ENDitorial: What could possibly go wrong?

By EDRi · December 5, 2012


With the discussions on the proposed General Data Protection Regulation
in full swing and the first published opinions of some European Parliament
Committees, several themes of proposed changes emerge. One of these
can be paraphrased as “we shouldn’t bother controllers with too many
obligations, they know their stuff and want to do the right thing”.

Slightly more elaborate versions of this view have been used to justify
amendments aiming to cut documentation obligations and to weaken the
requirements on data breach notifications and information obligations.
There also seems to be an undercurrent of “in any case, it’s usually not
that bad if things go wrong”.

Indeed, how bad could it be if things go wrong? And do controllers
handle personal data responsibly? A few cases that made headlines in the
past years can provide examples.

Between 2005 and 2007, Deutsche Telekom used its own traffic data to spy
on journalists and trade union members of its own supervisory board in
order to stop leaks. According to the head of unit in charge of the spy
operation, this happened on behalf of the then-CEO and the chairman of
the supervisory board. Since then, this head of unit has been sentenced
to 3.5 years of prison, while the former CEO and the chairman of the
supervisory board claimed not to have known anything.

More recently, WhatsApp, a smartphone application for sending text
messages that is used around the globe to send more than a billion
messages per day, has been in the news for an astounding series of
privacy gaffes. For starters, the service used to send messages without
encryption, so that exchanges could easily be spied upon. It seems that
WhatsApp’s developers had been made aware of this security hole the
size of a barn door almost a year before they fixed it. Just a month
later, another security flaw was uncovered, allowing WhatsApp accounts
to be taken over and messages to be sent from the compromised accounts
using simple tools – there was an app for that. Instead of fixing the
problem, WhatsApp sent legal threats to the developers of the tools. Now,
two and a half months later, this other barn door is still wide open.

Between 2002 and 2005, Deutsche Bahn, a railway operator, screened
170 000 of its employees to find out about connections to subcontractors
and possible corruption. In 2006 and 2007, it also spied on employees’
e-mails to uncover whistleblowers, sifting through up to 150 000 e-mails
a day. The company’s CEO had to step down over these scandals, while
still denying that any wrongdoing had occurred. Later on, investigations
confirmed the suspicions and Deutsche Bahn was fined 1.12 million euro
in 2009. Sounds like a lot? That year, it took Deutsche Bahn about seven
hours to make that amount in pre-tax profit.

From 2007 to 2010, when sending cars around the world to collect images
for its Street View service, Google also collected information on
wireless networks, to be used to make mobile phone localisation more
precise. The software used also collected content sent over open WiFi
networks, including websites visited, passwords, e-mails and other
information. Google was not forthcoming in the investigations, first
denying that payload data had been collected, then talking about a
simple “mistake”, then blaming it on a rogue developer. In the end, it
turned out that the code in question was in fact documented, and that
oversight was “minimal”, to quote from the US Federal Communications
Commission’s investigation report, which fined Google 25 000 USD for
stonewalling the investigation.

In a different register, police authorities do not fare any better. They
will be subject to a different text, a proposed Directive that contains
laxer rules than the Regulation. Here as well, egregious violations
can be found everywhere.

For example, officers of the Irish police (Garda) used police databases
for their private interests, such as running background checks on
their daughters’ boyfriends. In another case, a police officer used
retained telecommunications traffic data to snoop on her ex-partner.
Such cases have been discovered again and again over the years,
following a familiar pattern: they become public, the Data Protection
Authority (DPA) investigates and conducts audits, finds wrongdoing, the
Garda promises to change, and the cycle repeats. In one case, the Garda
also adopted a “code of practice”, endorsed by the DPA. It does not seem
to have helped much.

In Poland, the police, as well as the anti-corruption office and the
domestic intelligence agency, placed at least ten journalists from
various media under surveillance between 2005 and 2007, using
telecommunications traffic data without court orders or any connection
to ongoing investigations. One of the journalists, of the influential
Gazeta Wyborcza, wrote several articles about well-known and sometimes
controversial actions of the anti-corruption office – the very office
that later requested his traffic data. After the case became public, an
investigation was launched, but a regional prosecutor’s office claimed to
have found no wrongdoing. Only after one of the journalists who had been
spied on went to court did a meaningful investigation get under way. The
court ruled on the case in April 2012, finding that the anti-corruption
office had violated the journalist’s privacy, as well as the right to
protection of journalistic sources.

In Dresden, Germany, the local police collected information on more or
less every mobile phone call made and SMS sent in the city, in total
almost one million connections, on the occasion of an anti-Nazi
demonstration. The police justified collecting the information with
several offences that occurred at the margins of the demonstration.
Saxony’s interior minister defended the measure as being
“proportionate”, even after it became public that the police had also
used the data for totally unrelated investigations and had been told to
stop this by the local prosecutor’s office. Months after being formally
reprimanded by Saxony’s DPA, the police were still using the data.

What all these examples, from both the private and the public sector,
show is that in many cases incompetence or a lack of oversight leads to
unacceptable shortcomings, while in others it is straight-up malice. In
law enforcement, there seems to be a widespread belief among
practitioners that “we’re the good guys”, which in turn sometimes leads
to abuses. So no, we cannot trust controllers to know their stuff and
to want to do the right thing. And yes, it can be bad if things go wrong.

WhatsApp case
http://www.h-online.com/security/news/item/Account-theft-still-possible-with-latest-WhatsApp-1760639.html
http://www.h-online.com/security/news/item/WhatsApp-no-longer-sends-plain-text-1674723.html
http://www.h-online.com/security/news/item/WhatsApp-threatens-legal-action-against-API-developers-1716912.html
http://www.h-online.com/security/news/item/WhatsApp-accounts-almost-completely-unprotected-1708545.html
http://www.androidpolice.com/2012/05/02/whatsappsniffer-shames-whatsapps-plaintext-unprotected-chat-transfer-protocol-shows-off-just-how-much-can-be-sniffed/

Deutsche Telekom case
http://www.wiwo.de/5239704-all.html
http://www.wiwo.de/5239730.html

Deutsche Bahn case
http://www.heise.de/newsticker/meldung/Deutsche-Bahn-zahlt-Rekordstrafe-wegen-Datenschutzverstoessen-837477.html
http://www.heise.de/ct/meldung/Bahn-Datenskandal-Arbeitsminister-bekraeftigt-Forderung-nach-Arbeitnehmerdatenschutz-Update-210207.html
http://www.n24.de/news/newsitem_4936517.html
http://www.sueddeutsche.de/wirtschaft/spitzel-affaere-bei-der-bahn-tiefensee-macht-druck-1.486385

Google Street View case
http://www.wired.com/threatlevel/2012/05/google-wifi-fcc-investigation/

Irish police case
http://www.edri.org/edrigram/number10.21/irish-dpa-police-self-regulation

Surveillance of Polish journalists case
http://wyborcza.pl/1,76842,8842563,Inwigilacja_dziennikarzy_badana_od_nowa.html
http://wyborcza.pl/1,76842,9763653,CBA_i_billingi_dziennikarza__Gazety_.html
http://wyborcza.pl/1,75478,11625664,Precedensowy_wyrok__CBA_nie_moze__ot_tak_sobie__nas.html

Dresden police case
http://www.taz.de/!73222/
http://www.taz.de/!94114/
http://www.heise.de/newsticker/meldung/Saechsische-Polizei-nutzt-weiter-Mobilfunkdaten-1390019.html

(Contribution by EDRi interns Katarzyna Syska and Owe Langfeldt)