«Compiled and edited by Simon Davies June 2014 A Crisis of accountability 2 Contents Contents Acknowledgments ...»
The EFF summary does, however, focus primarily on US-based security activities. While these are of crucial to global privacy (or at least, the intrusion into privacy), there is much still to be discovered, both about the enabling international arrangements and the activities of individual non-US national security services.
It is equally true that the operational relationship between security services, law enforcement agencies and global police organisations such as INTERPOL remains largely unknown and – in terms of data policy – continues to be largely unaccountable. While important new information has been made public about how security agencies collect and exchange data within their own security community, relatively little is known about the use of that information or the extent to which it is passed to law enforcement agencies. That is, while the public now has a better understanding of how personal information is collected by agencies (particularly the NSA), relatively little is known about how that data is used beyond the point of collection. The accountability gap in the security realm is thus even greater than many inquiries and analysts have suggested.
Despite these shortcomings, the evidence presented in this report indicates that the Snowden disclosures have resulted in an overall change in public perception and a spike in political sensitivity around such issues as accountability of security services. While this has not so far translated universally into concrete reforms, the shift is an indication that an additional foundation stone may have been laid in some countries that will enable tangible reform.
3 https://www.eff.org/deeplinks/2014/06/65-65-things-we-know-about-nsa-surveillance-wedidnt-know-year-ago A Crisis of accountability 10 Reform, however, cannot be measured merely through the actions of government. Industry has to some extent responded in a proactive manner to institute a range of measures to improve privacy and security. At the time of publication of this report Vodafone, one of the world’s biggest mobile providers, is on the point of disclosing basic details of the “backdoor” access that security agencies have to its networks, allowing security bodies to listen in to any phone channel they choose.
In its report on the disclosure, the Guardian4 commented:
The company has broken its silence on government surveillance in order to push back against the increasingly widespread use of phone and broadband networks to spy on citizens, and will publish its first Law Enforcement Disclosure Report on Friday. At 40,000 words, it is the most comprehensive survey yet of how governments monitor the conversations and whereabouts of their people.
Such detailed transparency was unheard-of before the Snowden era. Clearly, there has been a significant shift in view amongst some corporations in response to what is perceived as an abuse of surveillance facilities by security
and law enforcement. Australian authorities, for example, made an extraordinary 685,757 requests for communications metadata in 2013, almost three times the number of requests per head of population made by the UK, and more than a hundred-fold greater than Germany.5 As the industry report below in this report observes, the move to transparency in the relations between corporations and government has been significant, but was not triggered exclusively by the Snowden disclosures. Indeed the transparency trend has been in progress since at least 2009. Of greater importance perhaps is the trend to the endemic strengthening of communications security. This development – pursued by a number of companies – goes beyond mere transparency and moves toward creating at least the beginning of a more privacy-secure communications ecosystem.
Whether this results in an escalation of the technology arms race is yet to be seen.
Critics are right to point out that the mere disclosure of information about the extent of systemic intrusion by security agencies is not, in itself, a sufficient response. Nonetheless, corporations have started to move, by degrees, to changing the dialogue around surveillance, particularly with regard to legal and ethical principles. This shift to some extent reflects the commercial market for privacy that has been evolving for some years.
This trend was eloquently expressed by Microsoft’s General Counsel Brad Smith on the first anniversary of the Snowden debut. Arguing that the US
needs to respect international sovereign protections6, Smith argued:
These concerns have real implications for cloud adoption. After all, people won’t use technology they don’t trust. We need to strike a better balance between privacy and national security to restore trust and uphold our fundamental liberties.
Civil Society has also responded with measures that will help build stronger constituencies and coalitions including such initiatives as the Thirteen Principles7 and the Don’t Spy on Us coalition.8 The bigger picture While this report is centred on reviewing measurable reforms, the authors understand that the one-year period being assessed is in many respects too short a time frame to gauge the true impact of the Snowden influence.
5 http://www.theguardian.com/business/2014/jun/06/vodafone-reveals-secret-wires-allowingstate-surveillance 6 http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/06/04/unfinishedbusiness-on-government-surveillance-reform.aspx 7 https://en.necessaryandproportionate.org/text 8 https://www.dontspyonus.org.uk/org A Crisis of accountability 12 Nevertheless, the period may be considered in terms of trends, i.e. whether the pace of reform has accelerated, slowed or reached a plateau.
In some respects - and despite the encouraging trends described above - the outcome for reform is not entirely positive. More than half the countries surveyed for this project reported that there has been little media or political activity as a result of the disclosures. Of the remainder, around a half identified tangible reforms that had been pursued, and most of those correspondents expressed concern that reform activity had slowed in recent months. Overall, around one sixteenth of countries are on target for even the most marginal reform of their security services.
This situation should not diminish the significance of the broader trend of public awareness and political activity. There have been several substantial outcomes, including action by the UN, the European Parliament and the White House. A noticeable geo-political shift has occurred, though this dynamic largely excludes Africa and Asia.
At this early stage it is difficult to determine the extent to which the disclosures have influenced other social and political developments. In Turkey, for example, the Snowden revelations came during the peak of the Gezi uprising.
Since it became obvious that there is almost no privacy in social media (which was heavily and effectively used in the events), the "occupiers" were A Crisis of accountability 13 concerned about how the collaboration between large ICT companies and the NSA might extend to the Turkish government. This resulted in an awareness of Internet privacy issues and some web sites that provide advise on privacy issues emerged.9 Many of the country assessments in this report highlight the significance of the shift in thinking over privacy and security issues, emphasising the real
potential for future reform. Spain, for example, observed:
There are signs that a debate has been sparked, at least in specific milieus and in relation to cybersecurity, social media and privacy concerns. And while the media and political passivity is an immediate challenge, general privacy concerns have managed to become the standard in technology reporting and policy. In this evolving context, every new revelation on the use and abuse of surveillance powers is contributing to strengthening the need for a true public debate on the possibilities and risks of the surveillance society.
Colombia also emphasised the broader influence of this change of perspective:
If Snowden's revelations have had some influence in Colombia it was to highlight the fact that intelligence decisions cannot be based solely on State security rationale. To some extent, these revelations have served to demonstrate that there are limits to state surveillance activities. It has also shown that there is a need to guarantee citizens' rights, as well as to establish civil society oversight mechanisms. Yet, it will take some time to translate this recognition to the domestic reality.
while Canada reinforced the interactive elements of the reform process:
In conclusion, the media and Parliament’s attention to signals intelligence has increased significantly, and these efforts have dovetailed with ongoing concerns over the scope and nature of privacyinvasive activities by domestic state agencies.
The disappointing media coverage in many parts of the world could be a result of either under-management or over-management of the Snowden disclosures. Despite a perception that the Snowden disclosures have became a global news story, reports from the majority of non-US nations indicate that media coverage in many countries has been minimal or non-existent. Concern was expressed that the story was “owned” as a proprietary package by the Anglo-American press and was of little direct relevance to most parts of the world. This perception only shifted at the local level when such countries as Pakistan and Mexico were specifically cited in leaked documents.
Possible shortcomings in the Guardian’s handling of the Snowden episode
could be explained by a business motivation to create roots in a more lucrative global market, particularly the US.10 Nonetheless – as the experience of such countries as Brazil has demonstrated in this report – the newspaper’s handling of the story has in some respects been highly effective, even if over-protective of the data.
Future action One challenge for the years ahead will be to extend this issue beyond the Trans-Atlantic domain and into a truly global context. This requires more than mere media attention and goes to the question of innovative, integrated strategy that binds all elements of the reform community. There are several key initiatives globally that will strengthen and streamline citizen-led initiatives to pressure governments and corporations to create better defences for privacy over the next few years.
The data in this report may help indicate some other important pathways to future action for reform. One of the most significant of these relates to interactivity between different strands of the reform community. Civil society and the tech community have not adequately adapted to the challenges raised by the Snowden revelations. For example, the interface and the communications between policy reform (e.g. efforts to create greater accountability measures, privacy regulations) and technical privacy solutions (e.g. designing stronger embedded security) are worryingly inconsistent and patchy. Few channels of communication and information exchange exist between these disparate communities. There was also a sense that reform strategy needed to become more effective – even aggressive – if further progress was to be made in the foreseeable future.
One response to these outcomes has been an informal agreement among several NGO’s to participate in a collaborative process over the summer called “Code Red”. This initiative will aim to build working interfaces that do not currently exist, and seek accelerated resources and funding for cuttingedge technical responses, legal challenges, direct action and innovative policy reform.
A further announcement about this initiative will be made in early September.
Country and sector reports Contributor biographies are set out in the final section of the report Australia Snowden’s disclosures affect Australia, as that country is one of the ‘FiveEyes’ alliance of intelligence partners. Australia’s electronic intelligence agency is called the Australian Signals Directorate (ASD), previously known as the Defence Signals Directorate. The disclosures showed that the Australian intelligence agency surveillance programs targeted Indonesia, East Timor, Malaysia and the Philippines, with information shared with the US.
They also show that Australia offered to share information on ordinary Australians with the Five-Eyes partners.11 This created concern amongst Australian legal, digital rights and civil liberties communities. Geoffrey Robertson QC argues that ASD breached the law in offering detailed information on Australian citizens to its foreign partners.12 Disclosures about Australia’s involvement received wide coverage in Australian media. The then Labor government Attorney-General, Mark Dreyfus, received secret briefings on PRISM in March 2013, months before Snowden revealed that information.13 Australian agencies were reported to have spied on Indonesian president Yudhoyono and his wife.14 Commercial * David Vaile (co-convenor, Cyberspace Law and Policy Community, UNSW) and Nigel Waters (Australian Privacy Foundation and Privacy International) are thanked for commenting on the draft of this report.