It’s been a remarkable week to be at the Privacy Law Scholars Conference – a week when there have been some of the most interesting and potentially most important revelations relating to privacy for a long while.
Dramatic revelations – first on Verizon
Yesterday was particularly dramatic. First there was the revelation that the NSA has had access to the records of Verizon, one of the US’s biggest phone providers. This access covered what has been described in some places as ‘meta-data’ and in others as ‘traffic data’ – the key being that it didn’t include the content of the calls, so the NSA could claim not to have been ‘listening in’. As with the debate over the Snoopers’ Charter in the UK, this is a classic bit of misinformation – the meta-data can in many ways be even more revealing than the content, particularly in the light of modern profiling techniques, but this is a bit of a side issue really.
This first revelation was later extended to suggest that it was highly likely that the same was true of other phone companies, but that the information had not (yet) been leaked – and I have to say that sounds eminently likely. Why would the NSA choose just one provider? If they believed the information was likely to be helpful, and had a legal mechanism that would enable them to get it (via the ‘secret’ FISA courts – see here for the court order in relation to Verizon), why would they restrict themselves to just one provider, however large?
The second, potentially even more interesting (and damaging) piece of news was the suggestion, in both the Guardian and the Washington Post, that the NSA has direct access to the files/servers of many of the biggest players in the internet – Facebook, Google, Apple, Microsoft, Yahoo, Skype, YouTube, AOL, PalTalk – through a programme called ‘PRISM’. The suggestion, effectively, was that the NSA had a kind of ‘backdoor’ into these systems, giving both real-time access to communications and full access to files and records. Quite what this really means, quite how true it is, whether the companies knew about it (most have flatly denied the latter) has yet to be verified, but will doubtless be the subject of huge scrutiny. I’m not going to write about it here – I’m neither qualified or knowledgeable enough to do so, and the jury is still out in any case – but the reaction from the authorities has been very interesting and revealing.
There are a number of aspects to it that bear thought. The first is the question of legality – essentially, if the whole thing is ‘legal’ does that make it ‘OK’. The second is the question of targeting. One of the immediate responses by the authorities was to say that it was ‘aimed at only non-US people’, as though that would mean that it wasn’t a problem. The third is that it was ‘No Big Deal’ in any case (see this report in Forbes).
My suspicion from the first few reports of the story is that this is very likely to have been legal – indeed, to still be legal. The US authorities have extensive powers along these lines – the particular suggestion is that it is Section 702 of the Foreign Intelligence Surveillance Act (see here for example). Would ‘legality’ mean that this kind of thing is ‘OK’? Actually, for me, quite the opposite – it would make the whole thing even more worrying. It would demonstrate quite how extensive and intrusive – and oppressive – the legal powers available to the authorities are. It would be a reminder for people in the UK how dangerous it is to grant any government loose, open-ended powers of surveillance, and then to ‘trust’ them to use them responsibly and in a limited way. They won’t. They’ll take the powers they’re granted and see how far they can stretch them. That, amongst other things, is why the Communications Data Bill (the Snoopers Charter), with its very much open ended powers, was (and remains) such a bad idea.
Focus on ‘Foreigners’
This second question – whether it’s ‘OK’ so long as it’s only non-US citizens that are targeted – is one that many non-Americans might be surprised by, but is fairly common in the US. In general, the US tends to support ‘civil liberties’ rather than ‘human rights’ – and that means that the protection it gives to its citizens is generally far, far stronger than that it gives to foreigners. It is understandable – any government’s primary consideration should be its own people – but the implications are deeply worrying. For those of us from outside the US, it means we’re ‘fair game’. For those within the US, it means that effectively the US is giving carte blanche to other countries to spy on them: if the US feels it’s OK to spy on the citizens of China, for example, then aren’t they saying that it would be OK for China to spy on the citizens of the US? And won’t China take advantage of the moral authority they’re given to do that?
It should be noted, too, that the words used are ‘targeted’ or ‘aimed’ – the suggestion is that they’re ‘aiming’ the surveillance only at non-US people, but US people may get caught as part of the collateral damage. That, I suspect, will be worrying for many Americans, even if they don’t think we foreigners are worthy of protection – or that protection for our privacy, protection against being spied on, is something to do with our humanity rather than the nations of which we’re citizens.
What’s more, the latest suggestion in the Guardian is that the US authorities have allowed UK authorities access to the PRISM system – and it is more than likely that there are similar deals for other ‘friendly powers’.
It IS a big deal!
This is the last part – and the one that most bothers me. Much of the reaction suggests that the whole thing is a bit of a storm in a teacup, that we should all be willing to accept this kind of thing so long as it keep us ‘safe’. That much I categorically deny. Having our internet traffic monitored, having our files scrutinised and data about us gathered is something that we should all be concerned about. It matters. It’s a human rights issue. The effects are potentially very significant, and not just for privacy.
The timing of this whole thing is remarkable – it comes just days after Frank La Rue, the UN Special Rapporteur on Freedom of Expression and Opinion, presented his report to the UN, a report whose key conclusion was that:
“The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas.”
It’s a conclusion that for those of us in the field is not surprising – but it is worth repeating. Internet surveillance chills free expression. It limits free speech. It stifles freedom of thought. It IS a big deal. A very big deal indeed. If this report about PRISM is even partially true – and there are signs that the US authorities are admitting to much of it – then it is a huge deal. We need to take it very seriously indeed.