The long-besieged Privacy Shield agreement proposed by U.S. and European officials faces a new round of challenges following recent decisions by the U.S. Foreign Surveillance Intelligence Court (FSIC) and the Supreme Court.
A committee of the U.S. Supreme Court made changes last week to Rule 41 of the Federal Rules of Criminal Procedure, allowing judges to issue warrants outside their districts. The change would grant expansive powers to law enforcement agencies to hack and access information on computers if device location information “has been concealed through technological means.” The change would also remove limitations on law enforcement agencies in investigations of Computer Fraud and Abuse Act (CFAA) violations if “the media are protected computers that have been damaged without authorization and are located in five or more districts.”
“Make no mistake: the Rule 41 proposal implicates people well beyond U.S. borders. This update expands the jurisdiction of judges to cover any computer user in the world who is using technology to protect their location privacy or is unwittingly part of a botnet,” wrote the Electronic Frontier Foundation's (EFF) Rainey Reitman of the changes to Rule 41, in an EFF blog post. “People both inside and outside of the United States should be equally concerned about this proposal.”
These changes come as EU regulatory bodies struggle to resolve challenges facing the Privacy Shield agreement, especially as U.S. lawmakers seek expansive surveillance powers that threaten European privacy concerns. The proposed Privacy Shield pact aims to replace the Safe Harbor agreement that was invalidated by a European court last year.
“Encrypting information is easy. Decrypting and accessing information when you need it is huge,” Nok Nok Labs CEO Phil Dunkelberger told SCMagazine.com. “When authorities start talking about weakening security to access information, it's a lose-lose situation.”
The DOJ unveiled a document last week demonstrating the U.S. FSIC's approval of 1,457 requests from the Federal Bureau of Investigation and the National Security Agency to intercept email and phone communications. The document showed that the intelligence court did not reject any request made by either agency.
“If the Justice Department cuts a deal with U.S. tech companies, it would not be an internationally binding agreement, because it does not adhere to the data breach laws in Europe. You can't force companies to turn over user information to intelligence authorities and at the same time threaten to throw CEOs in jail if there is a data breach,” said Dunkelberger, discussing the challenge of adhering to subpoenas such as the Justice Department's request of Apple, while also adhering to stricter data breach regulations enacted in Europe. “That isn't working for us.”