A Crisis of Accountability
A global analysis of the impact of the
Compiled and edited by Simon Davies
June 2014
Contents
Acknowledgments
About the publishing team
Introduction and background
The bigger picture
Country and sector reports
The European Union
Information about the contributors
Acknowledgments
This report was made possible through the huge support and excellent contributions from the following people, to whom we extend our gratitude:
Steve Anderson (Canada - OpenMedia.org), Carolina Botero (Colombia), Bruna Castanheira (Brazil), Gemma Galdon Clavell (Spain), Nighat Dad (Pakistan), Hauke Gierow (Germany), David Green (Electronic Frontier Foundation, US), Lauri Hirvonen (Finland, Electronic Frontier Finland), Tamir Israel (Canada), Lorena Jaume-Palasí (Germany), Otso Kassinen (Finland, Electronic Frontier Finland), Ephraim Percy Kenyanito (Kenya, Access Now), Melih Kirlidog (Turkey), Monserrat Laguna (Mexico), Cedric Laurant (Mexico), Raegan MacDonald (EU, Access Now), TJ McIntyre (Ireland), Joe McNamee (EU, European Digital Rights – EDRi), Peter Micek (EU), Jenny Ng (Australia), Kurt Westh Nielsen (Denmark), Ville Oksanen (Finland, Electronic Frontier Finland), Christopher Parsons (Canada), Shaikh Rafia (Pakistan), John Razen (Brazil), Gabriella Razzano (South Africa), Mike Rispoli (Privacy International, London), Paulo Rená (Brazil), Katitza Rodriguez (Electronic Frontier Foundation, US), Gideon Rop (Kenya), Pilar Saenz (Colombia), Amie Stepanovich (US), Katarzyna Szymielewicz (Poland), Jerome Thorel (France), Amalia Toledo (Colombia, Karisma Foundation), Niklas Vainio (Finland, Electronic Frontier Finland), Micheal Vonn (Canada), Rejo Zenger (Netherlands, Bits of Freedom).
Thanks also to the many other civil society organizations who provided advice and networking for this project.
A special thank you to Zarte Siempre, who assisted in the editing and proofing process and to Katitza Rodriguez of the Electronic Frontier Foundation (EFF) for such constant support throughout the project.
Our gratitude also goes to the Institute of Information Law of the University of Amsterdam and Law, Science, Technology & Social Studies (LSTS) at the Vrije Universiteit of Brussels for their support.
About the publishing team
This report was conceived and published by the Privacy Surgeon (www.privacysurgeon.org), a popular independent commentary and analysis site operated by veteran privacy specialist Simon Davies.
Publication is in association with both the Institute of Information Law of the University of Amsterdam and Law, Science, Technology & Social Studies (LSTS) at the Vrije Universiteit of Brussels.
Simon Davies is widely acknowledged as one of the most experienced and influential privacy experts in the world, and is one of the pioneers of the international privacy arena. He is currently Associate Director with LSE Enterprise (London School of Economics) http://www.lse.ac.uk/businessAndConsultancy/LSEEnterprise/who.aspx and is also a visiting researcher with both IViR at the University of Amsterdam and LSTS at the Vrije Universiteit of Brussels, each of which hosted him during the gestation of this report.
The Privacy Surgeon has borne all costs and takes all liability associated with this report.
Executive summary
• The Snowden disclosures have triggered a noticeable shift in thinking across the world toward increased awareness of the importance of accountability, transparency and the rule of law with regard to both the activities of security agencies and the value of privacy. This shift - in many parts of the world - has empowered civil society, created a resurgence of interest in legal protections and sensitised media to key issues that have hitherto escaped public scrutiny at any substantial level.
• This shift notwithstanding, the overwhelming majority of countries assessed in this report have not responded in any tangible, measurable way to the Snowden disclosures that began in June 2013.
While there has been a notable volume of “activity” in the form of diplomatic representations, parliamentary inquiries, media coverage, campaign strategies, draft legislation and industry initiatives, there has – at the global level – been an insignificant number of tangible reforms adopted to address the concerns raised by the Snowden disclosures.
Two thirds of legal professionals and technology experts from 29 countries surveyed for this study reported that they could recall no tangible measure taken by government.
• While obfuscation and denial were reported across most governments, the UK in particular – as America’s principal operational and diplomatic security partner – was singled out because of its almost total disregard for any of the issues raised by the Snowden disclosures.
• The operational relationship between security services, law enforcement agencies and global police organisations such as INTERPOL remains largely unknown and – in terms of data policy – continues to be largely unaccountable. While important new information has been made public about how security agencies collect and exchange data within their own security community, almost nothing is known about the use of that information or the extent to which it is passed to law enforcement agencies.
• The small number of reforms that have been adopted by governments (most notably the US) appear to create no meaningful protections for personal data at the global level. While, for example, President Obama declared an interest in providing some protections for non-US persons, the protections themselves were marginal at best, and have so far failed to materialise. Indeed the available evidence indicates that the US administration has engaged in a global campaign to neutralise attempts by some governments to create reform of international security relationships.
• Despite a perception that the Snowden disclosures have become a global news story, reports from the majority of non-US nations indicate that media coverage in many countries has been minimal or nonexistent. Concern was expressed that the story was “owned” as a proprietary package by the Anglo-American press and was of little direct relevance to most parts of the world. This perception only shifted at the local level when such countries as Pakistan and Mexico were specifically cited in leaked documents.
• Possibly in part because of the predominant US focus in reporting, media coverage of the relevant issues has declined globally to less than two percent of the initial traffic of a year ago - and continues to diminish. As a consequence, public concern about the issues raised by the disclosures has – at best – reached a plateau. This drop-off is particularly steep in non-US and non-English language media.
• A significant number of corporations have responded to the disclosures by introducing a range of accountability and security measures (transparency reports, end-to-end encryption, etc.). Nonetheless, while acknowledging that these reforms are “a promising start”, nearly sixty percent of legal and IT professionals surveyed for this report believe that they do not go far enough, with more than a third of respondents reporting that they felt the measures were “little more than window dressing” or are of “little value” outside the US.
• Civil society and the tech community have not adequately adapted to the challenges raised by the Snowden revelations. For example, the interface and the communications between policy reform (e.g. efforts to create greater accountability measures, privacy regulations) and technical privacy solutions (e.g. designing stronger embedded security) are worryingly inconsistent and patchy. Few channels of communication and information exchange exist between these disparate communities.
Introduction and background
Anyone following the US and English-language media in the wake of the Snowden revelations might be forgiven for believing that the disclosures have created a vast impact on the world’s security services. The US, in particular, has engaged in a high-profile national debate of sufficient scale to bring some of the US-based intelligence entities to the brink of greater accountability.
Despite there being little in the way of tangible benefit for non-US persons, the US developments have created some important advances in security accountability.
Nonetheless, while being the most widely reported of all the elements of Snowden’s legacy, the US developments do not in any way represent the international situation. To understand the more common response by governments, one need look no further than the United Kingdom - America’s principal operational and diplomatic security partner - which has failed to engage the relevant issues in any meaningful way.
Indeed the intransigence of UK authorities reached such heights that in February 2014 – eight months after the first wave of disclosures by Snowden – the UK Parliament was forced to take the almost unprecedented step of issuing a formal summons to the security services watchdog, Sir Mark Waller, who had repeatedly refused to appear before the Parliament’s investigating committee. [1]
The Waller episode appears symptomatic of the UK government’s post-Snowden mindset. The following month, the Privacy Surgeon lodged a formal plea with the Attorney General to use his prerogative to request a police investigation of UK spy agency GCHQ over apparent criminal violations of communications interception law. The lengthy request, written in collaboration with legal specialists, had no effect. Indeed the Attorney General’s office has not even responded to the correspondence. [2]
Government and oversight authorities in many countries have behaved in a similar vein, often with little or no international media coverage.
By the beginning of 2014 it had become clear to observers and analysts that the global response to the Snowden disclosures was erratic and often unknown. While, for example, Germany, Brazil and the European Parliament were quite active in establishing response mechanisms to address the revelations, the same could not be said of nations in many parts of the world – or indeed, in many parts of Europe.
[1] http://www.theguardian.com/uk-news/2014/feb/27/mps-summon-security-serviceswatchdog-mark-waller-snowden
[2] http://www.privacysurgeon.org/blog/incision/attorney-general-receives-plea-to-refer-gchqinterception-to-uk-police/
This report arose, therefore, from a growing awareness that a more comprehensive assessment of the global response to Snowden was required.
This analysis would help inform the global movement that has arisen to bring reform and accountability to security services. One primary aim is to provide media, campaigners, opinion leaders and the public with a reliable source that presents the facts in a comparative format.
There were many questions that needed to be addressed, including:
1. Outside of the US, have there been any concrete reforms undertaken by governments or other organisations?
2. In terms of the activity over the past year, what patterns and common threads, if any, can be deduced?
3. From this evidence, what lessons can be learned about how to take the reform agenda forward over the coming years?
This report is not concerned with opinion or aspiration. It describes concrete, measurable outcomes rather than simple “activity”. This entails not just citing, for example, that an inquiry was conducted or a parliamentary debate held, but whether a tangible measure has been implemented as a result of that activity.
The methodology chosen was to identify a number of trusted experts in selected countries that we believed would be representative of the global landscape. To this end correspondents were secured to present brief reports on Australia, Brazil, Canada, Colombia, France, Ireland, the EU, Netherlands, United States, United Kingdom, Pakistan, Kenya, Germany, Mexico, South Africa, Poland, Finland, Denmark and Spain together with a sector report on the response by industry.
To provide further input to these reports, an online survey was then conducted amongst nearly a hundred academics, legal professionals and IT experts in a further nineteen countries - Uruguay, Belgium, Italy, Serbia, Japan, Romania, India, Israel, Singapore, Portugal, Turkey, Greece, Burundi, the Philippines, Austria, Sweden, Slovenia, Bulgaria and Malaysia. These respondents – like the country correspondents – were asked to provide information on measurable reforms in their respective countries, together with their own assessment of the impact of the Snowden disclosures on public and government perspectives.
Analysis
Global security relationships are complex, embedded and often inscrutable.
They have evolved over many decades, bolstered by secretive arrangements and an operational framework that is – at best – deeply opaque.
However, since June 2013, much has been learned about the workings of the security ecosystem. A critically important sliver of that arena has been opened up, in particular the data collection and analysis operations conducted by the US National Security Agency and its close allies.
For those who are not specialists in this field, one of the best evidence-based primers on the subject was recently published [3] by the Electronic Frontier Foundation (EFF), outlining 65 key facts about the National Security Agency (NSA) that until 2013 were not known. This document is an effective starting point for anyone interested in the subject.