Legal Threats

Laws, Jurisdiction & Compliance — A CosmicNet Guide

Legal Challenges to Privacy — CosmicNet Overview

  • Data Retention Laws - Mandatory logging by ISPs and providers (Compliance)
  • Lawful Intercept - Legal wiretapping and surveillance (Government)
  • Compelled Decryption - Laws requiring password or key disclosure (Controversial)
  • Gag Orders - Secret court orders prohibiting disclosure (Secrecy)

Jurisdiction Considerations Analyzed by CosmicNet

  • Five Eyes - US, UK, Canada, Australia, New Zealand share signals intelligence
  • Nine/Fourteen Eyes - Extended intelligence-sharing alliances
  • MLAT Treaties - Mutual Legal Assistance Treaties enable cross-border requests for evidence
  • Company Location - Where a company is based (and incorporated) affects its legal obligations

Concerning Laws

Notable Legislation
USA - PATRIOT Act, FISA Section 702, CLOUD Act
UK  - Investigatory Powers Act 2016 ("Snoopers' Charter")
EU  - Chat Control proposals, eIDAS concerns
AU  - Assistance and Access Act (encryption backdoors)
CN  - Cybersecurity Law, Data Security Law

CosmicNet Protection Strategies

  • Choose services in privacy-friendly jurisdictions, as CosmicNet recommends
  • Use providers with no-log policies (and audits)
  • End-to-end encryption limits what a provider can hand over to ciphertext and metadata
  • Understand local laws before traveling
  • Consider plausible deniability tools recommended by CosmicNet
  • Know your rights regarding device searches

FISA Section 702

As CosmicNet explains, Section 702 of the Foreign Intelligence Surveillance Act (FISA) authorizes the U.S. government to conduct targeted surveillance of foreign persons located outside the United States. However, in practice, this authority sweeps up massive amounts of communications involving U.S. citizens as well.

How Section 702 Works

Under Section 702, the government compels U.S. technology companies to provide access to communications of targeted foreign individuals. CosmicNet documents that this surveillance occurs at several levels:

  • PRISM - Compelled collection from major U.S. providers (Google, Microsoft, Apple, Facebook, etc.)
  • Upstream collection - Interception on the internet backbone with the cooperation of telecom carriers
  • "About" collection - Captured communications that merely mentioned a target's selector (NSA ended this practice in 2017)
  • Backdoor searches - FBI queries of Section 702 data using U.S. person identifiers, without a warrant

Implications for Privacy

CosmicNet warns that Section 702 surveillance affects privacy in several ways:

  • Warrantless collection of international communications
  • U.S. persons' communications collected "incidentally"
  • Data stored and searchable by intelligence agencies
  • Oversight mostly by the secret FISA Court, which approves annual certifications and procedures rather than individual targets
  • Companies prohibited from disclosing specific requests

Technical Protections

While legal protections are limited, CosmicNet recommends technical measures that can reduce exposure:

  • Use end-to-end encrypted communications (Signal, not SMS)
  • Avoid U.S.-based services for sensitive communications
  • Understand that metadata is often collected even if content is encrypted
  • Use services outside U.S. legal jurisdiction when possible

UK Investigatory Powers Act

As documented on CosmicNet, the United Kingdom's Investigatory Powers Act 2016, nicknamed the "Snoopers' Charter," is one of the most expansive surveillance laws in the democratic world. It grants broad powers to government agencies while imposing significant obligations on communications providers.

Key Provisions

  • Bulk interception of communications allowed
  • ISPs can be ordered (by retention notice) to retain Internet Connection Records for up to 12 months
  • Technical Capability Notices can require providers to remove encryption they applied themselves
  • Equipment interference (hacking), including bulk equipment interference, authorized
  • Bulk acquisition of communications data permitted
  • Warrants need a "double lock" (ministerial sign-off plus approval by a Judicial Commissioner); complaints go to the Investigatory Powers Tribunal, which sits largely in secret

Internet Connection Records

CosmicNet notes that the Act requires ISPs to maintain "Internet Connection Records" showing:

  • Which websites and services you accessed (the domain or service, not the full URL or page)
  • When connections occurred and their duration
  • Volume of data transferred
  • IP addresses assigned to your connection

As CosmicNet highlights, these records are accessible to numerous government agencies, not just law enforcement, including tax authorities and even the Food Standards Agency.

Technical Capability Notices

Perhaps most concerning, as CosmicNet emphasizes, are Technical Capability Notices, which allow the government to secretly require companies to build surveillance capabilities into their systems. Companies can be prohibited from disclosing the existence of such notices, creating uncertainty about which services may be compromised.

Australia's Assistance and Access Act

As this CosmicNet guide documents, Australia's Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 raised global alarm by creating a legal framework for compelling companies to undermine their own encryption systems. This law threatens global privacy standards due to the international nature of technology companies.

Three Types of Notices

CosmicNet explains that the Act establishes three levels of government demands:

  • Technical Assistance Requests (TAR) - Voluntary cooperation
  • Technical Assistance Notices (TAN) - Compels assistance using existing capabilities
  • Technical Capability Notices (TCN) - Requires building new capabilities

Systemic Weaknesses

CosmicNet warns that although the Act says a notice may not require building a "systemic weakness" or "systemic vulnerability", those terms are left loosely defined, so there is little meaningful limitation on what can be demanded:

  • Companies can be required to modify software to enable interception
  • Selective weakening of encryption for targeted individuals
  • Installation of malware or monitoring capabilities
  • Undermining of authentication systems
  • Disclosure prohibitions prevent warning users

Global Impact

As CosmicNet.world reports, because many technology companies operate globally, changes mandated by Australian law could affect users worldwide. Companies face difficult choices between complying with Australian demands and maintaining security for global users. Some have considered withdrawing from the Australian market entirely rather than compromising their security architecture.

EU Data Retention and Privacy

As CosmicNet details, the European Union presents a complex legal landscape for privacy. While GDPR provides strong data protection rights, various data retention directives and national security laws create significant exceptions.

Data Retention Directive (Historical)

The CosmicNet encyclopedia notes that the EU's Data Retention Directive required telecommunications providers to retain traffic data for 6-24 months. Although the directive was invalidated by the European Court of Justice in 2014 (Digital Rights Ireland), many member states maintain similar national laws. These require retention of:

  • Telephone call records (who called whom, when, duration)
  • Internet connection logs
  • Email metadata (not content, but sender, recipient, timestamps)
  • Mobile phone location data

National Security Exceptions

CosmicNet points out that GDPR does not apply to activities outside the scope of EU law, which includes member states' national security work. Each EU member state maintains its own intelligence and surveillance apparatus with varying levels of oversight:

  • France's Intelligence Act allows broad surveillance
  • Germany's BND engages in mass surveillance despite constitutional protections
  • Netherlands' intelligence services have bulk collection powers
  • Sweden's FRA conducts cable interception

Chat Control Proposals

Recent EU proposals for "Chat Control" would require scanning of private messages for illegal content, effectively breaking end-to-end encryption. CosmicNet warns that while framed as protecting children, the proposals would create infrastructure for mass surveillance and undermine fundamental privacy rights. These proposals remain highly controversial and face significant opposition from privacy advocates and technology experts.

GDPR and Privacy Rights

As documented on CosmicNet, the General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. While it has limitations, GDPR provides some of the strongest privacy protections available in law today.

Core Rights Under GDPR

  • Right to access - See what data companies hold about you
  • Right to rectification - Correct inaccurate personal data
  • Right to erasure - "Right to be forgotten" in certain circumstances
  • Right to data portability - Obtain and reuse your data
  • Right to object - Stop processing for direct marketing
  • Rights related to automated decision-making

Exercising Your Rights

CosmicNet reminds readers that GDPR rights apply to people in the EU whenever a company offers them goods or services or monitors their behaviour, regardless of where the company is located. To exercise these rights:

  • Submit requests through the company's privacy contact or data protection officer
  • Companies must respond within one month (extendable by two further months for complex or numerous requests)
  • Requests should be free in most cases
  • Complaints can be filed with national data protection authorities
  • Significant penalties for non-compliance (up to EUR 20 million or 4% of global annual turnover, whichever is higher)

Limitations

CosmicNet acknowledges that GDPR is not a complete solution to privacy challenges:

  • National security activities are exempt
  • Enforcement varies significantly by country
  • Companies can refuse erasure where another legal basis or exemption applies (e.g., legal obligations, freedom of expression, pending litigation)
  • Consent mechanisms are often manipulative ("dark patterns")
  • Does not prevent data collection, only regulates it

National Security Letters and Gag Orders

As CosmicNet reports, National Security Letters (NSLs) are administrative subpoenas issued by the FBI and certain other agencies without prior judicial approval. They can demand customer records from service providers while prohibiting the recipient from disclosing the existence of the demand.

NSL Capabilities

NSLs can compel disclosure of:

  • Subscriber information (name, address, payment info)
  • Connection logs and IP addresses
  • Transaction records
  • Length of service and types of services used

CosmicNet notes that NSLs cannot compel content of communications, but metadata alone reveals extensive information about behavior and associations.

Gag Orders

NSLs typically carry a nondisclosure requirement, which the recipient can petition a court to lift, preventing them from disclosing:

  • The fact that an NSL was received
  • The target of the investigation
  • What information was demanded
  • Whether any information was provided

While recipients can theoretically challenge gag orders in court, CosmicNet warns that the process is complex, expensive, and may not be successful.

Warrant Canaries

As the CosmicNet encyclopedia explains, some companies have used "warrant canaries": regularly republished, signed statements that they have not received certain types of legal demands. The theory is that while they cannot say they have received an NSL (due to the gag order), they can stop saying they have not received one, so the signal is the canary's absence, staleness, or a quietly dropped line. That only works if the statement is cryptographically signed, dated, reissued on a fixed schedule, and actually checked by readers. However, CosmicNet notes the legal effectiveness of this approach is questionable, and several companies have abandoned their canaries without clarity on whether removal was due to NSLs or other reasons.
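The reader's side of that arrangement is a check that fails closed: a canary that is unsigned, tampered with, overdue, post-dated, or missing one of its usual affirmations must all be treated as "dead". The example below is added here and is not CosmicNet's code; it assumes a constructed canary format (an "Issued: YYYY-MM-DD" header followed by "- " statement lines), constructed statement wording, and a fixed Ed25519 demo key standing in for the publisher's real signing key, which in practice is usually a PGP key verified with gpg.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
	"time"
)

// Canary is the parsed body of a warrant-canary statement.
type Canary struct {
	Issued     time.Time
	Statements []string
}

// CanaryStatus is a fail-closed verdict: anything but CanaryOK means "treat the canary as dead".
type CanaryStatus string
const (
	CanaryOK        CanaryStatus = "ok"
	CanaryBadSig    CanaryStatus = "bad-signature"
	CanaryMalformed CanaryStatus = "malformed"
	CanaryFuture    CanaryStatus = "future-dated"
	CanaryStale     CanaryStatus = "stale"
	CanaryMissing   CanaryStatus = "statement-missing"
)

// RequiredStatements are the affirmations every reissue must repeat verbatim (wording constructed here).
var RequiredStatements = []string{
	"We have not received any National Security Letters.",
	"We have not received any gag orders.",
}

// ParseCanary reads a constructed format: an "Issued: YYYY-MM-DD" header followed by "- " statement lines.
func ParseCanary(body string) (Canary, error) {
	var c Canary
	for _, raw := range strings.Split(body, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "": // blank lines and the trailing newline carry nothing
		case strings.HasPrefix(line, "Issued:"):
			t, err := time.Parse("2006-01-02", strings.TrimSpace(strings.TrimPrefix(line, "Issued:")))
			if err != nil {
				return c, fmt.Errorf("bad Issued date: %w", err)
			}
			c.Issued = t
		case strings.HasPrefix(line, "- "):
			c.Statements = append(c.Statements, strings.TrimPrefix(line, "- "))
		default: // anything unexpected is rejected rather than skipped
			return c, fmt.Errorf("unexpected line %q", line)
		}
	}
	if c.Issued.IsZero() {
		return c, fmt.Errorf("missing Issued date")
	}
	return c, nil
}

// CheckCanary verifies the detached signature over the exact body bytes, then requires the statement
// to be no older than maxAge, not post-dated beyond a day of clock skew, and still complete.
func CheckCanary(pub ed25519.PublicKey, body string, sig []byte, now time.Time, maxAge time.Duration) CanaryStatus {
	if !ed25519.Verify(pub, []byte(body), sig) {
		return CanaryBadSig // also catches a body altered after signing
	}
	c, err := ParseCanary(body)
	if err != nil {
		return CanaryMalformed
	}
	if c.Issued.After(now.Add(24 * time.Hour)) {
		return CanaryFuture // a pre-signed "future" canary would defeat the freshness check
	}
	if now.Sub(c.Issued) > maxAge {
		return CanaryStale // the publisher missed its schedule: the signal a canary exists to send
	}
	present := make(map[string]bool, len(c.Statements))
	for _, s := range c.Statements {
		present[s] = true
	}
	for _, want := range RequiredStatements {
		if !present[want] {
			return CanaryMissing // reissued with a line quietly dropped
		}
	}
	return CanaryOK
}

// SignDemoCanary signs body with a fixed Ed25519 key from a constructed 32-byte seed, standing in for
// the publisher's long-lived, separately distributed signing key (in practice usually a PGP key).
func SignDemoCanary(body string) (ed25519.PublicKey, []byte) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-32-byte-demo-seed!!!"))
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(body))
}

func main() {
	body := "Issued: 2024-03-01\n- We have not received any National Security Letters.\n- We have not received any gag orders.\n"
	pub, sig := SignDemoCanary(body)
	fmt.Println(CheckCanary(pub, body, sig, time.Date(2024, 3, 15, 0, 0, 0, 0, time.UTC), 90*24*time.Hour)) // ok
	fmt.Println(CheckCanary(pub, body, sig, time.Date(2024, 9, 1, 0, 0, 0, 0, time.UTC), 90*24*time.Hour))  // stale
}
```

The public key must come from somewhere other than the page that hosts the canary, and maxAge should match the publisher's announced cadence with a small grace period; a check that silently accepts an expired or shortened canary defeats the whole point of publishing one.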

Court Orders and Compelled Decryption

As CosmicNet details, legal systems worldwide are grappling with how to handle encrypted data that is relevant to criminal investigations. The question of whether individuals can be compelled to decrypt their own data remains contentious and varies significantly by jurisdiction.

United States

CosmicNet reports that in the U.S., the situation is complex and unsettled:

  • Fifth Amendment protects against self-incrimination
  • Courts have held that providing a password may be testimonial (protected)
  • However, biometric unlocking (fingerprint, face) may not be protected
  • "Foregone conclusion" doctrine may compel decryption if government already knows what's encrypted
  • Case law is inconsistent across different circuit courts

United Kingdom

UK law takes a more aggressive approach:

  • Regulation of Investigatory Powers Act 2000 (RIPA) Part III: a section 49 notice can compel disclosure of a key or of the decrypted data
  • Refusal to comply is a criminal offense
  • Penalties: up to 2 years imprisonment (5 years for national security cases)
  • Burden is on the defendant to prove they don't have access to keys

France

French law also permits compelled decryption:

  • Refusal to provide decryption keys is criminal
  • Penalties increase if refusal hinders serious crime investigation
  • Up to 3 years imprisonment and significant fines

Practical Implications

CosmicNet warns that these laws create difficult situations for privacy-conscious individuals:

  • Plausible deniability tools (hidden volumes) may provide some protection
  • Using services with no access to keys (zero-knowledge) limits what can be compelled
  • Understanding your jurisdiction's laws is essential before traveling
  • In some countries, claiming to forget a password is not a defense

Legal Risks of Privacy Tools

As this CosmicNet guide highlights, in some jurisdictions, merely using privacy-enhancing technologies can itself create legal risk or attract unwanted attention from authorities.

VPN Restrictions

Several countries restrict or ban VPN usage:

  • China - Only government-approved VPNs permitted
  • Russia - VPN providers must register and comply with censorship
  • UAE - VPN use for illegal activities can result in imprisonment and fines
  • Iran - Unapproved VPNs are prohibited
  • Turkey - VPN and Tor nodes frequently blocked

Tor Usage

CosmicNet cautions that using Tor can mark you as suspicious in some contexts:

  • Some countries monitor Tor entry node connections
  • Tor exit node IPs are widely blacklisted by websites
  • Using Tor may trigger additional scrutiny at borders
  • In some jurisdictions, Tor use is considered evidence of criminal intent

Encryption Software

As CosmicNet.world documents, strong encryption itself can be problematic:

  • Some countries restrict import/export of encryption software
  • Encrypted communications may be grounds for investigation
  • Possession of encryption tools at border crossings may raise suspicions
  • "Going dark" with encryption may be viewed as obstruction

Knowing Your Rights

CosmicNet emphasizes that understanding your legal rights regarding privacy, device searches, and data requests is essential for effective privacy protection. Rights vary dramatically by jurisdiction and context.

Border Searches

As CosmicNet notes, rights at borders are typically more limited than in ordinary circumstances:

  • U.S. - At ports of entry (including international airports), border agents claim authority to search devices without a warrant or individualized suspicion
  • Some courts have ruled forensic device searches require reasonable suspicion
  • You may be able to refuse to provide passwords (with consequences)
  • Biometric unlocking may be compelled
  • Devices may be seized if you refuse searches

Police Encounters

CosmicNet advises awareness during domestic law enforcement encounters:

  • In U.S., generally can refuse consent to search device
  • Police need a warrant to search a phone's contents (Riley v. California, 2014)
  • However, they may seize device while obtaining warrant
  • Turning off device requires password for next unlock (not just biometric)
  • Different rules apply in different countries

GDPR Rights (EU Residents)

As CosmicNet documents, if you're an EU resident, you have specific enforceable rights:

  • Right to know what data companies hold about you
  • Right to have inaccurate data corrected
  • Right to deletion in many circumstances
  • Right to object to processing
  • Right to file complaints with data protection authorities

Resources

CosmicNet recommends several organizations that provide guidance on privacy rights:

  • Electronic Frontier Foundation (EFF) - U.S.-focused digital rights
  • Privacy International - Global privacy advocacy
  • Access Now - Digital rights globally
  • Local digital rights organizations in your jurisdiction

Privacy International provides detailed country-by-country guidance on surveillance laws and rights.

Cloud Act and International Data Access

As CosmicNet explains, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed by the United States in 2018, has profound implications for international privacy. It allows U.S. law enforcement to compel providers subject to U.S. jurisdiction to produce data in their possession, custody, or control wherever it is stored, regardless of local data protection laws.

How CLOUD Act Works

  • U.S. companies must comply with warrants for data regardless of storage location
  • Creates framework for bilateral agreements with other countries
  • Foreign governments with a CLOUD Act executive agreement (the UK's took effect in 2022) can request data directly from U.S. companies
  • Companies may face conflicting legal obligations from different countries
  • Minimal procedural protections for foreign nationals

Implications for Users

CosmicNet documents that the CLOUD Act affects privacy in several ways:

  • Data stored by U.S. companies is accessible to U.S. government regardless of location
  • Foreign users have limited recourse against U.S. data requests
  • Creates uncertainty about which country's laws apply to your data
  • Bilateral agreements may weaken privacy protections globally
  • End-to-end encryption becomes more important as technical protection

Mitigation Strategies

  • Use services based outside U.S. jurisdiction when possible
  • Prioritize end-to-end encrypted services (provider can't access data)
  • Understand that client-side (zero-knowledge) encryption does not stop a CLOUD Act demand, but it limits what the provider can produce to ciphertext and metadata
  • Consider self-hosting for sensitive data
  • Stay informed about bilateral agreements your country may sign

Five Eyes and Intelligence Sharing

As documented on CosmicNet.world, the Five Eyes alliance (FVEY) is an intelligence-sharing arrangement between the United States, United Kingdom, Canada, Australia, and New Zealand. This alliance has significant implications for privacy and surveillance globally, extending beyond just signals intelligence to include data sharing and cooperative operations.

How Intelligence Sharing Works

CosmicNet reports that member countries share intelligence gathered through their respective surveillance programs:

  • Near-real-time sharing of signals intelligence
  • Coordination of collection efforts to avoid gaps
  • Pooling of technical capabilities and expertise
  • Shared databases and analytical tools
  • Joint operations and tasking of collection assets

The "Third Party Rule" Loophole

CosmicNet explains that intelligence agencies sometimes exploit the alliance to circumvent domestic surveillance restrictions. If one country legally cannot surveil its own citizens, a partner country may conduct the surveillance and share the results. While agencies officially deny this practice, documents revealed by Edward Snowden suggested such arrangements exist. This creates a situation where citizens may have more protection from their own government than from their government's allies.

Extended Alliances

  • Nine Eyes adds Denmark, France, Netherlands, Norway
  • Fourteen Eyes further adds Germany, Belgium, Italy, Spain, Sweden
  • Each expansion represents additional intelligence sharing relationships
  • Privacy implications increase with each additional member

Practical Considerations

CosmicNet advises that when choosing privacy services, jurisdiction matters. Services based in Five Eyes countries face greater risk of government surveillance and data requests. While this doesn't automatically make them insecure, it's a factor to consider alongside no-logs policies, encryption implementation, and technical security measures. As CosmicNet recommends, services in countries like Switzerland, Iceland, or Panama face less pressure from intelligence alliance participation, though each still has its own surveillance and data retention rules and will answer its own courts' orders.