Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Snowden NSA Revelations Complicate European Privacy Law Reboot

As European legislators work to rewrite privacy laws, one security expert says a full fix requires Europe to offer local alternatives to Google, Microsoft, and other US online services.

InfoSecurity Europe -- London -- The leak of top-secret information pertaining to the National Security Agency's surveillance programs last year by Edward Snowden continues to have political ramifications throughout Europe and especially at the Brussels headquarters of the European Union.

That fact was brought home time and again by participants at this week's Infosecurity Europe conference in London.

Lead British data protection regulator David Smith, deputy commissioner at the UK Information Commissioner's Office, said that the revelations over the NSA's surveillance apparatus have contributed to a delay in the closely watched, ongoing rewrite of Europe's 1995 Data Protection Act. That law details both the privacy rights of European citizens and related rules that businesses must follow.

"There's no doubt it's had an effect on the negotiations," Smith said during a keynote presentation. "In one general way, it's just affected the climate in which the discussions in Brussels are taking place."

Last year, many EU officials hoped to hammer out new privacy rules before the end of 2013. Politicians have promised that the rules will cut compliance costs for businesses while increasing privacy protections for citizens. At the same time, the rules will likely force businesses to comply with more stringent standards on data protection, notification, and consent gathering.

But the "Snowden revelations," as Smith dubbed them, helped derail that timetable. "I'd be astounded if it gets passed this year, I think it might get passed next year in 2015, and then there will be two years, essentially, to bring it into force." But he cautioned that the rewrite process might well stretch further into the future. "Every prediction I've made on this, it's taken longer than I've suggested."

One wrinkle is that EU legislators, who tend to be quite focused on civil rights, have yet to agree on exactly how they should respond to the NSA surveillance revelations. "People are saying the new regulation should address the Snowden revelations and national security access, not just by the US," said Smith. "Trying to build that into the regulation is an added complication." The latest draft of the new law is already more complex than its 1995 predecessor.

From a privacy rights perspective, one complication for European lawmakers is the participation by many of their governments in the very same NSA programs. The Prism program, for example, is a joint effort by the "five eyes" electronic eavesdropping alliance: the United States, Australia, Canada, New Zealand, and the United Kingdom. Furthermore, the NSA and its five-eyes equivalents aren't the only signals intelligence agencies working in Europe.

"Every country has been at it, including the ones who want to get together and form coalitions to combat state-sponsored cybercrime," Graham Cluley, an independent security analyst, said during an Infosecurity Europe panel discussion on cybercrime. "I'm slightly amused by the fact that we have one booth here at the conference, who I won't name, but they're based in Cheltenham," he said, referring to the location of Government Communications Headquarters (GCHQ), the British signals intelligence agency. Snowden's leaks said that the agency used NSA-developed technology to hack into Belgium's largest telecommunications firm, Belgacom, and monitor its customers.

Likewise, Mikko Hypponen, chief research officer at F-Secure in Finland, said during a keynote presentation at the Infosecurity Europe conference that, even though it's easy to blame the United States for its "rude behavior" -- acting like it owns the Internet and "not respecting the privacy rights of foreigners, when we make up 96% of the planet" -- Europeans must also blame themselves.

"Many of these problems are the result of the fact that we Europeans have been unable to provide alternative services to these American services," Hypponen said, referencing the likes of Amazon, Apple, Facebook, Google, and Microsoft. Thus, even though many Europeans know full well that the US government has a legal right to access any information handled by domestic businesses -- be that data emails or location data -- they use the US services anyway.

Hypponen ascribed the problem in part to Europe too often failing to hang on to homegrown technical talent. "The very first thing they do when they start a company is, they move to Silicon Valley. That's how we, Europe, have failed."

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...
CVE-2020-29072
PUBLISHED: 2020-11-25
A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js.
CVE-2020-26241
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) co...
CVE-2020-26242
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.
CVE-2020-26240
PUBLISHED: 2020-11-25
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on...