James Ball aims to frame the debate around governmental surveillance in the US and the UK, explaining how privacy is being compromised online.
Making reference to large scale projects referred to as Prism, Ball describes how surveillance operates through an automated or semi-automated process made without warrant and administered by the FBI. He also explains the NSA have been lowering standards of encryption. This undermines general security of the web and means this agency is simultaneously in charge of raising and lowering security standards. Ball relates that the NSA are said to be working with commercial providers either overtly or covertly. Ball also points to extensive espionage programs on world leaders and politicians.
As Ball states, because of the automated nature of surveillance algorithms the average citizen could arbitrarily be investigated as a result of an unfortunate set of searches carried out. To Ball, the important thing is that cabinet ministers at the National Security Council, the European Court of Human Rights and the Security Council in America were not made aware of surveillance programs. To Ball, as we are a democratic society we should be involved in making important cultural decisions around issues such as privacy and surveillance.
Ball finishes his talk by explaining that the Guardian has been undertaking painstaking journalism on mass surveillance, checking and cross-referencing facts, and speaking with governments. What has been published so far is only a fraction of what has been read, and contains the most accurate possible information. He makes the point that following Snowdon and the hacking of Angela Merkel’s phone the US and Europe are discussing the issue of surveillance, and he urges the UK to do the same.
A legal expert on covert policing, Simon McKay gives an account of the history of legal challenge in the field. Mckay relates that spying on people without a judicial warrant has been widely contested over time in the US, and that Lord Bingham, the British judge and jurist, was concerned with the UK’s complicity within this.
McKay states that although in a country threatened by terrorism there is a temptation to ‘fight fire with fire’ by setting aside legal safeguards, the state may not use indiscriminate methods, as this would be to fall into the trap set by terrorism to democracy.
To McKay, not even Lord Bingham could have known the extent of the surveillance in the US and UK. In fact, if not for Edward Snowden, none of us could have known the contemporary extent of mass surveillance. The troubling thing is that at their core, agencies can receive and disclose intelligence in the interests of national security, and this is largely a matter for them to determine. Although surveillance activities are regulated by the Regulation of Investigatory Powers Act 2000, the recommendations within this act are voluntary unless a criminal act takes place.
There is a general safeguarding for lawful conduct in section 80 of the act which is little known. It requires no organisation to get authorisation for surveillance unless it would ammount to a criminal offence not to do so. McKay also makes the point that mass acquisition of communications or content data does not ammount to a criminal offence if the communications provider or a person with authority for running communications data systems gives their consent. This happens perennially in our jurisdiction.
To McKay, the practical effect of this legislation is that if the UK wishes to receive information from a foreign power or disclose information to a foreign power, it can do so without any authorisation. This form of liberal power carried with it the need for agencies to act with acute integrity, something Edward Snowden did not feel is happening.
William Hagues’ response to Snowden’s revelations has been that if people are not doing anything wrong they have nothing to fear. However, to McKay this position is inconsistent with both domestic and European law. In terms of domestic law, unless something is prohibited by the common law a citizen is entitled to engage in it. Meanwhile in European Law the principle of legality is enshrined in the notion that before a state can undertake intrusive techniques of surveillance a subject must understand its scope and reach. McKay also feels if agencies acquire mass data, they should also review it, so that true threats can be identified.
As a lawyer McKay wants to highlight the trampling of citizens’ rights, the perniciousness of surveillance and the complicity of the government in agencies acting contrary to the rule of law and without transparency or accountability; asking who guards the guardians. As Lord Bingham states: ‘as soon as men decide all means are permitted to fight an evil, their good becomes indistinguishable from the evil that they set out to destroy’.
Becky Hogge, Author of ‘Barefoot in Cyberspace’ is next to speak. Hogge begins by recalling the utopian visions of the internet during the 1990’s, and the Declaration of Independence of Cyberspace in 1996. At this time privacy was not a key topic of debate as users were keen to establish freedom to do things, rather than freedom from being surveilled. However, as a result of the UScentrism of early thinking and development around the internet, we should not be surprised to realise that privacy is not well protected: it reflects the framework of the US in relation to data protection.
John Perry Barlow and other proponents of completely free and unsanctioned internet during the 1990s argued that the internet could not be regulated. However, Lawrence Lessig forged a counter-argument, suggesting the internet was regulated in 4 separate ways: the law, markets, norms and code. Hogge wants to explore how these regulatory pressures have taken us to where we are today in terms of digital surveillance, and speaks about each term in turn.
In terms of coded internet architecture, everything we do leaves a data vapour, and we are overwhelmed with data in the information age. Further, we are mostly using client servers such as Google, which mean our data is not our own. As Hogge asserts, all these digital architectural tendencies lend themselves to surveillance.
In terms of markets, we can observe that the business models of the organisations handling our data are exactly the same as the NSA and GCHQ. Both aim to collect as much data as possible, and therefore speak one another’s language. Referring to the law, Hogge remarks that because fundamental rights to privacy have national security write outs, and because in the age of asymmetric warfare in the war on terror we are all potentially implicated, protections enshrined in human rights legislation are not good. Tackling norms slightly separately from the other terms, Hogge makes the point that it is exactly because surveillance activities offend widely held beliefs about privacy that we are at this event.
Hogge then questions which of the regulations we can work to turn around. In terms of code, it is argued that there is still a way to use encryption which is better than having no security features at all, and that there are independent projects in place in the peer to peer community which aim to keep data safe and locally stored.
In terms of the market privacy friendly products are anti-Google in that they work against data collation by corporations. Further, those who have been providing secure email facilities such as Edward Snowdon’s email provider, Lavabit have been investigated by governmental agencies.
However, there are developments according to law. A civil societies statement at the UN has asked for a rethinking of human rights legislation so national security measures can fall under its purview. Additionally, countries such as Brazil and Germany have been talking about possible national laws to keep data within their borders. This ‘splinternet’ would undermine the dreams of a free global network forged by internet pioneers, but as we can see these are slightly in tatters in any case. The other problem with a splinternet is that companies could not market information products globally in the same way.
However, Hogge ends her talk by suggesting that potentially none of this talk of privacy or free cyberspace matters. Citing a recent article by Evgeny Mozorov, Hogge relates that what we ought to consider is the wider impact of automated data gathering on democracy itself, and the trust we place in machines to give us answers which may be correct without being ethical.
Prof. Anthony Glees
Professor Anthony Glees has followed intelligence led policy since being a student 40 years ago. Glees suggests he is aware that his viewpoint will be very different to that of the other panellists. His position is that cyberspace should be regulated lawfully and that liberties should be protected whilst making liberal democracy secure. However, he also feels the Guardian has behaved disgracefully and that Snowdon is a criminal.
To Glees, intelligence agencies have a duty to protect us lawfully in Western Liberal Democracies and are not used for social and political control. Glees feels that the Guardian is engaged in a witch hunt of media spin, and that claims of mass surveillance or snooping are false. He does not think that data mining will reduce human rights, and thinks those who fear surveillance are either right wing libertarians, or narcissistic individuals who falsely believe that governmental powers are interested in their everyday life.
Glees states that all countries hack data, including Germany and the UK, and have done so throughout history. The only difference now is that the digital makes the process easier and more widespread. He feels that criminals ought to be surveilled in order that those who break the law and commit heinous acts can be investigated.
Glees ends his talk by making a distinction between mass surveillance and tracking specific people who cause marked damage. He states that our country is safer with intelligence led activity, including communications led intelligence and feels these agencies wanted to undertake their work lawfully. It is for this reason he feels we are being taken on a witch hunt.
Caspar Bowden was Chief Privacy Adviser for Microsoft for 9 years and has been warning about the law underlying Prism since 2011. This talk makes the point that EU regulation cannot protect our privacy because it is at odds with US law, and relates particularly to cloud computing. As Bowden states, cloud computing is not just a buzzword. It is parallel processing power which means your data is running through someone else’s CPU. This means encryption is futile when using a cloud-based service in the USA.
It was discovered in 2003 and revealed by an AT&T whistleblower in 2005 that information was being sent from AT&T back to the NSA on a wide scale through various switching centres. However this was reported as a parochial affair about Amercians invading the privacy of other Americans. Actually it was primarily about surveillance of the rest of the world, although this has not been covered by the press until recently.
The first surveillance act was passed in 1978 in the wake of the Watergate scandal, when it was discovered that the CIA was carrying out mass surveillance of Americans. This law has not been altered since, and authorises intelligence being taken ‘with respect to a foreign based organisation or foreign territory that relates to conduct of foreign affairs of US’. This can relate to just about anything, can refer to anyone who takes issue with US foreign policy. As Bowden states, this is probably the law which authorises the hacking of Angela Merkel’s phone.
The law that underlies Prism was passed in 2008 and is an amendment to the 1978 act. This combines 3 elements for the first time. The first element is that this law only targets non Americans outside the US, which is of course 95% of the population of the planet. It also includes remote computing services for the first time, meaning cloud computing. Thirdly, there is the purely political definition of foreign intelligence information above. It is in many ways a law which lends itself to mass surveillance of cloud computing. There is a double discrimination regarding nationality. It only targets non Americans outside the US. Also, the very definition of foreign intelligence information also inherently contains a key discrimination.
This is completely at odds with European and United Nations conceptions of human rights, which state everyone has a right to privacy, and that if this right is infringed the justification must objectively relate to the risk of damage an individual could cause. It certainly should not be about nationality.
This law is therefore about the rest of the world rather than the US. Further, although the 4th amendment states that there has to be a particular warrant for something to be searched, last year it emerged that this does not apply to data sent to America. This means Americans enjoy full protection, but when we send our data to the US we have no rights. There is no protection in place for non-Americans, and EU data protection companies have not done anything to change this so far.
The discussion saw many members of the audience directing questions to Anthony Glees, asking about his moral justifications and understanding of the legal complexities of the situation. Glees responded by reiterating his point of view that what is being undertaken is not illegal, and that we may not like the law but this is a different matter. Caspar Bowden responded to this point by stating that no American law had been broken, but that such surveillance was not legal here. Bowden also made the point that our own government has failed to protect us.
Another audience member was keen to ask about alternatives. James Bell responded, stating that there are servers out there to help with privacy and that some encryption is better than others. Ball also suggests that change must happen on a societal level, as opting out individually will not prevent data being harvested when communicating with others. Ball also mentioned a set of helpful tutorials on a url called prism break.
Another direction in the discussion related to the splinternet and what the panel felt about this. Hogge responded by suggesting this was only just beginning as a debate as the very notion of a boundaried cyberspace had been considered a negative thing to this point. To Hogge the debate is now shifting, and we are demanding better control over data which passes over certain territories.
A final question questioned if Western Liberal Democracies need to move forward in terms of policy around these issues to stay ahead of other countries such as Russia and China. James Ball responded to this, stating that the UK are lagging behind, and although policy always struggles to keep up with technological advances, at least the EU and the US are engaging in a legitimate debate, partly due to Snowdon’s revelations and the hacking of Merkel’s phone.
Write up by Alexandra Reynolds