PRISM && Excited Guardianista

Peter Fairbrother zenadsl6186 at
Sat Jun 8 12:31:53 BST 2013

On 07/06/13 11:56, Ian Batten wrote:
> The Graun are very excited about:
> The most interesting thing to me is that he slides they have say it has a budget of $20m per year.
> Given the likely costs of even the fairly anodyne proposals in the Data Communications Bill, either there a few zeros missing or the content of the project is being somewhat over-interpreted.

I think there are a few zeros missing ..

I hear BritGov has gotten some data from the PRISM program - but where's 
the quid pro quo?

It used to be, in the bad old echelon days, that if a UK spy bod wanted 
some data (often comms content, ie telephone taps) on a UK subject in 
the UK he would ask the Yanks to obtain it for him, and vice-versa. Is 
GCHQ spying on the Americans?

Also, as I read the DPA, if some EU private data is processed by being 
demanded by a US court because it's stored in a US cloud, then the data 
controller is guilty of an offence.

That's a bit uncertain and there may be those who disagree, eg there are 
exceptions for processing required by an enactment, but I take that to 
mean a UK or EU enactment, and not a US enactment.

and then there's 5.1.(a) {...this Act applies to a data controller in 
respect of any data only if .. the data controller is established in the 
United Kingdom and the data are processed in the context of that 
establishment}, which I take to mean normally or occasionally so 
processesed, and that if a specific processing is outside that context 
it is not excluded - but that's far from clear.

Or maybe it's still within that context, as it's processed from their 
cloud space.

Apart from those maybes, it looks to me like it's an offence.

Doesn't matter whether the controller processed it or not, or authorised 
the processing. it's still an offence under section 21(1) if processing 
as in 17.(1) happens without a relevant entry.

Of course, data controllers might just add "processing in accordance 
with a FISA warrant" in their DPA register entries - would that be 
allowed? I'm not very good on DPA.

-- Peter Fairbrother

More information about the ukcrypto mailing list