I dont want to live in a world where everything I say, everything I do, everyone I talk to, every expression of creativity and love or friendship is recorded.
US legislative proposals, lawsuits and investigations
Legislative reform
The two main sections of the US Code that enable the NSA surveillance programs are commonly referred to as Section 215 and Section 702.
Section 215 is part of the Patriot Act of 2001, Title II, which amends the Foreign Intelligence Surveillance Act (FISA) of 1978. This allows the FBI to apply to the FISA court for an order obliging third parties (including service providers such as Google, Yahoo or Facebook) to turn over “tangible things (including books, records, papers, documents and other items)” for investigations “to protect against international terrorism or clandestine intelligence activities.”
Section 702 is part of the FISA Amendments Act (FAA) of 2008, which gives “procedures for targeting certain persons outside the United States other than United States persons”. Although Section 702 does not allow for targeted collection of US-person data, programs authorised under Section 702 have enormous databases that inevitably contain US-person data. NSA documents revealed by Edward Snowden have shown that the NSA has subsequently used these databases to allow itself to search for US persons and analyse their metadata.
In July 2013, a legislative attempt to limit the bulk collection of domestic metadata under Section 215 powers (the Amash Amendment) was defeated by a narrow margin.
In all, members of Congress have made close to thirty legislative proposals for reforming FISA and increasing transparency with respect to surveillance since June 2013. The initiative with most momentum was the USA Freedom Act, which was introduced by Rep James Sensenbrenner and Senator Patrick Leahy in October 2013 and attracted 152 co-sponsors. The original version of the legislation sought to restrict surveillance of US persons, promising to end bulk domestic metadata collection under Section 215 and place restrictions on the use of US persons’ data gathered under Section 702.
However, the version of the bill eventually approved by the House Judiciary Committee on 7 May 2014 included significant compromises, prompting the ACLU to note that, even if it became law, “further reforms will be necessary to bring government surveillance authority in line with the Constitution.” The version of the bill voted on by the House itself on 22 May 2014 was significantly weaker than even this compromse position – so much so that 76 of the original 152 co-sponsors of the USA Freedom Act actually voted against it. A new version of the Bill introduced in the Senate on 29 July 2014 initially received a warmer reception from civil liberties advocates.
Following closer analysis of the bill, a group of civil liberties advocates including NSA whistleblowers Thomas Drake and Bill Binney came out against it, writing in an open letter of 15 September 2014 that:
the USA FREEDOM Act has significant potential to degrade, rather than improve, the surveillance status quo. At best, even if faithfully implemented, the current bill will erect limited barriers to Section 215, only one of the various legal justifications for surveillance, create additional loopholes, and provide a statutory framework for some of the most problematic surveillance policies, all while reauthorizing the PATRIOT Act.
On 19 June 2014, the US House of Representatives voted to defund two major NSA surveillance programs. The House banned searches of Americans’ communications without warrants under the Foreign Intelligence Surveillance Act and mandates for technological companies to facilitate electronic surveillance. The ban is an amendment to a defence appropriations bill and has yet to be replicated in the Senate.
Constitutional challenges
At least six constitutional suits have been launched in the US as a result of Snowden’s revelations. Of these, the petition of the Electronic Privacy Information Center to the US Supreme Court to have the Verizon FISA Court order vacated was denied on 18 November 2013. Others (Smith v Obama, First Unitarian Church of Los Angeles v NSA, Paul v Obama) have yet to be decided.
Two contrasting judgments issued in December 2013 – in Klayman v Obama and ACLU v Clapper – increase the likelihood that the US Supreme Court will eventually have to decide whether domestic metadata collection is compatible with the Fourth Amendment’s prohibition of “unreasonable searches and seizures.” On 16 December, in the first of those two judgments, Judge Richard Leon ruled that the collection of metadata was “almost Orwellian” and “probably unconstitutional.”
Internal US reviews and investigations
Three investigations into surveillance programs and capabilities have been announced in the US since June 2013. The Privacy and Civil Liberties Oversight Board (PCLOB), originally created in response to a recommendation by the 9/11 Commission report, has issued a letter to Attorney General Eric Holder and Director of National Intelligence James Clapper requesting updated procedures and guidelines on privacy and civil liberties protections. The PCLOB has no subpoena powers and no authority to obtain information. The Board’s report was published on 23 January 2014, a week after President Obama’s major speech on the NSA, and called for an end to the bulk collection of domestic metadata.
The PCLOB’s second report, published on 1 July, took a more forgiving approach to the collection of data under Section 702 while acknowledging that “certain aspects of the Section 702 program push the entire program close to the line of constitutional reasonableness.” The Board’s reasoning has been criticised.
Chair of the Senate Select Committee on Intelligence Dianne Feinstein also announced a series of hearings to take place to review NSA surveillance programmes.
On 12 August 2013 President Obama announced an “independent group” to review “capabilities, particularly our surveillance technologies… how we can maintain the trust of the people, how we can make sure that there absolutely is no abuse in terms of how these surveillance technologies are used, [and] ask how surveillance impacts our foreign policy”. The Review Group issued its report on 18 December 2013. Obama made his formal response in a speech of 17 January 2014, in which – while acknowledging that “surveillance technology and our reliance on digital information is evolving much faster than our laws” – he proposed very modest changes to the way the NSA handles domestic metadata.
International investigations
UK Intelligence and Security Committee inquiry
The Intelligence and Security Committee (ISC) is a committee of Parliamentarians appointed by the British Prime Minister to oversee the activities of the UK intelligence community. On 17 October 2013 the ISC announced that it was broadening the scope of its inquiry into “the legislative framework governing the intelligence agencies’ access to private information”. The ISC had already concluded on 17 July 2013 that the GCHQ’s alleged circumvention of UK law through use of the NSA PRISM program was “unfounded”, but their October press statement acknowledged that it was “proper to consider further whether the current statutory framework governing access to private communications remains adequate”. The ISC had begun to hear testimony, in closed session, in May 2014.
The ISC’s independence and ability to adequately scrutinise Britain’s security services was the subject of sustained criticism during a House of Commons debate on 31 October 2013. Liberty, Privacy International and Big Brother Watch have said that the ISC investigation is “deeply flawed.” On 7 November 2013 the ISC held an unprecedented public hearing with GCHQ Director Sir Iain Lobban and the heads of the two other UK intelligence agencies. It later emerged that all questions had been agreed in advance. On 9 May 2014, the House of Commons Home Affairs Select Committee published a report that was highly critical of the UK’s system of surveillance oversight, the official reaction to Edward Snowden’s revelations and the ISC in particular.
With the passage of the Data Retention and Investigatory Powers Act in July 2014, the UK’s independent reviewer of terrorism legislation, David Anderson QC, has been asked to conduct an inquiry into surveillance powers and their regulation. David Anderson has previously warned about the dangers of the UK’s expansive definition of terrorism. He is due to report before May 2015.
Dutch CTIVD inquiry
On 4 July 2013, the Dutch Parliament requested that the Review Committee on the Intelligence and Security Services (CTIVD) conduct an inquiry into the activities of the Dutch security services GISS and DISS. The conclusions of the inquiry were published in March 2014 and are also available in English. The Committee found that, while there was no systemic failure on the part of Dutch agencies, powers were being used in ways not forseen by legislators, that privacy protections were insufficient and some actions of the services were unlawful. The Committee also recommended that relationships with international agencies that involve the sharing of raw data be reviewed.
Brazil Senate investigates NSA spying in Brazil
An Investigative Parliamentary Commission was formed by the Brazilian Senate on 3 September 2013. The committee has 180 days to investigate claims involving NSA surveillance of Brazil, particularly the communications of President Rousseff and her top aides. During the committee’s first meeting an application for federal protection of journalist Glenn Greenwald and his partner David Miranda was approved. Greenwald and Miranda have been subject to harassment and threats for their involvement and reporting on NSA surveillance.
European Parliament Civil Liberties Committee investigates electronic surveillance
An overwhelming vote in the European Parliament initiated an in-depth investigation into US surveillance operations and European cooperation with US intelligence agencies. The investigation was handled by the Committee on Civil Liberties, Justice and Home Affairs (LIBE), which held 15 public hearings. At the beginning of 2014, the inquiry voted to invite Edward Snowden to give testimony via videolink. Snowden had previously given a statement to an earlier inquiry hearing, presented by Jesselyn Radack from the Government Accountability Project. Edward Snowden confirmed that he would be happy to give further testimony to the Inquiry, which was delivered in writing and published in March 2014. The Committee’s report was adopted by the European Parliament on 12 March 2014, but amendments aimed at guaranteeing European protection for Edward Snowden did not pass.
Australian Senate inquiry into revision of the Telecommunications Act
On 12 December 2013, the Australian Senate approved a motion to refer a review of the 1979 Telecommunications (Interception and Access) Act – which was heavily modified after 11 September 2011 – to the Legal and Constitutional Affairs References Committee. This was the latest of several attempts by the Australian Greens to launch an inquiry into surveillance in Australia and the motion eventually passed without government support. The Committee is currently taking written submissions and will hold hearings before it is due to report on 10 June 2014. In March 2014, it was reported that the Greens intended to call Edward Snowden as a witness.
German Bundestag launches NSA Investigation Committee
Folllowing months of negotiations, on 14 March 2014 SPD deputy Christine Lambrecht announced that the German Bundestag would be launching an official committee of inquiry into allegations of NSA surveillance in Germany. The inquiry, said Lambrecht, would also seek to determine what reforms were necessary to ensure the privacy of German citizens’ electronic communications. The Committee of Inquiry held its first hearing on 3 April 2014. The committee was initially chaired by Clemens Binninger, who also chairs the Parliamentary Control Commission responsible for overseeing the German intelligence services. Binninger resigned less than a week in, expressing his opposition to Edward Snowden being called as a witness.
The committee duly voted to invite Edward Snowden to give public testimony on 8 May 2014. Nevertheless, the prospect remains highly controversial, with the German government going to considerable lengths to try and prevent Edward Snowden travelling to Berlin. On 1 August, Glenn Greenwald announced that he would not testify before the committee unless it found “the courage to do what it should obviously do – interview Snowden in person, on German soil, regardless of how the U.S. Government would react.” The issue has now been brought to Germany’s Constitutional Court. The case, brought by Germany’s 127 Green and Die Linke MPs and members of the NSA Investigation Committee, argues that the federal government is “obliged legally to create the possible conditions for the examination of the witness Edward Snowden.”
On 3 July 2014, the Investigation Committee heard testimony from NSA whistleblowers Bill Binney and Thomas Drake. On the following day, it was announced that a BND employee had been arrested – reportedly on suspicion of selling information about the Committee’s activities to the United States. On 7 July unnamed US officials confirmed the CIA’s involvement and a second suspected US spy in Germany was being questioned. The affair has provoked widespread outrage on both ends of the political spectrum in Germany and, on 10 July, the German government expelled the CIA chief of station. In September, AP reported that the impact of the scandal had been felt on CIA operations across Europe.
Council of Europe prepares reports on whistleblowing and mass surveillance
The Parliamentary Assembly of the Council of Europe (PACE), which comprises 318 members of national parliaments drawn from the Council of Europe’s 47 member states, has appointed Dutch parliamentarian Pieter Omtzigt to prepare reports on mass surveillance and whistleblowing, to be delivered before the end of 2014. The PACE Committee on Legal Affairs and Human Rights held a first hearing on 8 April, at which Edward Snowden gave evidence by video link. A second hearing on whistleblower protection was held on 24 June 2014 and Edward Snowden again testified live by videolink.
International legal challenges
NGOs file claims with UK Investigatory Powers Tribunal
Privacy International filed a claim with the Investigatory Powers Tribunal (IPT) on 8 July 2013. Claims have also been filed by Amnesty International, the ACLU, Pakistan-based Bytes for All, the Canadian Civil Liberties Association, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties and the Legal Resources Centre. The IPT, set up under the Regulation of Investigatory Powers Act 2000 (RIPA), is the only domestic forum that considers complaints against UK intelligence agencies. The tribunal’s ability to be truly independent of those it oversees has been questioned. The IPT usually hears cases in secret and is not required to make the reasons for its decisions public. Its decisions cannot be appealed in any UK court.
The three claims note that while UK authorities must comply with RIPA if they intercept domestic calls, there is no legal regime preventing UK authorities soliciting the same data from US authorities who have been intercepting communications of non-US persons. The complaints contend that absence of such safeguard breaches Articles 8 and 10 of the European Convention on Human Rights (ECHR) – the rights of privacy and free expression. The claims also challenge the interception of data on fibre-optic cables (Tempora) and the sharing of that data with US authorities. The claims will be heard in an open hearing on 14 -18 July 2014; it is likely this will be followed by a closed session.
Three further claims have been lodged with the IPT. On 4 May 2014 it was announced that the Green Party’s two UK Parliamentary representatives, Caroline Lucas MP and Baroness Jones of Moulsecoomb, had lodged a complaint about their communications being surveilled under Tempora. This breach of Parliamentary privilege would be in contravention, not only of ECHR Articles 8 and 10, but also of the Wilson Doctrine that no Parliamentary communications should be intercepted. The British Government confirmed in July 2013 that the Wilson Doctrine applied to electronic communications and that it was still in force.
On 13 May 2014, Privacy International announced that it had filed a second legal complaint with the IPT. Privacy International argues that GCHQ’s use of hacking tools is overly invasive, enabling “covert, complete, real-time physical and electronic surveillance, as well as historical surveillance, of everything that person does, sees and says.” This, argues Privacy International, is conducted without clear legal authority on an enormous scale and in breach of Articles 8 and 10.
A third complaint, lodged by seven ISPs and Privacy International with the IPT on 2 July 2014, challenges GCHQ’s targeting of internet service providers like Belgacom in order to gain access to network infrastructure. In a blog post announcing the action, Privacy International explained that “while the claimants were not directly named in the Snowden documents, the type of surveillance being carried out allows them to challenge the practices in the IPT because they and their users are at threat of being targeted”.
UK surveillance challenged in the European Court of Human Rights
A legal challenge was filed in the European Court of Human Rights (ECtHR) against the UK government by Big Brother Watch, Open Rights Group and English PEN, together with German internet activist Constanze Kurz in October 2013. The challenge (Big Brother Watch and Others v United Kingdom) asks the court to declare unrestrained surveillance by the UK government to be a breach of the rights and privacy of internet users under the European Convention on Human Rights (ECHR). It also challenges the adequacy of UK oversight provisions under the Convention.
A legal opinion commissioned by UK Parliamentarians in early 2014 suggests that currrent UK law may indeed be incompatible with the ECHR.
In January 2014, it was announced that the court was fast-tracking the case and had asked the UK government to show how its practices complied with the law. The UK government has until May to file its response and it is possible the court may rule before the end of 2014.
In a separate legal challenge, on 9 September 2014 Privacy International announced that it would be challenging GCHQ’s blanket exemption from the UK’s Freedom of Information Act. Privacy International argues that there is a particular public interest in disclosure of the UKUSA Agreement and any subsequent documents that set out the ground rules for the Five Eyes alliance.
Following the news that UK police had obtained the phone metadata of journalists reporting on an ongoing police scandal in order to determine their sources, on 12 September 2014 the Bureau of Investigative Journalism filed a case at the ECHR challenging the lack of protections for journalists and their sources in the UK’s surveillance procedures. At present, British police and public bodies make around half a million metadata (communications data) requests a year, without the need for any kind of further authorisation.
British Columbia Civil Liberties Association challenges constitutionality of Canadian surveillance
The British Columbia Civil Liberties Association (BCCLA) has filed a lawsuit against the Communications Security Establishment Canada (CSEC), arguing that CSEC surveillance activities violate the Charter of Rights and Freedoms protection against unreasonable search and seizure, as well as infringe upon freedom of expression. The lawsuit was filed at the British Columbia Supreme Court on 22 October 2013.
Dutch challenge to sharing of bulk data
On 6 November 2013 a coalition of Dutch individuals and organisations filed a suit against Ronald Plasterk, the Dutch Minister of the Interior. The organisations that are a party to the case include the Dutch Association of Criminal Defense Lawyers (NVS), the Dutch Association of Journalists (NVJ), the Internet Society Netherlands and the Privacy First Foundation. Citizens v Plasterk challenges the sharing of information gathered by the NSA in bulk with the Dutch intelligence service AIVD, on the grounds that the sharing is used as a means of circumbenting domestic privacy laws. In a 23 July 2014 judgment, the District Court in The Hague ruled that, while this possibility could not be excluded, exchange of bulk data with foreign intelligence services could not be jeopardised due to the “overriding importance of national security”. The ruling is being appealed.
Complaints concerning US violation of local privacy laws
In mid-July 2013 the International Federation for Human Rights and the Human Rights League filed a complaint with the Public Prosecutor of the Tribunal de Grande Instance in Paris, which hears civil cases not assigned to any particular jurisdiction. The complaint asserts that the recently revealed NSA programs may have violated several French privacy laws under the French Criminal Code, including “fraudulent access to an automated data processing system, collection of personal data by fraudulent means and wilful violation of the intimacy of the private life”. On 28 August 2013 the Prosecutor’s office in Paris said it had launched a preliminary investigation following the complaint, which would determine if there is enough evidence for a formal investigation.
A formal complaint was filed in Hesse, Germany in June 2013. The German Federal Prosecutors’ Office confirmed that they were “looking into” whether NSA surveillance within Germany had violated any laws protecting German citizens. Although the Prosecutors’ Office spokesperson said that more criminal complaints surrounding this issue were likely, they did not indicate whether a formal investigation would be launched. There was renewed speculation in early 2014 that the Public Prosecutor may launch a formal investigation into a separate complaint that the NSA surveilled Angela Merkel’s phone, speculation that was confirmed in June.
On 3 February 2014, the Chaos Computer Club and the International League for Human Rights announced that they had lodged a further complaint with the German Federal Prosecutors’ Office, together with a request that Edward Snowden be called as an expert witness in any resulting legal action.
On 21 September 2014, it was reported that Cologne’s Public Prosecutor had launched an investigation into a suspected cyberattack on the German satellite communications company Stellar.
In December 2013, the Swiss government approved a request from the Federal Prosecutor’s Office to open a criminal investigation into allegations of espionage by the US and other countries in Switzerland. Chief Federal Prosecutor Michael Lauber told the Swiss newspaper Zentralschweiz am Sonntag that it would be difficult for him to make progress on the investigation without Edward Snowden’s participation and that this would need to happen “in person.” In September 2014, the Swiss press reported on a legal opinion from the country’s Attorney General that may open the way for Edward Snowden to safely travel to Switzerland to take part in this investigation.
In addition to this criminal investigation, the Swiss Federal Parliament has mandated the formation of a Commission of Experts to determine the country’s response to the Snowden revelations, although this has not yet started to take evidence.
Furthering transparency and public awareness
Declassification of Intelligence Community information
On 9 August 2013 President Obama gave a press conference addressing concerns over US surveillance programs. The President described steps he would take to ensure greater transparency, including setting up a Review Group to investigate how surveillance impacts foreign policy and asking the Intelligence Community to open as much information as possible to the public about its surveillance operations. As a result, numerous declassified documents have been released on a new Intelligence Community website. In particular, a number of documents, including FISA Court opinions related to Section 215 of the Patriot Act, were released following a long EFF lawsuit. Another substantial release was an October 2011 FISA Court opinion ruling that some of the NSA surveillance actions were unconstitutional. The release was also due in part to the EFF’s FOIA (Freedom of Information Act) initiative.
Motion requesting FISA Court (FISC) interpretation of Section 215
A June 2013 publication of a Verizon court order revealed that the company was ordered by FISC to give the NSA phone metadata for every call made in a three-month period. In response, the ACLU and Yale Law School’s Media Freedom and Information Access Clinic filed a motion requesting FISC’s interpretation of the meaning, scope and constitutionality of Section 215.
Public opinion polls
A number of recent polls questioned Americans about their views on the NSA, government protections of civil liberties, and whether NSA programs need to be reviewed. A Pew Research Center poll concluded that 56% of Americans think federal courts do not provide adequate limitation on what data the US government can collect. Another poll from Quinnipiac University found that 45% of voters felt the government had “gone too far” in restricting civil liberties in pursuit of anti-terrorism policies, whereas 25% of respondents to the same survey in 2010 selected “gone too far”. Quinnipiac University polling also shows that a growing majority of the US public views Edward Snowden as a whistleblower. Polling from the Economist/YouGov, the Guardian, Gallup and CBS all show similar results.
Tech industry impact
Financial fallout
US companies complying with government requests for data have felt a financial blow in Snowden’s wake, as users switch to those more protective of their information. The financial impact has been felt most deeply in US companies’ trade overseas.
In August 2013, technology firm Forrester Research projected a 25% loss of industry revenue, about $180 billion. IBM said it is “spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe.” In November, Cisco Systems predicted a 10% revenue drop in its second fiscal quarter, citing NSA revelations in its difficulty to sell products abroad.
Other companies are capitalizing on users’ privacy demands and taking advantage of exposed companies’ losses. Runbox, an email provider in Norway, reported “a 34 percent annual increase in customers after news of the NSA. surveillance,” as the company prides itself on refusing to comply with foreign court orders.
Government and corporate rifts
Foreign governments, particularly US allies, are breaking with major corporations known to provide foreign users’ data to the NSA. In September 2013, Brazilian President Dilma Rousseff initiated a plan to avoid relying on US-based tech companies, such as Microsoft, after it was revealed that the NSA spied on her personally and Brazilians generally using Facebook and Google data. On 26 June 2014 the German government cancelled its contracts with Verizon, specifically citing privacy concerns emerging from the NSA revelations as the cause.
In response, in January 2014 Microsoft announced its plan to move its data centers overseas and then asked the US government to keep search warrants within its own national borders. In March the same year, Yahoo similarly moved its headquarters to Ireland so that the British government could not force the company to hand over its data.
Revelations about the NSA’s efforts to defeat encryption in September 2013 confirmed that the NSA manipulated the National Institute of Standards and Technology (NIST) 2006 standard, in particular the pseudorandom number generator Dual EC_DRBG. NIST issued a statement saying it would not deliberately weaken the cryptography standard, but did not deny the NSA’s involvement. On 14 July 2014, a NIST advisory group recommended that the body should be more sceptical of NSA advice in the future, advising that “NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted.”
These compromised standards found their way into commercial software. In September 2013, RSA Security warned its customers to stop using the default random number generator included in its BSafe toolkit and Data Protection Manager products. It later emerged that the NSA had paid RSA $10 million to make Dual EC_DRBG standard in its software. RSA’s Chief Technologist was quoted saying “We could have been more skeptical of NSA’s intentions.”
Transparency reports of government orders
Google and Microsoft individually initiated petitions in June and July of 2013, requesting permission to publish information about national security requests they had received from the US government. Motions regarding the same issue were also filed at the FISA Court. Several rounds of negotiations between the two companies and the US Department of Justice continued over the course of the summer, throughout which the companies agreed to extend the government’s deadline for replying to the lawsuits. In September 2013 Google and Microsoft resolved to continue their litigation in the FISA Court, requesting an open hearing.
Following the result of Google and Microsoft’s negotiations with the US government, Yahoo and Facebook filed similar motions to the FISA Court to request disclosure of information on national security orders the companies have received. Linkedin and Dropbox followed suit a short time later.
On 27 January 2014 it was announced that a settlement had been reached and companies will now be able to report limited information about the FISA Court orders and National Security Letters they receive. In February 2014, Twitter’s Manager of Global Legal Policy wrote that the company felt that the disclosure rules were still inadequate and was considering further legal action. After several months of failed negotiations, Twitter launched a suit on First Amendment grounds on 7 October 2014.
The move towards partial transparency has been shared by telecommunications companies. On 6 June 2014, Vodafone published a law enforcement disclosure report explaining that its “customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws,” yet it cannot refuse to comply with government orders for data, because “governments can remove our licence to operate.” BT has refused to follow Vodafone, AT&T and Verizon in releasing its own transparency report.
Increased use of encryption
Snowden’s revelations have shown that tech companies were not doing enough to protect their users from passive surveillance. At his first live videolink appearance on 10 March 2014 at SXSW, Edward Snowden said that end-to-end encryption would be the way toward “making mass surveillance impossible at the network level.” While full end-to-end encryption remains a challenge, in the year after the first revelations were published we have seen the first industry moves in that direction.
On 3 June 2014, Google released the source code for a Chrome extension that would enable end-to-end encryption of emails sent in Gmail, which Yahoo has subsequently said it will also support. Google made encrypting its data center links a priority after reports showed that GCHQ was using these links as part of its upstream data collection. The EFF’s Encrypt The Web Report tracks the extent to which individual companies are implementing their security recommendations. In June 2014, eight companies – Google, Microsoft, Yahoo, Twitter, Facebook, Dropbox, Sonic.net and SpiderOak – were in the process of implementing all of EFF’s security recommendations and Yahoo was “implementing SSL encryption by default for all its services this year.” In September 2014, Apple published a new privacy policy that claimed it would no longer be able to unlock most iPads and iPhones for police. Shortly afterwards, Google made similar promises about Android.
Studies show that internet users are availing themselves of these new services and are more aware about how to encrypt their communications. According to broadband network equipment company Sandvine’s Global Internet Phenomena Report for 2014, before the Snowden revelations, “encrypted traffic accounted for 2.29 percent of all peak hour traffic in North America.” As Wired reports, that number jumped nearly 60% over the course of the year, with the equivalent figure by May 2014 being 3.8 percent: “But that’s a small jump compared to other parts of the world. In Europe, encrypted traffic went from 1.47 percent to 6.10 percent, and in Latin America, it increased from 1.8 percent to 10.37 percent.”
Worldwide influence
In December 2013, the UN General Assembly adopted a joint German-Brazilian resolution calling for online privacy rights to be respected. Delegates from the Five Eyes intelligence sharing alliance succeeded in weakening some of the resolution’s key provisions, notably the link drawn between extraterritorial surveillance and human rights violations. In publishing the report on surveillance commissioned by the General Assembly on 16 July 2014, the UN’s senior human rights official Navi Pillay said “we owe a great deal” to Edward Snowden and suggested that the US should drop attempts to prosecute him.
A draft proposal for a new EU Data Protection Directive, to repeal and replace the existing one, was released in January 2012. The draft is being negotiated and discussed by the European Parliament, the European Commission and the Council of the European Union. As the proposal is still under consideration new information from media reports on US espionage since June 2013 have been taken into account, particularly with the initiation of an investigation by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) into mass electronic surveillance of EU citizens.
Information revealed by Edward Snowden gave new impetus to Brazil’s Marco Civil da Internet, which had been debated and discussed by Brazil’s Congress and public since 2009 and was finally passed on 25 March 2014. The bill is aimed at establishing principles and rights for use of the internet in Brazil, including protecting net neutrality and civil rights. A provision that would have required large service providers such as Google to maintain data centres within Brazil’s borders was removed from the bill, but companies will now be subject to Brazilian law in cases that involve information on Brazilians, even if the data is stored on servers abroad.
Brazil has indicated that it will increase its efforts to maintain data sovereignty. Proposals under consideration include laying underwater fibre-optic cable directly to Europe and other South American countries without passing through the United States. Brazilian President Dilma Rousseff also announced that a secure email system called SERPO would be created for the federal government.
The Montevideo Statement on the Future of Internet Cooperation released on 7 October 2013 involved a notable response to NSA monitoring and surveillance revealed by Edward Snowden from organisations responsible for maintaining the technical infrastructure of the internet. The group consisted of leaders of all major internet organisations worldwide, including ICANN (the Internet Corporation for Assigned Names and Numbers), the Internet Engineering Task Force and the World Wide Web Consortium. The statement “expressed strong concern over the undermining of the trust and confidence of internet users globally due to recent revelations of pervasive monitoring and surveillance”.
US officials threatened to revoke Ecuador’s trade preferences while the country considered granting Edward Snowden political asylum. In response, Ecuador renounced the trade benefits and offered to fund human rights training for the US. President Rafael Correa said that the US had used the trade preferences as “blackmail”.
During the third hearing of the European Parliament’s LIBE Inquiry into mass electronic surveillance of European citizens, the Terrorist Finance Tracking Program (TFTP), which allows the US access to certain SWIFT records, was questioned. In particular, European Commissioner Cecilia Malmström indicated that if the NSA did breach the SWIFT database outside of the agreement, the Commission would consider revoking the TFTP agreement. The European Parliament later issued a non-binding resolution calling for the suspension of the TFTP agreement, which passed by 280 votes to 254, with 30 abstentions.
