Category Archives: Human Rights

A Human Rights Response to Government Hacking - Access Now 201609


Recently we have seen several high-profile examples of governments hacking into consumer devices or accounts for law enforcement or national security purposes. Access Now released a report where we consider government hacking activity from the perspective of international human rights and conclude that based upon its serious interference with the rights to privacy, free expression, and due process, there should be a presumptive prohibition on all government hacking. There has yet to be an international public conversation on the scope, impact, or human rights safeguards for government hacking. The public requires more transparency regarding how governments decide to employ hacking and how and when hacking activity has had unanticipated impacts. Finally, we propose Ten Human Rights Safeguards for Government Hacking in pursuit of surveillance or intelligence gathering. The full report is available at:



We define hacking as the manipulation of software, data, a computer system, network, or other electronic device without the permission of the person or organization responsible for the device, data, or service or who is ultimately affected by the manipulation.

We consider government hacking in three categories based on the broad goal to be achieved:

  1. Messaging control: Hacking to control the message seen or heard, specifically by a particular target audience. to control a message, to cause damage, or to conduct surveillance.
  2. Causing damage: Hacking to cause some degree of harm to one of any number of target entities.
  3. Commission of surveillance or intelligence gathering: Hacking to compromise the target in order to get information, particularly on an on-going basis.

All government hacking substantially interferes with human rights, including the right to privacy and freedom of expression. While in many ways this interference may be similar to more traditional government activity, the nature of hacking creates new threats to human rights that are greater in both scale and scope. Hacking can provide access to protected information, both stored or in transit, or even while it is being created or drafted. Exploits used in operations can act unpredictably, damaging hardware or software or infecting non-targets and compromising their information. Even when a particular hack is narrowly designed, it can have unexpected and unforeseen impact.


Based on analysis of human rights law, we conclude that there must be a presumptive prohibition on all government hacking. In addition, we reason that more information about the history and the extent of government hacking is necessary to determine the full ramifications of the activity.

In the first two categories — messaging control and causing damage — we determine that this presumption cannot be overcome. However, we find that, with robust protections, it may be possible, though still not necessarily advisable, for the government to overcome the presumptive prohibition in the third category, government hacking for surveillance or intelligence gathering. We note that the circumstances under which it could be overcome are both limited and exceptional.

In the context of government hacking for surveillance, Access Now identifies Ten Human Rights Safeguards for Government Hacking, including vulnerability disclosure and oversight, that must both be implemented and complied with to meet that standard. Absent government compliance with all ten safeguards, the presumptive prohibition on hacking remains. In addition, the high threat that government hacking poses to other interests, defined in greater detail in our report, may (and probably should) necessitate additional limitations and prohibitions.

Government hacking threatens human rights embodied in international documents.

There should be a presumptive prohibition on all government hacking. In any instance where government hacking is for purposes of surveillance or intelligence-gathering, the following ten safeguards must all be in place and actually complied with in order for a government to successfully rebut that presumption.

Government hacking for the purposes of messaging control or causing damage cannot overcome this presumption.

1. Government hacking must be provided for by law, which is both clearly written and publicly available and which specifies the narrow circumstances in which it could be authorized. Government hacking must never occur with either a discriminatory purpose or effect;

2. Government actors must be able to clearly explain why hacking is the least invasive means for getting Protected Information in any case where it is to be authorized and must connect that necessity back to one of the statutory purposes provided. The necessity should be demonstrated for every type of Protected Information that is sought, which must be identified, and every user (and device) targeted. Indiscriminate, or mass, hacking must be prohibited;

3. Government hacking operations must never occur in perpetuity. Authorizations for government hacking must include a plan for concluding the operation. Government hacking operations must be narrowly designed to return only specific types of authorized information from specific targets and to not affect non-target users or broad categories of users. Protected Information returned outside of that for which hacking was necessary should be purged immediately;

4. Applications for government hacking must be sufficiently detailed and approved by a competent judicial authority who is legally and practically independent from the entity requesting the authorization and who has access to sufficient technical expertise to understand the full nature of the application and any likely collateral damage that may result. Hacking should never occur prior to authorization;

5. Government hacking must always provide actual notice to the target of the operation and, when practicable, also to all owners of devices or networks directly impacted by the tool or technique;

6. Agencies conducting government hacking should publish at least annually reports that indicate the extent of government hacking operations, including at a minimum the users impacted, the devices impacted, the length of the operations, and any unexpected consequences of the operation;

7. Government hacking operations must never compel private entities to engage in activity that impacts their own products and services with the intention of undermining digital security;

8. If a government hacking operation exceeds the scope of its authorization, the agency in charge of the authorization should report back to the judicial authority the extent and reason;

9. Extraterritorial government hacking should not occur absent authorization under principles of dual criminality;

10. Agencies conducting government hacking should not stock vulnerabilities and, instead, should disclose vulnerabilities either discovered or purchased unless circumstances weigh heavily against disclosure. Governments should release reports at least annually on the acquisition and disclosure of vulnerabilities. In addition to these safeguards, which represent only what is necessary from a human rights perspective, the judicial authority authorizing hacking activity must consider the entire range of potential harm that could be caused by the operation, particularly the potential harm to cybersecurity as well as incidental harms that could be caused to other users or generally to any segment of the population.

As encryption debate heats up, experts dissect Obama's surveillance policies - Daily Dot 20160408

As encryption debate heats up, experts dissect Obama's surveillance policies - Daily Dot 20160408

When FBI Director James Comey told an audience at Kenyon College on Wednesday that Americans should reconsider the value of unbreakable encryption in a world of persistent threats, he was addressing a conflict far broader than whether his agency could unlock a suspect's iPhone. He was wading into a debate over the course of national-security law that has emerged as one of the central conflicts of post-9/11 America.

On Friday morning, in one of the final events of Kenyon's biennial political-science conference, a panel of experts discussed the national-security approaches of Presidents George W. Bush and Barack Obama; the relationship between federal laws and local police practices; and the rhetoric of officials, like Comey, who consistently push for broader government power.

Charlie Savage, a national-security reporter at the New York Times, opened the discussion by recounting a discussion he had had with Greg Craig, President Obama's first White House counsel, about Obama's decision to preserve—and in some cases expand—the far-reaching surveillance state he inherited from President Bush. As Craig explained it, Obama's lawyers heard from the leaders of the intelligence community that the government's programs were both necessary and legal, and they stopped there.

“They didn’t ask, ‘Is this American?’” Savage said. The Obama team, intent on rectifying the perceived lawlessness and rhetorical overreach of the Bush administration, focused on grounding everything the government did in the law—brushing aside many civil-liberties questions, including whether a program comported with American traditions of liberty.

In his remarks at Kenyon, Savage reiterated the argument he made in his 2015 book Power Wars, about the difference between rule-of-law and civil-liberties critiques of national-security policy. When Obama’s liberal critics accused him of acting like Bush on surveillance issues, they meant it in a civil-liberties context. Obama's officials, Savage said, rejected this criticism because they were looking at things through a rule-of-law prism—and in that context, they believed, they were nothing like the Bush officials, who championed controversial legal theories about the commander-in-chief being able to override statutes in the name of national security.

Jameel Jaffer, deputy legal director at the American Civil Liberties Institute, took issue with Savage's framing and presented a different view of two ways to criticize national-security policy. Some people, he said, were concerned with how the Bush administration saw the relations between the branches of government (namely that Bush, as president, could trump Congress and the courts in national-security areas). Others were worried about how Bush's programs changed the relationship between government and citizenry.

People cared that Congress and courts weren’t involved in Bush's original warrantless-surveillance and military-detention programs, Jaffer said, but they cared more about the impact of those programs on their lives.

Jaffer's view was that the Obama administration “found statutory arguments to get to more or less the same place” as Bush on many national-security issues. Thus, he said, they could not be praised for caring more about the rule of law, per se, because, in his view, they simply construed the language of the laws to suit their policy goals.

When an administration essentially twists statutory language to permit it to do whatever it wants, Jaffer said, “the phrase ‘rule-of-law’ doesn’t fit comfortably with what you are actually doing.”

Chris Calabrese, vice president for policy at the Center for Democracy and Technology, agreed that Obama had “essentially ratified” Bush-era programs by declining to end them upon assuming office. What's more, Calabrese said, Obama's approval made the programs bipartisan, shielding them from many common political accusations while normalizing surveillance practices that, he said, would have appalled people had they foreseen them in 2002.

Calabrese also expanded the conversation to the state and local level. While the federal government develops technology like Stingray devices and policies like mass surveillance, local police often adopt these tools for their own work. Lawmakers, said Calabrese, must place the limits on these approaches, because at the investigative level, police will always do the most they can do; that is, after all, their job.

This interplay between federal and local tactics can profoundly affect a citizen's relationship with her government. Calabrese described a technique called "parallel construction," in which a spy agency learns something incriminating about an American and tells a law-enforcement agency how to discover it in a "clean" way that will be admissible in court. Americans arrested for crimes discovered in this manner cannot contest the real methods used to discover them, because those exist within national agencies that are subject to different rules.

Julian Sanchez, a senior fellow at the libertarian Cato Institute, sharply criticized Comey's Wednesday night remarks about encryption and its effects on investigative practices.

Comey was “rhetorically really masterful,” he said, using measured language to urge people to accept the need for a new “balance” between individual rights and government demands. By casting this balanced approach as the only rational one, Sanchez said, Comey implicitly characterized the status quo—itself the result of decades of laws and exemptions—as “absolutist.”

As an example, Sanchez noted that Comey had mentioned the Communications Assistance for Law Enforcement Act of 1994, which required companies to be able to comply with wiretaps but specifically excluded situations where companies did not control the ability to decrypt communications. Instead of accepting that CALEA was the result of a political compromise, Comey characterized it and the resulting legal environment as an absolutist position in favor of privacy.

Sanchez urged the audience to worry about this argument, saying that, when policymakers who grow uncomfortable with current surveillance law describe it as unacceptable and in need of rebalancing, this produces a “ratcheting toward ever-greater surveillance.”

"Architectures are stickier than rules," Sanchez said. “The architecture we construct on the premise that the legal restrictions on it will inhibit its use will outlast those rules. The rules can change much faster than the architecture.”

Mass surveillance silences minority opinions, according to study - The Washington Post 20160328

Mass surveillance silences minority opinions, according to study - The Washington Post 20160328

A new study shows that knowledge of government surveillance causes people to self-censor their dissenting opinions online. The research offers a sobering look at the oft-touted "democratizing" effect of social media and Internet access that bolsters minority opinion.

The study, published in Journalism and Mass Communication Quarterly, studied the effects of subtle reminders of mass surveillance on its subjects. The majority of participants reacted by suppressing opinions that they perceived to be in the minority. This research illustrates the silencing effect of participants’ dissenting opinions in the wake of widespread knowledge of government surveillance, as revealed by whistleblower Edward Snowden in 2013.

The “spiral of silence” is a well-researched phenomenon in which people suppress unpopular opinions to fit in and avoid social isolation. It has been looked at in the context of social media and the echo-chamber effect, in which we tailor our opinions to fit the online activity of our Facebook and Twitter friends. But this study adds a new layer by explicitly examining how government surveillance affects self-censorship.

Participants in the study were first surveyed about their political beliefs, personality traits and online activity, to create a psychological profile for each person. A random sample group was then subtly reminded of government surveillance, followed by everyone in the study being shown a neutral, fictional headline stating that U.S. airstrikes had targeted the Islamic State in Iraq. Subjects were then asked a series of questions about their attitudes toward the hypothetical news event, such as how they think most Americans would feel about it and whether they would publicly voice their opinion on the topic. The majority of those primed with surveillance information were less likely to speak out about their more nonconformist ideas, including those assessed as less likely to self-censor based on their psychological profile.

Elizabeth Stoycheff, lead researcher of the study and assistant professor at Wayne State University, is disturbed by her findings.

“So many people I've talked with say they don't care about online surveillance because they don't break any laws and don't have anything to hide. And I find these rationales deeply troubling,” she said.

She said that participants who shared the “nothing to hide” belief, those who tended to support mass surveillance as necessary for national security, were the most likely to silence their minority opinions.

“The fact that the 'nothing to hide' individuals experience a significant chilling effect speaks to how online privacy is much bigger than the mere lawfulness of one's actions. It's about a fundamental human right to have control over one's self-presentation and image, in private, and now, in search histories and metadata,” she said.

Stoycheff is also concerned about the quietly oppressive behavior of self-censorship.

“It concerns me that surveillance seems to be enabling a culture of self-censorship because it further disenfranchises minority groups. And it is difficult to protect and extend the rights of these vulnerable populations when their voices aren't part of the discussion. Democracy thrives on a diversity of ideas, and self-censorship starves it,” she said. “Shifting this discussion so Americans understand that civil liberties are just as fundamental to the country's long-term well-being as thwarting very rare terrorist attacks is a necessary move.”

Stoycheff has written about the capacity of online sharing tools to inspire democratic change. But the results of this study have caused her views to change. "The adoption of surveillance techniques, by both the government and private sectors, undermines the Internet's ability to serve as a neutral platform for honest and open deliberation. It begins to strip away the Internet's ability to serve as a venue for all voices, instead catering only to the most dominant," she said. She received no outside funding for the research or publication of this study, she said.

Some related references

Glynn, J.C., Hayes, F.A. & Shanahan, J. (1997). “Perceived support for ones opinions sand willingness to speak out: A meta-analysis of survey studies on the ‘spiral of silence’” Public Opinion Quarterly 61 (3):452-463.

Glynn, J.C. & McLeod, J. (1984). “Public opinion du jour: An examination of the spiral of silence, “ Public Opinion Quarterly 48 (4):731-740.

Noelle-Neumann, E. (1984). The Spiral of Silence: Public Opinion -- Our social skin. Chicago: University of Chicago.

Noelle-Neumann, E. (1991). The theory of public opinion: The concept of the Spiral of Silence. In J. A. Anderson (Ed.),Communication Yearbook 14, 256-287. Newbury Park, CA: Sage.

Simpson, C. (1996). “Elisabeth Noelle-Neumann’s ‘spiral of silence’ and the historical context of communication theory.”Journal of Communication 46 (3):149-173.

Taylor, D.G. (1982). “Pluralistic ignorance and the spiral of silence: A formal analysis,” Public Opinion Quarterly 46(3):311-335. See also: Kennamer, J.D. (1990). “Self-serving biases in perceiving the opinions of others: Implications for the spiral of silence,” Communication Research 17 (3):393-404; Yassin Ahmed Lashin (1984). Testing the spiral of silence hypothesis: Toward an integrated theory of public opinion. Unpublished dissertation, University of Illinois at Urbana-Champaign.

Crockford, Kade - Keep Fear Alive - The bald-eagle boondoggle of the terror wars - The Baffler 20160311

Crockford, Kade - Keep Fear Alive - The bald-eagle boondoggle of the terror wars - The Baffler 20160311


“If you’re submitting budget proposals for a law enforcement agency, for an intelligence agency, you’re not going to submit the proposal that ‘We won the war on terror and everything’s great,’ cuz the first thing that’s gonna happen is your budget’s gonna be cut in half. You know, it’s my opposite of Jesse Jackson’s ‘Keep Hope Alive’—it’s ‘Keep Fear Alive.’ Keep it alive.”
—Thomas Fuentes, former assistant director, FBI Office of International Operations

Can we imagine a free and peaceful country? A civil society that recognizes rights and security as complementary forces, rather than polar opposites? Terrorist attacks frighten us, as they are designed to. But when terrorism strikes the United States, we’re never urged to ponder the most enduring fallout from any such attack: our own government’s prosecution of the Terror Wars.

This failure generates all sorts of accompanying moral confusion. We cast ourselves as good, but our actions show that we are not. We rack up a numbing litany of decidedly uncivil abuses of basic human rights: global kidnapping and torture operations, gulags in which teenagers have grown into adulthood under “indefinite detention,” the overthrow of the Iraqi and Libyan governments, borderless execution-by-drone campaigns, discriminatory domestic police practices, dragnet surveillance, and countless other acts of state impunity.

The way we process the potential cognitive dissonance between our professed ideals and our actual behavior under the banner of freedom’s supposed defense is simply to ignore things as they really are.

They hate us for our freedom, screech the bald-eagle memes, and so we must solemnly fight on. But what, beneath the official rhetoric of permanent fear, explains the collective inability of the national security overlords to imagine a future of peace?

Incentives, for one thing. In a perverse but now familiar pattern, what we have come to call “intelligence failures” produce zero humility, and no promise of future remedies, among those charged with guarding us. Instead, a new array of national security demands circulate, which are always rapidly met. In America, the gray-haired representatives of the permanent security state say their number one responsibility is to protect us, but when they fail to do so, they go on television and growl. To take but one recent example, former defense secretary Donald Rumsfeld appeared before the morally bankrupt pundit panel on MSNBC’s Morning Joe to explain that intractable ethnic, tribal, and religious conflict has riven the Middle East for more than a century—the United States, and the West at large, were mere hapless bystanders in this long-running saga of civilizational decay. This sniveling performance came, mind you, just days after Politico reported that, while choreographing the run-up to the 2003 invasion of Iraq, Rumsfeld had quietly buried a report from the Joint Chiefs of Staff indicating that military intelligence officials had almost no persuasive evidence that Saddam Hussein was maintaining a serious WMD program. Even after being forced to resign in embarrassment over the botched Iraq invasion a decade ago, Rumsfeld continues to cast himself as an earnestly out-manned casualty of Oriental cunning and backbiting while an indulgent clutch of cable talking heads nods just as earnestly along.

And the same refrain echoes throughout the echelons of the national security state. Self-assured and aloof as the affluenza boy, the FBI, CIA, and NSA fuck up, and then immediately apply for a frenzied transfer of ever more money, power, and data in order to do more of what they’re already doing. Nearly fifteen years after the “Global War on Terror” began, the national security state is a trillion-dollar business. And with the latest, greatest, worst-ever terrorist threat always on the horizon, business is sure to keep booming.

The paradox produces a deep-state ouroboros: Successful terrorist attacks against the West do not provoke accountability reviews or congressional investigations designed to truly understand or correct the errors of the secret state. On the contrary, arrogant spies and fearful politicians exploit the attacks to cement and expand their authority. This permits them, in turn, to continue encroaching on the liberties they profess to defend. We hear solemn pledges to collect yet more information, to develop “back doors” to decrypt private communications, to keep better track of Muslims on visas, send more weapons to unnamed “rebel groups,” drop more cluster bombs. Habeas corpus, due process, equal protection, freedom of speech, and human rights be damned. And nearly all the leaders in both major political parties play along, like obliging extras on a Morning Joe panel. The only real disagreement between Republican and Democratic politicians on the national stage is how quickly we should dispose of our civil liberties. Do we torch the Bill of Rights à la Donald Trump and Dick Cheney, or apply a scalpel, Obama-style?

Safety Last

Both Democrats and Republicans justify Terror War abuses by telling the public, either directly or indirectly, that our national security hangs in the balance. But national security is not the same as public safety. And more: the things the government has done in the name of preserving national security—from invading Iraq to putting every man named Mohammed on a special list—actually undermine our public safety.

That’s because, as David Talbot demonstrates in The Devil’s Chessboard, his revelatory Allen Dulles biography and devastating portrait of a CIA run amok, national security centers on “national interests,” which translates, in the brand of Cold War realpolitik that Dulles pioneered, into the preferred policy agendas of powerful corporations.

Public safety, on the other hand, is concerned with whether you live or die, and how. Any serious effort at public safety requires a harm-reduction approach acknowledging straight out that no government program can foreclose the possibility of terroristic violence. The national security apparatus, by contrast, grows powerful in direct proportion to the perceived strength of the terrorist (or in yesterday’s language, the Communist) threat—and requires that you fear this threat so hysterically that you release your grip on reason. Reason tells you government cannot protect us from every bad thing that happens. But the endlessly repeated national security meme pretends otherwise, though the world consistently proves it wrong.

When it comes to state action, the most important distinction between what’s good for public safety (i.e., your health) and what’s good for national security (i.e., the health of the empire, markets, and prominent corporations) resides in the concept of the criminal predicate. This means, simply, that an agent of the government must have some reasonable cause to believe you are involved with a crime before launching an investigation into your life. When the criminal predicate forms the basis for state action, police and spies are required to focus on people they have reason to believe are up to no good. Without the criminal predicate, police and spies are free to monitor whomever they want. Police action that bypasses criminal predicates focuses on threats to people and communities that threaten power—regardless of whether those threats to power are fully legal and legitimate.

Nearly fifteen years after the “Global War on Terror” began, the national security state is a trillion-dollar business.

We can see the results of this neglect everywhere the national security state has set up shop. Across the United States right now, government actors and private contractors paid with public funds are monitoring the activities of dissidents organizing to end police brutality and the war on drugs, Israeli apartheid and colonization in Palestine, U.S. wars in the Middle East, and Big Oil’s assault on our physical environment. In the name of fighting terrorism, Congress created the Department of Homeland Security, which gave state and local law enforcement billions of dollars to integrate police departments into the national intelligence architecture. As a result, we now have nearly a million cops acting as surrogates for the FBI. But as countless studies have shown, the “fusion centers” and intelligence operations that have metastasized under post-9/11 authorities do nothing to avert the terror threat. Instead, they’ve targeted dissidents for surveillance, obsessive documentation, and even covert infiltration. When government actors charged with protecting us use their substantial power and resources to track and disrupt Black Lives Matter and Earth First! activists, they are not securing our liberties; they’re putting them in mortal peril.

Things weren’t always like this. Once upon a time, America’s power structure was stripped naked. When the nation saw the grotesque security cancer that had besieged the body politic in the decades after World War II (just as Harry Truman had warned it would) the country’s elected leadership reasserted control, placing handcuffs on the wrists of the security agencies. This democratic counterattack on the national security state not only erected a set of explicit protocols to shield Americans from unconstitutional domestic political policing, but also advanced public safety.

Mission Creeps

As late as the 1970s, the FBI was still universally thought to be a reputable organization in mainstream America. The dominant narrative held that J. Edgar Hoover’s capable agents, who had to meet his strict height, weight, and dress code requirements, were clean-cut, straight-laced men who followed the rules. Of course, anyone involved with the social movements of that age—anti-war, Communist, Black Power, American Indian, Puerto Rican Independence—knew a very different FBI, but they had no evidence to prove what they could see and feel all around them. And since this was the madcap 1970s, the disparity between the FBI’s glossy reputation as honest crusaders and its actual dirty fixation on criminalizing the exercise of domestic liberties drove a Pennsylvania college physics professor and anti-war activist named William Davidon to take an extraordinary action. On the night of the Muhammad Ali vs. Joe Frazier fight of March 8, 1971, Davidon and some friends broke into an FBI office in Media, Pennsylvania. They stole every paper file they could get their hands on. In communiqués to the press, to which they attached some of the most explosive of the Hoover files, they called themselves the Citizens’ Commission to Investigate the FBI.

Not one of the costly post-9/11 surveillance programs based on suspicionless, warrantless monitoring stopped Tsarnaev from blowing up the marathon.

When Davidon and his merry band of robbers broke into the FBI office, they blew the lid off of decades of secret—and sometimes deadly—police activity that targeted Black and Brown liberation organizers in the name of fighting the Soviet red menace. According to Noam Chomsky, the Citizens’ Commission concluded that the vast majority of the files at the FBI’s Media, Pennsylvania, office concerned political spying rather than criminal matters. Of the investigative files, only 16 percent dealt with crimes. The rest described FBI surveillance of political organizations and activists—overwhelmingly of the left-leaning variety—and Vietnam War draft resisters. As Chomsky wrote, “in the case of a secret terrorist organization such as the FBI,” it was impossible to know whether these Pennsylvania figures were representative of the FBI’s national mandate. But for Bill Davidon and millions of Americans—including many in Congress who were none too pleased with the disclosures—these files shattered Hoover’s image as a just-the-facts G-man. They proved that the FBI was not a decent organization dedicated to upholding the rule of law and protecting the United States from foreign communist threats, but rather a domestic political police primarily concerned with preserving the racist, sexist, imperialist status quo.

In a cascade of subsequent transparency efforts, journalists, activists, and members of Congress all probed the darker areas of the national security state, uncovering assassination plots against foreign leaders, dragnet surveillance programs, and political espionage targeting American dissidents under the secret counterintelligence program known as COINTELPRO. Not since the birth of the U.S. deep state, with the 1947 passage of the National Security Act, had the activities of the CIA, FBI, or NSA been so publicly or thoroughly examined and contested.

Subsequent reforms included the implementation of new attorney general’s guidelines for domestic investigations, which, for the first time in U.S. history, required FBI agents to suspect someone of a crime before investigating them. Under the 1976 Levi guidelines, named for their author, Nixon attorney general Edward Levi, the FBI could open a full domestic security investigation against someone only if its agents had “specific and articulable facts giving reason to believe that an individual or group is or may be engaged in activities which involve the use of force or violence.” The criminal predicate was now engraved in the foundations of the American security state—and the Levi rules prompted a democratic revolution in law enforcement and intelligence circles. It would take decades and three thousand dead Americans for the spies to win back their old Hoover-era sense of indomitable mission—and their investigative MO of boundless impunity.

False Flags

In the years following the 9/11 attacks, the Bush administration began Hoovering up our private records in powerful, secret dragnets. When we finally learned about the warrantless wiretapping program in 2005, it was a national scandal. But just as important, and much less discussed, was the abolition of Levi’s assertion of the criminal predicate. So-called domestic terrorism investigations would be treated principally as intelligence or espionage cases—not criminal ones. This shift has had profound, if almost universally ignored, implications.

Michael German, an FBI agent for sixteen years working undercover in white supremacist organizations to identify and arrest terrorists, saw firsthand what the undoing of the 1970s intelligence reforms meant for the FBI. And German argues, persuasively, that the eradication of the criminal predicate didn’t just put Americans at risk of COINTELPRO 2.0. It also threatened public safety. The First and Fourth Amendments, which protect, respectively, our rights to speech and association and our right to privacy, don’t just create the conditions for political freedom; they also help law enforcement focus, laser-like, on people who have the intent, the means, and the plans to harm the rest of us.

Think of it like this, German told me: You’re an FBI agent tasked with infiltrating a radical organization that promotes violence as a means of achieving its political goals—the Ku Klux Klan, for example. KKK members say horrible and disgusting things. But saying disgusting things isn’t against the law; nor, as numerous studies have shown, is it a reliable predictor of whether the speaker will commit an act of political violence. When surrounded by white supremacists constantly spouting hate speech, a law enforcement officer has to block it out. If he investigates people based on their rhetoric, his investigations will lead nowhere. After all, almost no white supremacist seriously intending to carry out a terrorist attack is all that likely to broadcast that intent in public. (Besides, have you noticed how many Americans routinely say disgusting things?)

Today, more than a decade after it shrugged off the Levi guidelines, the FBI conducts mass surveillance directed at the domestic population. But dragnet surveillance, however much it protects “national security,” doesn’t increase public safety, as two blue-ribbon presidential studies have in recent years concluded. Indeed, the Boston bombings, the Paris attacks, and the San Bernardino and Planned Parenthood shootings have all made the same basic point in the cold language of death. The national security state has an eye on everyone, including the people FBI director James Comey refers to as “the bad guys.” But despite its seeming omniscience, the Bureau does not stop those people from killing the rest of us in places where we are vulnerable.

The curious case of Boston Marathon bomber Tamerlan Tsarnaev demonstrates the strange consequences of sidelining criminal investigations for national security needs. In 2011, about eighteen months before the bombings, Tsarnaev’s best friend and two other men were murdered in a grisly suburban scene in Waltham, Massachusetts—their throats slashed, marijuana sprinkled on their mutilated corpses. These murders were never solved. But days after the marathon bombings, law enforcement leaked that they had forensic and cellphone location evidence tying Tamerlan Tsarnaev to those unsolved crimes. Not one of the costly post-9/11 surveillance programs based on suspicionless, warrantless monitoring stopped Tsarnaev from blowing up the marathon. But if the police leaks were correct in assigning him responsibility for the 2011 murders, plain old detective work likely would have.

If security agencies truly want to stop terrorism, they should eliminate all domestic monitoring that targets people who are not suspected of crimes. This would allow agents to redirect space and resources now devoted to targeting Muslims and dissidents into serious investigations of people actually known to be dangerous. It’s the only reasonable answer to the befuddling question: Why is it that so many of these terrorists succeed in killing people even though their names are on government lists of dangerous men?

After the terrorist attacks in November, the French government obtained greater emergency powers in the name of protecting a fearful public. Besides using those powers to round up hundreds of Muslims without evidence or judicial oversight, French authorities also put at least twenty-four climate activists on house arrest ahead of the Paris Climate Change Conference—an approach to squashing dissent that didn’t exactly scream liberté, and had nothing to do with political violence. As with the Boston Marathon and countless other attacks on Western targets, the men who attacked the Bataclan were known to intelligence agencies. In May 2015, months before the attacks in Paris, French authorities gained sweeping new surveillance powers authorizing them to monitor the private communications of suspected terrorists without judicial approval. The expanded surveillance didn’t protect the people of Paris. In France, as in the United States, the devolution of democratic law enforcement practice has opened up space that’s filled with political spying and methods of dragnet monitoring that enable social and political control. This is not only a boondoggle for unaccountable administrators of mass surveillance; it also obstructs the kind of painstaking detective work that might have prevented the attacks on the Bataclan and the marathon.

Our imperial government won’t ever admit this, but we must recognize that the best method for stopping terrorism before it strikes is to stop engaging in it on a grand scale. Terrorist attacks are the price we pay for maintaining a global empire—for killing a million Iraqis in a war based on lies, for which we have never apologized or made reparations, and for continuing to flood the Middle East with weapons. No biometrics program, no database, no algorithm, no airport security system will protect us from ourselves.

University Essex launches Human Rights, Big Data and Technology project - 20160302

University Essex launches Human Rights, Big Data and Technology project - 20160302

Are big data and technology threats to human rights?

The ESRC-funded ‘Human Rights, Big Data and Technology’ project maps and analyses the challenges and opportunities presented by the use of information and communications technology (ICT) and big data from a human rights perspective.

Modern computing methods, in particular so-called big data technology, constitute a paradigm shift in how we interact and communicate. However, as underscored by the Edward Snowden revelations, the collection and analysis of big data poses a risk to privacy. These revelations are part of a much bigger picture in which state surveillance and near ubiquitous non-state “soft-surveillance” occur on a routine, daily basis. This poses threats across a broad spectrum of rights, including to liberty, freedom of expression and equality and non-discrimination.

However the same technologies that potentially threaten rights also provide opportunities for their enhanced protection. For example, social media provides a platform for better documentation of human rights violations. Additionally, technology can demonstrate the effectiveness of rights-shaped policies in areas such as health promotion in order to influence resource allocation and budgets.

Edward SnowdenSnowden's revelations are part of a much bigger picture.

Drawing on the wide range of expertise of its interdisciplinary researchers and partner organisations, the project considers whether fundamental human rights concepts and approaches need to be adapted to meet the rapidly evolving technological landscape. The work also brings together practitioners in the fields of human rights and technology, international internet governance, the UN, technology industries, and academics, to assess existing regulatory responses and the need for reforms in order to maximise effective human rights protection.

This project is innovative in its holistic examination of the ways in which the use of ICT and big data both threaten rights and offer opportunities to strengthen their protection and implementation. Through this wide lens, the project will establish the need for a fundamental re-assessment of the theory and practice of human rights and will advance approaches to regulation in a constantly changing technological world.

Why your government doesn’t want you on a strict privacy diet, and what you can do about it - Open Democracy 20140806

Why your government doesn’t want you on a strict privacy diet, and what you can do about it - Open Democracy 20140806

As Snowden’s revelations have had little impact on our online habits, expecting national governments or the EU to stand up against electronic surveillance misses the point.

Flickr/Frédéric Poirot. Some rights reserved.

Individual responsibility is a dead-end

While the Snowden revelations have sent an unprecedented shockwave across the world, most of us have gone back to our old habits, checking our Gmail account with the morning coffee, making phone calls from our smartphones and occasionally browsing through Facebook looking for the odd or funny status update. Even though we know Google, Apple, Facebook and several other companies will hand that data directly to the NSA, and that the NSA is very likely to trade it in bulk with several European intelligence agencies. We now know for sure that our lives are tracked, and that every single one of our online clicks and keystrokes slowly builds a more detailed profile of us in the databases of intelligence agencies and advertising corporations in the US and in every member state of the European Union. Yet we do not really care and go on with our lives like nothing happened.

At the individual level, we already have several answers as to why this might be the case. Low digital literacy, the complexity of encryption, the habit of using easy to use commercial software as opposed to privacy-oriented yet more difficult one (compare Max OSX to Linux or TAILS, Internet Explorer to the TOR Browser) certainly matter. But more importantly, the problem of mass digital surveillance appears to have slipped in our subconscious.

Like a famous study in social psychology, we are behaving similarly to the inhabitants living near a nuclear plant. Although we are the most aware of the potential dangers of a radiological leak or a nuclear explosion that would severely hurt us and our families, we lead our lives convinced that nothing wrong can happen. In fact, the more we are made aware of the danger, the more confident we have become in the government’s reassurances that everything is under control, and that our privacy is not in danger. Comparisons with the dark days of East Germany’s secret police, the Stasi or Romania’s Securitate do not really work. There are no direct consequences of mass surveillance on our daily lives, so why should we really bother?

What should be done then? The main message that appears to emerge from Snowden’s interviews and Glenn Greenwald’s media interventions is the moralistic insistence on the individual responsibility of every one of us to ensure that we protect our data adequately. While we fully agree with these prescriptions, this bears the risk of ending in the long list of New Year’s resolutions, alongside with the promises to eat healthier foods, drink less and exercise more often. We might however also ask ourselves why it is that there is not more public outrage and mobilization around this issue. Where are the marches, demonstrations, the flash-mobs against mass surveillance? Why are there no more institutionalized and government-backed initiatives to put us on a stricter privacy diet, along with our five vegetables a day?

The EU is the master of its own problems

These questions are particularly salient in Europe. Publicly, François Hollande, Angela Merkel and several other European leaders were “shocked” and “appalled” by the revelations. In the meantime, we are now very aware of the fact that European intelligence services actively collaborated with the NSA and GCHQ, collecting themselves as much data as possible in order to gain bargaining power in the transatlantic intelligence-sharing cooperation game. This has been shown by some of us in a study for the European Parliament, and confirmed by the Moraes Report from the same institution. If not national governments, then whom should we expect to take measures?

The European Union has raised some hopes, through the activity of some key MEPs within the Committee on Civil Liberties of the European Parliament. The LIBE Committee conducted an enquiry on mass surveillance, asking critical questions to the European Commission and the representatives of the Union’s member states. The European Parliament, in turn, has been one of the few institutions to organise a hearing with Edward Snowden. These expectations are raised by the role that some within the European Union (EU) institutions have played in the past regarding previous occurrences of mass electronic interceptions, chiefly in the disclosure of the ECHELON programme. Yet this picture is misleading.

Thinking of the European Union as separate from national governments does not make much sense indeed. European states are member states. As such, their representatives participate on a daily basis in how the EU formulates its policies, and in turn EU policies are part of what national governments in member states do on a daily basis: Berlin, London, Paris or Rome are in Brussels as much as Brussels is present in national capitals. As we have argued elsewhere, the EU in this view is the master of its own problems.

The practice of mass surveillance underscores the limits of the existing and forthcoming EU data protection legislation, in particular with regard to data processing for law-enforcement and national security purposes, data processing by third countries, and cooperation in data processing between security and intelligence services and private service providers. National security, incidentally, is the only area of the founding Treaties establishing the Union where EU competence is explicitly ruled off.

Objectionable EU policies have also been formulated with regard to electronic surveillance. In April of this year the European Court of Justice (ECJ), prompted by the Irish High Court and the Austrian Constitutional Court, found the EU data retention directive adopted in 2006 to be invalid. The directive harmonised member state legislations on the retention by telecommunications operators of traffic and location data and their access by ‘competent national authorities’. It was found by the Court to constitute a particularly serious interference with the rights to privacy and data protection. The decision of the ECJ, incidentally, led the UK government to pass the emergency ‘DRIP’ legislation that extends rather than curtails the scope of data retention powers for UK authorities.

Some reactions from top EU policymakers after the Snowden revelations are telling in this respect. Viviane Reding, now former vice-president of the Commission and EU justice commissioner, argued in November 2013 for theestablishment of an EU intelligence service by 2020 “so we can level the playing field with our US partners”.

National security is a misnomer

Expecting the EU to counter national governments then, or national governments to stand up against electronic surveillance is missing the point. What the NSA revelations show is that state surveillance and national security are to some extent misnomers. Surveillance is not exercised exclusively by “the state”, national security is not ensured exclusively at the national level.

So how does the picture look like from this perspective? On the one hand, we should think of the surveillance apparatus as a loose coalition of institutions, bureaucracies and corporations that function as a network both within and across national borders. More often than not, professionals working within these networks have more interests in common than they do with other civil servants from their own state. In other words, the French external intelligence agency (DGSE), which does much of the bulk data collection work in France, has more interests in common with the GCHQ or even the NSA than it does with the French data protection authority CNIL.

These networks work together and reinforce each other: the GCHQ, for example, is known to have actively trained DGSE officials to lobby the French government in order to get more institutional and legal powers. These alliances are sometimes institutionalized and public, as in the UKUSA Agreement (also known as the “Five Eyes”, which include the UK, the US, Canada, Australia, New Zealand), sometimes less known (such as Alliance Base, which includes the UK, the US, Canada, France, Germany and Australia since 2001).

Who is on the other side, and who has the potential to keep these networks in check? The courts are certainly one possibility, but it should not be overstated. As noted by some, the abovementioned decision of the ECJ on the data retention directive does not rule out mass surveillance and in fact sets out “unusually detailed guidelines for the legislature” to adopt a data retention instrument compatible with fundamental rights. Parliamentary supervision and oversight by independent bodies (such as the CTIVD in the Netherlands, or the Intelligence and Security Committee of Parliament in the UK) do exist, but have proved to be limited if not supportive of surveillance measures (the case of the UK DRIP law comes again to mind). The search for support points within the EU institutions, in any case, is limited.

In addition to these institutional options, three factors might contribute to a change in practices of mass surveillance: a gradual change in public opinion, an evolution in technology, and a challenge to the current business model (this means both the rise of free software and an increased offer of paid services relying on a subscription rather than free services financed by advertising - Google’s current model). As such, change in the direction of more privacy might come from a loose coalition of actors with divergent agendas but a common interest in privacy: privacy-minded political movements; the free software, open source, hacktivist community and private entrepreneurs. If the environmentalist movement can serve as an example, it is possible to imagine the diffusion of a demand for privacy from a small core of political activists to the broader society, in particular through open-source or easy-to-use paid software.

The development of recent initiatives and the renewed popularity of old initiatives aimed at guaranteeing more privacy, such as the Mozilla Foundation(Firefox browser, Thunderbird mail client), the DuckDuckGo search engine, or the new services from the Dark Mail Technical Alliance (founded by the owners of Silent Circle and the defunct Lavabit), and ProtonMail (an encrypted mail initiative launched by MIT and CERN scientists) supports this hypothesis. While these activists and entrepreneurs were largely ignored until not long ago, the Snowden revelations have contributed to diffuse their concerns and to popularize their combination of technological and political commitment. These changes might, in the long run, alter Europe’s national and supranational institutions more than anything else.

A clear-eyed look at mass surveillance - Open Democracy 20140725

A clear-eyed look at mass surveillance - Open Democracy 20140725

The Snowden revelations on mass surveillance practices, especially by the US and UK, have triggered a global struggle over the right to privacy—and a report by the outgoing UN human-rights commissioner has set the terrain for the next phase.

What have the US and UK done in the past year to rein in mass surveillance? For the millions of global internet users, the answer is: not much. Despite worldwide outrage and debate, US talk of safeguards and reform has brought half-measures at best. The UK government has refused to answer the most basic questions about its intelligence gathering practices—and, in an astounding act of hubris, rushed through a law last week which extends surveillance powers.

The actions of the US and UK stand in stark contrast to a groundbreaking and forceful report released last week by the UN high commissioner for human rights, Navi Pillay, about privacy in the digital age. Many of her findings directly challenge US and UK arguments defending secret, mass surveillance.

Pillay found that mass surveillance was “emerging as a dangerous habit rather than an exceptional measure”. She said unchecked snooping could harm a range of human rights, including freedom of expression and association. The onus was on governments, she said, to demonstrate that their practices were necessary and proportionate. In other words, spying on everyone because you can doesn’t mean you should.

Pillay’s report followed sustained action from privacy advocates and a group of countries, led by Germany and Brazil, to press the US and UK to stop mass surveillance and safeguard the privacy of people around the world. Germany and Brazil, along with Austria, Liechtenstein, Mexico, Norway, and Switzerland, had led the drafting of the December 2013 UN General Assembly resolution calling for the high commissioner’s report—a resolution which the US and UK pushed, somewhat successfully, to water down.

Germany and Brazil’s continued leadership is crucial for keeping digital privacy on the UN human-rights agenda and driving real reform at the national level. The report will only strengthen their hand if they pursue a UN resolution on privacy later in 2014. Privacy advocates also need to scrutinise the practices of individual governments for conformity with the high commissioner’s recommendations. This is vital, not only in the face of US and UK inaction but also because many other countries are expanding their own electronic-surveillance capabilities. Unless mass surveillance becomes a global outlier, rather than the norm, privacy will disappear in the digital age.

A human-rights scorecard

Pillay’s report provides the clearest and most authoritative account to date of what the right to privacy requires—and an implicit rebuke of the US and UK’s deeply flawed defences. Privacy advocates and governments should use it as a scorecard for assessing protection of the right to privacy in all countries, starting with the US and UK.

Surveillance must be proportionate and necessary for a legitimate aim

The report applies the basic standards of international human rights law, which apply to interference with the right to privacy as with other rights: any intrusion must be necessary and proportionate to a legitimate aim, such as protecting national security or a similarly compelling state interest.

The revelations of the past year raise serious, unanswered questions about the necessity and proportionality of the US and UK surveillance practices. According to documents released by the former US National Security Agency contractor Edward Snowden, the US and UK have been intercepting the information of potentially millions of people, the vast majority of whom have no connection to terrorism or wrongdoing, as data flow along transatlantic fibre-optic cables.

In a recent analysis of a sample of intercepted communications, the Washington Post found that 90% of accounts swept up in NSA surveillance were not intended targets. Notably, US law allows the collection without a warrant of foreign communications which merely “relate to the foreign affairs of the US”—an extremely broad category. A recent opinion by the former internet-freedom director in the State Department, John Napier Tye, points out that US surveillance occurring outside its territory is subject to even fewer restrictions on the scale of collection, supporting concerns that US practices are excessively broad.

The US and UK governments contend that to find a needle in a haystack security agencies must collect the haystack. This approach seems in direct conflict with the principle of proportionality articulated by the high commissioner.

The US has taken almost no steps to curtail the scale and scope of information which the NSA can acquire about non-US persons outside the country. In January, in response to global outrage, the president, Barack Obama, announced new limitations on retention and use of information gathered through surveillance but did little to limit what could be gathered to begin with. The UK has refused to answer questions about the scale of its data-collection practices but what has been disclosed confirms what many had feared: not only is snooping happening on a mass scale but existing laws do little to protect privacy rights.

The onus is on governments to show their surveillance practices are not disproportionate—and so far the US and UK have failed.

Governments must respect everyone’s right to privacy

The high commissioner made clear that countries should respect the right to privacy, regardless of the nationality or location of those affected.

The US however denies it has any human-rights obligations to internet users beyond its borders, despite calls as recently as March from the UN Human Rights Committee to respect the privacy rights of all, at home and abroad. While it has adopted some safeguards for non-US persons as a matter of policy, these don’t go far enough to limit the scale of information collected abroad.

The UK Regulation of Investigatory Powers Act 2000 (RIPA) allows for government surveillance on broad grounds, with no independent scrutiny, and provides scant safeguards for people outside the country. In the new law hastily passed last week the UK actually extended the reach of its interception powers under RIPA to foreign internet and telecommunications companies which service UK customers. The changes meanwhile do nothing to address the lack of safeguards for people outside the UK.

Shifts in digital communications have made it especially easy for the US and UK to conduct broad, systematic surveillance of people beyond their borders. One internet company can hold the data of hundreds of millions of people worldwide and its home government may attempt to assert legal control over those data. The internet’s infrastructure often results in email being routed through several, unrelated countries—particularly the US—before it reaches the recipient.

If all governments followed the US and UK approach, they would have limited ability to protect the privacy of their own citizens against extraterritorial snooping by other countries. There would be nothing left of the right to privacy online.

Mere collection has impacts on privacy

US and UK intelligence officials contend there is no harm to privacy if personal information is gathered but not examined. The high commissioner made clear, however, that merely collecting information could interfere with privacy, regardless of whether it was ever viewed or used. Even the possibility that information in communications would be captured interfered with privacy because of the “potential chilling effect on rights”, including those of freedom of expression and association.

The report went further to recognise that metadata—data about communications—can reveal highly sensitive information, especially when digitised on a large scale. Because metadata enjoy less protection than the content of communications under many countries’ laws, including those of the US and UK, stronger safeguards are needed.

Mandatory data retention is neither necessary nor proportionate

The high commissioner confirmed that mandatory data-retention requirements for technology companies are neither necessary nor proportionate.

The European Court of Justice ruled in April that the EU’s blanket data-retention mandate breached the right to privacy, making the UK’s implementing regulations unenforceable. Such mandates require internet and mobile service providers to retain all customers’ communications data for a set period. The court said the EU mandate flouted proportionality by invading everyone’s privacy, regardless of whether they were suspected of any wrongdoing.

Yet the UK’s new emergency regulations preserve the government’s ability to compel telecommunications firms to retain personal data about all users in the country, ignoring the European court’s concerns.

Transparency, oversight and remedy

The high commissioner cited a “disturbing lack of governmental transparency” around surveillance laws, policies and practices, hindering accountability for unlawful snooping. She called for much greater transparency and emphasised that surveillance could not be justified by secret laws or policies which granted authorities too much discretion. The report also called for greater oversight by all branches of government, including the judiciary, as a check against abuse.

Intelligence officials in the US cite multiple layers of oversight in the executive, legislative, and judicial branches to protect against privacy violations. Yet its secretive foreign-intelligence court, by design, plays a very limited role in safeguarding the rights of people outside the US who may be swept up in NSA surveillance. Members of congressional committees set up to oversee national-security surveillance have also admitted to being surprised by some aspects of the programmes Snowden revealed.

The US and UK governments contend that to find a needle in a haystack security agencies must collect the haystack.
In 2008, Human Rights Watch joined Amnesty International and other human-rights and labour organisations to challenge the constitutionality of one NSA programme. HRW was denied standing because it could not prove that it was under surveillance, effectively shielding US national-security surveillance policies from judicial review. The Snowden revelations may now prompt the court to reconsider its conclusion.

In the UK, oversight and accountability mechanisms have also proved inadequate to prevent abuse of surveillance powers. A person who believes one of the intelligence agencies has breached their right to privacy can file a complaint before the Investigatory Powers Tribunal, a judicial body. But if the tribunal does not uphold the claim it does not reveal whether the person’s communications were intercepted—and its decisions cannot be appealed.

The UK’s new surveillance law provides for an independent review of this entire area by May 2015, including issues of oversight, transparency and privacy. But parts of the independent reviewer’s report which the prime minister considered “contrary to the public interest or prejudicial to national security” might be excluded from the version presented to Parliament. While this review may be helpful, it should have been completed before the UK passed the new law—not afterwards.

Responsibilities of technology companies

The high commissioner said that technology companies which complied with government requests for surveillance assistance without adequate safeguards risked complicity in any resulting human-rights abuses. She said internet and telecommunications companies should assess whether their own data-collection and privacy practices could bring human-rights harm to their users, implicitly drawing a connection between company data-collection practices and government access to data which companies hold.

In response to the Snowden revelations, technology companies have begun to reveal information about how governments are asking them to assist with surveillance. But much more scrutiny is needed to ensure that companies minimise the amount of data they collect from users in the first place, as a critical safeguard against government access to personal data.

Next steps

The high commissioner is expected to discuss the report’s findings during the UN Human Rights Council session in September and to formally present the report at the coming session of the General Assembly.

The report has armed Brazil, Germany and privacy activists worldwide with the ammunition to counter the flawed US and UK defences of mass surveillance. Brazil, Germany and their allies should ensure that any UN resolution they pursue directly incorporates the report’s recommendations and findings in the strongest language possible. They should resist any efforts to weaken the standards the report so soundly articulates and should reinforce the high commissioner’s call to countries to review immediately their national law and practice to ensure full conformity with international human-rights law.

Another resolution, however is just a first step.

The Snowden revelations focused on the surveillance practices of only a handful of countries. While many governments expressed outrage about snooping by the NSA and its British counterpart, GCHQ, many also may have privately responded with envy. Though few can match the resources of the NSA or the GCHQ, governments worldwide are expanding their own digital-surveillance capabilities.

In just one example, Human Rights Watch documented how the Ethiopian government had acquired mass-surveillance equipment, enjoying thereby nearly unfettered access to intercepted mobile calls. The government has used surveillance, under the pretense of anti-terrorism efforts, to silence political dissent and harass critics.

Digital surveillance is also going to get cheaper and more efficient. Protecting the right to privacy online requires sustained scrutiny of government surveillance practices worldwide.

International human-rights bodies have paid insufficient attention to the impact of surveillance on human rights. The Human Rights Council should create a dedicated special procedure—an independent expert for the right to privacy—to take the report’s recommendations forward. The expert should examine national surveillance programmes, identify best practices to protect privacy and make recommendations for meaningful national reforms.

What does mass surveillance do to Human Rights? - Open Democracy 20140512

What does mass surveillance do to Human Rights? - Open Democracy 20140512

Where such mass, weakly targeted surveillance techniques have been used in Europe, the Human Rights Court has found them inconsistent with the right to respect for privacy. Mass surveillance is by definition arbitrary.

There is on-going interest and surprise at the extent of mass surveillance which various governments, the US in the form of the NSA, the UK in the form of GCHQ and others, have been carrying out.

The confirmations by both the US and UK governments that everything has been carried out in accordance with their national law has only resulted in profound questions regarding the nature of the laws which permit these activities and whether they actually conform to internationally recognised standards of certainty and accountability which any government act must have in order to qualify as a law.

The Snowden revelations regarding mass surveillance have not only had very substantial political repercussions over 2013 and into 2014, but have also raised profound legal questions as a result. So many of these are issues and questions of great importance for democracies. A former member of the European Parliament commented at a conference in Brussels on April 3, 2014 that every candidate in the May 2014 European Parliament elections is conscious of the chilling effect that mass surveillance has had on them personally.

The fact that every email they have sent, every photo they have forwarded by email, is available to the intelligence service of a foreign country has a chilling effect on freedom of expression. Who can be sure that something which they casually put into a personal email could not be used to contradict one of their election promises, or some photo that they sent could not be used to compromise their probity as representatives? We cannot afford to underestimate the impact of mass surveillance on the correct operation of democracy.

Two interconnected but separate human rights issues arise as regards mass surveillance. The first, which is the most fundamental but the most frequently ignored, is the right of every person to respect for his or her private and family life. The second, which is generally the subject of more substantial political and media noise is the duty of states to protect personal data. Those political actors who have an interest in promoting the legality of mass surveillance usually put forward two arguments. The first is that national and international security is always an exception to both the duty of every state to respect people’s privacy and the duty to protect personal data. This is the most trenchantly defended of arguments as when this one falls away, those actors seeking to justify mass surveillance find themselves on very weak legal ground indeed. The second is that states’ obligations to protect personal data are subject to very different rules and requirements according to the political preferences of different states. Thus as there is no harmonization of the specific rules as to what is acceptable data protection internationally, states which are exercising their national and international security prerogatives only need to fulfil their own national data protection rules.

Before engaging directly with the arguments and examining how political actors dissatisfied with them have responded, let us very briefly clarify the relationship of the right to respect for privacy with that of data protection. The right to respect for a person’s privacy is an overarching international human right. It is found in Article 12 of the UN’s Universal Declaration of Human Rights (1948) and its legal form is found in the UN’s International Covenant on Civil and Political Rights (1966). Any interference with the privacy of a person must first and foremost be subject to the consent of that person. The right to consent or refuse use of personal data belongs to the individual not the state.

Where the state seeks to interfere with that right and to collect and use personal data which constitutes an intrusion into the privacy of the person concerned, such an interference must be justified by the state authorities. First it must be permitted by law and that law must be sufficient clear and public that everyone can know what it is and how to adjust their behaviour accordingly. Any exception permitted by law to a human right must be interpreted narrowly. It must have a legitimate objective and be necessary to achieve that objective only. There must be no alternative, which would be less intrusive into the life of the person which could instead be used. There must be judicial oversight of any state interference and a person affected by an interference must have access to justice to challenge that interference.

Mass surveillance by its very nature is not targeted at any person specifically, thus the possibility to justify the interference with the privacy of any person individually is an exceedingly difficult task. Where such mass, weakly targeted surveillance techniques have been used in Europe, the Human Rights Court has found them inconsistent with the right to respect for privacy. Mass surveillance is by definition arbitrary.

States’ duty to protect data arises from the person’s right to respect for his or her privacy. Where states interfere with people’s privacy, they must fulfil strict rules to justify that interference. This gives rise to the obligation of data protection. The duty to protect personal data arises when personal data is being used by state or private actors and is designed to ensure that the use is consistent with the individual’s right to respect for his or her privacy. It is for this reason that there are many different types of regime of data protection depending on the country one examines. How states go about protecting data is for them to determine: the key is that personal data must be protected because the individual has a right to respect for his or her privacy. The content of the human right to respect for privacy of the person is not variable.

The political struggle

Moving then from the state of human rights to the political struggle regarding mass surveillance, clearly the US authorities are faced with a dilemma in international human rights law, an area of which they have always been rather wary. The 1950s approach to international human rights law was to claim that the instruments do no more than set out 'principles' and are not ‘real’ law in any significant way and are certainly not available for people to rely upon. This political position has been undermined by the development of very precise international obligations, the establishment of Treaty Bodies with jurisdiction to receive and adjudicate on complaints by individuals regarding alleged breaches of their international human rights and the embrace of international human rights law by national courts. The 'principles' approach to international human rights law is no longer tenable. It is a figleaf deployed occasionally by states seeking to act arbitrarily.

As the Snowden revelations rose up the scale of international issues, a number of states, primarily led by the Brazilian and German authorities began to address the issue of how to deal with US mass surveillance and the interception of communciations. There was much discussion about bilateral negotiations and unilateral action (for instance, building new cables which avoid US territory) etc. However, it rapidly became evident that bilateral and unilateral approaches were not going to be satisfactory. In Europe, the fact that the UK authorities were carrying out mass surveillance for their US counterparts and others (the so-called Five Eyes) yet were not only members of the Council of Europe but also of the European Union, was only one example of the problem of unilateral or bilateral approaches. Clearly, only multilateral efforts were likely to bring results, where the weight of the USA and some of its collaborators could be counterbalanced by a loose alliance of other states. As soon as the issue is defined in this way, the obvious venue to commence a response is at the UN General Assembly and the territory on which to prepare the response is international human rights obligations – the prohibition of arbitrary interference with people's privacy.

This is the road which the Brazilian and German authorities have followed. By August 2013, moves were afoot for a resolution of the General Assembly. Five non-governmental organizations were closely linked with the efforts, Access, Amnesty International, Electronic Frontier Foundation, Human Rights Watch and Privacy International also applied pressure for a strongly worded resolution. The Brazilian and German authorities were by no means alone in their efforts to achieve agreement over a UN General Assembly Resolution. Many smaller states, most notably Austria, Hungary, Liechtenstein, Norway and Switzerland but also others, very strongly supported the work from the beginning, even seconding staff to assist with the workload. The matter was assigned to the General Assembly’s Third Committee and it is there that the tense negotiations on the wording of the Resolution took place. A text was adopted on 26 November in the Third Committee and on 18 December 2013 it was adopted without a vote in the General Assembly of the UN.

The Resolution is based on the right to respect for privacy in the Universal Declaration and the ICCPR with specific reference to the prohibition on arbitrary interference. It ties the right to privacy to the right to freedom of expression – if people are subject to mass surveillance they are no longer able to express themselves freely. The preamble to the Resolution insists on the negative impact that surveillance and the interception of communications, including extraterritorial surveillance and interception, on a mass scale, has on the exercise and enjoyment of human rights. The Resolution calls upon states to respect the right to privacy and prevent violations; to review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection with a view to upholding the right to privacy and ensuring the full and effective implementation of all their obligations under international human rights law and to establish or maintain independent, effective domestic oversight mechanisms capable of ensuring the transparency and accountability of a state’s actions.

United Nations High Commissioner for Human Right, Navanethem Pillay.
United Nations High Commissioner for Human Right, Navanethem Pillay.

Most importantly, the Resolution directs the UN High Commissioner for Human Rights to present a report on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale and to report to the Human Rights Council in its twenty-seventh Session, in September 2014. The current High Commissioner, Navi Pillay, a South African jurist with a very impressive human rights career, was appointed to the post in 2008. She is no stranger to the problem of the right to privacy and mass surveillance, having already spoken on the subject at the Council in September.

The UN Human Rights Council (composed of 47 states elected by the General Assembly) has also already engaged with the issue. The matter was on the agenda of the twenty-fourth Session of the Council held in September 2013. The High Commissioner noted, at that meeting, that the threat which mass surveillance poses to human rights is among the most pressing global human rights situations today. Many state representatives present at that session had regard to the report of UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue on freedom of expression in the internet age (16 May 2011) which had already outlined many dangers of state surveillance and its impact on free speech.

What is perhaps surprising is that the September 2013 meeting of the Human Rights Council received so little press coverage. The meeting was well attended by state representatives and the discussions were incendiary in the condemnation of mass surveillance and interception of communications. Many state representatives attended the meeting with statements of condemnation of mass surveillance and interception of communications already prepared and agreed with neighbouring states on whose behalf they were mandated to speak.

While one might well expect the German representative to present a text on behalf of Austria, Hungary, Liechtenstein, Norway, and Switzerland, it is perhaps less obvious that Pakistan, speaking on behalf of Cuba, Venezuela, Zimbabwe, Uganda, Ecuador, Russia, Indonesia, Bolivia, Iran, and China, would also present an agreed text condemning the practices. While the counter move particularly in respect of this second set of countries is usually to attack them on the basis of their internal practices of surveillance and suggest, if not accuse, them of hypocrisy, the fact of the intervention nonetheless must be noted and the possibility that a group of states with serious disagreements among themselves would choose common ground on this subject.

The next step will be for the High Commissioner for Human Rights to prepare and present her report to the Human Rights Council in September 2014. Undoubtedly, her team will be presented with substantial amounts of information, evidence and legal argument to assist in the writing of the report.

In the meantime, our data continues to be hoovered up in industrial quantities. Private sector actors tell us that it is now cheaper to store data than to delete it – a potentially game-changing factor in the economics of mass surveillance. The compatibility of mass surveillance with human rights is already a matter of urgent concern. It is in all our interests that the UN continues its review of the compatibility of these practices with internationally agreed human rights standards.

This paper is based on a contribution to the article, 'After Snowden, rethinking the impact of surveillance' as part of a feature on Mass Surveillance co-authored with Zygmunt Bauman, Didier Bigo, R J B Walker, Vivienne Jabri and Paolo Esteves, to appear in the forthcoming issue of International Political Sociology, 2 (2014).

What will it take to end mass surveillance in the EU? - Open Democracy 20140723

What will it take to end mass surveillance in the EU? - Open Democracy 20140723

As European governments refuse to act on the issue of mass surveillance, it becomes clear that the fight against organised snooping on our private lives must take place at the EU rather than national level.

MEPs support asylum for Snowden. Flickr/greensefa. Some rights reserved.
MEPs support asylum for Snowden.

When the media reports containing startling revelations about the scale and scope of electronic surveillance conducted by the US National Security Agency (NSA) appeared in June 2013, Europe’s response was mixed. It quickly became clear that while European officials and Members of the European Parliament took the revelations and their impact on fundamental rights very seriously, no such response was forthcoming from national governments.

Many European politicians were justifiably outraged over the continuing flood of revelations about the US’ pervasive electronic surveillance programmes since June 2013. It rapidly became clear that the NSA programmes had swept up the communications of countless innocent European and other citizens without recourse against violations of privacy and freedom of expression rights.

Given the importance of the privacy rights established in the Charter of Fundamental Rights of the EU, which include an explicit right to the protection of personal data, the EU institutions’ actions were appropriate. The treaties that underpin the EU’s authority further emphasise that the Union’s international relations must be “guided by” basic democratic principles and respect for human-rights laws.

However, the same treaties that mandate that the EU consider human rights when conducting its foreign affairs also tie the Union’s hands when it comes to the regulation of national-security matters. The Treaty on European Union provides that “national security remains the sole responsibility of each Member State,” meaning that the Union cannot legislate in this area. Furthermore, the treaties explicitly deprive the Court of Justice of the EU (CJEU) of jurisdiction over cases involving a Member State’s efforts to safeguard its internal security. This means that even if the Union were to attempt to adopt measures restricting secret surveillance, those measures would very likely not be enforceable (as secret surveillance is assumed to be conducted for reasons of national security).

The European Commission responded immediately to the Snowden revelations and demanded clarification about the surveillance activities from US authorities. An EU-US dialogue was rapidly set up, but EU Member States were quick to curtail the EU-US discussions to exclude intelligence and national security matters – the sole responsibility of national governments.

Meanwhile, the European Parliament acted quickly and set up an inquiry into the electronic surveillance allegations, to be conducted by the Civil Liberties Committee (LIBE). CDT was the first civil society organization to give evidence to the inquiry, in September 2013. In our testimony to the inquiry we called for a trans-Atlantic process to develop a comprehensive understanding of the criteria that states should apply to government surveillance, especially where national security surveillance is concerned. We said that countries must bring greater transparency, proportionality and oversight to their electronic surveillance practices. Human rights principles, laid down in the European Convention on Human Rights and the International Covenant on Civil and Political Rights must be better respected in both jurisdictions, and an agreement on privacy between the two sides should be reached. This agreement should clearly define what constitutes adequate government access to data.

While the surveillance revelations exposed significant details about US surveillance programmes, they also revealed that many European states are employing similar tactics, even if on a smaller scale. Many recall that French President Hollande vocally called for an immediate stop to US spying on Europeans, but quickly muted his tone when the bulk collection programme of French intelligence was revealed. Similarly in Germany, NSA spying was a campaign issue during the September 2013 elections, and some politicians argued that EU-US trade talks should be suspended because of NSA practices. However, the revelations also demonstrated that German intelligence programmes were as technically advanced and invasive as those of the NSA, and that the two countries run electronic surveillance in close cooperation. In the UK, the government was not particularly shy about its massive surveillance capabilities, but insisted that there is proper oversight that fully respects citizens' privacy.

The European Parliament inquiry resulted in a resolution adopted in March 2014. The resolution is non-binding, but not irrelevant. It is an important political statement and it included several sensible recommendations. Notably, it demands an end to the bulk collection of data – echoing demands made by both private companies and civil society groups. Further, it calls on a number of Member States to bring their intelligence surveillance laws and practices into line with European and international human rights norms. It also proposed setting up a high-level group at European level to monitor progress. The parliamentary inquiry clearly demonstrated that the privacy problems associated with the surveillance practices could not be reduced to a simple ‘US agencies are spying on European citizens’ narrative. Expanding government access to citizens’ data, opaque and obscure laws, and insufficient judicial and democratic oversight are international problems, requiring international solutions

However, European governments have neither responded to the Parliament’s recommendations, nor to demands put forward by European civil society groups. In fact, several countries such as France and the UK have taken stepsto strengthen surveillance capabilities through legislative or administrative means.

There have been repeated calls by civil society groups and others for enhanced transparency about the ways by which European governments access personal data. These efforts were discussed at a recent ‘Transparency Summit’ co-hosted by CDT. European communications companies are increasingly publishing information about the mechanisms through which government agencies obtain access to their infrastructure.

Civil society groups should continue to file requests for information, and companies should redouble their efforts to inform their customers and users about government access to their data, and insist that the Member States comply promptly and meaningfully with data access requests.

However, at present, the information published about surveillance practices remains insufficient to create the necessary political pressure, and no government in Europe is being challenged seriously by its opposition on surveillance issues. In Germany, the public and political reactions to the surveillance revelations have been stronger than in other European countries. But even there, the larger issue—indiscriminate surveillance of ordinary citizens—did not generate the strongest response. Instead, it was the allegations of US spying on the German government and state institutions that generated most embarrassment and controversy.

Notwithstanding all of these challenges, attempts are being made to fight over-intrusive intelligence surveillance through litigation. Some civil society organizations have brought challenges against secret surveillance practices before their national courts; one example is a case that British, American and Pakistani NGOs have just argued before the UK’s Investigatory Powers Tribunal, claiming that GCHQ is not legally empowered to engage in mass communications surveillance. Litigants in the national courts, however, often face constraints that severely hinder their ability to present their cases, including (among other problems) an inability to view classified documents or a prohibition on pleading the case in open court.

Therefore, the real power to bring the intelligence agencies to account lies in cases brought at European level. The European Court of Human Rights (ECtHR) not only has by far the best-developed case-law of any international court where secret surveillance is concerned, it also does not face the competence restrictions that the CJEU does—it’s free to consider the compliance of national security-related matters with human rights (and frequently does so). In the post-Snowden era, litigants in the UK, Hungary, and Estonia have already brought cases before the ECtHR that challenge various aspects of secret surveillance; the UK case, Big Brother Watch and Others v. the United Kingdom, is especially significant since it arose directly from the Snowden revelations.

The CJEU, too, may have a role to play in this respect, notwithstanding the treaty-based restrictions on its jurisdiction over national security matters (see above). For example, the pending case of Schrems v. Data Protection Commissioner, which the Irish High Court recently referred to the Court, essentially raises the issue of whether national Data Protection Authorities in Europe have the power to examine if US-based internet service providers such as Facebook have the ability—in light of the NSA’s widespread and large-scale activities—to protect users’ privacy rights.

It is too early to tell if the different legal challenges will be successful. But clearly, the status quo is untenable. There are currently no European standards for electronic surveillance for national security: on oversight, judicial review, storage, data minimization, sharing etc. Citizens have no way to know if their communications are intercepted by an intelligence agency, or if it has been shared with another. Companies that provide communications and internet-based services across Europe and globally will continue to face conflicting legal mandates from different countries, and encounter difficulties in regaining users’ trust in the services they provide.

Here is an ironic situation. After all the ire and outrage expressed by European Union officials and MEPs about US spying on European citizens, we may face a situation where we know more about US surveillance than we do about European programmes. It may be that the judicial oversight and legal safeguards that apply to the NSA–insufficient as they may be–are better than those governing European intelligence agencies. This is an unusual state of affairs indeed.

Europe has a very active and relatively powerful human rights court that has set reasonably clear and firm standards for secret surveillance. And yet, EU Member States remain as intransigent as ever, and the prospect of meaningful public debate and reform of electronic surveillance schemes remains distant. One would think that the current state of affairs might be so embarrassing for European politicians who like to boast about Europe leading the world in protection of personal data, that they would take action.

In reality however, it is more likely that it will take a court judgment that is so clear and unambiguous that it leaves governments no alternative but to rein in electronic surveillance.

Challenging the era of mass surveillance - Open Democracy 20140806

Challenging the era of mass surveillance - Open Democracy 20140806

Protecting our fundamental rights against the destructive effect of mass surveillance is an essential task that should engage us all.

Disaffected NSA field station in Teufelsberg, Germany. Flickr/Koen Colpaert. Some rights reserved.
Disaffected NSA field station in Teufelsberg, Germany. Flickr/Koen Colpaert.

In just one month in 2013 the US National Security Agency (NSA) collected 97 billion pieces of intelligence from computer networks worldwide. It has snooped on 500 million German data connections–to the outrage of German nationals. The UK undertakes similar work, as Edward Snowden revealed. Our GCHQTempora programme neatly sidestepped national legislation to intercept transatlantic fibre-optic data cables on a mammoth scale.

Liberty's Shami Chakrabarti has pointed out that states tend to have a broader license to snoop abroad than at home, so we are seeing a subcontracting out of their dirty work to others, who can then claim to be protecting their own citizens. So where do universal human rights come into play?

The right to privacy and the right to protection by law against such interference are contained in Article 12 of the UN Declaration of Human Rights and are further elaborated in the UN Covenant of Civil and Political Rights. Article 8 of the European Convention on Human Rights concerns the right to private and family life–all EU Member States are parties to the Convention and the EU is negotiating its own participation. It is also included and expanded in the EU's Charter of Fundamental Rights:

Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority. (Article 8)

Since the Lisbon Treaty’s entry into force in 2009, the Charter forms a legal basis for EU law. If EU citizens are to benefit from these fundamental rights, protection is necessary.

Can the EU strengthen and better protect these rights?

As reactions to the Snowden revelations show, the EU has an important role to play. It may be the most effective level at which to protect the privacy and data protection of European citizens. Recent EU-level events offer some positive signs.

The European Parliament’s (EP) own Committee of Enquiry on the US NSA Surveillance programme, adopted in March 2014, is a comprehensive response to the NSA scandal. There are two strong strands that link to current debates.

Firstly, the long-standing concern the EP has had about the comparative weakness of the USA’s Data Protection system compared to that of the EU. The EP has repeatedly challenged the Commission (at times in the European Court of Justice) about the adequacy of agreements reached, on Passenger Name Records (PNR) for example. The EP has also called for the suspension of the Terrorist Finance Tracking Programme (TFTP) as a response to the NSA scandal and a lack of clarity about whether the NSA gained access to SWIFT financial messages. It’s a clear statement that if governments really want to co-operate on anti-terrorism measures, they need to respect the data privacy of citizens.

The EP report also makes the point that concerns about USA Data protection standards could threaten the Trans-Atlantic Trade and Investment Partnership (TTIP). As part of the TTIP negotiations the US has proposed an e-commerce chapter to increase levels of EU-US online trade of services and products. This inevitably means greater and freer data flows - and the collection and use of EU citizens' data by US companies primarily used to complying with US law. Greens think this is one of the many reasons to oppose TTIP, but for the EP as a whole to take this warning position is remarkable.

The EU is currently aiming to update and strengthen its own legislation via the Data Protection Regulation, which will regulate how companies handle the personal data of EU citizens. Rapporteur Jan Albrecht MEP's draft legislation received very strong Parliamentary approval in March 2014. Key provisions include the need for these companies to receive explicit permission before processing personal data or transferring it outside the EU, and non-compliance fines of up to EUR 100 million or 5% of global turnover (whichever is greater). The Regulation still needs to be agreed by Member States before becoming EU law. Pressure needs to be brought to bear in every capital.

The second strong strand of the EP’s USA-NSA report concerns mass surveillance per se. The EP

[s]ees the surveillance programmes as yet another step towards the establishment of a fully-fledged preventative state, changing the paradigm of criminal law in democratic societies...often not in line with democratic checks and balances and fundamental rights. (Para 12)

A key question is how the EP and national governments will react to the striking down of the EU Data Retention Directive in April 2014 by the European Court of Justice. The legislation required telecoms companies to store phone or online communication records for at least six months and up to two years.

Greens in the European Parliament had always been opposed to the Directive and voted against it, as did the Liberal Democrats at the time, precisely because of its privacy and civil liberties impacts. The UK Labour Government pressed hard for the legislation to be adopted, using its EU Presidency to that end. Before the ECJ made its ruling on the case brought by Digital Rights Ireland, the Advocate General delivered his opinion. He was clear that the Directive was incompatible with the EU Charter of Fundamental Rights, specifically 'the fundamental right of citizens to privacy'.

This is a clear case of the EU bringing in bad legislation–but also of EU instruments being used effectively to overturn the legislation. It shows that the EU has the potential to protect our privacy and data protection rights, but only if those rights-based instruments are strong and mechanisms are robust. It’s also worth noting that the original Directive only needed the approval of national governments–now the EP would also be fully involved. It remains to be seen whether the UK's legislative response to the strike-down (‘emergency legislation in peace-time’ as one MEP described it) will be compatible with EU protections.

Other areas of concern voiced in the USA-NSA report concern oversight mechanisms. If data is increasingly being transferred across borders, are national oversight systems alone going to be effective, not only for commercial purposes but in terms of the continuing tension between human rights and security claims? It is increasingly clear that too many countries have deferential systems, unwilling or unable to challenge national security structures. The EP thinks we need greater co-operation at least. It is planning a major conference on the issue next year.

Challenging mass surveillance in the post-Snowden landscape

The Snowden revelations have changed the landscape. Snowden is a divisive figure, for whom US prosecution looms large. The Green Group in the European Parliament called for him to be given international protection in the EU and nominated him for the Sakharov Prize, the EU's annual award for 'freedom of thought'–but there was no majority. But whatever individuals may feel about him, there needs to be a response to the issues raised. The European Parliament has a responsibility to carry on the work it has started, but it cannot do it alone.

Many of the important cases are being raised by civil society and concerned journalists, who need space to do this. Big issues are being decided about the way in which we will live our lives, while our relationship to the state will increasingly be shaped by the technologies we use. Protecting our fundamental rights is an essential task and one that should engage us all.