A wake up call?

A couple of years ago I was teaching a class in IT law, and the subject of surveillance came up. I tried not to let my own opinions colour the debate, and listened while one student after another talked quite happily about the benefits of things like CCTV, and how the needs of security and the fight against terror and crime meant that surveillance was a generally good thing, beneficial to society. The students were mostly from affluent Western countries – the UK and Western Europe for the most part – and they all seemed generally content with the situation. Eventually, however, one of the students stood up, and told the rest of them, to all intents and purposes, that they were all mad. He didn’t want the government watching him. He didn’t trust the police to use surveillance just for the ‘right’ purposes.

He wasn’t generally one of the most loquacious of my students – indeed, most of the time he was very quiet. He did, however, have one distinct advantage over the others when looking at this kind of thing: he came from one of the former Soviet republics in Central Asia, a place where the current government is in many ways even worse than before the fall of the Soviet Union. He knew, from first hand experience, the way that this kind of thing can be – and is – used in ways that control and oppress. He said, very directly, that you can’t trust a government.

The others said very little in response, except a weak attempt to say ‘well, our governments aren’t like yours’, to which he laughed, wryly. ‘They may not be now, but what about the future?’.

A wake up call?

That’s where the wake-up call comes. In yesterday’s election in Greece, the far right Golden Dawn party gained a disturbing 7% in the elections, and held rallies that had distinct echoes of Nazi Germany.

“No one should fear me if they are a good Greek citizen. If they are traitors – I don’t know,” their leader Nikolaos Michaloliakos told the media. The words, the images – and indeed the election results – have sent shivers down a lot of spines, not just in Greece but around the world.

Human Rights lawyer and blogger Adam Wagner (@AdamWagner1) tweeted about it (and later blogged – here):

“Anyone else think rise of European far right makes UK’s continued support of European human rights system seem quite sensible?”

He’s right. It does. It should remind us of the origins of a lot of the human rights conventions, declarations and so forth in the second half of the 20th Century: as a reaction to the atrocities of the Second World War. We recognised the needs of people for protection from their own governments – because governments can’t be trusted to protect people at all times. Watching and listening to the spokespeople of the Golden Dawn should remind us very directly of that – as should, on a smaller scale, the calls from some of the Tory backbenches and some of the media for the government in the UK to move ‘to the right’.

Part of the ‘standard’ lurching to the right includes crackdowns on crime – and that, in turn, can often be used to justify more surveillance. It’s not hard to imagine the kinds of words that might be used to support this kind of thing – most directly, in this case, the proposed Communications Capabilities Development Programme (see the ORG summary here).

Moves like these should be resisted at all costs. Whatever systems we put into place will be hard to reverse – and won’t just be used by the ‘good guys’ to get the ‘bad guys’. Even if you do trust this current government (something which a lot of us find very hard to do), whatever we do will be available for others later. Whoever those others might be.

As Bruce Schneier put it, in one of my favourite quotes:

“It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state”

He’s right. We shouldn’t. Those election results from Greece should remind us of that most forcefully. Wake up. Smell the coffee.

Scrambling for safety?

This afternoon I was at ‘Scrambling for Safety’ – a fascinating conference, focussing on the proposed ‘Communications Capabilities Development Programme’, aptly if not entirely accurately dubbed the ‘snoopers’ charter’ by the media. The conference was organised by Privacy International, the Open Rights Group, the Foundation for Information Policy Research and Big Brother Watch – and had a truly stellar line-up, from Ross Anderson and Shami Chakrabarti to MPs David Davis, Julian Huppert and Tom Brake, David Smith from the ICO, Professor Douwe Korff, former Chief Police Officer Sir Chris Fox QPM, noted cryptographer Whit Diffie and industry expert and rep Trefor Davies. Some of the best and most expert people from many different areas in the field.

Overall, it was a remarkable conference – I’m not going to try to summarise what people said, just to pick out some of the key things I took away from the event. Some lessons, some observations, some confirmations of what we already knew – and, sadly, some huge barriers that will need to be overcome if we are to be successful in beating this hugely misguided and highly dangerous project.

  1. There are a LOT of people from all fields who are deeply concerned with this. The number of people – and the kind of people – who took their time to attend, at short notice, was very impressive.
  2. This problem really does matter – I know I go on about privacy and related subjects a lot, but when I attend an event like this, and listen to these kinds of people talk, it reminds me how much is at stake.
  3. The work of Privacy International, the Open Rights Group and Big Brother Watch needs to be applauded and supported! Getting this kind of an event to work in such a way was brilliant work – and Gus Hosein (PI), Eric King (PI), Jim Killock (ORG), Nick Pickles (BBW) and their colleagues did an excellent job.
  4. David Davis is really impressive – and I say that as someone generally diametrically opposed to his political views. On this subject, he really does get it, and in a way that almost no other politician in this country gets it.
  5. As David Davis said, it really isn’t a party political issue – I’ve blogged before about this (here) but what happened at Scrambling for Safety made it even clearer than before. All the parties have their problems…
  6. …and one of them was made crystal clear, by the very, very disappointing performance of Tom Brake MP, a Lib Dem MP and spokesperson on the issue. He seemed to offer nothing but a repeat of exactly the kind of propaganda spouted by apologists for the security lobby ad nauseam over the last decade or more. In fact, he said pretty much everything that Gus Hosein, in his opening to the conference, said that official spokespeople would say by way of misdirection and obfuscation. If Tom Brake is a representative of the ‘better-informed’ of MPs, we really are in trouble. It wasn’t just that his performance seemed that of a ‘yes-man’ or ‘career politician’, but that he simply didn’t seem to understand the issues, concerns, or even the technology involved.
  7. Julian Huppert, also from the Lib Dems, was far more impressive – but of course he has no ‘official’ position. That seems to be the problem: anyone who understands this kind of thing is not ‘allowed’ to be involved in the decision-making process: or perhaps once they do get involved in any ‘official’ capacity, they lose (or have stripped away from them) the capacity for independent thought…
  8. The police are NOT the enemy here – in fact, former Chief Constable Sir Chris Fox was one of the most impressive speakers, putting a strong case against this kind of thing from the perspective of the police. In the end, the police don’t really want this kind of thing any more than privacy advocates do. This kind of universal surveillance, he said, could overwhelm the police with data and detract from the kind of real police work that can actually help combat terrorism. Sir Chris was supported by another police officer, one of the audience, a former Special Branch officer, who confirmed all Sir Chris’s comments.
  9. Sir Chris Fox also made what I thought was probably the most important observation about the whole counter-terrorism issue: that we have to accept there WILL be more terrorist incidents – but that this is balanced by the benefits we have from living in a free society.
  10. The problem of ignorance matters on all levels – and in many different directions: technological, legal, practical, political. That’s the real problem here. People are pushing policies that they don’t understand, to deal with problems with which they have no real experience or knowledge…. politicians, civil servants, etc, etc, etc
  11. I was very interested that Ross Anderson (who was excellent, as always) expects us to be able to defeat the CCDP – because once people understand what is at stake, they won’t accept it. He did, however, suggest that once we’ve defeated this, the next stage will be harder to defeat – that the security lobby will try to work through the providers directly, asking (for example) Google, Facebook etc to install ‘black boxes’ on their own systems, rather than through ISPs… and some of these providers will just do it… that’s harder to know about, and harder to combat.
  12. Last, but far from least, David Davis made the point that though people who know and understand these issues are few and far between (though very well represented at the conference!), they can punch above their weight – the very fact that ‘we’ know how to use social media etc means that we can have more of an impact than our numbers might suggest.

This last point is the one that I came away with the most. We really NEED to punch above our weight – there’s a huge job to do. There was a great deal of energy, enthusiasm and expertise evident at Scrambling for Safety, but even by the end of the afternoon it was losing a bit of focus. We need to be focussed, coordinated and ‘clever’ in how we do this. Surveillance must be kept in the headlines – and we mustn’t let the kind of misdirection and distraction that politicians and their spin-doctors use far too often distract us from fighting against this.

What’s more, again as David Davis said, we don’t just need to stop this CCDP, we need to reverse the trend. The powers in RIPA, the data retention already done under the Data Retention Directive, are already too much – they need to be cut back, not extended or ‘modernised’. It will be a huge task – but one worth doing.

The politics of privacy

Why is it that despite what looks like very strong public hostility, together with a powerful media opposition, the proposed UK government surveillance programme, the Communications Capabilities Development Programme (a description of which can be found on the Open Rights Group wiki here) is currently very likely to go ahead? The problem is a deep one, connected with the party politics of the UK. All three major political parties are deeply conflicted over the issues – and that conflict may well allow the proposal to be pushed through regardless of the opposition of the people and of the media.

Tories…

The Tories, as very much the senior party in the Coalition, are to a great extent right behind the programme: after all, they’re the ones proposing it. In some ways the programme fits directly into some traditional Tory agendas: ‘Law and Order’ has long been central to Conservative politics, from the more extreme ‘hang ’em and flog ’em’ sections of the party to the slightly more rational ‘prison works’ mantra of Michael Howard et al. Moreover, a certain kind of old-fashioned patriotism could be said to fit in with the anti-terrorist agenda – and it’s easy to see the ‘if you’ve got nothing to hide, you’ve got nothing to fear’ argument used by those who essentially see criminals and terrorists as basically ‘evil’, distinct from and a threat to good, ordinary people.

On the other hand, there is another strong, traditional thread in Conservatism that goes directly against the idea of surveillance on this kind of scale and in this kind of way – and it should be no surprise that one of the most eloquent and consistent speakers against the programme has been David Davis. Civil liberties should be central to Conservative philosophy – and in particular the kind of civil liberties that protect against intrusion into privacy. An Englishman’s home is his castle, after all! What’s more, the kind of programme envisaged smacks of ‘big government’, and the ‘nanny state’, things that a Tory should instinctively reject. David Davis expresses this view very well – and I’m sure what he says resonates with a lot of Tory MPs and Tory supporters.

For the Tories, this civil libertarian attitude needs fostering and supporting.

Labour…

Labour may well be even more conflicted over the issue than the Tories. On the one hand Labour is supposed to stand up for the little people against oppression and control, and there is a strong association between the left wing and the ideas of freedom that this kind of a programme deeply undermines. Anyone who remembers the Thatcher years knows all too well how the forces of the police and even military intelligence were used against the unions (and not just during the miners’ strike) and against ‘left wing’ groups such as CND – the recent scandal of long term police infiltration into environmental groups (including long term relationships between undercover officers and activists) fits into this pattern.

…and yet there are three strong factors that make Labour far from certain to oppose the programme. Firstly, there’s an authoritarian streak on the left – it would be unfair to suggest it might be a touch ‘Stalinist’, but there’s a certain degree of a ‘command and control’ attitude from some, and a sense that government needs to take a grip of things in this kind of a way. Secondly, there’s the long term need of the Labour Party to counter the Tory argument that Labour are ‘soft’ on crime – this attitude verged on paranoia during the last Labour administration, and is still clear in the current Labour party. Thirdly, there’s the deep problem surrounding the ‘War on Terror’ and the Labour Party’s role in it: Tony Blair and Gordon Brown were more than complicit in the ‘War on Terror’, they drove it forward. These three factors produced a series of desperately authoritarian Home Secretaries, each bringing in more draconian and anti-civil libertarian measures than the last. David Blunkett, Charles Clarke and John Reid presided over some of the most appalling pieces of policy in living memory, from the push towards ID cards to the data retention measures that ultimately lie behind the current programme.

For Labour, the challenge is to break with the past – to admit (or at least recognise) that mistakes were made by the last administration, and to be brave enough to say that Blair and Brown got this wrong. That last part is really hard to do for politicians at the best of times…

The Lib Dems

In one way, the Lib Dems should be the least conflicted. These measures are pretty fundamentally ‘illiberal’, and the Liberal Democrats as a party should be simply and directly against them. A few short weeks before the last general election I heard Nick Clegg speak excellently at the Privacy International 25th Birthday Party, talking directly about the rise of the ‘database state’ under Labour and how directly opposed to such things he was both personally and politically. For the Lib Dems, there really shouldn’t be an issue – and if they were currently in opposition, against a majority Tory government, I’d be willing to bet a lot of money that as a party they’d oppose the measure.

…but they’re not in opposition. They’re part of the coalition, and that brings with it several pieces of baggage. First of all, they have to work with the Tories – and in particular, Nick Clegg has to work with David Cameron. Secondly, they have to appear ‘governmental’ – and Nick Clegg wants to look ‘statesmanlike’, which many politicians seem to think means doing the wrong, illiberal and unpopular thing, to appear more ‘responsible’. Thirdly, if they come out against this, many of their supporters may ask why they didn’t come out against other policies – student fees, privatising the NHS, welfare, legal aid etc – which were just as much against ‘liberal’ principles. To an extent they’re hoist with their own petard. They’re part of this government now, and may feel they have to ‘see it through’. There have already been so many ‘betrayals’, one more hardly makes any difference….

Three parties, alike in turmoil

So all three parties have their internal conflicts – which makes them ripe for the ‘security lobby’ to exploit. It should, however, also give us all a bit of an opportunity to bring about opposition. The excellent Privacy International, the Open Rights Group, Big Brother Watch and others are already working hard to oppose the current measures. One key could be to contact MPs directly – using http://www.writetothem.com/ for example. Whoever your MP might be – from whichever party – there is a way to try to convince them. If you’re writing to a Tory, emphasise the civil liberties aspects, talk about an Englishman’s Home. If you’re writing to a Labour MP, remember the way that surveillance undermines democracy, works against unions and progressive activism. If you’re writing to a Lib Dem, talk about traditional liberalism and liberty – and remind them that one betrayal need not lead to another.

I’d like to think that all this is possible – that we can harness the ‘good’ side of each of the parties, and not let ourselves be railroaded into something that, ultimately, I don’t think that many people, whatever their political persuasion, either want or believe that we really need. The politics of privacy are complex – one of the things that I have found particularly refreshing since I started working in the field is that it can unite people with otherwise very different political perspectives. Let’s hope that we can unite in this way successfully this time.

If you build it, they will come…

The proposed new surveillance programme – the Communications Capabilities Development Programme – in the UK has many disturbing aspects – from the whole idea that ‘security’ justifies almost any infringement of privacy to the re-emergence of the fundamentally flawed ‘if you’ve got nothing to hide you’ve got nothing to fear’ argument. The response on the internet has been impressive – I’ve read great blogs and tweets and heard excellent arguments from many directions.

One of the key areas of focus has been the question of whether the police, intelligence services or other authorities will have to obtain a warrant to get access to the data gathered – but while that is a crucial issue, and will rightly get a lot of attention, in one key way it is missing the point. It presupposes that it’s OK to gather the information, to monitor our communications etc, so long as access to that information is subject to appropriate due process, and held securely.

Can data ever be genuinely securely held?

That last point gives a clue to the fundamental problem. Held securely. Can data ever be held really securely? Whether that is even theoretically possible is a moot point: experience shows that it is, on a practical level, never the case. Where data is held, it is always vulnerable. What is often forgotten is quite how many ways data can be (and is) vulnerable. People think about hacking – and this kind of database practically screams out ‘hack me’ – but other vulnerabilities are both more regular and potentially more dangerous. Human error. Human malice. Weaknesses in systems. Technical and technological errors. The use of insufficiently trustworthy subcontractors. Complacency. Changes of personnel. Disgruntled employees. Drives for cost-cutting. The possibilities are almost endless…

Even those who you would most expect to keep data secure have failed again and again. The HMRC child benefit disc loss in 2007 is notorious, but the MOD lost the entire database of current and past members of the armed forces – including addresses, bank details etc – simply by leaving a laptop in a car park. Swiss Banks, who should be the most careful about their data, lost huge amounts through the ‘work’ of a subcontractor doing systems work – data which was then sold to the German tax authorities to seek out tax evaders.

Risk from function creep

Perhaps even more dangerously, once the data exists, there’s an often almost overwhelming imperative to find a use for it – making ‘function creep’ all but inevitable. Cameras set up to prevent serious crime end up being used to monitor dog fouling, or even check out whether parents really live in the catchment areas for schools – and even ‘single purpose’ cameras like those monitoring the Congestion Charge in London will almost certainly soon be accessible to the police. When Swedish foreign minister Anna Lindh was murdered in 2003 a DNA database designed and set up for purely medical research was accessed in the hunt for her killer – without consent from those on the database. These are just some of the many examples of function creep – there are many more.

Risks from change of situation – or change of government

One thing I’ve seen when teaching about data security has been that those who’ve experienced life under oppressive regimes are often the clearest about why allowing governments access to information is a serious risk. I remember one particular class I taught, where most of the students were British, and seemed generally OK with allowing full police access to information. One student, however, came from Kazakhstan, and after listening for a while he stood up and basically told everyone they were mad. He wouldn’t like the government to have any of this data – he’s seen what happens when they do. I’ve heard the same from many people from other former communist countries in Eastern Europe in particular.

We in the West have a tendency to be far too complacent about what our governments might do. We may trust our government now (though of course many of us don’t) but setting systems like this in place, building databases of information, is effectively providing them for all subsequent governments and authorities, whatever their complexion.

What’s more, when the situation changes, when emergencies become more acute, even a ‘good’ government ends up doing ‘bad’ things – and ‘popular opinion’ will often ‘support’ those kinds of bad things, as the Anna Lindh case illustrated quite disturbingly.

Risk from private/public ‘cooperation’

It would be highly surprising if the data gathered and held in this kind of situation was purely done by ‘public servants’. Whether the form is some kind of private/public partnership, the use of subcontractors or freelancers, or even by requiring the ISPs etc to do the actual data gathering, holding and analysing is far from clear, but the private sector will almost certainly be involved in one way or another. That brings in a whole new raft of potential vulnerabilities. Private sector companies are both naturally and generally appropriately driven by profit rather than security – and this can mean cutting the costs to the bone, particularly if competitive tendering is involved. It might also mean conflict of jurisdiction – if the ultimate owner of a company is in the US, for example, the PATRIOT Act could come into play. What happens if a private company goes into administration? What happens if the ownership changes? Each event introduces another vulnerability.

What does this all mean?

Ultimately, if we let the data be gathered and held, it is vulnerable. Those who want to ‘abuse’ it will come.

The only way for data not to be vulnerable is for it not to exist.

Though the idea of warrants/due process in terms of the use of the data is highly important, it would be better to put controls in place at the data gathering stage as well, or else we’re building a database that is just ripe for abuse.

We need to worry not just about the data use, but the gathering of data in the first place.

What that would mean is a very different approach to data collection: targeted rather than general data gathering. If you have to go through a process to justify gathering data, then you can only gather it in a targeted way. It also means that we should demand deletion of data after a period unless further procedures are passed to justify that further holding: more due process needed.

The very whisper of the words ‘terrorist’ or ‘paedophile’ should not be enough to make us forget the basics not just of civil liberties but of technological logic. Any kind of solution that allows data to be gathered without a warrant, and on a ‘universal’ basis, even if it has good controls at the ‘data use’ stage, is fundamentally flawed, and should be avoided.

No more place for privacy?

With the launch of Facebook Places in the UK, ‘location’ services have really hit the mainstream. With Facebook Places, people can ‘check in’ to indicate exactly where they are to their ‘friends’ (and probably quite a lot of others too, unless they’re very careful). It’s another step – and perhaps a very big one – along a path that some might suggest has an inevitable outcome: the end of privacy, at least as we know it.

Scott McNealy, CEO of Sun Microsystems, told journalists, way back in 1998, that “You have zero privacy anyway, get over it.” Others, most recently and persistently Mark Zuckerberg, co-founder and CEO of Facebook, have suggested that the whole idea of privacy is simply outdated and now irrelevant – people just don’t care about it anymore.

Are they right? Is privacy dead – or at least dying? Should we just ‘get over it’, join all those many millions of happy Facebook customers who don’t care about privacy, and start enjoying all the advantages of having a truly ‘transparent’ life? Embrace such wonders as Facebook Places, and enjoy the pleasures of meeting people for coffee in unexpected places just through the medium of our smartphones – after all, it’s so much more convenient than having to call and arrange things. Of course there’s an obvious possible downside – but burglary’s not much of a danger as long as you have state of the art security systems, or a ravenous Rottweiler, or employ someone to housesit whenever you’re out.

That, however, is just the simplest and most obvious problem. The other, less obvious, but ultimately more important issue is what happens to all the data about where you are, where you’ve been, and so forth. The possibilities of using this data for profiling – and eventually predictive profiling – are immense, which presumably is why Facebook and many others are introducing products like this. They’ll be able to learn even more about you than they already can.

Do we care? Zuckerberg would suggest not, but there isn’t much evidence to back up his claims. McNealy would say that it doesn’t matter whether or not we care, there’s nothing we can do about it. Personally I don’t think either of them is right. Events like the fall of Phorm and Facebook’s own forced abandonment of their Beacon system, and the 30,000+ Germans who put their names to a challenge to data retention legislation, all suggest that there is still an appetite for privacy – and for some more control over what’s going on.

Will Facebook Places be a huge success? Will people just embrace it, without considering the downsides? It will be an interesting test….

Digital Economy Bill passes the Lords…

Just a brief note – further to last week’s post, the Digital Economy Bill has now passed its third reading in the House of Lords, and is expected to be rushed through the Commons before the election (see the BBC report here). Do people really understand what’s happening here? And more to the point, even if they do, do they care? There will be active campaigning against it for sure – not least by the Open Rights Group – and it will be interesting to see how much opposition to the disconnection provisions can be raised in the face of the Government’s clear desire to get it done quickly. Will the UK demonstrate the kind of ‘active community’ that worked so well in Germany to deal with their data retention laws, as I mentioned a couple of weeks ago?

I certainly hope so – and at a time when an election is looming, the government should certainly be responsive to signs of popular resistance. Are we in the UK ready to stand up for freedom on and with the internet? Time will tell…

The good, the bad and the ugly side of privacy in Germany

Privacy advocates in the UK sometimes look across at Germany in wistful admiration – but is the story quite as rosy for privacy in Germany as it sometimes appears? Perhaps not, for though one recent event has shown Germany in its best light, as a beacon for privacy rights across Europe, another has demonstrated the opposite. Even Germany has an ugly side to how it deals with privacy.

First for the good. As reported widely (and in this case in out-law.com), this last week Germany’s highest court has suspended that country’s implementation of the EU Data Retention Directive by ruling that it violates citizens’ rights to privacy. This suspension comes after a class action suit brought by 35,000 German citizens – a level of citizen activity that would be close to miraculous in the UK, particularly for an issue such as privacy. The law by which the German government implemented the Data Retention Directive has been found unconstitutional, failing to include enough safeguards for the privacy of the individuals as is required under Germany’s constitution. A victory for privacy, albeit neither a complete nor a permanent one, since the court did not say that it would be impossible to implement the Data Retention Directive in a constitutionally acceptable way, just that this particular implementation was unconstitutional. Nonetheless, it is something about which German privacy advocates will feel justifiably proud – and many in other countries in Europe will hope it signals changes elsewhere. It is hard to imagine, however, that it will be possible to achieve a similar result in the UK.

Then for the bad – or at least the ugly. A story reported far less widely, at least in the UK, is emerging concerning the German government’s use of data concerning the use by German citizens of Swiss banks for the purposes of tax evasion. This data has been acquired through various methods, most of which would probably be considered illegal – certainly from the perspective of the Swiss banks. Reuters has reported on the subject – it is a somewhat complex story, but the essence of it is that private data, detailing the banking activities of German citizens, has been offered for sale to a number of German states. Some of that data may have come from insider whistle-blowers, but some has also come from hackers – and earlier this year the German Federal Government gave states the go-ahead to buy the data if they want, whether or not the data has been obtained illegally. At least one state, the State of North Rhine-Westphalia, has bought the data, and is using it to flush out tax evaders. As Reuters reports, nearly 6,000 German tax evaders have ‘owned up’ to the tax evasion as a result of this evidence – and more could still be about to come out of the woodwork. DSTG head Dieter Ondracek told Reuters: “If we get a signal from the politicians that it’ll only be possible for people to come clean this year, then we could have another 5,000 doing so with corresponding additional revenues. Then a billion euros could be possible.”

This is not the first time that Germany has bought illegally acquired private data. Two years ago, something similar happened with bank data from Liechtenstein, effectively forcing the principality to relax its previously stringent bank secrecy laws. The current affair over Swiss banking data might have a somewhat similar effect over the banking rules in Switzerland, though that of course could be a long way away – though already the Swiss have complied with a US request over tax evasion, and as reported in Reuters, Switzerland’s justice minister questioned on Sunday whether tax evasion should continue to be treated as a misdemeanour rather than a crime.

It is hard, of course, to generate much sympathy for people evading tax through the use of bank accounts in Switzerland – but that should not blind us to the significance of the events that are taking place. It’s not so much the nature of the data that’s significant, but the way in which it has been acquired. Getting data through the use of official requests from one government to another, as in the case of the US, is one matter, but paying money for data acquired illegally, and quite likely through hacking, is quite another, and sets a very uncomfortable precedent. Moreover, it provides a new and potentially large incentive to hackers to go after this kind of data. And if this kind of data, why not other data? Aside from the obvious problems of Germany’s potential obligations as a signatory of the Cybercrime Convention, there is an awkward parallel here with another recent event – the enormously publicised hacking of the gmail accounts of Chinese dissident groups. The Chinese government of course vigorously denies any involvement in the hack, but if it were to be offered data on illegal groups acquired by hacking, how different would it be for the Chinese government to buy it from the German government’s buying of this Swiss banking data?

From the perspectives of the two governments, they’re just seeking to root out people involved in illegal activities – for the Germans, tax evaders, for the Chinese, people involved in subversive (and illegal) activities. And in both cases, the fact that it might be possible to make money from selling this kind of data cannot help but be an incentive to try to acquire it. People in the West may have much more sympathy for Chinese dissidents than they do for German tax-evaders, but in some ways the principles are very much the same. Do we really want to set that kind of precedent?