Access to surveillance data in the USA is being extended!

US is also expanding surveillance in Europe.

Parallel to the completion of the new data protection agreement “Privacy Shield” between Europe and the USA on Monday, the access rights of the secret services to intercepted data will be expanded enormously. An exclusive report from the New York Times states that the NSA will also grant other US intelligence agencies and the FBI access to raw data that has been tapped. What this regulation looks like is not yet known, but the transfer of raw data is an absolute novelty.

For EU negotiators, the top priority for “Privacy Shield” is precisely the restriction of intelligence services' access to the data of European citizens in the USA. This data protection regulation, which was received with skepticism in Europe, in no way ends the US mass surveillance, because "no new restrictions on data tapping have been made," the legal information specialist Walter Hötzendorfer said. It only mentions restrictions that existed before. (See below)

The agreement text for “Privacy Shield” met with great skepticism in Europe when it was presented on Monday. Privacy advocates described the deal as a “joke”.

Restrictions that are not restrictions

These access restrictions, which primarily affect U.S. citizens, can be found in two older presidential decrees called PPD-28 (Presidential Policy Directive 28) and Executive Order 12333. PPD-28 was issued in early 2014 by President Barack Obama in response to the NSA scandal and provides for expanded internal control and supervisory rules. This is also pointed out in a letter from Robert Litt, the chief legal officer responsible for the entire secret service complex, which the Commission published on Monday together with the “Privacy Shield” draft.




This passage comes from a letter from the highest intelligence advocate Robert Litt and was also published by the European Commission.

Presidential Decree PPD-28 of 2014

PPD-28 concerns “Signals Intelligence en Gros”, i.e. the tapping of complete data streams, and lists the permitted areas of application. The spectrum ranges from “monitoring certain activities of foreign powers” to countering terrorism and “cybersecurity” to discovering potential threats against the USA or one of its allies in general. The FBI can also legally access this data for “transnational crime” investigations, but only in a filtered form after the NSA has released it.

Planned access maximization

The presidential decree “Executive Order 12333” from 1981 and the update 13470 from 2008.

That will change soon, because “Executive Order 12333”, which the EU also mentions in connection with data minimization, is currently undergoing an update. While PPD-28 originated from President Barack Obama, 12333 was put into effect by then-President Ronald Reagan as early as 1981 and has been amended several times since, including in 2008, in the final months under President George W. Bush, with Decree 13470. That update strengthened the role of the Supreme Intelligence Officer, who was also tasked with creating a framework for distributing data across agencies.



This passage in the EO 13470 decree, which is now coming into play, has received little attention for seven years. As early as 2008, it was announced that raw data would be distributed in the future.

Indeed, the most important point of 13470 is direct access for the CIA, FBI and other agencies of the secret service apparatus to raw data intercepted by the NSA. “Intelligence” should be distributed by the NSA not only in “final”, i.e. evaluated, form, but also in the “form as collected”, it says in decree 13470. The top secret service officer is instructed to draw up a corresponding set of rules, which is what makes access by other organizations of the secret service complex to NSA raw data possible in the first place.

Authenticity confirmed, text does not exist

The bundle of documents by the EU Commission on “Privacy Shield”. The agreement itself is called “draft adequacy decision”; the letter from Robert Litt can be found in Annex 6. (The documents have since all been removed from public access!!)

After more than seven years, this basic set of rules has now evidently been completed, as Advocate General Robert S. Litt confirmed to the “New York Times”. Not much else is known about the content of the draft, which is only 21 pages long, but the mere possibility of accessing raw data that previously only the NSA was allowed to process represents a paradigm shift: it multiplies those who can independently investigate in the massive data sets of the NSA. How many other agencies can get this data is currently unclear. For “Privacy Shield” and European data protection as a whole, it does not bode well if the options for accessing raw data are multiplied in this way and the data is evaluated for the entire secret service complex.


No legal protection against tapping attacks

“Privacy Shield” should have been available by the end of January. Main disputes were apparently clarified only in the last two weeks.

The “Privacy Shield” agreement, on the other hand, does not offer legal protection for Europeans, said Walter Hötzendorfer, legal and business information scientist at the University of Vienna. The legal framework for “Privacy Shield” alone is dubious, because it is extremely questionable what a mere publication of the documents in question in the “Federal Register” of the United States will bring about in terms of legal quality. "Skepticism is appropriate here," continued Hötzendorfer, because the data access by the NSA itself would in no way be minimized, but rather the possibilities for European citizens or companies to take legal action against this secret service processing of their data were extremely limited.



The “Foreign Intelligence Surveillance Act” (FISA), which regulates the tapping of fiber optic cables on American soil, does offer legal options to combat proven misuse of the data, as is also clear from paragraph 96 of “Privacy Shield”, says Hötzendorfer. "There is no possibility of complaints against the surveillance itself, which is already a fundamental interference, under FISA." The US laws listed in paragraphs 96 f. of the agreement likewise limited the opportunities for Europeans and were “not an effective way for those affected” to “act against the surveillance's fundamental rights interference.”

The transatlantic difference

"In the EU, data is considered to be used if it is recorded, but in the US diction only after it has been evaluated using selectors," added Hötzendorfer. The fact that most of it is not read by people, but only the selected part or parts of it, is clear anyway for reasons of capacity, but it does not change the fact that it is undifferentiated mass monitoring of all communication processes via the respective channel.



This passage from the text of “Privacy Shield” also confirms that the access of data “in bulk” was in no way restricted, only its use is restricted by internal service regulations of the secret services.

Walter Hötzendorfer teaches and researches in the Legal Informatics working group of the Department of International Law and International Relations at the University of Vienna.

"This is a prerequisite for being able to make selections and is already a fundamental right interference according to European legal understanding." The ombudsperson provided in “Privacy Shield” also accepts individual complaints, said Hötzendorfer. The only thing that is checked is whether “US law has been complied with, but not whether the fundamental rights of the person concerned have been interfered with according to European understanding”. "Even if this complaint mechanism proves to be useful, the problem remains on a material level that the surveillance, as recognized by the ECJ as incompatible with EU fundamental rights, remains in place and that one is not able to defend oneself against it, since it is lawful under US law."


Published first on:

Created on: 03/02/2016
