It’s been a remarkable week to be at the Privacy Law Scholars Conference – a week when there have been some of the most interesting and potentially most important revelations relating to privacy for a long while.
Dramatic revelations – first on Verizon
Yesterday was particularly dramatic. First there was the revelation that the NSA has had access to the records of Verizon, one of the US’s biggest phone providers. This access covered what has been described in some places as ‘meta-data’ and in others as ‘traffic data’ – the key being that it didn’t include the content of the calls, so the NSA could claim not to have been ‘listening in’. As with the debate over the Snoopers’ Charter in the UK, this is a classic bit of misinformation – the meta-data can in many ways be even more revealing than the content, particularly in the light of modern profiling techniques, but this is a bit of a side issue really.
This first revelation was later extended to suggest that it was highly likely that the same was true of other phone companies, but that the information had not (yet) been leaked – and I have to say that sounds eminently likely. Why would the NSA choose just one provider? If they believed the information was likely to be helpful, and had a legal mechanism that would enable them to get it (via the ‘secret’ FISA courts – see here for the court order in relation to Verizon), why would they restrict themselves to just one provider, however large?
Then PRISM…
The second, potentially even more interesting (and damaging) piece of news was the suggestion, in both the Guardian and the Washington Post, that the NSA has direct access to the files/servers of many of the biggest players in the internet – Facebook, Google, Apple, Microsoft, Yahoo, Skype, YouTube, AOL, PalTalk – through a programme called ‘PRISM’. The suggestion, effectively, was that the NSA had a kind of ‘backdoor’ into these systems, giving both real-time access to communications and full access to files and records. Quite what this really means, quite how true it is, whether the companies knew about it (most have flatly denied the latter) has yet to be verified, but will doubtless be the subject of huge scrutiny. I’m not going to write about it here – I’m neither qualified or knowledgeable enough to do so, and the jury is still out in any case – but the reaction from the authorities has been very interesting and revealing.
There are a number of aspects to it that bear thought. The first is the question of legality – essentially, if the whole thing is ‘legal’ does that make it ‘OK’. The second is the question of targeting. One of the immediate responses by the authorities was to say that it was ‘aimed at only non-US people’, as though that would mean that it wasn’t a problem. The third is that it was ‘No Big Deal’ in any case (see this report in Forbes).
Legality
My suspicion from the first few reports of the story is that this is very likely to have been legal – indeed, to still be legal. The US authorities have extensive powers along these lines – the particular suggestion is that it is Section 702 of the Foreign Intelligence Surveillance Act (see here for example). Would ‘legality’ mean that this kind of thing is ‘OK’? Actually, for me, quite the opposite – it would make the whole thing even more worrying. It would demonstrate quite how extensive and intrusive – and oppressive – the legal powers available to the authorities are. It would be a reminder for people in the UK how dangerous it is to grant any government loose, open-ended powers of surveillance, and then to ‘trust’ them to use them responsibly and in a limited way. They won’t. They’ll take the powers they’re granted and see how far they can stretch them. That, amongst other things, is why the Communications Data Bill (the Snoopers Charter), with its very much open ended powers, was (and remains) such a bad idea.
Focus on ‘Foreigners’
This second question – whether it’s ‘OK’ so long as it’s only non-US citizens that are targeted – is one that many non-Americans might be surprised by, but is fairly common in the US. In general, the US tends to support ‘civil liberties’ rather than ‘human rights’ – and that means that the protection it gives to its citizens is generally far, far stronger than that it gives to foreigners. It is understandable – any government’s primary consideration should be its own people – but the implications are deeply worrying. For those of us from outside the US, it means we’re ‘fair game’. For those within the US, it means that effectively the US is giving carte blanche to other countries to spy on them: if the US feels it’s OK to spy on the citizens of China, for example, then aren’t they saying that it would be OK for China to spy on the citizens of the US? And won’t China take advantage of the moral authority they’re given to do that?
It should be noted, too, that the words used are ‘targeted’ or ‘aimed’ – the suggestion is that they’re ‘aiming’ the surveillance only at non-US people, but US people may get caught as part of the collateral damage. That, I suspect, will be worrying for many Americans, even if they don’t think we foreigners are worthy of protection – or that protection for our privacy, protection against being spied on, is something to do with our humanity rather than the nations of which we’re citizens.
What’s more, the latest suggestion in the Guardian is that the US authorities have allowed UK authorities access to the PRISM system – and it is more than likely that there are similar deals for other ‘friendly powers’.
It IS a big deal!
This is the last part – and the one that most bothers me. Much of the reaction suggests that the whole thing is a bit of a storm in a teacup, that we should all be willing to accept this kind of thing so long as it keep us ‘safe’. That much I categorically deny. Having our internet traffic monitored, having our files scrutinised and data about us gathered is something that we should all be concerned about. It matters. It’s a human rights issue. The effects are potentially very significant, and not just for privacy.
The timing of this whole thing is remarkable – it comes just days after Frank La Rue, the UN Special Rapporteur on Freedom of Expression and Opinion, presented his report to the UN, a report whose key conclusion was that:
“The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas.”
It’s a conclusion that for those of us in the field is not surprising – but it is worth repeating. Internet surveillance chills free expression. It limits free speech. It stifles freedom of thought. It IS a big deal. A very big deal indeed. If this report about PRISM is even partially true – and there are signs that the US authorities are admitting to much of it – then it is a huge deal. We need to take it very seriously indeed.
Paul Bernal's Blog 
Reblogged this on Stop The Cyborgs.
Another sensible blog here on a difficult and troubling subject matter.
My guess is the leak is related to the American attitude to surveillance of its own commercial, military and “diplomatic” activities: The US has stated publicly that a cyber attack on “its” systems would be considered an act of war! http://www.forbes.com/sites/reuvencohen/2012/06/05/the-white-house-and-pentagon-deem-cyber-attacks-an-act-of-war/ Right now there is the meeting with the Chinese authorities regarding cyber security/snooping http://www.reuters.com/article/2013/06/07/us-usa-china-idUSBRE9560B120130607 All of which adds up to a very interesting timing of the leak. Your point on legality is interesting. My questions are: In an open democracy where the rule of law is preeminent – How are any kind of secret courts allowed? How can such courts be allowed to pass judgements on others? And most importantly where will this end up?
For me. the snooping powers of the state are large and deep enough already. Anyone who is suspected of crimes can expect to be targeted for their data, quite rightly so. Another question comes to mind here and that is on the blurring of big government and big corporations. Who are increasingly mixed up in this. From Bildeberg to globalisation MNC’s/TNC’s the WTO, the IMF and World Bank all have one view. Open borders, “free” trade and so on. Until the pendulum swings the other way. Then the big powers pull up the draw bridge. Add to this now the social media platforms, the internet, emails and so on and the plot thickens. China and Iran are the bogey men. The West always needs a fear factor and a perceived enemy. I could go on but my my point is loosely made. Basically the rich global elite are divvying up the cake in their own interests. We, if lucky may get the crumbs that fall from the high (bilderberg) table. And hey! how we fight each other to get those crumbs. Watching you watching me.
Great blog. Once power is given, it’s impossible to take it back. As we say give ’em an inch and they will take a mile. This is an unbelievable affront to freedom of speech. Listening now to Obama say that it’s a trade off to stay safe, BO says established government procedure that we should feel alright about, Classified program, doesn’t welcome leaks. Once again it’s our fault, Again, keep sounding the alarm, maybe UK can stop before it starts for you.
Thanks, once again, for your insights and interventions, Paul. I enjoyed your post on Google Glass and have duly noted your correctness in imploring your readers to not look at these issues as ‘storms in a teacup’ and recognize them as something far more substantial.
Something I have been pondering over the past year, and especially so in lieu of David Lyon’s comments on social media surveillance at the Congress in Victoria, Canada this week, as well as Christopher Soghoian’s dissertation on third party service providers and law enforcement surveillance published last summer, is the extent to which security regimes and their practitioners are data-mining, per se. Something I have noted throughout the past 48-hours’ worth of mainstream media publications (i.e Washington Post; The Guardian; The Economist; the Business Insider; Mashable; TechDirt) is that PRISM mines meta-data as opposed to communications content – as you suggest. I agree with you that this information is exceedingly more important for our consideration and analysis then comm content; the ability to generate profiles and the implications of data-doubling opens up all sorts of frightening new securitization assemblages. Assuming that our internet actions, for example, can be captured, collected and striated into behavioral profiles, implies to me that PRISM indeed mines data much like some of the third party service providers already perform. A few weeks ago I mentioned to you via twitter Google Analytics’s ja.gs cookie which makes the rendering of behavioral profiles possible in ways that are not only profitable and entertaining for those who have a stake in such practices, but levies a potential avenue or technique for securitization that I suspect security regimes are already performing or are interested in developing.
The articles this past 48-hours have been, understandably so, vague with regards to the specificities of how data mining via PRISM takes place, but the cues are behavioural profile construction, web site activity and other metadata information. And so my questions fall in line a bit with some of those you have raised here: empirically speaking and leaving theory aside for a moment, how do we substantiate PRISM’s data-mining practices with those already being performed by third party service providers? Again, I turn to Google Analytics, Facebook Exchange and even DataLogix and the intense rates at which these companies are pursued by law enforcement agencies (ok – I get that the NSA has been demonstrated as interested in these companies this week, but Soghoian’s dissertation reveals a longstanding relationship between the state and these companies already and specifically for surveillance purposes). Secondly, and more directly concerning your points on foreignness, to what extent does data-mining for securitization purposes necessarily preclude the possibility of Americans escaping the gaze of these practices? There is a tension here between the consciousness of these practices in not ‘pinpointing’ Americans and the inevitability that comes with collecting meta-data in the first place; American, Canadian, British, Iranian, whatever the nationality and geophysical whereabouts seems irrelevant giving the extents to which the NSA has been and continues to monitor and record all traffic that enters the internet relay dishes along the coasts of the US.
Thanks very much for entertaining my thoughts and questions here. I really appreciate your interventions and look forward to your comments.
” The effects are potentially very significant, and not just for privacy.”
I’m not convinced, because no one has yet elaborated on what effects are potentially significant. Please give concrete examples. I’m not being a troll or argumentative, I genuinely want to know.
Well, one place to start might be Frank La Rue’s report on the impact of Internet surveillance on freedom of expression etc… Try looking here:
http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=13400&LangID=E
Hi Paul, thanks for the link. I read it several times to ensure that I didn’t miss anything. However, with all due respect, my question still stands – what effects are potentially significant? What danger is there to freedom of speech, with the intelligence gathering that various states and governments are conducting? Frank La Rue’s report used the Arab Spring as an example, and yet as I recall, the revolutions against the governments were successful – and social media was one of the primary tools used for revolting.
Especially in the USA, what reasons do the everyday civilians have for fearing that their correspondences are under surveillance? Just 4 days ago, the RCMP (Royal Canadian Mounted Police) used intelligence gathering to foil an independence day bomb plot in British Columbia. I would greatly appreciate a very specific and concrete example of what abuses can come from a government of the people that has access to private information. Respectfully – Migo
Sorry not to have time for a detailed response, but a couple of points. Firstly, part of the reason the Arab Spring revolutions were successful (in these terms) was that Internet surveillance failed. In Tunisia, for example, the government attempts to hack into Twitter and Facebook were discovered and reversed by the hacker community, and a further hack brought down the Tunisian government websites… that wouldn’t be possible with the kind of surveillance put forward here.
As for impact in the US, well, take a look at my later blog – it’s about the UK, but the point matches the US situation too.
https://paulbernal.wordpress.com/2013/06/23/communications-surveillance-protest-and-control/
There’s much, much more to it, but so little time…
Oh, and I could have added the Chinese dissidents tracked down, arrested and imprisoned after ‘cooperation’ with Yahoo over their email accounts, and Mexican bloggers tracked down, kidnapped and beheaded by the drugs cartels – the Internet surveillance link to the latter unproven, but the suspicion clear and the opportunity of using Internet surveillance to locate people in such circumstances direct
Thanks for your great information, the contents are quiet interesting.I will be waiting for your next post.
data entry service