EU police body accused of unlawfully holding information and aspiring to
become an NSA-style mass surveillance agency

he EU�s police agency, Europol, will be forced to delete much of a vast
store of personal data that it has been found to have amassed unlawfully
by the bloc�s data protection watchdog. The unprecedented finding from the
European Data Protection Supervisor (EDPS) targets what privacy experts
are calling a �big data ark� containing billions of points of information.
Sensitive data in the ark has been drawn from crime reports, hacked from
encrypted phone services and sampled from asylum seekers never involved in
any crime.

According to internal documents seen by the Guardian, Europol�s cache
contains at least 4 petabytes � equivalent to 3m CD-Roms or a fifth of the
entire contents of the US Library of Congress. Data protection advocates
say the volume of information held on Europol�s systems amounts to mass
surveillance and is a step on its road to becoming a European counterpart
to the US National Security Agency (NSA), the organisation whose
clandestine online spying was revealed by whistleblower Edward Snowden.

Among the quadrillions of bytes held are sensitive data on at least a
quarter of a million current or former terror and serious crime suspects
and a multitude of other people with whom they came into contact. It has
been accumulated from national police authorities over the last six years,
in a series of data dumps from an unknown number of criminal
investigations.

The watchdog ordered Europol to erase data held for more than six months
and gave it a year to sort out what could be lawfully kept.

The confrontation pits the EU data protection watchdog against a powerful
security agency being primed to become the centre of machine learning and
AI in policing.

The ruling also exposes deep political divisions among Europe�s decision-
makerson the trade-offs between security and privacy. The eventual outcome
of their face-off has implications for the future of privacy in Europe and
beyond.

The EU home affairs commissioner, Ylva Johansson appeared to defend
Europol. �Law enforcement authorities need the tools, resources and the
time to analyse data that is lawfully transmitted to them,� she said. �In
Europe, Europol is the platform that supports national police authorities
with this herculean task.�

The commission says the legal concerns raised by the EDPS raise �a serious
challenge� for Europol�s ability to fulfil its duties. Last year, it
proposed sweeping changes to the regulation underpinning Europol�s powers.
If made law, the proposals could in effect retrospectively legalise the
data cache and preserve its contents as a testing ground for new AI and
machine learning tools.

Europol denies any wrongdoing, and said the watchdog may be interpreting
the current rules in an impractical way: �[The] Europol regulation was not
intended by the legislator as a requirement which is impossible to be met
by the data controller [ie Europol] in practice.�

Europol had worked with the EDPS �to find a balance between keeping the EU
secure and its citizens safe while adhering to the highest standards of
data protection�, the agency said.

Founded as a coordinating body for national police forces in the EU and
headquartered in The Hague, Europol has been pushed by some member states
as a solution to terrorism concerns in the wake of the 2015 Bataclan
attacks and encouraged to harvest data on multiple fronts.

In theory, Europol is subject to tight regulation over what kinds of
personal data it can store and for how long. Incoming records are meant to
be strictly categorised and only processed or retained when they have
potential relevance to high-value work such as counter-terrorism. But the
full contents of what it holds are unknown, in part because of the
haphazard way that EDPS found Europol to be treating data.

Only a handful of Europeans have become aware that their own data is being
stored and none is known to have been able to force disclosure. Frank van
der Linde, who was placed on a terror watchlist in his native Netherlands
and later removed, is one of the rare visible threads in an otherwise
unseen mesh.

The political activist, whose only serious run-ins with police amount to
breaking a window to gain entrance to a building and create a squat for
homeless people, was removed from the Dutch watchlist by authorities in
2019. But a year prior to this removal he had moved to Berlin, which
unknown to Van der Linde at the time prompted Dutch police to share his
data with German counterparts and Europol. The activist discovered his
entanglement with Europol only when he saw a partially declassified file
at Amsterdam city hall.

To get his personal data removed from any international databases he
turned to Europol. He was surprised when in June 2020 it responded saying
it had nothing he was �entitled to have access to�. The activist took his
complaint to the EDPS. �I don�t know if they deleted the data after Dutch
authorities updated them [that] they don�t consider me an extremist �
Europol is a black box.�

�The ease of getting on such a list is horrific,� Van der Linde said.
�It�s shocking how easily police share information over borders, and it�s
terrifying how difficult it is to manage to delete yourself from these
lists.�

Concerns over Europol�s treatment of sensitive data prompted the watchdog
to raise its own questions in 2019. Its initial findings in September of
that year showed that data sets shared with Europol were stored without
the proper checks to verify whether people scooped up in them ought to be
monitored or their data retained. Access to the ark is restricted to
authorised personnel and a lot of its content has been examined, cleansed
and used legally.

When Europol failed to convincingly answer the watchdog�s concerns, the
EDPS publicly admonished the police agency in September 2020 making clear
what was at stake: �Data subjects run the risk of wrongfully being linked
to a criminal activity across the EU, with all of the potential damage for
their personal and family life, freedom of movement and occupation that
this entails.�

The tussle that followed is captured in a series of internal documents
obtained under freedom of information laws. They show Europol stalling for
time and the watchdog telling them that they have failed to resolve �the
legal breach�. The police agency appears to be holding out for new EU
legislation to provide retrospective cover for what it has been doing
without a legal basis for six years.

The European Commission�s nervousness over a public clash was enough to
pull Monique Pariat, the EU�s director general for home affairs, into a
meeting between the two agencies in December 2021. Sources said the
watchdog had been encouraged to �tone down� its public criticism of
Europol.

But the head of EDPS, Wojciech Wiewi�rowski, told the Guardian that the
meeting was �the last moment for Europol to add some information that
wasn�t added in their last replies to our letter�.

As the meeting did nothing to answer Wiewi�rowski�s concerns on lawful
retention of data �there was no other way to solve the problem, for us� he
said, �than to issue a decision to erase the data which is over six
months�.

Niovi Vavoula, a legal expert at Queen Mary University of London, said:
�The new legislation is actually an effort to game the system. Europol and
the commission have been attempting an ex-post rectification of illegally
retaining data for years. But putting new rules in place does not legally
resolve previously illegal conduct. This is not how the rule of law works.�

Experts� concerns are not confined to Europol�s flouting of rules on data
retention. They also see a law enforcement agency that aspires to conduct
mass surveillance operations.

Members of the civil liberties, justice and home affairs committee of the
European parliament during a hearing in June 2021 compared the agency to
the NSA. Wiewi�rowski surprised attenders by endorsing the comparison in
relation to Europol�s practice of retaining data. He pointed out that
Europol was using similar arguments to those used by the NSA to defend
bulk data collection operations and mass surveillance as revealed by
Snowden.

�What the NSA said to Europeans after the Prism scandal started was that
they are not processing the data, they are just collecting it and they
will process it only in case it is necessary for the investigation they
are doing,� Wiewi�rowski told MEPs. �This is something that doesn�t comply
with the European approach to processing personal data.�

Eric Topfer, a surveillance expert at the German Institute for Human
Rights, has studied the proposed new Europol regulation and said it
foresees the agency pulling in data directly from banks, airlines, private
companies and emails. �If Europol will only have to ask for certain kinds
of information to have them served on a silver platter, then we are moving
closer to having an NSA-like agency.�

The struggle with EDPS over data storage is the latest evidence of Europol
favouring technosolutions to security concerns over privacy rights.
Europol�s boss, previously Belgium�s top cop, co-wrote an op-ed in July
2021 which argued that the needs of law enforcement agencies to extract
evidence from smartphones should trump privacy considerations. The article
argues for a legal right to the keys to all encryption services.

On Thursday, January 13, 2022 at 8:13:19 PM UTC+1, Fritz Wuehler wrote:
> EU police body accused of unlawfully holding information and aspiring to
> become an NSA-style mass surveillance agency

Na ja ... Hopefully Europol can protect its data better than the United States of America!

Recently there was a torrent available which contains a lot of data, per person, of
over 250 Million U.S. citizens, more than 200 GB worth of data.

Regards
Stefan

On Thu, 13 Jan 2022 20:12:19 +0100, Fritz Wuehler <fritz@spamexpire-202201.rodent.frell.theremailer.net> wrote:
>authorities

"Tiberivs Caesar divi Avgvsti filivs Augvstvs"

Gaius Octavius Thurinus was born to Gaius Octavius & Atia Balba Caesonia
at Ox-Heads (in 2006, ancient ruins of two-storey domus 'Palatine House'
discovered on slope overlooking Colosseum and Arch of Constantine, near
12E29:12,41N53:20, proposed actual birthplace), region of Palatine Hill,
"a little before sunrise" Wednesday 23 September 63 BC proleptic Julian.