During the 5th hearing of Civil Liberties (LIBE) committee inquiry on massive electronic surveillance held on October 3rd, members of the European Parliament have condemned the “deplorable conduct” of the British Government Communications Headquarters (GCHQ) after their chief Sir Iain Lobban declined the invitation to collaborate to the investigations.
The main topic of this last hearing was the recent revelations from the US whistleblower Edward Snowden that the British intelligence agency (GCHQ) would have been responsible of cyber attack against the Belgian state-owned telephone company – which is also a major supplier of communications services to EU institutions in Brussels.
In a response to the members of the LIBE committee, the GCHQ states that “the activities of intelligence services are the sole responsibility of each Member State and fall outside the competences of the Union. For that reason, and with respect, the UK must decline your invitation for the Director of GCHQ to attend your hearing”. Sir Jon Cunliffe – who signed the letter – reassured MEPs that the British intelligence agencies are subject to robust oversight and they their activities adhere to strict principles of necessity, proportionality and legality.
MEPs Sophie in’t Veld (ALDE, NL), who chaired the hearing, commented on this response referring to a “policy of the empty seats” on behalf of governments who “are not willing to give account of their surveillance activities to EU citizens.” She also blamed the US and Dutch administration who also declined invitations to speak during previous hearings.
No evidence of privacy violation
During this 5th hearing, Belgacom Secretary General Dirk Lybaert testified that last June internal experts discovered that “a digital attack complex and unknown virus entered the Belgacom IT system”. Following this, on July 19th Belgacom launched an official complaint to the federal prosecutors, which is now investigating in collaboration with the Belgian computer crime unit and state security services to determine the origin of the attack. “We have a great responsibility that the perpetrator is punished and we are providing total assistance to the investigations”, said Lybaert.
Lybaert also reassured MEPs that there has been no concerning access into the Belgacom network information system and that the malware penetrated just 124 out of its 26,000 IT systems. According to Lybaert there is no evidence that customers’ personal data have been compromised, but they will continue to investigate and monitor the security of their networks. Belgacom Vice-President Geert Standaert added that malware was “extremely sophisticated”, but they took all the necessary measures to detect the virus and prevent further attacks.
Belgian data protection chief Frank Robben, also confirmed that on the basis of the information collected so far, there is no proved privacy violation. Although investigations are still going on, he regretted that the data protection authority doesn’t have the power to investigate nor the technological skills necessary to understand where the attack came from. “We need the proper technological expertise to handle this kind of incidents and an European body that can react to these very sophisticated cyber attacks”, said Robben.
However, both Belgacom managers reiterated that there are no facts that could confirm or deny any of the “speculations” reported by media about a potential involvement of the GCHQ in this incident.
MEPs harsh reaction
High frustration among the MEPs who – although welcomed the clarifications provided by the speakers – expressed serious concerns about the implications on the privacy of EU’s citizens and of their own communications.
Jan Albrecht (Greens, GR) talked about “an extraterritorial aggression coming from an EU entity” and deplored the unacceptable behaviour of the UK government. “We are in the middle of a crisis in the application of the data protection law”, added the german MEP who is also responsible for the reform of the EU Data Protection Regulation – that the European Parliament will vote next october 21.
Many of them feared a potential “international incident”, if it will be proved that a state entity has launched a cyber crime attack against a telecommunications system which is also part of the infrastructure of the European Union. “Spy activities from a power into another normally lead to war”, warned MEP Gomez (S&D, PT). “This is a kind of attack that a single company or country would be unable to withstand on its own”, said Claude Moraes (S&D, UK) rapporteur for the LIBE inquiry.
“We’re talking about a massive, sophisticated attack (…) we want to know if the GCHQ has been listening to our phone calls”, added the chairperson in’t Veld. The chairperson concluded underlying that despite the European Parliament doesn’t have proper investigations power, they will offer their full support to the belgian authority.
The sixth hearing of this inquiry took place in Strasbourg on October 7th where Members of the LIBE committee discussed a potential revision of the EU-US Safe Harbour Agreement – which established a framework to ensure that U.S. organizations provide adequate protection for personal data from the EU.
This, together with the upcoming vote on the Data Protection Regulation, could represent an historical moment for data protection in the EU and a golden opportunity for the European Union to not only re-established the rule of law, but to set high standards for the protection of private life of every individual.
Stay tuned for the next post of our series on the LIBE inquiry on massive electronic surveillance. In the meantime, read our posts of the previous inquiry here.
LIBE Series Posts