</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em><span>Photo by <a href="https://unsplash.com/@rhsupplies?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Reproductive Health Supplies Coalition</a> on <a href="https://unsplash.com/s/photos/reproductive?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span></em></p> <p>Today we are excited to spotlight our Reproductive Rights and Privacy Project!</p> <p>The Project is focused on researching and exposing organisations that collect and exploit the information of those seeking to exercise their reproductive rights. Working together with PI partners, other international grassroots organisations and NGOs, PI is researching and advocating against this data exploitation.</p> <h2>So, what are reproductive rights?</h2> <p>Sexual and reproductive rights, which are contained within Economic, Social, Cultural, and Environmental Rights, include the right to access to contraception, the right to safe and legal abortion, the right to sexual health information including about contraception and abortion, and other reproductive health services.</p> <p>Also of relevance are issues including <a href="https://www.washingtonpost.com/health/2019/07/02/medication-abortions-cant-be-reversed-law-forcing-doctors-say-they-can-be-is-headed-court/">disinformation</a> in sexual health information, burdensome processes or costs to accessing reproductive healthcare, <a href="https://www.theguardian.com/us-news/2019/nov/29/ohio-extreme-abortion-bill-reimplant-ectopic-pregnancy">non-medical and dangerous processes</a> being introduced into reproductive healthcare legislation, aid money (for example <a href="https://www.guttmacher.org/tags/global-gag-rule">US aid money</a>) having strings attached that require international recipients to promulgate biased health information, and <a href="https://www.teenvogue.com/story/things-to-know-about-birth-control-trans-non-binary">discrimination</a> in providing reproductive healthcare, whether the discrimination is based on income, location, race or ethnicity, gender identity, sexuality, or otherwise.</p> <h2>How do reproductive rights connect to the right to privacy?</h2> <p>The right to privacy is one of the precedents used to establish reproductive rights, and it is established by several international and regional legal instruments. The primary link between the two stems from the fact that laws and policies which impede upon individuals’ rights to access sexual and reproductive health services may also interfere with individuals’ right to privacy and to make autonomous decisions as it pertains to their health and fertility. Such reproductive rights are necessary for the bodily autonomy.</p> <h2>Tell me about how reproductive rights are established…</h2> <ul><li><strong>The Right to Health</strong> is in part established by Articles 10 and 12 of the International Covenant on Economic, Social and Cultural Rights. This refers to all persons’ right to the highest attainable standard of health and includes the right to sexual and reproductive health. With respect to sexual and reproductive health, states have an obligation to eliminate discrimination accessing these services, ensure free and informed consent, reduce infant and maternal morbidity and mortality, ensure that dangerous practices do not impede pre-and post-natal care and access to contraception, and protect vulnerable or marginalized groups of society.</li> <li><strong>The Right to Non-Discrimination and Equal Treatment in Law</strong> is in part established by Article 2 of the International Covenant on Economic, Social and Cultural Rights, Article 1 of the American Convention on Human Rights, and Articles 1 and 2 of the Convention on the Elimination of All Forms of Discrimination against Women. This right refers to every person’s right to enjoy human rights without discrimination. With respect to reproductive rights, the Convention on the Elimination of All Forms of Discrimination Against Women prohibits all expressions of discrimination against women. Laws or policies that inhibit women’s right to control their fertility, by restricting access to Sexual and Reproductive Health services or by requiring women to have their husband’s consent to access sexual and reproductive health services violate this right.</li> <li><strong>The Right to Life</strong> is in part established by Article 3 of the Universal Declaration of Human Rights, Article 6 of the International Covenant on Civil and Political Rights, and Article 4 of the American Convention on Human Rights. This right pertains to signatory states’ obligations to implement positive actions to protect life. According to the World Health Organization(WHO), in 2017 approximately 810 individuals died every due to avoidable causes during pregnancy and childbirth. Preventing individuals from accessing the vital sexual and reproductive health services that will allow them to prevent or delay pregnancy or ensure a healthy pregnancy increases their risk of mortality, and represents a violation of this right.</li> <li><strong>The Right to Physical Integrity</strong> is in part established by Article 7 of the International Covenant on Civil and Political Rights and Article 5 of the American Convention on Human Rights. This right refers to individuals’ right to freedom from torture and other cruel, inhumane, or degrading treatment and to be free from medical or scientific intervention, except with their full consent. This right necessitates every persons’ right to exercise control over their own bodies, including with regard to their sexual and reproductive life. Rape, forced abortion, forced sterilization, female genital mutilation, and domestic abuse may all constitute violations of this right.</li> <li><strong>The Right to Marry and Establish a Family</strong> is in part established by Article 23 of the International Covenant on Civil and Political Rights, Article 19 of the International Covenant on Economic, Social and Cultural Rights, and Article 16 of the Convention on the Elimination of All Forms of Discrimination. This right refers to couples’ right to choose if they would like to have children, become pregnant and have a child, as well as their right to choose the number, timing, and spacing of their children. In 1990, the Human Rights Committee which monitors the International Covenant on Civil and Political Rights published a General Comment specifying that any signatory state sponsored family planning policies should not be discriminatory or compulsory, in line with Article 23.</li> <li><strong>The Right to Privacy</strong> is established by Article 17 of the International Covenant on Civil and Political Rights, Article 16 of the Children’s Rights Convention, Article 22 of the Disability Rights Convention, Article 8 of the European Convention on Human Rights, Article 10 of the Convention on Human Rights and Biomedicine, and Article 11 of the American Convention on Human Rights. This right includes the right to confidentiality in the provision of sexual and reproductive health services, especially as it pertains to potentially sensitive issues like HIV/AIDS status, pregnancy, and visits to sexual and reproductive health service providers. This is particularly important for vulnerable groups like adolescents, people living with HIV, and people living with disabilities. This right may be violated by policies which require women to have their husband’s consent for sterilization or those which require health personnel to disclose individuals who have undergone abortion.</li> </ul><p>This work is part of a broader programme of work aimed at safeguarding the dignity of people by challenging current power dynamics, and redefining our relationship with governments, companies, and within our own communities. As an enabling right, privacy plays an important role in supporting the exercise of reproductive rights as recognised in international human rights law.</p> <h2>So, what’s next?</h2> <p>With others, we are continuing to document instances where those seeking to exercise their reproductive rights or access reproductive healthcare have had their data exploited. We are collecting evidence with international partners to show the variance in how reproductive rights are being curtailed and to highlight the experiences of different people in different places.</p> <p>Some of the Projects recent work:</p> <ul><li>We filed a <a href="https://privacyinternational.org/news-analysis/3312/pis-submission-uk-governments-consultation-new-legal-framework-abortion-services">submission</a> to the UK Government’s consultation on a new legal framework for abortion services in Northern Ireland.</li> <li>We <a href="https://privacyinternational.org/long-read/3096/how-anti-abortion-activism-exploiting-data">showed how</a> Heartbeat International is developing and promoting data exploitative technologies to its international network of affiliate anti-abortion crisis pregnancy centres.</li> </ul><p>If you are an organisation that works on this or a similar issue, <a href="mailto:saran@privacyinternational.org">please reach out to us</a> and tell us about your organisation’s work.</p></div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/sexual-and-reproductive-health" hreflang="en">Sexual and reproductive health</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/reproductive-rights-and-privacy-project" hreflang="en">Reproductive Rights and Privacy Project</a></div> </div> </div> Wed, 22 Jan 2020 13:26:36 +0000 tech-admin 3340 at http://privacyinternational.org MONITORYOU: the MilliONs beIng spenT by the eu on develOping surveillance tech to taRget YOU http://privacyinternational.org/long-read/3341/monitoryou-millions-being-spent-eu-developing-surveillance-tech-target-you <span class="field field--name-title field--type-string field--label-hidden">MONITORYOU: the MilliONs beIng spenT by the eu on develOping surveillance tech to taRget YOU</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Monday, January 20, 2020</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em>Editor's Note: There have been significant concerns raised within Privacy International's headquarters regarding the unorthodox capitalisation in the title of this piece. The structure reflects the naming conventions among EU-funded research projects, as displayed below.</em></p> <p> </p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>The European Union (EU) spends billions on research and development aimed at driving economic growth and jobs, as well as furthering the bloc’s broader agenda. Within the current budget, known as Horizon 2020 and covering the years 2014-2020, some €80 billion has been made available for research in a huge number of areas, ranging from finding cures for diseases to helping keep the earth viable for life.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>From the same budget, it also funds a lot of projects aimed at developing surveillance technology. Successive research budgets have <a href="https://ec.europa.eu/programmes/horizon2020/en/what-horizon-2020">ploughed billions</a> in euros to surveillance companies, government security agencies, and universities to conduct research and develop products to complement EU and national internal security policies. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Much of the funding goes to companies which sell surveillance tech to governments or to government agencies which themselves carry out surveillance. This not only furthers surveillance capabilities; it takes money away from other vital research. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Privacy International has argued that some of the types of surveillance being supported, such as <a href="https://privacyinternational.org/topics/facial-recognition">facial recognition</a> and <a href="https://privacyinternational.org/topics/mass-surveillance">mass surveillance</a> fundamentally violate international human rights laws. Others, such as the forensic <a href="https://privacyinternational.org/campaigns/phone-data-extraction">extraction</a> of data from devices, must only be conducted within a highly regulated framework, which many jurisdictions lack. It is unclear how some of the funded projects being supported – such as those aimed at monitoring potential <a href="https://privacyinternational.org/campaigns/protecting-migrants-borders-and-beyond">migrants</a> to Europe – comply with EU rules, including on data protection. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>This is a matter of concern as much of this technology may soon be trialled or eventually commercialised and sold on the open market - ironically at the same time as European Parliamentarians are pushing to <a href="https://www.computerweekly.com/news/252433519/European-Parliament-votes-to-restrict-exports-of-surveillance-equipment">reign in</a> the European surveillance trade. As the current research budget is set to expire, it will soon be replaced by a new round, which is expected to further <a href="https://www.nature.com/articles/d41586-019-01567-y">boost</a> spending on security and military research. </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Below is a list of some of these research projects which are ongoing as of January 2020.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-hidden field__items"> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><h4>__________________</h4> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Prediction and Visual Intelligence for Security Information <span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>(PREVISION)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €8m (2019-2021)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: A</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> predictive platform running analytics through data obtained from "online social networks, the open web, the Darknet, CCTV and video surveillance systems, traffic and financial data sources, and many more"</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/833115">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-22%20at%2010.23.47.png" width="831" height="297" alt="PREVISION" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Prediction and Visual Intelligence for Security Information<span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> (ROXANNE) </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution:</strong> €7m (2019-2022)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: Project aimed at identifying people in intercepted communications using face &amp; speech identification, soon to be trialled in 9 countries</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/833635">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2013.09.26.png" width="794" height="223" alt="ROXANNE" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><strong>Name</strong>: Fighting Crime and TerroRism with an IoT-enabled Autonomous Platform based on an Ecosystem of Advanced IntelligEnce, Operations, and InveStigation Technologies (<span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>CREST)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution:</strong> €7m (2019-2022)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: A predictive analytics platform monitoring online content and data from "Internet of Things" (IoT) devices, and for sharing "digital evidence based on blockchain" technology§</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/833464">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2013.44.34.png" width="803" height="254" alt="CREST" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>InterCONnected NEXt-Generation Immersive IoT Platform of Crime and Terrorism DetectiON, PredictiON, InvestigatiON, and PreventiON Services <span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>(CONNEXION)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €5m (2018-2021)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: a predictive policing tool relying on social media, 'dark web', and IoT data </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/786731">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2013.23.32.png" width="796" height="350" alt="CONNEXION" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Migration-Related Risks caused by misconceptions of Opportunities and Requirement (MIRROR)</p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>:  €5.1m (2019-2022)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: to monitor social and other media to find "misperceptions and targeted misinformation campaigns" among people possibly looking to migrate to Europe, and to make sure border agencies counteract "media manipulation"</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/832921">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2014.39.45.png" width="785" height="188" alt="MIRROR" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><strong><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Name: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></strong>Understand the Impact of Novel Technologies, Social Media, and Perceptions in Countries Abroad on Migration Flows and the Security of the EU &amp; Provide Validated Counter Approaches, Tools and Practices<span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> (</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>PERCEPTIONS)</p> <p><strong><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>EU Contribution:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></strong><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> €4.9m (2019-2022)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><strong><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Description:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></strong><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Monitoring social media to identify perceptions influencing migration to Europe which "might also even lead to security threats, risks or radicalisation."</span></p> <p><strong><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>Description From <a href="https://cordis.europa.eu/project/id/833870">Project Page</a>:</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></strong></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2014.46.16.png" width="802" height="252" alt="PERCEPTIONS" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>From mobile phones to court – A complete FORensic investigation chain targeting MOBILE devices (FORMOBILE)</p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>€6.9m (2019-2022)</span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Another mobile phone extraction system, which will also develop "tools" for "the acquisition of previously unavailable mobile data, unlocking mobile devices, as well as the decoding and analysis of mobile data"</span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/832800">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2013.59.43.png" width="789" height="169" alt="FORMOBILE" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: Autonomous swarm of heterogeneous RObots for BORDER surveillance (ROBORDER)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €8m (2017-2021)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: Development of unmanned robots (air, land, sea and underwater) to monitor borders</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/740593">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-21%20at%2012.42.24.png" width="794" height="197" alt="ROBORDER" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Multimedia Analysis and Correlation Engine for Organised Crime Prevention and Investigation<span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> (MAGNETO) </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €5.3 (2018-2021)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: Data analytics platform to conduct tasks like relationship mapping in large datasets and predicting threats</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/786629">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2013.18.27.png" width="791" height="241" alt="MAGNETO" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Advanced tools for fighting oNline Illegal TrAfficking <span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>(ANITA)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: 4.9m</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span> (2018-2021)</p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: Data analytics programme monitoring data from the internet and crypto-currencies</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/787061/en">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2013.32.37.png" width="756" height="260" alt="ANITA" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Intelligence Network and Secure Platform for Evidence Correlation and Transfer <span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>(INSPECTr)  </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €6.9m (2019-2022)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: Another analytics platform for "gathering, analysing, prioritising and presenting key data to help in the prediction, detection and management of crime"</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From<a href="https://cordis.europa.eu/project/id/833276"> Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2014.10.33.png" width="787" height="171" alt="INSPECTr" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Novel Social Data Mining Platform to Detect and Defeat Violent Online Radicalization<span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span> (INSIKT)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €1.5m (2017-2020)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: Software developed by a Spanish companies which scrapes through social media to identify terrorist propaganda </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/767542">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2013.37.32.png" width="779" height="159" alt="INSIKT" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Lawful evidence collecting and continuity platform development <span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span>(LOCARD)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €6.8m (2019-2022)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: A forensics system to extract data from devices for use in court, which also includes "a crawler to detect and correlate online deviant behaviour"</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/832735">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2013.51.43.png" width="797" height="297" alt="LOCARD" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Video analysis for Investigation of Criminal and TerrORIst Activities (VICTORIA)</p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €5m (2017-2020)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: An automatic surveillance video analysis system </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/740754">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-20%20at%2014.26.37.png" width="774" height="226" alt="VICTORIA" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Name</strong>: Analysis System for Gathered Raw Data (ASGARD)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>EU Contribution</strong>: €12m (2016-2020)</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description</strong>: </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>This project will develop, maintain and evolve a tool set for the extraction, fusion, exchange and analysis of Big Data, including cyber-offense data for forensic investigation</p> <p><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><span><strong>Description From <a href="https://cordis.europa.eu/project/id/700381">Project Page</a>:</strong></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></p></div> </div> </div> <div class="field__item"> <div class="paragraph paragraph--type--image-and-text-repeating paragraph--view-mode--default"> <div class="field field--name-field-fieldset-image field--type-image field--label-hidden field__item"> <img src="/sites/default/files/flysystem/2020-01/Screenshot%202020-01-22%20at%2008.47.55_0.png" width="754" height="126" alt="ASGARD project page" typeof="foaf:Image" /> </div> <div class="clearfix text-formatted field field--name-field-fieldset-text field--type-text-long field--label-hidden field__item"><p><strong>__________________</strong></p> <p>The descriptions of these projects may make the research funded appear innocuous and simply contributing in extending the work police and intelligence agencies are already doing. However, there are serious concerns with regard to these projects, including but not limited to the degree of invasiveness to our privacy, the lack of an appropriate framework or protections both for conducting this research as well as for the deployment of the tools and the lack of safeguards. It is alarming that the EU is spending all this money securitising research at the expense of other vital areas that could actually make our lives better.</p> <p>There have been consistent calls by Parliamentarians, civil society, and academics to reform the programme, by for example excluding companies and authorities complicit in human rights abuses, such as I<a href="http://www.eccpalestine.org/european-researchers-and-academics-protest-involvement-of-israeli-arms-companies-in-eu-research-programs/">sraeli arms companie</a>s. While the result has been the development of ethical approval process, as Statewatch <a href="http://statewatch.org/analyses/marketforces.pdf">argues</a>, it does not "overcome the political environment and objectives in which it is framed", which sees the development of surveillance and security capabilities as the goal in itself, rather than something which can be avoided.</p> <p>More Resources:</p> <ul><li>Statewatch <a href="http://www.statewatch.org/Targeted-issues/ESRP/security-research.html#horizoneurope">Observatory</a> on the European security-industrial complex</li> <li> <p>Privacy International Campaign: <a href="https://privacyinternational.org/campaigns/challenging-drivers-surveillance">Challenging the Drivers of Surveillance</a></p> </li> </ul><p><strong>Photo</strong>: <strong>European Union, 2014</strong></p></div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/learning-topics/migrants" hreflang="en">Migrants</a></div> <div class="field__item"><a href="/learning-topics/tech-border" hreflang="en">Tech at the Border</a></div> <div class="field__item"><a href="/topics/communications-surveillance" hreflang="en">Communications Surveillance</a></div> <div class="field__item"><a href="/topics/surveillance-industry" hreflang="en">Surveillance Industry</a></div> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-inline"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/demand-humane-approach-immigration" hreflang="en">Demand a Humane Approach to Immigration</a></div> <div class="field__item"><a href="/what-we-do/investigate-surveillance-powers-and-industry-sustaining-them" hreflang="en">Investigate Surveillance Powers and the Industry Sustaining Them</a></div> <div class="field__item"><a href="/what-we-do/research-advanced-surveillance-technologies" hreflang="en">Research Advanced Surveillance Technologies</a></div> <div class="field__item"><a href="/what-we-do/track-surveillance-industry-and-trade" hreflang="en">Track the Surveillance Industry and Trade</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/contesting-government-data-and-system-exploitation" hreflang="en">Contesting Government Data and System Exploitation</a></div> <div class="field__item"><a href="/strategic-areas/government-exploitation" hreflang="en">Government Exploitation</a></div> <div class="field__item"><a href="/strategic-areas/safeguarding-peoples-dignity" hreflang="en">Safeguarding Peoples&#039; Dignity</a></div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/challenging-drivers-surveillance" hreflang="en">Challenging the Drivers of Surveillance</a></div> <div class="field__item"><a href="/campaigns/phone-data-extraction" hreflang="en">Phone Data Extraction</a></div> <div class="field__item"><a href="/campaigns/police-spy-tech-public-places" hreflang="en">Police spy tech in public places</a></div> <div class="field__item"><a href="/campaigns/protecting-migrants-borders-and-beyond" hreflang="en">Protecting migrants at borders and beyond</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/690" hreflang="en">Funders</a></div> </div> </div> <div class="field field--name-field-audience-and-purpose field--type-entity-reference field--label-above"> <div class="field__label">Audiences and Purpose</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/628" hreflang="en">Feeding our followers</a></div> <div class="field__item"><a href="/taxonomy/term/626" hreflang="en">General purpose news for news-seeking audience</a></div> <div class="field__item"><a href="/taxonomy/term/627" hreflang="en">Informing the concerned</a></div> </div> </div> Mon, 20 Jan 2020 17:10:57 +0000 staff 3341 at http://privacyinternational.org Advocate General’s Opinion: national security mass retention regimes are incompatible with EU Law http://privacyinternational.org/news-analysis/3334/advocate-generals-opinion-national-security-mass-retention-regimes-are <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div id="field-language-display"><div class="js-form-item form-item js-form-type-item form-type-item js-form-item- form-item-"> <label>Language</label> English </div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><span><span><span>Today Advocate General (AG) Campos Sánchez-Bordona of the Court of Justice of the European Union (CJEU), issued his opinions (</span><a href="http://curia.europa.eu/juris/documents.jsf?num=C-623/17"><span><span>C-623/17</span></span></a><span>, </span><a href="http://curia.europa.eu/juris/documents.jsf?num=C-511/18"><span><span>C-511/18 and C-512/18</span></span></a><span> and </span><a href="http://curia.europa.eu/juris/documents.jsf?num=C-520/18"><span><span>C-520/18</span></span></a><span>) on how he believes the Court should rule on vital questions relating to the conditions under which security and intelligence agencies in the UK, France and Belgium could have access to communications data retained by telecommunications providers.</span></span></span></p> <p><span><span><span>The AG addressed two major questions:<br /> (1) When states seek to impose obligations on electronic communications services in the name of national security, do such requirements fall within the scope of EU law?<br /> (2) If the answer to the first question is yes, then what does EU law require of the national schemes at issue, which include: a French data retention regime, a Belgian data retention regime, and UK regime for the collection of bulk communications data?</span></span></span></p> <p><span><span><span>The AG’s short answers to those questions are:<br /> (1) Yes, EU law applies whenever states seek to impose processing requirements on electronic communications services, even if those obligations may be motivated by national security concerns; and<br /> (2) Accordingly, the national regimes at issue must all comply with the CJEU’s previous judgments in <em>Digital Rights Ireland and Others</em>, Cases C-293/12 and C-594/12 (“Digital Rights Ireland”), and <em>Tele2 Sverige and Watson and Others</em>, Cases C-203/15 and C-698/15 (“Tele2/Watson”). None of them do, which leads the AG to advise that none of the regimes are compatible with EU law.</span></span></span></p> <p><span><span><span>The AG’s opinion is an affirmation of the basic principle at the heart of  Privacy International’s work: national security measures must be subject to the rule of law and respect our fundamental rights.</span></span></span></p> <p><span><span><span>Privacy International initiated the challenge to the </span><a href="https://privacyinternational.org/legal-action/cjeu-bulk-challenge"><span><span>UK bulk communications data regime</span></span></a><span>, and intervened in the challenge to the </span><a href="https://privacyinternational.org/legal-action/fdn-and-others-v-france-french-data-retention"><span><span>French data retention law</span></span></a><span>.</span></span></span></p> <h2><span><span><strong><span>Does EU Law apply?</span></strong></span></span></h2> <p><span><span><span>Central to all three opinions is the question of whether EU law applies when member states are acting to protect their national security. The AG concludes that the national security context does not disapply EU law. Instead, one must look to the effect of the proposed requirement - data retention or collection - on electronic communications services. Requiring these service providers to retain and/or transmit data to the security and intelligence agencies (SIAs) falls under EU law because such practices qualify as the “processing of personal data”.</span></span></span></p> <p><span><span><span>Stating this principle in the negative, the AG says: “The provisions of the directive will not apply to <em>activities</em> which are intended to safeguard national security and are undertaken by the public authorities themselves, without requiring the cooperation of private individuals and, therefore, without imposing on them obligations in the management of business” (UK Case C-623/17, paragraph 34/79) (emphasis in original).</span></span></span></p> <h2><span><span><strong><span>Is the UK Bulk Communications Data Regime compatible with EU law?</span></strong></span></span></h2> <p><span><span><span>In the UK case, Privacy International challenged the bulk acquisition and use of communications data by GCHQ and MI5). </span><a href="https://privacyinternational.org/legal-action/bulk-personal-datasets-bulk-communications-data-challenge"><span><span>That case</span></span></a><span> began in the Investigatory Powers Tribunal (IPT), which referred to the CJEU the questions that the AG is addressing. The IPT asked the CJEU to decide, first, whether requiring an electronic communications network to turn over communications data in bulk to the SIAs falls within the scope of European Union law; and second, if the answer to the first question is yes, what safeguards should apply to that bulk access to data?</span></span></span></p> <p><span><span><span>As noted above, the AG’s answer to the first question is yes, which brings the second question into play. In short, the AG declares that the UK bulk communications and data retention regime (as implemented under section 94 of the Telecommunications Act 1984) “does not satisfy the conditions established in the <em>Tele2 Sverige and Watson</em> judgment, because it involves general and indiscriminate retention of personal data” (UK Case C-623/17, paragraph 37).</span></span></span></p> <p><span><span><span>The AG re-emphasises that access to retained data “must be subject to prior review by a court or an independent administrative authority” (UK Case C-623/17, paragraph 139). The value of this authority lies in its commitment “to both safeguarding national security and to defending citizens’ fundamental rights” (Id.).</span></span></span></p> <p><span><span><span>The AG further endorses the application of the other conditions from the <em>Tele2/Watson</em> judgment, including:</span></span></span></p> <ul><li><span><span><span><span>the requirement to inform affected parties, unless this would compromise the effectiveness of the measure; and</span></span></span></span></li> <li><span><span><span><span>the retention of the data within the European Union.<br /> (UK Case C-623/17, paragraph 43)</span></span></span></span></li> </ul><h2><span><span><strong><span>Is the French Data Retention Regime compatible with EU law?</span></strong></span></span></h2> <p><span><span><span>The French case similarly asked whether general and indiscriminate data retention was permissible under EU law for the purposes of combating terrorism.</span></span></span></p> <p><span><span><span>The AG concluded that the French regime amounts to generalised and indiscriminate data retention and as such it is not compatible with EU law (French Cases C-511/18 and C-12/18, paragraph 111). The French legislation at issue imposes a one-year retention obligation on all electronic communications operators and others with regard to all data of all subscribers for the purpose of the investigation, finding, and prosecution of criminal offenses.</span></span></span></p> <p><span><span><span>The AG reiterates the conclusion of the <em>Tele2/Watson</em> judgment that the fight against terrorism or similar threats to national security cannot justify generalised and indiscriminate retention of data. He suggests that data retention should be targeted and permissible only if certain criteria are satisfied, e.g. targeting a specific group of people or a particular geographical area (French Cases C-511/18 and C-12/18, paragraph 133). The Belgian opinion elaborates on possible types of targeting criteria. On the question of access to retained data, he advises that access should depend on previous authorisation of a judicial or independent administrative authority following a reasoned request by the competent authorities.</span></span></span></p> <p><span><span><span>The AG, furthermore, concluded that that real-time collection of traffic and location data of individuals suspected to be connected to a specific terrorist threat would be permissible under EU law so long as it does not impose on the service providers an obligation to retain additional data beyond what it is already required for billing or marketing services. Independent authorisation is also necessary for accessing this data (French Cases C-511/18 and C-12/18, paragraphs 142-3).</span></span></span></p> <p><span><span><span>Similarly to the UK Opinion above the AG reaffirms the requirement to inform affected parties, unless this would compromise the effectiveness of the measure that was already established in Tele2/Watson case and concludes that the French law is not compatible with the EU requirements (French Cases C-511/18 and C-12/18, paragraph 153).</span></span></span></p> <h2><span><span><strong><span>Are AG’s opinions the judgments of the CJEU?</span></strong></span></span></h2> <p><span><span><span>The AG’s opinions are not binding on the CJEU. The Court will issue its opinion in the coming months.</span></span></span></p> <h2><span><span><strong><span>What comes next?</span></strong></span></span></h2> <p><span><span><span>Following the CJEU judgment, each case will be sent back to each state’s national courts. If the CJEU agrees with the Advocate General, then national courts will have to apply the CJEU judgment and accordingly find domestic regimes incompatible with EU law.</span></span></span></p> <p>*<span>Photo by <a href="https://unsplash.com/@chrisyangchrisfilm?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Chris Yang</a> on <a href="https://unsplash.com/?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span></p></div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/chris-yang-1tnS_BVy9Jk-unsplash.jpg" width="5472" height="3648" alt="people" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/chris-yang-1tnS_BVy9Jk-unsplash_0.jpg" width="5472" height="3648" alt="people" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/chris-yang-1tnS_BVy9Jk-unsplash_1.jpg" width="5472" height="3648" alt="people" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/modernise-rule-law-and-strengthen-surveillance-safeguards" hreflang="en">Modernise the Rule of Law and Strengthen Surveillance Safeguards</a></div> <div class="field__item"><a href="/what-we-do/fight-data-retention-law" hreflang="en">Fight Data Retention Law</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/communications-data-retention" hreflang="en">Communications Data Retention</a></div> <div class="field__item"><a href="/topics/communications-surveillance" hreflang="en">Communications Surveillance</a></div> <div class="field__item"><a href="/topics/mass-surveillance" hreflang="en">Mass Surveillance</a></div> </div> </div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/european-union" hreflang="en">European Union</a></div> <div class="field__item"><a href="/location/united-kingdom" hreflang="en">United Kingdom</a></div> <div class="field__item"><a href="/location/france" hreflang="en">France</a></div> <div class="field__item"><a href="/location/belgium" hreflang="en">Belgium</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/defending-democracy-and-dissent" hreflang="en">Defending Democracy and Dissent</a></div> <div class="field__item"><a href="/strategic-areas/government-exploitation" hreflang="en">Government Exploitation</a></div> </div> </div> <div class="field field--name-field-resource-type field--type-entity-reference field--label-above"> <div class="field__label">Web Resource</div> <div class="field__items"> <div class="field__item"><a href="/type-resource/legal-cases" hreflang="en">Legal Cases</a></div> </div> </div> <div class="field field--name-field-type-of-impact field--type-entity-reference field--label-above"> <div class="field__label">Type of Impact</div> <div class="field__items"> <div class="field__item"><a href="/impact/communications-data-surveillance-restrained" hreflang="en">Communications Data Surveillance Restrained</a></div> <div class="field__item"><a href="/impact/fighting-mass-surveillance-post-snowden-era" hreflang="en">Fighting Mass Surveillance in the Post-Snowden Era</a></div> <div class="field__item"><a href="/impact/surveillance-and-rule-law" hreflang="en">Surveillance and the Rule of Law</a></div> </div> </div> <div class="field field--name-field-legal-proceedings field--type-entity-reference field--label-above"> <div class="field__label">Legal Action</div> <div class="field__items"> <div class="field__item"><a href="/legal-action/cjeu-bulk-challenge" hreflang="en">CJEU Bulk Challenge</a></div> </div> </div> </div> </div> Wed, 15 Jan 2020 18:02:06 +0000 staff 3334 at http://privacyinternational.org Preliminary Statement: Advocate General's Opinion Advises that Mass Surveillance Regime is Unlawful http://privacyinternational.org/press-release/3332/preliminary-statement-advocate-generals-opinion-advises-mass-surveillance-regime <span class="field field--name-title field--type-string field--label-hidden">Preliminary Statement: Advocate General&#039;s Opinion Advises that Mass Surveillance Regime is Unlawful</span> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/user/43" typeof="schema:Person" property="schema:name" datatype="">staff</span></span> <span class="field field--name-created field--type-created field--label-hidden">Wednesday, January 15, 2020</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><em>Photo by <a href="https://unsplash.com/@moino007?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">DDP</a> on <a href="https://unsplash.com/?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></em></p> <p>Today the Advocate General (AG) of the Court of Justice of the European Union (CJEU), Campos Sánchez-Bordona, issued his opinion on how he believes the Court should rule on vital questions relating to the conditions under which security and intelligence agencies in the UK, France and Belgium could have access to communications data retained by telecommunications providers.</p> <p>The AG advises the following:</p> <ul><li>The UK’s collection of bulk communications data violates EU law.</li> <li>The French and Belgium data retention schemes also violate EU law.</li> </ul><p>In the UK case, Privacy International challenged the bulk acquisition and use of communications data by the Security and Intelligence Agencies (SIAs) (that is GCHQ, MI5 and MI6). <a href="https://privacyinternational.org/legal-action/cjeu-bulk-challenge">That case</a> began in the Investigatory Powers Tribunal (IPT), which referred to the CJEU the questions that the AG is today addressing. The IPT asked the CJEU to decide, first, whether requiring an electronic communications network to turn over communications data in bulk to the SIAs falls within the scope of European Union law; and second, if the answer to the first question is yes, what safeguards should apply to that bulk access to data?</p> <p>The French case similarly asked whether general and indiscriminate data retention was permissible under EU law.</p> <p>The AG’s opinion is not binding on the CJEU. The Court itself will issue its judgment in the coming months.</p> <p>This is a preliminary statement from PI regarding the opinion. PI will later issue a longer analysis.</p> <p>Caroline Wilson Palow, Legal Director of Privacy International, said:</p> <blockquote> <p>We welcome today’s opinion from the Advocate General and hope it will be persuasive to the Court. The opinion is a win for privacy. We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed. If the Court agrees with the AG’s opinion, then unlawful bulk surveillance schemes, including one operated by the UK, will be reined in.</p> </blockquote></div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/united-kingdom" hreflang="en">United Kingdom</a></div> <div class="field__item"><a href="/location/france" hreflang="en">France</a></div> <div class="field__item"><a href="/location/belgium" hreflang="en">Belgium</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/mass-surveillance" hreflang="en">Mass Surveillance</a></div> <div class="field__item"><a href="/topics/communications-data-retention" hreflang="en">Communications Data Retention</a></div> </div> </div> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/ddp-wGB98bd8UOc-unsplash.jpg" width="6000" height="4000" alt="droits" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-legal-proceedings field--type-entity-reference field--label-above"> <div class="field__label">Legal Action</div> <div class="field__items"> <div class="field__item"><a href="/legal-action/bulk-personal-datasets-bulk-communications-data-challenge" hreflang="en">Bulk Personal Datasets &amp; Bulk Communications Data challenge</a></div> </div> </div> Wed, 15 Jan 2020 11:10:40 +0000 staff 3332 at http://privacyinternational.org Senior Google engineer reveals privacy bombshell in Android’s preinstalled apps http://privacyinternational.org/news-analysis/3330/senior-google-engineer-reveals-privacy-bombshell-androids-preinstalled-apps <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div id="field-language-display"><div class="js-form-item form-item js-form-type-item form-type-item js-form-item- form-item-"> <label>Language</label> English </div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><hr /> <h5>Privacy International is currently running a campaign on pre-installed apps. <a href="https://privacyinternational.org/petition#bombshell">If you believe that Google should stop allowing manufacturers and vendors from exploiting our devices, take a look at our petition</a></h5> <hr /> <p>Maddie Stone, formally a Senior reverse engineer and tech lead on the Android security team, shockingly revealed a number of examples of how pre-installed apps on Android devices can undermine users privacy and security in her BlackHat USA talk in August 2019. The video of the talk only recently became <a href="https://www.youtube.com/watch?v=U6qTcpCfuFc">available</a> to the public in late December 2019.</p> <p>The apps in question come preloaded on a device when it is purchased and often can't be removed. Stone reveals a litany of abuses carried out by smartphone manufacturers around the world, discovered following analysis by Google of devices to be distributed by their Android <a href="https://www.android.com/intl/en_uk/certified/partners/">partner</a>. Some of the findings demonstrate the contempt that some manufacturers hold their users privacy and security in.</p> <p>Almost every manufacturer, including Google, disabled Google Play Protect without warning the user in order to bypass an issue in provisioning devices, a feature in newer versions of Android that is supposed to stop apps behaving maliciously and ultimately protect user privacy and security. Other manufacturers left code on their devices that would allow anyone to execute code remotely - allowing any malicious actor aware of this able to read the contents of your phone without ever needing to physically access to it and without the user knowing. Some manufacturers even modified the Android OS and API’s to allow them to get access to every URL that was accessed on the devices, for unclear purposes, a clear breach of users trust and privacy.</p> <p>Stone even explains how, astonishingly, pre-installed apps are used via supply chain interference from malware developers to distribute their code. There is no need to trick a user into installing malware if it already comes packaged and pre-installed on a phone.</p> <p>Most disappointing of all is the fact that this presentation shows Google has known about this problem for some time, brought to light by one of its own respected engineers, but has yet to act. We cannot find a single reason why Google continues to enable an ecosystem that exploits people who own Android phones when the dangers have been so clearly articulated.</p> <p>Privacy International along with 50 other NGO’s around the world demand Google adopt better practices and stop manufacturers from exploiting people. We have reasonable asks and believe it is absolutely within Google's power to make these positive changes. If you believe that Google should curtail the exploitative practices of manufacturers, you should sign our <a href="https://privacyinternational.org/petition">petition</a>.</p> <h2>The issues</h2> <h3>Google Play Protect</h3> <p>The disabling of Google Play Protect makes it possible for known malicious apps to be installed and provides no warning to the user, it also means that pre-installed apps aren’t being held to the same standards as those which are available through Google Play, Google’s app store.</p> <blockquote> <p>“Just about everyone was doing this, disabling [Google Play Protect] silently”, “[including] GMScore, Google had done [disabled Google Play Protect] as well”</p> </blockquote> <p>Stone states “just about everyone was doing this, disabling it silently”, she continues “[including] GMScore, Google had done it as well” (GMScore is Googles Play Service itself). While there are detections in place for the disabling of Google Play Protect, they don’t apply in the same way to pre-installed apps due to the apps already privileged status and ability to communicate using API’s above those which would trip the detection.</p> <p>Some manufacturers left the setting disabled, however Stone states “while most tried to re-enable this setting, it wasn’t all the time, and there was also sometimes a race condition which meant it couldn’t be re-enabled” making it impossible for Google Play Protect to be turned back on. The problem was resolved in the Android Open Source Project (AOSP) security update January 2019 (<a href="https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/fe4c71a7a3a8a2184b3096203aa9240e01af621e">CVE-2018-9586</a>) however this doesn’t acknowledge the long tail of Android devices, hundreds of thousands of devices will be in the wild with owners unaware that there device doesn’t have even the most basic malware protection enabled.</p> <h3>Multi-app Collusion</h3> <p>One of the issues highlighted by Stone is known as &quot;multi-app&quot; collusion, something which is relatively unique to pre-installed apps. This is when two apps work in concert to do things they can't do on their own.</p> <p>Stone uses the example of two apps that have a shared context, one which has permissions to send text messages, but doesn’t contain any code to do so, and another which has the code to send text messages to a number (for example a premium rate one), but doesn’t have the permissions to send texts. Its the ability of these apps to use their shared context, and to work in harmony that allows them to exploit the user, in this case to perpetrate message fraud.</p> <p><img src="/sites/default/files/2020-01/mstone-ma-collusion.png" alt="" /></p> <p style="font-size:16px"> <a href="https://github.com/maddiestone/ConPresentations/blob/master/Blackhat2019.SecuringTheSystem.pdf">Image courtesy Maddie Stone via GitHub</a> </p> <h3>Remote Code Execution</h3> <p>Stone examines the Remote Code Execution (RCE) through backdoors, these are bits of code that exist (or were destined to exist) on the device, both examples stem from oversight on the part of the integrator rather than deliberate malice, for example leaving diagnostic and remote management software on the device in a unprotected manner allowing for remote code execution.</p> <h3>URL logging</h3> <p>URL Logging is where a manufacturer has modified the Android OS and API’s to allow them to get access to every URL that was accessed on the devices, a clear breach of users trust and privacy. This kind of behaviour, according to Stone's slides, would of been detected by Google Play Protect as Spyware. However as stated previously Google Play Protect could be disabled silently.</p> <h3>Malware</h3> <p>Stone discusses supply chain issues with regards to pre-installed apps. Unlike conventional malware where the developer has to convince the user to install their app (generally through deception, e.g Phishing or imitation attacks), a malware developer only needs to convince a the device manufacture to include their code, and it will be automatically shipped to thousands of users. As stated previously, it will also gain many of the benefits of being pre-installed, such as having privileged access and being included on a read-only file system making it impossible for a user to delete.</p> <blockquote> <p>“Chamois” botnet, which masqueraded as a “mobile payment solution” or an “advertising SDK”</p> </blockquote> <p>In her example Stone talks about “Chamois” botnet, which masqueraded as a “mobile payment solution” or an “advertising SDK” (see <a href="https://privacyinternational.org/appdata">Privacy International’s other work on SDKs</a>). She goes on to discuss the diversity of Android OEM’s and how some are “longtail” selling devices for “$30, $40 devices and have almost a negative margin”. She explains that the inclusion of a free advertising SDK can be alluring to these OEM’s and the malware developers “threat actors” as Stone puts it, know this.</p> <p>Stone's revelations about the scale of malpractice amongst manufacturers raises serious concerns about Google's certification process. If you think it's time Google took it's responsbility to users seriously and enforce that manufacturers behave better, sign our <a href="https://privacyinternational.org/petition">petition</a>.</p> </div> <div class="field field--name-field-large-image field--type-image field--label-above"> <div class="field__label">Large Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/Pi-Android-mock-up-2-1-photo.png" width="1920" height="1080" alt="A mock phone advert with &quot;Sharing is Caring&quot; as a tagline" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-image field--type-image field--label-above"> <div class="field__label">List Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/Pi-Android-mock-up-2-1-photo_0.png" width="1920" height="1080" alt="A mock phone advert with &quot;Sharing is Caring&quot; as a tagline" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-list-icon field--type-image field--label-above"> <div class="field__label">List Icon</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/Pi-Android-mock-up-2-1-photo_1.png" width="1920" height="1080" alt="A mock phone advert with &quot;Sharing is Caring&quot; as a tagline" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-issue field--type-entity-reference field--label-above"> <div class="field__label">What PI is fighting for</div> <div class="field__items"> <div class="field__item"><a href="/what-we-do/expose-invisible-data-placed-beyond-our-control" hreflang="en">Expose Invisible Data Placed Beyond Our Control</a></div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"><a href="/topics/adtech" hreflang="en">AdTech</a></div> <div class="field__item"><a href="/topics/cyber-security" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/topics/data-exploitation" hreflang="en">Data Exploitation</a></div> </div> </div> <div class="field field--name-field-location-region-locale field--type-entity-reference field--label-above"> <div class="field__label">Location</div> <div class="field__items"> <div class="field__item"><a href="/location/united-states-america" hreflang="en">United States of America</a></div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-above"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><a href="/strategic-areas/challenging-corporate-data-exploitation" hreflang="en">Challenging Corporate Data Exploitation</a></div> </div> </div> <div class="field field--name-field-resource-type field--type-entity-reference field--label-above"> <div class="field__label">Web Resource</div> <div class="field__items"> <div class="field__item"><a href="/type-resource/action" hreflang="en">Action</a></div> </div> </div> <div class="field field--name-field-target field--type-entity-reference field--label-above"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><a href="/target/industry" hreflang="en">Industry</a></div> </div> </div> <div class="field field--name-field-type-of-intervention field--type-entity-reference field--label-above"> <div class="field__label">Related work PI does</div> <div class="field__item"><a href="/how-we-fight/tech-research" hreflang="en">Tech Research</a></div> </div> <div class="field field--name-field-attachments field--type-file field--label-hidden field__items"> <div class="field__item"><table data-striping="1"> <thead> <tr> <th>Attachment</th> <th>Size</th> </tr> </thead> <tbody> <tr class="odd"> <td> <span class="file file--mime-image-png file--image"> <a href="http://privacyinternational.org/sites/default/files/2020-01/mstone-ma-collusion.png" type="image/png; length=128971">mstone-ma-collusion.png</a></span> </td> <td>125.95 KB</td> </tr> </tbody> </table> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-above"> <div class="field__label">What PI is Campaigning on</div> <div class="field__items"> <div class="field__item"><a href="/campaigns/privacy-shouldnt-be-luxury" hreflang="en">Privacy shouldn&#039;t be a luxury</a></div> </div> </div> <div class="field field--name-field-education-course field--type-entity-reference field--label-above"> <div class="field__label">Education material</div> <div class="field__items"> <div class="field__item"><a href="/education/researching-privacy" hreflang="en">Researching Privacy</a></div> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/578" hreflang="en">Google</a></div> </div> </div> <div class="field field--name-field-date field--type-datetime field--label-above"> <div class="field__label">Date</div> <div class="field__item"><time datetime="2020-01-13T12:00:00Z" class="datetime">Monday, January 13, 2020</time> </div> </div> </div> </div> Mon, 13 Jan 2020 15:34:37 +0000 tech-admin 3330 at http://privacyinternational.org An open letter to Google http://privacyinternational.org/advocacy/3320/open-letter-google <div class="node node--type-advocacy-briefing node--view-mode-token group-one-column ds-2col-stacked-fluid clearfix"> <div class="group-header"> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field__label">Image</div> <div class="field__item"> <img src="/sites/default/files/flysystem/2020-01/Pi-Android-mock-up-1-1-photo-min_2.png" width="1920" height="1080" alt="Man taking a picture with his phone" typeof="foaf:Image" /> </div> </div> <div class="field field--name-field-targeted-adversary field--type-entity-reference field--label-above"> <div class="field__label">More about this Adversary</div> <div class="field__items"> <div class="field__item"><a href="/taxonomy/term/578" hreflang="en">Google</a></div> </div> </div> </div> <div class="group-left"> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><b>Privacy International and over 50 other organisations have submitted a letter to Alphabet Inc. CEO Sundar Pichai asking Google to take action against exploitative pre-installed software on Android devices.</b></p> <p>You can find the letter below. <a href="https://privacyinternational.org/petition#open">Add your voice to this campaign by signing our petition</a> if you believe that its time Google stopped enabling exploitation.</p> <p>Note: This letter is also available in <a href="/node/3322">French</a> and <a href="/es/node/3320">Spanish</a></p> <hr /><h2>Dear Mr. Pichai,</h2> <p>We, the undersigned, agree with you: privacy cannot be a luxury offered only to those people who can afford it.</p> <p>And yet, Android Partners - who use the Android trademark and branding - are manufacturing devices that contain pre-installed apps that cannot be deleted (often known as "bloatware"), which can leave users vulnerable to their data being collected, shared and exposed without their knowledge or consent.</p> <p>These phones carry the "Google Play Protect" branding, but <a href="https://haystack.mobi/papers/preinstalledAndroidSW_preprint.pdf">research shows that 91% of pre-installed apps do not appear in Google Play</a> – Google’s app store.</p> <p>These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model. This means permissions can be defined by the app - including access to the microphone, camera and location - without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions.</p> <p>We are concerned that this leaves users vulnerable to the exploitative business practices of cheap smartphone manufacturers around the world.</p> <p>The changes we believe are needed most urgently are as follows:</p> <ul><li>Individuals should be able to permanently uninstall the apps on their phones. This should include any related background services that continue to run even if the apps are disabled.</li> <li>Pre-installed apps should adhere to the same scrutiny as Play Store apps, especially in relation to custom permissions.</li> <li>Pre-installed apps should have some update mechanism, preferably through Google Play and without a user account. Google should refuse to certify a device on privacy grounds, where manufacturers or vendors have attempted to exploit users in this way.</li> </ul><p>We, the undersigned, believe these fair and reasonable changes would make a huge difference to millions of people around the world who should not have to trade their privacy and security for access to a smartphone.</p> <p>We urge you to use your position as an influential agent in the ecosystem to protect people and stop manufacturers from exploiting them in a race to the bottom on the pricing of smartphones.</p> <p><span><span><span>Yours sincerely,</span></span></span></p> <table border="0" cellpadding="2" cellspacing="2" style="width: 100%;"><tbody><tr><td> <p>American Civil Liberties Union (ACLU)</p> <p>Afghanistan Journalists Center (AFJC)</p> <p>Americans for Democracy and Human Rights in Bahrain (ADHRB)</p> <p>Amnesty International</p> <p>Asociación por los Derechos Civiles (ADC)</p> <p>Association for Progressive Communications (APC)</p> <p>Association for Technology and Internet (ApTI)</p> <p>Association of Caribbean Media Workers</p> <p>Australian Privacy Foundation</p> <p>Center for Digital Democracy</p> <p>Centre for Intellectual Property and Information Technology Law (CIPIT)</p> <p>Citizen D</p> <p>Civil Liberties Union for Europe</p> <p>Coding Rights</p> <p>Consumer Association the Quality of Life-EKPIZO</p> <p>Datos Protegidos</p> <p>Digital Rights Foundation (DRF)</p> <p>Douwe Korff, Emeritus Professor of International Law, London Metropolitan University and Associate of the Oxford Martin School, University of Oxford</p> <p>DuckDuckGo</p> <p>Electronic Frontier Foundation (EFF)</p> <p>Forbrukerrådet // Norwegian Consumer Council</p> <p>Foundation for Media Alternatives</p> <p>Free Media Movement (FMM)</p> <p>Freedom Forum</p> <p>Fundación Karisma</p> <p>Gulf Centre for Human Rights (GCHR)</p> <p>Hiperderecho</p> <p>Homo Digitalis</p> <p>IJC Moldova</p> <p>Initiative for Freedom of Expression- Turkey (IFox)</p> <p>Irish Council for Civil Liberties</p> <p>Media Foundation for West Africa</p> <p>Media Institute of Southern Africa (MISA)</p> <p>Media Policy and Democracy Project (University of Johannesburg)</p> <p>Media Policy Institute (MPI)</p> <p>Media Watch</p> <p>Metamorphosis Foundation for Internet and Society</p> <p>Open Rights Group (ORG)</p> <p>Palestinian Center For Development &amp; Media Freedoms (MADA)</p> <p>Panoptykon</p> <p>Paradigm Initiative</p> <p>PEN Canada</p> <p>Philippine Alliance of Human Rights Advocates (PAHRA)</p> <p>Privacy International</p> <p>Public Citizen</p> <p>Red en Defensa de los Derechos Digitales (R3D)</p> <p>Syrian Center for Media and Freedom of Expression (SCM)</p> <p>TEDIC</p> <p>The Danish Consumer Council</p> <p>The Institute for Policy Research and Advocacy (ELSAM)</p> <p>The Tor Project</p> <p>Unwanted Witness</p> <p>Vigilance for Democracy and the Civic State</p> </td> </tr></tbody></table><p> </p> </div> <div class="field field--name-field-repeating-image-and-text field--type-entity-reference-revisions field--label-inline"> <div class="field__label">Repeating Image and Text</div> <div class="field__items"> <div class="field__item"><div class="paragraph-formatter"><div class="paragraph-info"></div> <div class="paragraph-summary"></div> </div> </div> </div> </div> </div> <div class="group-footer"> <div class="field field--name-field-partner field--type-entity-reference field--label-inline"> <div class="field__label">Our Partner organisation</div> <div class="field__items"> <div class="field__item"><div about="/partners/asociacion-por-los-derechos-civiles" id="taxonomy-term-131" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/asociacion-por-los-derechos-civiles"> <div class="field field--name-name field--type-string field--label-hidden field__item">Asociación por los Derechos Civiles</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The Association for Civil Rights (ADC) is a non-governmental organisation based in Buenos Aires that promotes civil and social rights in Argentina and other Latin American countries. It was founded in 1995 with the aim of fostering a legal and institutional culture to guarantee fundamental rights, based on respect for the constitution and democratic values.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/argentina" hreflang="en">Argentina</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/latin-america" hreflang="en">Latin America</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="http://adc.org.ar/">http://adc.org.ar/</a></div> <div class="field__item"><a href="https://adcdigital.org.ar/acerca-de/">https://adcdigital.org.ar/acerca-de/</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/centre-intellectual-property-and-information-technology-law" id="taxonomy-term-370" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/centre-intellectual-property-and-information-technology-law"> <div class="field field--name-name field--type-string field--label-hidden field__item">Centre for Intellectual Property and Information Technology Law</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The Centre for Intellectual Property and Information Technology Law (CIPIT) is a Centre established under Strathmore Law School in Kenya. Launched in 2012, CIPT conducts evidence-based research and training in intellectual property, information technology law, and policy. </p> <p> </p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/kenya" hreflang="en">Kenya</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/africa" hreflang="en">Africa</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="https://www.cipit.org">https://www.cipit.org</a></div> <div class="field__item"><a href="https://twitter.com/StrathCIPIT">Twitter: @StrathCIPIT</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/coding-rights" id="taxonomy-term-69" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/coding-rights"> <div class="field field--name-name field--type-string field--label-hidden field__item">Coding Rights</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Coding Rights is a Brazilian-based think tank that aims to advance the enforcement of human rights in the digital world. Its goal is to ensure that policy-making affecting technological development and digital rights is informed by actual technological knowledge, and that technological development is guided by fundamental human rights. </p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/brazil" hreflang="en">Brazil</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/latin-america" hreflang="en">Latin America</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="https://www.codingrights.org/">https://www.codingrights.org/</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/datos-protegidos" id="taxonomy-term-338" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/datos-protegidos"> <div class="field field--name-name field--type-string field--label-hidden field__item">Datos Protegidos</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Datos Protegidos is a Chilean-based non-profit organisation that promotes and defends the right to privacy and the protection of personal data. It participates in public debates and undertakes research to promote a society that respects the dignity, non-discrimination and freedom of people.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/chile" hreflang="en">Chile</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/latin-america" hreflang="en">Latin America</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="https://datosprotegidos.org">https://datosprotegidos.org</a></div> <div class="field__item"><a href="https://twitter.com/datospersonales">Twitter: @datospersonales</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/digital-rights-foundation" id="taxonomy-term-133" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/digital-rights-foundation"> <div class="field field--name-name field--type-string field--label-hidden field__item">Digital Rights Foundation</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Digital Rights Foundation (DRF) is a research and advocacy NGO based in Pakistan that focuses on how Information and Communication Technologies (ICTs) can support human rights, democratic processes and digital governance. It works towards a world where all people, and especially women, are able to safely exercise their right of expression. </p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/pakistan" hreflang="en">Pakistan</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/asia" hreflang="en">Asia</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="http://www.digitalrightsfoundation.pk">http://www.digitalrightsfoundation.pk</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/foundation-media-alternatives" id="taxonomy-term-137" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/foundation-media-alternatives"> <div class="field field--name-name field--type-string field--label-hidden field__item">Foundation for Media Alternatives</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The Foundation for Media Alternatives (FMA) is a non-profit service institution that supports citizens and communities—in particular civil society organisations and other development stakeholders—in their strategic use of Information and Communication Technologies (ICTs). It was founded in 1987 and is based in Manila.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/philippines" hreflang="en">Philippines</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/asia" hreflang="en">Asia</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="http://www.fma.ph">http://www.fma.ph</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/fundacion-karisma" id="taxonomy-term-138" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/fundacion-karisma"> <div class="field field--name-name field--type-string field--label-hidden field__item">Fundación Karisma</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Founded in 2003, Fundación Karisma is a civil society organisation dedicated to supporting and disseminating the good use of technologies in digital environments, social processes and public policies in Colombia and the region, with a human rights focus. It also undertakes legal and technological activism in coalitionwith local, regional and international partners.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/colombia" hreflang="en">Colombia</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/latin-america" hreflang="en">Latin America</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="http://karisma.org.co/">http://karisma.org.co/</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/hiperderecho" id="taxonomy-term-367" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/hiperderecho"> <div class="field field--name-name field--type-string field--label-hidden field__item">Hiperderecho</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Hiperderecho is a non-profit Peruvian organisation dedicated to facilitating public understanding and promoting respect for rights and freedoms in digital environments. It seeks to spread the liberating capacity of technology to develop or enhance digital spaces so that all Peruvians can exercise their rights and strengthen their citizenship. </p> <p> </p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/peru" hreflang="en">Peru</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/latin-america" hreflang="en">Latin America</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="https://hiperderecho.org">https://hiperderecho.org</a></div> <div class="field__item"><a href="https://twitter.com/Hiperderecho">Twitter: @Hiperderecho</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/red-en-defensa-de-los-derechos-digitales" id="taxonomy-term-141" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/red-en-defensa-de-los-derechos-digitales"> <div class="field field--name-name field--type-string field--label-hidden field__item">Red en Defensa de los Derechos Digitales</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The Red en Defensa de los Derechos Digitales (R3D) is a Mexican organisation dedicated to the defence of human rights in the digital environment. It uses various legal and communication tools for policy research, strategic litigation, and advocacy and campaigns, with particular attention to freedom of expression, privacy, and access to knowledge.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/mexico" hreflang="en">Mexico</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/latin-america" hreflang="en">Latin America</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="https://r3d.mx">https://r3d.mx</a></div> <div class="field__item"><a href="https://twitter.com/R3Dmx">Twitter: @R3Dmx</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/tedic" id="taxonomy-term-143" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/tedic"> <div class="field field--name-name field--type-string field--label-hidden field__item">TEDIC</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>TEDIC is a Paraguayan non-governmental organisation that develops open civic technology, supported by its work in communications and alternative advocacy. It also promotes and defends digital rights in favour of a free Internet culture, with the aim of establishing a collaborative society where digital rights are exercised and respected.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/paraguay" hreflang="en">Paraguay</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/latin-america" hreflang="en">Latin America</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="https://www.tedic.org">https://www.tedic.org</a></div> <div class="field__item"><a href="https://twitter.com/TEDICpy">Twitter: @TEDICpy</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/institute-policy-research-and-advocacy-elsam" id="taxonomy-term-144" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/institute-policy-research-and-advocacy-elsam"> <div class="field field--name-name field--type-string field--label-hidden field__item">The Institute for Policy Research and Advocacy (ELSAM)</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>The Institute for Policy Research and Advocacy (ELSAM) is a civil society organisation that works to enhance the democratic political order in Indonesia by empowering civil society. Founded in 1993, it actively participates in efforts to promote human rights through policy and legal research, advocacy, and training.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/indonesia" hreflang="en">Indonesia</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/asia" hreflang="en">Asia</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="http://elsam.or.id/">http://elsam.or.id/</a></div> </div> </div> </div> </div> </div> <div class="field__item"><div about="/partners/unwanted-witness" id="taxonomy-term-145" class="taxonomy-term vocabulary-partners"> <h2><a href="/partners/unwanted-witness"> <div class="field field--name-name field--type-string field--label-hidden field__item">Unwanted Witness</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Founded in 2012, Unwanted Witness is a Ugandan-based civil society organisation that seeks to create secure, uncensored online platforms for human rights activists. It aims to contribute to good governance through effective online activism, networking and capacity-building. It also advocates for the strengthening of mechanisms related to freedom of expression and accountability.</p></div> <div class="field field--name-field-country-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Country of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/uganda" hreflang="en">Uganda</a></div> </div> </div> <div class="field field--name-field-region-of-operation field--type-entity-reference field--label-above"> <div class="field__label">Region of Operation</div> <div class="field__items"> <div class="field__item"><a href="/location/africa" hreflang="en">Africa</a></div> </div> </div> <div class="field field--name-field-website field--type-link field--label-above"> <div class="field__label">Website</div> <div class="field__items"> <div class="field__item"><a href="http://www.unwantedwitness.or.ug">http://www.unwantedwitness.or.ug</a></div> </div> </div> </div> </div> </div> </div> </div> <div class="field field--name-field-target field--type-entity-reference field--label-inline"> <div class="field__label">Target Stakeholders</div> <div class="field__items"> <div class="field__item"><div about="/target/industry" id="taxonomy-term-153" class="taxonomy-term vocabulary-target"> <h2><a href="/target/industry"> <div class="field field--name-name field--type-string field--label-hidden field__item">Industry</div> </a></h2> <div class="content"> </div> </div> </div> </div> </div> <div class="field field--name-field-campaign-name field--type-entity-reference field--label-inline"> <div class="field__label">What PI is campaigning on</div> <div class="field__items"> <div class="field__item"><div about="/campaigns/privacy-shouldnt-be-luxury" id="taxonomy-term-728" class="taxonomy-term vocabulary-campaigns"> <h2><a href="/campaigns/privacy-shouldnt-be-luxury"> <div class="field field--name-name field--type-string field--label-hidden field__item">Privacy shouldn&#039;t be a luxury</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p>Your phone contains your photos, your calendar, your contacts, a record of where you've been and who you've spoken to, your emails, your social media, the notes and reminders you write to yourself, your health and fitness data, shopping lists and period apps - our phones reveal who we are.</p> <p>You might think you own your phone - but there is data on your phone that you can't access, you can't delete and possibly is being silently leaked to companies you've never heard of.</p> <p><span><span>Privacy is a fundamental right guaranteed under the Universal Declaration of Human Rights, at least in theory. </span></span><span><span>For those who live in the data wild west and can only afford cheap phones as their <a href="https://www.idrc.ca/en/project/understanding-digital-access-and-use-global-south">sole way to access the internet</a>, we're now also seeing that privacy is becoming a luxury that few can afford. While buying a recent Apple phone will guarantee you a secure Operating System (OS) and good encryption, buying a brand new cheap phone will leave you with an OS with vulnerabilities left unpatched for years, and apps that share your personal data.</span></span></p> <p> </p></div> </div> </div> </div> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-inline"> <div class="field__label">Learn more</div> <div class="field__items"> <div class="field__item"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> </div> </div> </div> </div> </div> <div class="field field--name-field-programme field--type-entity-reference field--label-inline"> <div class="field__label">Strategic Area</div> <div class="field__items"> <div class="field__item"><div about="/strategic-areas/challenging-corporate-data-exploitation" id="taxonomy-term-1" class="taxonomy-term vocabulary-programmes"> <h2><a href="/strategic-areas/challenging-corporate-data-exploitation"> <div class="field field--name-name field--type-string field--label-hidden field__item">Challenging Corporate Data Exploitation</div> </a></h2> <div class="content"> <div class="clearfix text-formatted field field--name-description field--type-text-long field--label-hidden field__item"><p><strong>We want to see a world where we are in control of information about us. </strong></p></div> </div> </div> </div> </div> </div> </div> </div> Wed, 08 Jan 2020 00:02:00 +0000 caitlinb 3320 at http://privacyinternational.org