Public reactions and press coverage
A Restore the Fourth rally was held in more than 80 cities and in every US state on 4 July 2013, with more than 10,000 people estimated to have gathered in protest against mass electronic surveillance. On 26 October 2013, a second Washington DC rally was staged by Stop Watching Us. Protests have been held in other parts of the world as well, both in support of Snowden and to protest against indiscriminate data collection by the NSA and its partners. Major online actions, The Day We Strike Back, and Reset the Net took place on 11 February 2014 and 5 June 2014.
In the months following the initial June 2013 revelations, there has been massive coverage of NSA surveillance programs, whistleblowers and privacy issues in the press. Media coverage of privacy issues has been significantly more extensive than in 2006, when news was buzzing about President Bush’s warrantless wiretapping program, Mark Klein’s testimony on AT&T cooperation with the US government and revelations of US access to SWIFT records since 9/11.
US legislative proposals, lawsuits and investigations
The two main sections of the US Code that enable the NSA surveillance programs are commonly referred to as Section 215 and Section 702.
Section 215 is part of the Patriot Act of 2001, Title II, which amends the Foreign Intelligence Surveillance Act (FISA) of 1978. This allows the FBI to apply to the FISA court for an order obliging third parties (including service providers such as Google, Yahoo or Facebook) to turn over “tangible things (including books, records, papers, documents and other items)” for investigations “to protect against international terrorism or clandestine intelligence activities.”
Section 702 is part of the FISA Amendments Act (FAA) of 2008, which gives “procedures for targeting certain persons outside the United States other than United States persons”. Although Section 702 does not allow for targeted collection of US-person data, programs authorised under Section 702 have enormous databases that inevitably contain US-person data. NSA documents revealed by Edward Snowden have shown that the NSA has subsequently used these databases to allow itself to search for US persons and analyse their metadata.
In all, members of Congress have made close to thirty legislative proposals for reforming FISA and increasing transparency with respect to surveillance since June 2013. The initiative with most momentum was the USA Freedom Act, which was introduced by Rep James Sensenbrenner and Senator Patrick Leahy in October 2013 and attracted 152 co-sponsors. The original version of the legislation sought to restrict surveillance of US persons, promising to end bulk domestic metadata collection under Section 215 and place restrictions on the use of US persons’ data gathered under Section 702.
However, the version of the bill eventually approved by the House Judiciary Committee on 7 May 2014 included significant compromises, prompting the ACLU to note that, even if it became law, “further reforms will be necessary to bring government surveillance authority in line with the Constitution.” The version of the bill voted on by the House itself on 22 May 2014 was significantly weaker than even this compromse position – so much so that 76 of the original 152 co-sponsors of the USA Freedom Act actually voted against it. A new version of the Bill introduced in the Senate on 29 July 2014 initially received a warmer reception from civil liberties advocates.
Following closer analysis of the bill, a group of civil liberties advocates including NSA whistleblowers Thomas Drake and Bill Binney came out against it, writing in an open letter of 15 September 2014 that:
the USA FREEDOM Act has significant potential to degrade, rather than improve, the surveillance status quo. At best, even if faithfully implemented, the current bill will erect limited barriers to Section 215, only one of the various legal justifications for surveillance, create additional loopholes, and provide a statutory framework for some of the most problematic surveillance policies, all while reauthorizing the PATRIOT Act.
The bill eventually fell in a Senate vote on 18 November 2014. The White House has announced its intention to initiate similar legislation before the Patriot Act’s Section 215 authority expires in June 2015. In the meantime, a new bipartisan bill, the Surveillance State Repeal Act was introduced by Representatives Mark Pocan and Thomas Massie in March 2015 in anticipation of that same deadline, although it is thought unlikely to garner wide support.
On 19 June 2014, the US House of Representatives voted to defund two major NSA surveillance programs. The House banned searches of Americans’ communications without warrants under the Foreign Intelligence Surveillance Act and mandates for technological companies to facilitate electronic surveillance. The ban is an amendment to a defence appropriations bill and has yet to be replicated in the Senate.
At least seven constitutional suits have been launched in the US as a result of Snowden’s revelations. Of these, the petition of the Electronic Privacy Information Center to the US Supreme Court to have the Verizon FISA Court order vacated was denied on 18 November 2013. An Idaho district court reluctantly dismissed Verizon customer Anna Smith‘s challenge to the indiscriminate collection of her call data (Smith v Obama) on 6 June 2014. Other cases (among them First Unitarian Church of Los Angeles v NSA, Paul v Obama and Wikimedia v NSA) are still pending.
Two contrasting judgments issued in December 2013 – in Klayman v Obama and ACLU v Clapper – increase the likelihood that the US Supreme Court will eventually have to decide whether domestic metadata collection is compatible with the Fourth Amendment’s prohibition of “unreasonable searches and seizures.” On 16 December, in the first of those two judgments, Judge Richard Leon ruled that the collection of metadata was “almost Orwellian” and “probably unconstitutional.”
On 7 May 2015 the Second Circuit Court of Appeals ruled that bulk phone metadata collection was illegal, but on the basis that Section 215 of the Patriot Act did not provide the basis for it, rather than on constitutional grounds. “The text of section 215”, the court ruled, “cannot bear the weight the government asks us to assign to it.” Edward Snowden welcomed the ruling as “a radical sea change in the level of resistance that the United States government has faced thus far.”
Hearings in these cases and their appeals are ongoing. On 28 August 2015, the DC Circuit Court of Appeals overturned Judge Richard Leon’s ruling of December 2013, but on standing grounds rather than a substantive consideration of the constitutional status of bulk collection. After parties were added to the proceedings who were customrs of Verizon Business Services and therefore documented to be the subject of metadata collection, Judge Leon ruled on 9 November 2015 that the NSA programme was indeed unconstitutional and that collection of the records of those suing the government should cease.
Internal US reviews and investigations
Three investigations into surveillance programs and capabilities have been announced in the US since June 2013. The Privacy and Civil Liberties Oversight Board (PCLOB), originally created in response to a recommendation by the 9/11 Commission report, has issued a letter to Attorney General Eric Holder and Director of National Intelligence James Clapper requesting updated procedures and guidelines on privacy and civil liberties protections. The PCLOB has no subpoena powers and no authority to obtain information. The Board’s report was published on 23 January 2014, a week after President Obama’s major speech on the NSA, and called for an end to the bulk collection of domestic metadata.
The PCLOB’s second report, published on 1 July, took a more forgiving approach to the collection of data under Section 702 while acknowledging that “certain aspects of the Section 702 program push the entire program close to the line of constitutional reasonableness.” The Board’s reasoning has been criticised.
Chair of the Senate Select Committee on Intelligence Dianne Feinstein also announced a series of hearings to take place to review NSA surveillance programmes.
On 12 August 2013 President Obama announced an “independent group” to review “capabilities, particularly our surveillance technologies… how we can maintain the trust of the people, how we can make sure that there absolutely is no abuse in terms of how these surveillance technologies are used, [and] ask how surveillance impacts our foreign policy”. The Review Group issued its report on 18 December 2013. Obama made his formal response in a speech of 17 January 2014, in which – while acknowledging that “surveillance technology and our reliance on digital information is evolving much faster than our laws” – he proposed very modest changes to the way the NSA handles domestic metadata. Further small changes announced on 3 February 2015 still leave many Review Group recommendations untouched.
UK Intelligence and Security Committee inquiry
The Intelligence and Security Committee (ISC) is a committee of Parliamentarians appointed by the British Prime Minister to oversee the activities of the UK intelligence community. On 17 October 2013 the ISC announced that it was broadening the scope of its inquiry into “the legislative framework governing the intelligence agencies’ access to private information”. The ISC had already concluded on 17 July 2013 that the GCHQ’s alleged circumvention of UK law through use of the NSA PRISM program was “unfounded”, but their October press statement acknowledged that it was “proper to consider further whether the current statutory framework governing access to private communications remains adequate”. The ISC had begun to hear testimony, in closed session, in May 2014, followed by three “open evidence sessions” in October.
The ISC’s independence and ability to adequately scrutinise Britain’s security services was the subject of sustained criticism during a House of Commons debate on 31 October 2013. Liberty, Privacy International and Big Brother Watch have said that the ISC investigation is “deeply flawed.” On 7 November 2013 the ISC held an unprecedented public hearing with GCHQ Director Sir Iain Lobban and the heads of the two other UK intelligence agencies. It later emerged that all questions had been agreed in advance. On 9 May 2014, the House of Commons Home Affairs Select Committee published a report that was highly critical of the UK’s system of surveillance oversight, the official reaction to Edward Snowden’s revelations and the ISC in particular.
The ISC report, published on 12 March 2015, clears the UK’s intelligence agencies of wrongdoing, but calls for a new Act of Parliament to regulate GCHQ, MI5 and MI6. The ISC report reflects a new consensus in the UK that a new law is required – this clearly would not have happened without the contribution of Edward Snowden.
With the passage of the Data Retention and Investigatory Powers Act in July 2014, the UK’s independent reviewer of terrorism legislation, David Anderson QC, has also been asked to conduct an inquiry into surveillance powers and their regulation. David Anderson has previously warned about the dangers of the UK’s expansive definition of terrorism. He is due to report before May 2015.
Dutch CTIVD inquiry
On 4 July 2013, the Dutch Parliament requested that the Review Committee on the Intelligence and Security Services (CTIVD) conduct an inquiry into the activities of the Dutch security services GISS and DISS. The conclusions of the inquiry were published in March 2014 and are also available in English. The Committee found that, while there was no systemic failure on the part of Dutch agencies, powers were being used in ways not forseen by legislators, that privacy protections were insufficient and some actions of the services were unlawful. The Committee also recommended that relationships with international agencies that involve the sharing of raw data be reviewed.
Brazil Senate investigates NSA spying in Brazil
An Investigative Parliamentary Commission was formed by the Brazilian Senate on 3 September 2013. The committee has 180 days to investigate claims involving NSA surveillance of Brazil, particularly the communications of President Rousseff and her top aides. During the committee’s first meeting an application for federal protection of journalist Glenn Greenwald and his partner David Miranda was approved. Greenwald and Miranda have been subject to harassment and threats for their involvement and reporting on NSA surveillance.
European Parliament Civil Liberties Committee investigates electronic surveillance
An overwhelming vote in the European Parliament initiated an in-depth investigation into US surveillance operations and European cooperation with US intelligence agencies. The investigation was handled by the Committee on Civil Liberties, Justice and Home Affairs (LIBE), which held 15 public hearings. At the beginning of 2014, the inquiry voted to invite Edward Snowden to give testimony via videolink. Snowden had previously given a statement to an earlier inquiry hearing, presented by Jesselyn Radack from the Government Accountability Project. Edward Snowden confirmed that he would be happy to give further testimony to the Inquiry, which was delivered in writing and published in March 2014. The Committee’s report was adopted by the European Parliament on 12 March 2014, but amendments aimed at guaranteeing European protection for Edward Snowden did not pass.
Australian Senate inquiry into revision of the Telecommunications Act
On 12 December 2013, the Australian Senate approved a motion to refer a review of the 1979 Telecommunications (Interception and Access) Act – which was heavily modified after 11 September 2011 – to the Legal and Constitutional Affairs References Committee. This was the latest of several attempts by the Australian Greens to launch an inquiry into surveillance in Australia and the motion eventually passed without government support. The Committee is currently taking written submissions and will hold hearings before it is due to report on 10 June 2014. In March 2014, it was reported that the Greens intended to call Edward Snowden as a witness.
German Bundestag launches NSA Investigation Committee
Folllowing months of negotiations, on 14 March 2014 SPD deputy Christine Lambrecht announced that the German Bundestag would be launching an official committee of inquiry (Untersuchungsausschuss) into allegations of NSA surveillance in Germany. The inquiry, said Lambrecht, would also seek to determine what reforms were necessary to ensure the privacy of German citizens’ electronic communications. The Committee of Inquiry held its first hearing on 3 April 2014. The committee was initially chaired by Clemens Binninger, who also chairs the Parliamentary Control Commission responsible for overseeing the German intelligence services. Binninger resigned less than a week in, expressing his opposition to Edward Snowden being called as a witness.
The committee duly voted to invite Edward Snowden to give public testimony on 8 May 2014. Nevertheless, the prospect remains highly controversial, with the German government going to considerable lengths to try and prevent Edward Snowden travelling to Berlin. On 1 August, Glenn Greenwald announced that he would not testify before the committee unless it found “the courage to do what it should obviously do – interview Snowden in person, on German soil, regardless of how the U.S. Government would react.” The issue was brought to Germany’s Constitutional Court. The case, brought by Germany’s 127 Green and Die Linke MPs and members of the NSA Investigation Committee, argued that the federal government is “obliged legally to create the possible conditions for the examination of the witness Edward Snowden.” On Friday 12 December, the Constitutional Court declined to hear the case.
On 3 July 2014, the Investigation Committee heard testimony from NSA whistleblowers Bill Binney and Thomas Drake. On the following day, it was announced that a BND employee had been arrested – reportedly on suspicion of selling information about the Committee’s activities to the United States. On 7 July unnamed US officials confirmed the CIA’s involvement and a second suspected US spy in Germany was being questioned. The affair has provoked widespread outrage on both ends of the political spectrum in Germany and, on 10 July, the German government expelled the CIA chief of station. In September, AP reported that the impact of the scandal had been felt on CIA operations across Europe.
While there has been criticism of the restricted disclosure of documents to the Investigation Committee – and the heavy redaction of documents that have been handed over – the work of the Committee has already added to our understanding of mass surveillance as it has been conducted in Germany. In October 2014, Suddeutsche Zeitung, together with WDR and NDR revealed that not only did the German security services tap Europe’s largest internet exchange for the NSA, they passed on their own citizens’ data to the US agency. This reporting, which implies gross breaches of German law and by-passing of parliamentary oversight mechanisms, was based on documents requested by the Investigation Committee. Subsequent testimony has confirmed the findings. On 16 October, Peter Altmaier from the Geman Chancellor’s office warned that he would consider initiating legal action if there were further leaks from “persons unknown.”
On 2 February 2015, Die Zeit reported that the BND collects 220 million metadata records a day. Die Zeit‘s investigation was based in part on public testimony delivered to the inquiry. In the same week, it was reported that the UK was threatening to end its cooperation with the BND if documents were provided to the inquiry, a move which members of the investigatory panel have interpreted as an attempt to intimidate their inquiry.
In April 2015, Der Spiegel reported that the committee had found that the BND had provided signals intelligence to the NSA matching tens of thousands of search terms – including those relating to German interests and those of its European allies. According to Die Zeit the agency failed to alert its government oversers to the fact this was happening, for fear of dangering ongoing intelligence sharing arrangements. Germany has reportedly moved to limit its transfer of internet data to the NSA as a result of the scandal but a lack of record keeping means that the full extent of the BND’s cooperation may never be known. It has been speculated that the head of the BND will be forced to resign over the scandal, which opinion polls show has threatened the credibility of German Chancellor Angela Merkel.
WikiLeaks has published transcripts from the inquiry’s first ten months of unclassified hearings, together with summaries of each hearing in English.
Council of Europe prepares reports on whistleblowing and mass surveillance
The Parliamentary Assembly of the Council of Europe (PACE), which comprises 318 members of national parliaments drawn from the Council of Europe’s 47 member states, has appointed Dutch parliamentarian Pieter Omtzigt to prepare reports on mass surveillance and whistleblowing, to be delivered before the end of 2014. The PACE Committee on Legal Affairs and Human Rights held a first hearing on 8 April, at which Edward Snowden gave evidence by video link. A second hearing on whistleblower protection was held on 24 June 2014 and Edward Snowden again testified live by videolink.
The draft mass surveillance report, which was debated and approved by the Council of Europe’s Legal Affairs Committee on 27 January 2015 condemns the practice as a violation of fundamental freedoms, finding the UK in particular to be in breach of the European Convention on Human Rights.
UN to investigate GCHQ spying on climate negotiations
Following the revelation that GCHQ had targeted successive international climate summits, embedding intelligence agency employees within their diplomatic delegations, on 3 November 2014 UN Secretary General Ban Ki-moon said that he would launch an investigation. Previous reporting based on documents in the Snowden archive has shown that the NSA also disseminated signals intelligence information about governments’ negotiating positions at the 2009 Climate Change Summit in Copenhagen to departments within the US government.
New Zealand Greens lodge complaint with Inspector General
Following the revelation of New Zeland’s full take collection in the South Pacific, on 6 March 2015 that country’s Green Party lodged an official complaint with the office responsible for overseeing the GCSB, the Inspector General of Intelligence and Security. The complaint alleges that the GCSB is violating the law by monitoring New Zealanders’ communications, a point that was effectively conceded by former GCSB director Bruce Ferguson, who stated that excluding these records would be “mission impossible”. On 26 March 2015, the Inspector General Cheryl Gwyn announced that she would indeed be launching an inquiry.
International legal challenges
NGOs file claims with UK Investigatory Powers Tribunal
Privacy International filed a claim with the Investigatory Powers Tribunal (IPT) on 8 July 2013. Claims have also been filed by Amnesty International, the ACLU, Pakistan-based Bytes for All, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties and the Legal Resources Centre. The IPT, set up under the Regulation of Investigatory Powers Act 2000 (RIPA), is the only domestic forum that considers complaints against UK intelligence agencies. The tribunal’s ability to be truly independent of those it oversees has been questioned. The IPT usually hears cases in secret and is not required to make the reasons for its decisions public. Its decisions cannot be appealed in any UK court.
The three claims note that while UK authorities must comply with RIPA if they intercept domestic calls, there is no legal regime preventing UK authorities soliciting the same data from US authorities who have been intercepting communications of non-US persons. The complaints contend that absence of such safeguard breaches Articles 8 and 10 of the European Convention on Human Rights (ECHR) – the rights of privacy and free expression. The claims also challenge the interception of data on fibre-optic cables (Tempora) and the sharing of that data with US authorities. The claims were heard in an open hearing on 14 -18 July 2014; which appear to have been followed by a number of closed sessions.
On 5 December 2014, the IPT ruled that GCHQ’s interception of fibre optic cables could be legal in principle. A second ruling in the same case on 6 February 2014 found that, prior to the disclosure of secret policies forced by the case, GCHQ was acting illegally. While the ruling will not change GCHQ practices going forward, this is the first time the IPT has ever ruled against the UK intelligence services.
In June 2015, the IPT found that GCHQ had unlawfully spied on Amnesty International and the South African Leal Resources Center, but did not confirm that the communications from the two groups, or the other eight human rights groups party to the case were part of those unlawfully shared by NSA to GCHQ.
In September 2015, Human Rights Watch brought a case before the IPT on that specific issue of whether records were unlawfully shared between NSA and GCHQ.
Privacy International and the other NGOs involved in the case lodged an appeal against the December ruling with the European Court of Human Rights in April 2015. Earlier cases brought against the UK at the Strasbourg court were adjourned so that the IPT hearings could go ahead first; as of November 2015 that adjournment was lifted.
Four further claims have been lodged with the IPT. On 4 May 2014 it was announced that the Green Party’s two UK Parliamentary representatives, Caroline Lucas MP and Baroness Jones of Moulsecoomb, had lodged a complaint about their communications being surveilled under Tempora. This breach of Parliamentary privilege would be in contravention, not only of ECHR Articles 8 and 10, but also of the Wilson Doctrine that no Parliamentary communications should be intercepted. The British Government confirmed in July 2013 that the Wilson Doctrine applied to electronic communications and that it was still in force. On 22 October 2014 another UK MP, George Galloway of the Respect Party, announced that had launched legal proceedings at the IPT on this issue.
In October 2015, the IPT ruled that, contrary to a long series of Parliamentary assurances, the Wilson doctrine “is not enforceable in English law” but “a political statement in a political context, encompassing the ambiguity that is sometimes to be found in political statements.”
On 13 May 2014, Privacy International announced that it had filed a second legal complaint with the IPT. Privacy International argues that GCHQ’s use of hacking tools is overly invasive, enabling “covert, complete, real-time physical and electronic surveillance, as well as historical surveillance, of everything that person does, sees and says.” This, argues Privacy International, is conducted without clear legal authority on an enormous scale and in breach of Articles 8 and 10. In anticipation of the judgment in this case, the UK Home Office published its “draft equipment interference code of practice” for hacking operations on 6 February 2015. Moreover, just before the IPT hearings began in May 2015, the UK Government revealed that legislation had been introduced, without consultation, in order to protect GCHQ from prosecution. The IPT’s ruling, issued on 12 February 2016, found that GCHQ’s conduct had been within the law, based on the content of those documents released during the course of legal proceedings. The IPT also endorsed the use of thematic warrants, that could apply to enormous numbers of people, for instance whole cities.
A third complaint, lodged by seven ISPs and Privacy International with the IPT on 2 July 2014, challenges GCHQ’s targeting of internet service providers like Belgacom in order to gain access to network infrastructure. In a blog post announcing the action, Privacy International explained that “while the claimants were not directly named in the Snowden documents, the type of surveillance being carried out allows them to challenge the practices in the IPT because they and their users are at threat of being targeted.” Documents released ahead of this case being heard at the IPT in December 2015 show that there is minimal oversight over GCHQ’s hacking operations, both in the UK and overseas.
On 16 February 2015, Privacy International invited individuals to participate in a joint application to the Investigatory Powers Tribunal to ask if their records were unlawfully shared with GCHQ by the NSA. The IPT later clarified that individuals and groups would have to submit their own applications; Privacy International have produced an online platform to generate an application for submission to the IPT.
Following Max Schrem’s successful Europe vs Facebook challenge at the European Court of Justice, Kevin Cahill is trying to challenge the use of PRISM in the UK. In January 2015, he brought a case to the Investigatory Powers Tribunal arguing that two police forces and the Information Commissioner’s Office had failed to investigate his complaints. Two IPT judges ruled that while they could not order other public authorities to start an investigation, they could write and request that they consider doing so.
In June 2015, Privacy International launched a legal challenge at the IPT to the British government’s use of bulk personal datasets, databases that contain population-scale records. Disclosure in this case revealed a shockingly casual attitude to the use of these databases – MI6 employees were cautioned against using the UK travel database for filling in their expense claims. On 17 October, the Investigatory Powers Tribunal found that bulk personal datasets had been used illegally for over a decade.
Proceedings in these cases and others have forced the disclosure of GCHQ policies on data sharing, computer network exploitation, social media and legal privilege. These policies confirm details in reporting based on the documents Edward Snowden disclosed.
UK surveillance challenged in the European Court of Human Rights
A legal challenge was filed in the European Court of Human Rights (ECtHR) against the UK government by Big Brother Watch, Open Rights Group and English PEN, together with German internet activist Constanze Kurz in October 2013. The challenge (Big Brother Watch and Others v United Kingdom) asks the court to declare unrestrained surveillance by the UK government to be a breach of the rights and privacy of internet users under the European Convention on Human Rights (ECHR). It also challenges the adequacy of UK oversight provisions under the Convention.
A legal opinion commissioned by UK Parliamentarians in early 2014 suggests that currrent UK law may indeed be incompatible with the ECHR.
In January 2014, it was announced that the court was fast-tracking the case and had asked the UK government to show how its practices complied with the law. The UK government had until May 2014 to file its response.
In a separate legal challenge, on 9 September 2014 Privacy International announced that it would be challenging GCHQ’s blanket exemption from the UK’s Freedom of Information Act. Privacy International argues that there is a particular public interest in disclosure of the UKUSA Agreement and any subsequent documents that set out the ground rules for the Five Eyes alliance.
Following the news that UK police had obtained the phone metadata of journalists reporting on an ongoing police scandal in order to determine their sources, on 12 September 2014 the Bureau of Investigative Journalism (TBIJ) filed a case at the ECHR challenging the lack of protections for journalists and their sources in the UK’s surveillance procedures. At present, British police and public bodies make around half a million metadata (communications data) requests a year, without the need for any kind of further authorisation.
Like Big Brother Watch & Others v United Kingdom, the court has designated the TBIJ case a “piority” and the two cases will likely be heard in tandem. As of 20 January 2015, the court had completed its initial investigation and asked the UK government for its response, which it has to give by 6 May.
This notwithstanding, the various cases against the UK at the ECtHR were adjourned to allow for domestic challenges at the Investigatory Powers Tribunal. The first phase of these had concluded by December 2015 and the UK government had until 21 March 2016 to file a formal response with the Strasbourg court.
In September 2016, the ACLU, Amnesty, Privacy International and seven other NGOs launched a direct challenge to bulk data collection at the European Court of Human Rights in Strasbourg. The suit challenges the UK’s interception and collection of data from undersea cables with landing sites in the country and the sharing of bulk data collected “upstream” in the United States, arguing that the collection of data on this scale represents an unacceptably broad interference with the right to privacy guaranteed under Article 8 of the European Convention.
British Columbia Civil Liberties Association challenges constitutionality of Canadian surveillance
The British Columbia Civil Liberties Association (BCCLA) has filed a lawsuit against the Communications Security Establishment Canada (CSEC), arguing that CSEC surveillance activities violate the Charter of Rights and Freedoms protection against unreasonable search and seizure, as well as infringe upon freedom of expression. The lawsuit was filed at the British Columbia Supreme Court on 22 October 2013.
Dutch challenge to sharing of bulk data
On 6 November 2013 a coalition of Dutch individuals and organisations filed a suit against Ronald Plasterk, the Dutch Minister of the Interior. The organisations that are a party to the case include the Dutch Association of Criminal Defense Lawyers (NVS), the Dutch Association of Journalists (NVJ), the Internet Society Netherlands and the Privacy First Foundation. Citizens v Plasterk challenges the sharing of information gathered by the NSA in bulk with the Dutch intelligence service AIVD, on the grounds that the sharing is used as a means of circumbenting domestic privacy laws. In a 23 July 2014 judgment, the District Court in The Hague ruled that, while this possibility could not be excluded, exchange of bulk data with foreign intelligence services could not be jeopardised due to the “overriding importance of national security”. The ruling is being appealed.
La Quadrature du Net challenges French surveillance laws
On 19 Feburary 2015, La Quadrature du Net announced that it was launching a legal challenge against a French government administrative decree on access to metadata, which was passed at the end of 2014. The surveillance provisions of the 2014-2019 Military Planning Act, which was passed by executive decree, was widely interpreted as an attempt to put long-standing practices on a legal footing. La Qaudrature du Net is joined in its challenge by the FFDN federation of non-profit ISPs.
Europe v Facebook
Austrian law student Max Schrems launched a class action against facebook to test whether EU data protection laws are really enforceable in practice. The initial challenge consisted of 22 complaints filed with the data protection commissioner in Ireland, where Facebook’s European headquarters is based. One of these complaints, concerning Facebook’s cooperation with the PRISM programme, was rejected by the Irish Data Protection Commissioner in July 2013.
The PRISM complaint was then being pursued at the European Court of Justice, the court in Luxembourg that ultimately rules on issues of EU law. A hearing on 24 March 2015 focused on whether PRISM was anticipated in Europe’s safe harbour privisions. The court’s ruling, in October, found that safe harbour was illegal and PRISM a violation of Europeans’ fundamental rights. National data protection authorities across the EU are now obliged to examine complaints against facebook seriously, but the European Commission itself has failed to develop an effective replacement for its discredited safe harbour arrangements.
Complaints concerning US violation of local privacy laws
In mid-July 2013 the International Federation for Human Rights and the Human Rights League filed a complaint with the Public Prosecutor of the Tribunal de Grande Instance in Paris, which hears civil cases not assigned to any particular jurisdiction. The complaint asserts that the recently revealed NSA programs may have violated several French privacy laws under the French Criminal Code, including “fraudulent access to an automated data processing system, collection of personal data by fraudulent means and wilful violation of the intimacy of the private life”. On 28 August 2013 the Prosecutor’s office in Paris said it had launched a preliminary investigation following the complaint, which would determine if there is enough evidence for a formal investigation.
A formal complaint was filed in Hesse, Germany in June 2013. The German Federal Prosecutors’ Office confirmed that they were “looking into” whether NSA surveillance within Germany had violated any laws protecting German citizens. Although the Prosecutors’ Office spokesperson said that more criminal complaints surrounding this issue were likely, they did not indicate whether a formal investigation would be launched. There was renewed speculation in early 2014 that the Public Prosecutor may launch a formal investigation into a separate complaint that the NSA surveilled Angela Merkel’s phone, speculation that was confirmed in June. At his annual press conference on 11 December 2014, prosecutor Harald Range confirmed that an investigation was ongoing.
On 3 February 2014, the Chaos Computer Club and the International League for Human Rights announced that they had lodged a further complaint with the German Federal Prosecutors’ Office, together with a request that Edward Snowden be called as an expert witness in any resulting legal action.
In December 2013, the Swiss government approved a request from the Federal Prosecutor’s Office to open a criminal investigation into allegations of espionage by the US and other countries in Switzerland. Chief Federal Prosecutor Michael Lauber told the Swiss newspaper Zentralschweiz am Sonntag that it would be difficult for him to make progress on the investigation without Edward Snowden’s participation and that this would need to happen “in person.” In September 2014, the Swiss press reported on a legal opinion from the country’s Attorney General that may open the way for Edward Snowden to safely travel to Switzerland to take part in this investigation.
In addition to this criminal investigation, the Swiss Federal Parliament has mandated the formation of a Commission of Experts to determine the country’s response to the Snowden revelations, although this has not yet started to take evidence.
In March 2015, Austria’s six parliamentary groups signed a resolution calling for action against NSA and GCHQ surveillance from the country’s government and at the European level. On 5 May Austria’s Interior Ministry announced that it had filed a criminal complaint against entities or persons unknown for “secret intelligence activities to the detriment of Austria.”
Franco-German defence and aerospace company Airbus announced on 30 April 2015 that it was initiating a criminal case against persons unknown following reports of US industrial espionage assisted by Germany’s BND. Luxembourg’s government followed suit in May.
Furthering transparency and public awareness
Declassification of Intelligence Community information
On 9 August 2013 President Obama gave a press conference addressing concerns over US surveillance programs. The President described steps he would take to ensure greater transparency, including setting up a Review Group to investigate how surveillance impacts foreign policy and asking the Intelligence Community to open as much information as possible to the public about its surveillance operations. As a result, numerous declassified documents have been released on a new Intelligence Community website. In particular, a number of documents, including FISA Court opinions related to Section 215 of the Patriot Act, were released following a long EFF lawsuit. Another substantial release was an October 2011 FISA Court opinion ruling that some of the NSA surveillance actions were unconstitutional. The release was also due in part to the EFF’s FOIA (Freedom of Information Act) initiative.
Motion requesting FISA Court (FISC) interpretation of Section 215
A June 2013 publication of a Verizon court order revealed that the company was ordered by FISC to give the NSA phone metadata for every call made in a three-month period. In response, the ACLU and Yale Law School’s Media Freedom and Information Access Clinic filed a motion requesting FISC’s interpretation of the meaning, scope and constitutionality of Section 215.
Public opinion polls
A number of recent polls questioned Americans about their views on the NSA, government protections of civil liberties, and whether NSA programs need to be reviewed. A Pew Research Center poll concluded that 56% of Americans think federal courts do not provide adequate limitation on what data the US government can collect. Another poll from Quinnipiac University found that 45% of voters felt the government had “gone too far” in restricting civil liberties in pursuit of anti-terrorism policies, whereas 25% of respondents to the same survey in 2010 selected “gone too far”. Quinnipiac University polling also shows that a growing majority of the US public views Edward Snowden as a whistleblower. Polling from the Economist/YouGov, the Guardian, Gallup and CBS all show similar results.
Tech industry impact
US companies complying with government requests for data have felt a financial blow in Snowden’s wake, as users switch to those more protective of their information. The financial impact has been felt most deeply in US companies’ trade overseas.
In August 2013, technology firm Forrester Research projected a 25% loss of industry revenue, about $180 billion. IBM said it is “spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe.” In November, Cisco Systems predicted a 10% revenue drop in its second fiscal quarter, citing NSA revelations in its difficulty to sell products abroad.
Other companies are capitalizing on users’ privacy demands and taking advantage of exposed companies’ losses. Runbox, an email provider in Norway, reported “a 34 percent annual increase in customers after news of the NSA. surveillance,” as the company prides itself on refusing to comply with foreign court orders.
Government and corporate rifts
Foreign governments, particularly US allies, are breaking with major corporations known to provide foreign users’ data to the NSA. In September 2013, Brazilian President Dilma Rousseff initiated a plan to avoid relying on US-based tech companies, such as Microsoft, after it was revealed that the NSA spied on her personally and Brazilians generally using Facebook and Google data. On 26 June 2014 the German government cancelled its contracts with Verizon, specifically citing privacy concerns emerging from the NSA revelations as the cause. China removed US suppliers including Cisco from its approved state purchases list in February 2015.
In response to these pressures, in January 2014 Microsoft announced its plan to move its data centers overseas and then asked the US government to keep search warrants within its own national borders. In March the same year, Yahoo similarly moved its headquarters to Ireland so that the British government could not force the company to hand over its data. Cisco has announced measures to reduce the impact of NSA interdiction.
Revelations about the NSA’s efforts to defeat encryption in September 2013 confirmed that the NSA manipulated the National Institute of Standards and Technology (NIST) 2006 standard, in particular the pseudorandom number generator Dual EC_DRBG. NIST issued a statement saying it would not deliberately weaken the cryptography standard, but did not deny the NSA’s involvement. On 14 July 2014, a NIST advisory group recommended that the body should be more sceptical of NSA advice in the future, advising that “NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted.” NIST asked for comments on a new proposed development process for cryptographic standards in January 2015.
These compromised standards found their way into commercial software. In September 2013, RSA Security warned its customers to stop using the default random number generator included in its BSafe toolkit and Data Protection Manager products. It later emerged that the NSA had paid RSA $10 million to make Dual EC_DRBG standard in its software. RSA’s Chief Technologist was quoted saying “We could have been more skeptical of NSA’s intentions.”
Responding to criticism, particularly from the mathematical community, NSA Director of Research Michael Wearsheimer wrote in January 2014 that “With hindsight, NSA should have ceased supporting the dual _EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor… In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable.”
Transparency reports of government orders
Google and Microsoft individually initiated petitions in June and July of 2013, requesting permission to publish information about national security requests they had received from the US government. Motions regarding the same issue were also filed at the FISA Court. Several rounds of negotiations between the two companies and the US Department of Justice continued over the course of the summer, throughout which the companies agreed to extend the government’s deadline for replying to the lawsuits. In September 2013 Google and Microsoft resolved to continue their litigation in the FISA Court, requesting an open hearing.
Following the result of Google and Microsoft’s negotiations with the US government, Yahoo and Facebook filed similar motions to the FISA Court to request disclosure of information on national security orders the companies have received. Linkedin and Dropbox followed suit a short time later.
On 27 January 2014 it was announced that a settlement had been reached and companies will now be able to report limited information about the FISA Court orders and National Security Letters they receive. In February 2014, Twitter’s Manager of Global Legal Policy wrote that the company felt that the disclosure rules were still inadequate and was considering further legal action. After several months of failed negotiations, Twitter launched a suit on First Amendment grounds on 7 October 2014.
The move towards partial transparency has been shared by telecommunications companies. On 6 June 2014, Vodafone published a law enforcement disclosure report explaining that its “customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws,” yet it cannot refuse to comply with government orders for data, because “governments can remove our licence to operate.” BT has refused to follow Vodafone, AT&T and Verizon in releasing its own transparency report.
Increased use of encryption
Snowden’s revelations have shown that tech companies were not doing enough to protect their users from passive surveillance. At his first live videolink appearance on 10 March 2014 at SXSW, Edward Snowden said that end-to-end encryption would be the way toward “making mass surveillance impossible at the network level.” While full end-to-end encryption remains a challenge, in the year after the first revelations were published we have seen the first industry moves in that direction.
On 3 June 2014, Google released the source code for a Chrome extension that would enable end-to-end encryption of emails sent in Gmail, which Yahoo has subsequently said it will also support. Google made encrypting its data center links a priority after reports showed that GCHQ was using these links as part of its upstream data collection. The EFF’s Encrypt The Web Report tracks the extent to which individual companies are implementing their security recommendations. In June 2014, eight companies – Google, Microsoft, Yahoo, Twitter, Facebook, Dropbox, Sonic.net and SpiderOak – were in the process of implementing all of EFF’s security recommendations and Yahoo was “implementing SSL encryption by default for all its services this year.” A number of news websites, including the New York Times, have pledged to move to https by the end of 2015.
This divide was highlighted in February 2015 when the CEOs of Google, Facebook and Yahoo declined to attend the President’s Cybersecurity Summit at Stanford University. Apple CEO Tim Cook, who did attend the summit, gave a strong defence of “privacy and security” in his keynote speech. Obama went on to acknowledge the tensions about encryption in a subsequent interview.
In September 2015, the New York Times reported that Apple had refused to subvert the end-to-end encryption on its iMessage system, after receiving a court order (the company did hand over other messages stored on iCloud, which were not encrypted).
Studies show that internet users are availing themselves of these new services and are more aware about how to encrypt their communications. According to broadband network equipment company Sandvine’s Global Internet Phenomena Report for 2014, before the Snowden revelations, “encrypted traffic accounted for 2.29 percent of all peak hour traffic in North America.” As Wired reports, that number jumped nearly 60% over the course of the year, with the equivalent figure by May 2014 being 3.8 percent: “But that’s a small jump compared to other parts of the world. In Europe, encrypted traffic went from 1.47 percent to 6.10 percent, and in Latin America, it increased from 1.8 percent to 10.37 percent.”
A 24-country survey carried out in late 2014 suggested that 60% of internet users had heard about Edward Snowden’s revelations and that, of those, 39% had taken steps to improve their online security and privacy as a result. A separate 2014 survey found a 34% increase in the use of encryption by businesses.
The Snowden revelations have also led to changes of policy from the international standards bodies. The Montevideo Statement on the Future of Internet Cooperation released on 7 October 2013 involved a notable response to NSA monitoring and surveillance revealed by Edward Snowden from organisations responsible for maintaining the technical infrastructure of the internet. The group consisted of leaders of all major internet organisations worldwide, including ICANN (the Internet Corporation for Assigned Names and Numbers), the Internet Engineering Task Force and the World Wide Web Consortium. The statement “expressed strong concern over the undermining of the trust and confidence of internet users globally due to recent revelations of pervasive monitoring and surveillance”.
On 14 November 2014, the Internet Architecture Board announced that it “now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic.” The move towards recommending ‘opportunistic encryption’ has been described as a “fundamental rethink” on the part of the organisation.
At the United Nations
In December 2013, the UN General Assembly adopted a joint German-Brazilian resolution calling for online privacy rights to be respected. Delegates from the Five Eyes intelligence sharing alliance succeeded in weakening some of the resolution’s key provisions, notably the link drawn between extraterritorial surveillance and human rights violations. In publishing the report on surveillance commissioned by the General Assembly on 16 July 2014, the UN’s senior human rights official Navi Pillay said “we owe a great deal” to Edward Snowden and suggested that the US should drop attempts to prosecute him.
The UN General Assembly adopted a second resolution, again drafted by Germany and Brazil, on the Right to Privacy in the Digital Age on 18 December 2014. A reference to metadata surveillance as an intrusive act was reportedly removed at the request of the US and its Five Eyes allies. Germany’s ambassador to the UN emphasised the call in the resolution for the UN Human Rights Committee to mandate a special rapporteur to monitor surveillance issues.
In October 2014, the UN Special Rapporteur on counterterrorism Ben Emmerson QC issued a report concluding that mass surveillance programmes “pose a direct and ongoing challenge to an established norm of international law” – namely, Article 17 of the UN’s International Convenant on Civil and Political Rights.
Germany and Brazil led an attempt to appoint a new UN Special Rapporteur on the Right to Privacy at the 28th session of the UN Human Rights Council. The Council voted unimously to adopt the resolution in March 2015 and Joseph Cannataci was appointed as rapporteur (an earlier candidate was rejected for being insufficiently critical of US surveillance) . The move was supported by 63 international human rights organisations and will lead to privacy violations being monitored and publicised at the international level on a more systematic and regular basis. In his first interview in the post, Cannataci – a professor of law at the University of Malta – called for a “Geneva Convention for the Internet”, saying that the situation with surveillance is worse than George Orwell envisioned in his novel 1984.
A third UN Special Rapporteur, David Kaye – whose mandate covers free expression – has prepared two reports which in part draw on the Snowden revelations, calling for international standards on encryption and the protection of whistleblowers.
In the European Union
A draft proposal for a new EU Data Protection Directive, to repeal and replace the existing one, was released in January 2012. The draft was voted on by the European Parliament in March 2014, although at present the Council of Ministers of the European Union has yet to reach consensus. While the European Parliament was considering the draft legislation, new information from media reports on US espionage since June 2013 proved to be influential, particularly with the initiation of an investigation by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) into mass electronic surveillance of EU citizens.
During the third hearing of the European Parliament’s LIBE Inquiry into mass electronic surveillance of European citizens, the Terrorist Finance Tracking Program (TFTP), which allows the US access to certain SWIFT records, was questioned. In particular, European Commissioner Cecilia Malmström indicated that if the NSA did breach the SWIFT database outside of the agreement, the Commission would consider revoking the TFTP agreement. The European Parliament later issued a non-binding resolution calling for the suspension of the TFTP agreement, which passed by 280 votes to 254, with 30 abstentions.
Information revealed by Edward Snowden gave new impetus to Brazil’s Marco Civil da Internet, which had been debated and discussed by Brazil’s Congress and public since 2009 and was finally passed on 25 March 2014. The bill is aimed at establishing principles and rights for use of the internet in Brazil, including protecting net neutrality and civil rights. A provision that would have required large service providers such as Google to maintain data centres within Brazil’s borders was removed from the bill, but companies will now be subject to Brazilian law in cases that involve information on Brazilians, even if the data is stored on servers abroad.
Brazil has indicated that it will increase its efforts to maintain data sovereignty. Proposals under consideration include laying underwater fibre-optic cable directly to Europe and other South American countries without passing through the United States. Brazilian President Dilma Rousseff also announced that a secure email system called SERPO would be created for the federal government.
US officials threatened to revoke Ecuador’s trade preferences while the country considered granting Edward Snowden political asylum. In response, Ecuador renounced the trade benefits and offered to fund human rights training for the US. President Rafael Correa said that the US had used the trade preferences as “blackmail”.
Officals at the US Department of Justice have told USA Today that a huge DEA phone records programme – which tracked and stored data relating to international phone calls placed by US persons – was halted as a result of Edward Snowden’s revelations. In effect, collection was halted because the DOJ determined that the justification for the NSA’s own bulk collection programme was its national security rationale, and that the continued existence of a law enforcement bulk collection programme could only undermine that.
In September 2015, Director of National Intelligence James Clapper stated that an NSA phone call collection programme relating to Afghanistan had been shut down, at the request of the Afghan government, as a result of Snowden’s disclosures. The programme referred to appears to be SOMALGET, in which the full audio of every phone call made in the country was recorded and stored. Then Afghan President Hamid Karzai reportedly cancelled a meeting with President Obama two days after WikiLeaks revealed that Afghanistan was one of the countries subjected to this kind of collection. Clapper’s remarks leave it unclear whether this collection has really come to an end, or if it has been resumed under the new Afghan government.
In October 2015 the Inter-Parliamentary Union passed a resolution calling on member Parliaments (of which there are 166) to ensure surveillance laws and practices no not violate human rights. The Assembly expressed concern “that mass surveillance programmes regarding digital communications and other forms of digital expression constitute violations of the right to privacy, including when conducted extraterritorially, and endanger the rights to freedom of expression and information, as well as other fundamental human rights, including the rights to freedom of peaceful assembly and of association, thus undermining participative democracy”.
In January 2016, Canada’s Communications Security Establishment (CSE) called a temporary halt to intelligence sharing with its Five Eyes partners while it established better protections for the metadata of Canadian citizens. Concerns about the guidance CSE operates under have been made repeatedly since Edward Snowden brought the extent of metadata sharing to light.