At the beginning of this year, I discussed a report written for the European Parliament, which warned that the US legal framework allowed the authorities there to spy on EU data held by any US cloud computing service. I also noted as an interesting fact that the NSA was building a huge new data centre, and that encryption might not offer the protection we thought.
Back then this was mostly regarded as wild speculation. The general message was "don't worry, everything's fine." Of course, in the wake of the leaks from Edward Snowden, we now know that nothing is fine, that our communications are being spied on and stored on a previously unimaginable scale, and that not only is encryption not as safe as we thought, but has been wilfully undermined by the US and UK governments so as to make spying on everyone easier.
One of the authors of that prescient EP report was Caspar Bowden, who has put together an updated look at the state of EU privacy in the light of the Snowden revelations. It's entitled "The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens' fundamental rights" [.pdf] and is indispensable reading for anyone who wants to know where we stand and – more importantly – what we might be able to do.
Here's the summary:
The first section provides a historical account of US surveillance programmes, showing that the US authorities have continuously disregarded the human right to privacy of non-Americans. The analysis of various surveillance programmes (Echelon, PRISM) and US national security legislation (FISA, PATRIOT and FAA) clearly indicates that surveillance activities by the US authorities are conducted without taking into account the rights of non- US citizens and residents. In particular, the scope of FAA creates a power of mass- surveillance specifically targeted at the data of non-US persons located outside the US, including data processed by ‘Cloud computing', which eludes EU Data Protection regulation.
The second section gives an overview of the main legal gaps, loopholes and controversies of these programmes and their differing consequences for the rights of American and EU citizens. The section unravels the legal provisions governing US surveillance programmes and further uncertainties in their application, such as:
- serious limitations to the Fourth Amendment for US citizens
- specific powers over communications and personal data of "non-US persons";
- absence of any cognizable privacy rights for "non-US persons" under FISA
The section also shows that the accelerating and already widespread use of Cloud computing further undermines data protection for EU citizens, and that a review of some of the existing and proposed mechanisms that have been put in place to protect EU citizens' rights after data export, actually function as loopholes.
Finally, some strategic options for the European Parliament are developed, and related recommendations are suggested in order to improve future EU regulation and to provide effective safeguards for protection for EU citizens' rights.
Among the latter is a requirement that US Web sites offering services in the EU should be forced to carry a warning notice that data may be subject to surveillance. Unfortunately, most people will just click on "agree" when such things pop up, probably without even reading the details. More usefully, the report suggests that the Safe Harbour agreement under which EU personal data is exported to the US, should be revoked and re-negotiated in the light of what we now know about US surveillance activities.
Another idea is the following:
A full industrial policy for development of an autonomous European Cloud computing capacity based on free/open-source software should be supported. Such a policy would reduce US control over the high end of the Cloud e-commerce value chain and EU online advertising markets. Currently European data is exposed to commercial manipulation, foreign intelligence surveillance and industrial espionage. Investments in a European Cloud will bring economic benefits as well as providing the foundation for durable data sovereignty.
That's precisely what I advocated back in January, but there's an added urgency to moving to open source, since we know that commercial software companies have been complicit in weakening their products to allow the US and UK authorities to spy on users.
Bowden also makes the following interesting recommendation:
Systematic protection and incentives for whistle-blowers should be introduced in the new Regulation. Whistle-blowers should be given strong guarantees of immunity and asylum, and awarded 25% of any fine consequently exacted. The whistle-blower may have to live in fear of retribution from their country for the rest of the lives, and take precautions to avoid "rendition" (kidnapping). Ironically, US law already provides rewards of the order of $100m for whistle-blowers exposing corruption (in the sphere of public procurement and price-fixing).
I think this is a really great idea. Not only are whistleblowers accorded guarantees of immunity and protection, they would be able to profit from their public-spirited actions by sharing in the fines imposed. That would dramatically change the landscape in the computer world, since it would make it less easy for closed-source applications to hide backdoors of the kind we have learned about recently.
Like the earlier report that Bowden contributed to, this latest study is important, and I recommend that everyone read it in order to understand just how bad things are, and how we might start to rectify that. Here's the report's splendid peroration, which puts things in a historical context:
The thoughts prompted in the mind of the public by the revelations of Edward Snowden cannot be unthought. We are already living in a different society in consequence. Everybody now knows, that the US intelligence community might know any personal secret in electronic data sent in range of the NSA. These developments could be profoundly destabilising for democratic societies, precluding exercise of basic political and human rights, and creating a new form of instantaneous and coercive Panoptic power.
There is a historical symmetry between the incursions on the Fourth Amendment rights of Americans, and the disregard for the human right to privacy of everyone else in the world. In the period leading up the US War of Independence the British used "general warrants" which authorised any search without suspicion, and it was resentment against this power and its abuse that motivated the subsequent Fourth Amendment to the US Constitution.
FISA 702 (aka §1881a) is a general warrant to collect data and trawl for information related to US foreign affairs, but Americans' privacy is legallly sacrosanct (albeit in theory) unless the high legal threshold of "necessity" is met. What particularly galled the American revolutionaries was that ten years earlier a famous case in English law had prohibited such general warrants. They regarded it as hypocrisy that laws they did not write, and could not change, protected the privacy of their rulers, but not colonial subjects. The same principle is at stake today.