New America Foundation

Lessons from the Summer of Snowden

The Hard Road Back to Trust

October 2013

Georg Mascolo visiting scholar, weatherhead center for international affairs at harvard university former public policy scholar, wilson center's global europe program

Ben Scott senior advisor, open technology institute

Introduction information systems. The right to privacy is The revelations of Edward Snowden have opened enshrined in Article 12 of the Universal a breach of trust between the United States and Declaration of Human Rights. Focused on the Europe that will not be closed easily or quickly. sanctity of privacy in the home, it extends to This rift reflects the results of a decade of actions correspondence and communication. And in the by US secret services (with the cooperation of information age - when our whole lives are many other governments) to conduct mass gradually migrating online - the digital surveillance (mostly) for counter-terrorism. The application of privacy rights becomes very broad. technologies they use have extraordinary, supra- national reach. And the invasion of privacy The network of networks that supports the required by these programs goes beyond what Internet spans the globe and optimizes the many citizens will comfortably tolerate now that it storage and processing of Internet data for cost is out of the shadows and under the heat lamp of and efficiency -- not privacy. All of that data media attention. Trust in the integrity of online passes through a server and a switch somewhere - communications - and especially those delivered - often outside the country. In short, the by American companies - is broken. globalization of communications has taken control over the right to privacy outside the power So now what? Both sides of the Atlantic have of the nation state to protect. The most powerful deep interests - political and economic - in nation states have turned this vulnerability into a repairing the damage. Yet the debate over strength to combat new threats to national solutions is polarized. It is divided between security, authorizing spy agencies to use critics demanding immediate termination of any surveillance technologies to build a massive kind of mass surveillance and the defenders of communications dragnet. the status quo. Neither of these choices appear to offer realistic answers. This was an open secret long before Edward Snowden made it public. Very few people knew To find realistic answers, we must begin by exactly how it was done. But after 9/11, most acknowledging a hard truth that Edward close observers of either technology markets or Snowden has demonstrated to Americans and intelligence agencies understood the high Europeans like: there is no political or economic probability that all forms of electronic power in the world that can guarantee privacy and surveillance that are possible, legal and affordable security in digital communications. The are likely happening. This is not exclusively an information systems of modern society are American business, but rather the practice of fundamentally insecure. We can never be many nations. The muted and often contradictory completely certain that no one is watching. reactions of many governments to the exposure of National Security Agency (NSA) programs The global architecture of the Internet that has indicates the scope of probable cooperation beautifully facilitated access to knowledge, between allied intelligence services. economic growth, and freedom of expression has at the same time weakened the liberty of Nonetheless, the shift from an open secret to a individual privacy. This is a fundamental - published secret is a game changer. It is a game perhaps existential - problem for modern changer because it exposes the gap between what

open technology institue page 2

governments will tolerate from one another intelligence sources, over 80 precent of under cover of darkness and what publics will information about terrorist threats comes from tolerate from other governments in the light of signals intelligence. Threats to public safety and day. Those governments that were complicit with national security are very real, and the the NSA are scrambling to re-align themselves interception of communications is a necessary with their voters. Meanwhile, Washington is and indispensable tool for law enforcement. building up its arsenal of justification. Major Though many Europeans are very critical of NSA commercial actors on both continents are practices, the EU is dependent on American preparing offensive and defensive strategies to intelligence capabilities in much the same way it battle in the market for a competitive advantage relies on American military power more generally drawn from Snowden’s revelations. And citizens to pursue common international security are organizing to demand sweeping change. Left objectives. unresolved, we risk that the logic of intelligence agencies -- which operate with a maxim of “trust Over the years, the nature of surveillance has no one” -- will begin to contaminate other areas of changed dramatically. The original form required political, governmental and social cooperation an evidence-based court order to intercept the among nations. communications of an individual suspect. Surveillance was authorized if it was necessary to To untangle this knotty dilemma, we have to start apprehend the suspect and the infringement on with a comprehensive review of how we got liberty was proportionate to the nature of the where we are and the nature of the challenges we crime or intelligence purpose. No other face. We must assess a series of novel policy individuals were implicated in this infringement problems inherent to the relationship between on privacy, except those who communicated with law and technology in modern signals the suspect. Today, this logic is reversed. We intelligence. Few have taken a comprehensive intercept huge quantities of communications view of the top-down and bottom-up political and from millions of people and then search the economic forces that must be engaged in any resulting database for information related to workable solution. And almost no one has suspects. Few would dispute that there are identified a path forward towards an international legitimate purposes for some kinds of standard that can realign both governments and surveillance. But, the infringement on the liberty publics around a trusted regime that balances of the innocent in the practice of mass liberty and security in the digital world. With surveillance has not been weighed against these humility before the scope of the task, we seek to legitimate purposes in the court of public address all of these issues in turn. opinion. There has been very little public debate in any country over whether this is justified or Background acceptable. When these issues do make Surveillance as a tool of law enforcement and headlines - e.g. “warrantless wiretapping” and the intelligence gathering is, of course, nothing new. Echelon scandal - public reactions have been And within appropriate limits, it is a powerful negative. tool to detect, expose, and thwart criminals and threats to national security. According to

new america foundation page 3

Two factors influenced this logical shift in system maximizing its effectiveness under the intelligence practices: new technology and the law in a post-9/11 world. What distinguishes attacks of September 11, 2001. The terrorist attacks American intelligence work from that of other dramatically expanded the threat profile for nations is not this logic, but rather resources, national security - not just for the US, but for all threat perception, and a firm belief in superior allied nations focused on Al Qaeda. The targets technology. This evolution must be understood were no longer conventional military assets, but in that context. thousands of individuals scattered around the globe plotting lethal attacks on civilians. To These programs moved well beyond the counter this threat, intelligence agencies interception of mass quantities of “upstream” developed and deployed new technologies to data on telephone and Internet networks. They intercept electronic communication on an solicited and compelled the partnership of unprecedented scale. And simultaneously, they Internet companies that store and process large operationalized new tools to store, sort, and quantities of information from the commercial analyze these mountains of information. On a market. The now notorious “Prism” program is mission to find individuals like the unassuming one example, although its reputation far exceeds young migrants to Germany who would later sit its scope of impact compared to other collection in the cockpits of hijacked airplanes, the needed methods. More insidious, the NSA reportedly breadth and depth of intelligence activities were worked to compromise the most common almost limitless. cryptographic standards. Firms that promised privacy through encryption quietly handed the This was a paradigm shift. The old logic of keys to the NSA under legal compulsion (or “necessary and proportionate” was stretched to voluntarily) or had them stolen. According to the meet the new demands. To find shadowy Snowden documents, the implementations of terrorists in lawless corners of the world, the encryption in common services like HTTPS, necessity of using all potential tools of Voice-over-IP, and 4G wireless networks have all surveillance was clear. And the scale of the been secretly unwound. Only the specially atrocities on 9/11 left few in doubt that whatever modified devices of high ranking government infringements on privacy were needed to capture officials - such as the German Chancellor - can perpetrators were proportionate to the crime. In hope to have trustworthy security. For everyone other words, after 9/11, there was a dramatic else in the mass market, it is mostly a fiction. change to the discussion over how to define necessary and proportionate. Nearly every And let us be clear that this was not just the increase in technological capability to collect, United States. Many countries developed these process, and operationalize intercepted capabilities to some extent. Each implemented communications was welcome. And though policies with a focus on reducing risks for its own restrictions were placed on these capabilities - it citizens. Looking back now, we can see that the was not a lawless free-for-all - the scope of secret programs to increase surveillance to operations expanded steadily. This increase in improve national security almost certainly the capabilities of American intelligence over the achieved that outcome. But these practices also last decade was not the work of power-hungry opened vulnerabilities. The backdoors built into spies. It was the work of a national security secure systems can be used by anyone with the

open technology institue page 4

skill to find them. And the pursuit of criminals in big data inevitably sweeps innocents into the A comprehensive review of national surveillance mix and jeopardizes public trust in a government laws is beyond our presents scope, but we can that would undermine personal privacy without a draw basic conclusions that will suffice for our word of public debate. purposes here. Though it may come as a surprise to many European citizens, the laws used to Novel Policy Problems authorize surveillance programs in EU countries The NSA is the undisputed champion of the are comparable to those in the US. Foreigners surveillance world. Just as Silicon Valley are legitimate targets for surveillance under companies dominate the Internet marketplace, broadly defined national security purposes. In American agencies dominate the business of many cases, this is not limited to counter- electronic surveillance. It requires huge terrorism but applies to foreign intelligence resources to fulfill this mission, and only a few information more generally as it relates to public countries can afford to maintain and staff the safety. Typically, local citizens are protected by a infrastructure. But the same legal and logical higher standard of privacy, but they are not principles that guide the NSA programs apply in exempt from surveillance. Intelligence agencies many other nations on a smaller scale, but with gain access to the telecommunications networks similar methods. Most notably, the Snowden that physically cross their territory. And the documents make clear that the British companies that own the upstream networks and Government Communications Headquarters data storage/processing facilities are required by (GCHQ) is not only a close and highly capable law to cooperate. There are no clear minimum partner but a paid subsidiary of the NSA. Much standards of operational protection, even inside of less is known about the practices of other Europe. And there is broad cooperation among European intelligence services, but several intelligence services, including the exchange of (including the German Bundesnachrichtendienst data. The extent of interaction and the standards [BND]) are known to be in close cooperation with of practice for filtering and deleting data prior to the NSA. exchange remain largely unknown. We may learn more as the remainder of Snowden’s Aiming at our goal of identifying the elements of documents are released in the news cycles ahead. a new international (or at least transatlantic) But for now, we can focus on the novel policy standard to contain surveillance practices within a problems that both the US and Europe face with new legal framework, we need to compare the the broad understanding that we are all basically laws governing foreign intelligence surveillance in the same boat. between the US and the largest EU powers and assess the novel policy problems of mass Locating the Act of Infringement on Liberty surveillance that must be addressed. This dual Since 9/11, a quiet shift has occurred in the approach will enable the identification of a relationship between surveillance law and baseline of law and policy today as well as the technology. This change was driven by the nature elements of a new standard that would recoup of the current generation of surveillance lost trust. And of course, implicitly, we will see technology. And it fundamentally altered the the distance between them that must be bridged. definition of the act of infringement - the

new america foundation page 5 moment that personal liberty is violated for the to find what he wants. The analyst’s chances of sake of common security. Is it the moment a finding the suspects are undoubtedly higher. communication is intercepted? Or is it the search And he might even find information that he was and analysis that occur during the processing of not looking for, but which is useful in his the intercepted data and the subsequent actions investigation. But at what cost? taken? Perhaps 99 percent of the data that he has The logic of the last generation of wiretapping collected from this torrent of global places the act of infringement at the point of communications is irrelevant to the investigation. interception. But based on the Snowden Few would dispute the importance of pursuing documents’ depiction of NSA and GCHQ the 1 percent - but what about the rights of the 99 activities, it is clear that we have pushed that back percent that get swept up in the process? In to the act of processing. Mere interception is no order to justify the act of mass surveillance, what longer considered an infringement of rights. the analyst has done as a matter of law and This is a critical distinction. If interception was morality is shifted the moment of infringement infringement, it would not be legally viable to of liberty from interception to processing. conduct mass surveillance. Inevitably, he will have intercepted huge quantities of communications that have nothing Here is how this works. Let us say an intelligence to do with the investigation and should not have analyst is searching for communications between been captured. To justify this, he has simply two suspected terrorists hiding out in Berlin and pushed back the moral red line of surveillance Seattle. Under the old standard, he would seek a and declared that the inadvertent collection of method to intercept all communications between your data requires no legal justification as long as those individuals by placing a tap on the specific he deletes it later. Only when he processes that Internet or telephone lines tied to their accounts. data and uses it for some law enforcement or Or, he would bring a court order for that specific intelligence purpose has he infringed on your data to the email or telephone provider. Of rights. Is it necessary to make this shift? Is it course, he would need cooperation from another proportionate to the crime of the suspected national law enforcement agency to get both ends terrorists? Who decides? Because these activities of the communication in this manner. Under the are all classified, it has not been subject to much new standard, he can attempt to gather ALL of the scrutiny. email and phone calls coming in/out of Berlin (or in/out of Seattle) and store it in a database. He Minimization Practices might not even need cooperation from a partner The intelligence agencies address this dilemma spy agency, depending on what international through “minimization practices.” That is - they lines he has tapped on a permanent basis. Or he delete some of the data that they should not have could also ask the email or telephone provider to collected and stored in the first place. For give him everything they have that might be example, these agencies are never meant to use related to the suspects in Berlin or Seattle for a communications data transmitted between their period of days or weeks or months. Then, he can own citizens and should delete it immediately if go to this database at his leisure and use powerful discovered before it is processed for intelligence processing tools to search through all of this data purposes. But - if they find something of

open technology institue page 6

intelligence value in this data before they delete it rights in order find the terrorists is a function of - then they do NOT delete it, whether it was the power and the limits of technology. We are related to the initial target or not. The NSA’s collecting everything, storing and searching minimization standards have now been because it is technically possible and certainly published. But even those specific standards do more effective to do so. But currently, it is not not provide certainty about which data is deleted technically possible to search ALL of the data and whether it is all deleted before it is searched flowing across the entire Internet in real time and if it was legally off limits in the first place. For pick out ONLY very specific targets such as email example, the rules governing raw data collected addresses or keywords. That can only be done directly off of the Internet appear to be slightly after it is stored and searchable. But someday, it different than for data compelled in bulk from a might be possible to set up a filter that makes it company. And we have other documents unnecessary to intercept all the data and store it suggesting that much of it is not deleted before it for later processing. In other words, if signals is searched and sorted to some degree; and in intelligence agents had an even more powerful some cases (such as with the Israelis), the raw and intrusive technology than they do today, but data is shared with other intelligence agencies it was more precise - they would be able to take before it is minimized. (The NSA disputes the the moment of infringement back to the original significance of the documents detailing these standard of interception. circumstances, but the government has not offered a counter-narrative with similar levels of The key conclusion here is that there is a certain detail.) amount of technological path dependency to any reform effort. Technology has shaped the reason Long story short - the logic of “minimization” is policy-makers and intelligence agency directors at least partly contradictory. Intelligence agencies have declared that surveillance no longer means intercept huge quantities of communications data merely intercepting data but rather involves the in search of a few targets. They are meant to processing of that data. Policy-makers had to delete everything they were not supposed to make this shift in order to accommodate a more collect in the first place. But before they delete it, effective technology to achieve their goals. And if they find anything constituting foreign similarly, the nature of the minimization intelligence value in the data they were not meant practices stems from this basic technological to collect, then they go ahead and keep that too. requirement to intercept and store all of the data. If they only minimize what they did not want Since we have to have all the data to find the bad anyway - that is not minimization, it is just guys, would it not be irresponsible if we did not sorting. It seems likely that they delete a lot of go ahead and look for other bad guys we can see obviously irrelevant or off-limits data before they in the data even if we were not looking for them search it. But we simply do not know exactly in the first place? Or is that an unacceptable step because the oversight of these programs is onto the slippery slope towards Big Brother classified. government?

And here is the real hypothetical mind-bender: the current problem of infringing on everyone’s

new america foundation page 7

Compulsory Private Sector Cooperation disagreement about policy between two The combination of novel policy problems we governments cannot be easily solved by market must disentangle contains one more key element. regulations. But if not that - then what? This problem involves the role of the private sector. Because so much of the Internet and Reactionary Forces - Political and telephone data in the world is carried, stored and Economic processed by private sector companies, they are Throughout the summer of Snowden, we have now complicit in the practices of mass seen a variety of reactions. We can group these surveillance. The now-notorious Prism program into two categories: involves many of the biggest brand names on the 1) political - government to government demands Internet. When compelled by law enforcement for policy change as well as public pressure on with a valid court order, they have no lawful national governments to stop foreign choice but to provide the data requested and to surveillance; disclose nothing about the request. This is a 2) economic - proposed regulations to limit common practice in many nations. But because exposure to surveillance by privileging domestic most of the largest Internet service providers are firms, restricting foreign-owned firms, as well as American companies, the US gains access to changes in consumer behavior in the market. foreign data stored by American companies in far greater quantities than would be possible Political Pressure anywhere else. Up to now, most governments have shied away from a thorough discussion of the NSA Naturally, other governments have begun to put documents in order to avoid revealing their own pressure on these companies to disclose exactly intelligence activities operating on similar how (and how much) information about their principles. Political oversight of intelligence citizens is being transmitted by American services are conducted with very limited companies to American intelligence agencies. resources. And so these agencies are the last But the policy problem is this: if a European island of absolute sovereignty for the nation state. government passed a law that Internet service If politicians do not seek an international providers operating in their countries are agreement to protect the right to private forbidden to pass data to US law enforcement, communications, the agencies certainly will not they place these companies in a contradiction. do so on their own. The price of operating under They are still American companies and subject to laws that permit unlimited surveillance of foreign US law. In these circumstances, they cannot be citizens is the vulnerability of your own citizens in compliance with the law in both countries. to the same treatment by others. [More recent proposals to place consumer warning labels on data processing that might Now that the facts of this situation are public, the happen outside the EU are an attempt to damage done is enormous. It includes the circumvent this problem, but likely will lead to erosion of trust between allied nations, the the same contradictions between national laws.] concerns of millions of citizens about total The same contradiction applies for any country surveillance, and increased fears in the that would pass laws to govern the companies marketplace about economic espionage. In short, governed outside their control. In other words, a the scale of the surveillance programs has

open technology institue page 8

shredded the trust in the security and integrity of uniformly negative in Europe. The outrage was the Internet itself. sufficient to propel the issue into the talking points of all parties contesting the German Most of the political responses from governments elections. Senior officials in the EU have also have criticized Washington and London and taken up the cause. Neelie Kroes, European called for an end to their surveillance practices. Commissioner for Digital Agenda, and Viviane But few have held up their own systems as Reding, European Commissioner for Justice, exemplars to follow. And without a new standard Fundamental Rights and Citizenship, have both to follow, these efforts are unlikely to bear fruit. been vocal in their demands that Washington atone for its sins or face political consequences. The best of them - and the bar is very low - is the The most common demands from Brussels for German/American announcement of policy change in Washington are largely focused negotiations to construct a mutual “No Spy on calls for transparency and an accounting of Agreement.” According to statements from exactly what European data has been collected, by German government officials, the agreement whom, in what ways, and for what purposes. would require the NSA to respect German law Looming in the background is the possibility that and the rights of German citizens in any Europe will cancel key agreements over data surveillance activities conducted in Germany. sharing with the US - such as SWIFT banking The deal would also prohibit any economic data and the “safe harbor” for US commercial espionage against German companies. Such a data services. And of course, the much-heralded pact could serve as a model that could be applied Transatlantic Trade and Investment Partnership between other states as well. negotiations have just begun and mass surveillance is likely to play a turbulent role in However, this announcement should be viewed those discussions. It appears that the political with some skepticism. It was unveiled in the conflicts over surveillance practices are playing weeks prior to a German election in which the out in economic policy. government was well served to deflect this issue. It was negotiated by the intelligence agencies Economic Pressure (BND and NSA) and the specifics were not No law made in Europe can hold American disclosed. Further, it was announced with a intelligence agencies accountable. The only declaration that the NSA had not broken any targets for political backlash that lie within German laws to date. Moreover, there is no European jurisdiction are American technology evidence that the US has ever conducted companies that have been exposed as cooperating industrial espionage against Germany. In short, with the NSA. the “No Spy Agreement” appears to propose an agreement to end problems which it Two approaches to economic policy-making have simultaneously declares are not occurring. emerged in response to Snowden: 1) restricting and regulating the activities of Meanwhile, the pressure rises from the bottom. American technology companies in Europe; and Citizen-led protests against NSA overreach 2) creating incentives for technological continue. Media coverage has been almost

new america foundation page 9 sovereignty over data storage and transport on the that require that all data that is stored or Internet. processed for European consumers be stored and processed inside Europe. Another option would Neither of these digital Maginot lines are likely to be rules requiring or incentivizing the routing of stop the NSA from intercepting European all domestic voice and data traffic to remain as communications. But both may get the attention much as possible on wires located inside the of the US government and focus policymakers on country. The German Interior Minister, Hans- a political solution that would reduce surveillance Peter Friedrich, suggested that any German of European citizens. However, these policies are citizen with concerns about American espionage not without significant risks for European should avoid using Internet services that send political and economic interests. data over US networks. Chancellor Angela Merkel also mentioned a Germany-only routing The first idea has multiple potential applications. solution in response to questions about NSA The simplest proposal is for Brussels or a spying. number of member states to pass laws that require all foreign companies that provide data Layered onto these political suggestions are the storage or processing in European markets to enthusiastic responses of European Internet and refrain from passing that data to other telecommunications companies. In August, governments - or at least to provide transparent Deutsche Telekom and United Internet notification when it happens. Another proposal announced a new offer of “Made in Germany” is to terminate existing agreements that permit email using SSL/TLS encryption. Subsequent American technology companies to do business stories based on Snowden documents revealed in Europe despite the fact that they do not that some common SSL implementations have specifically comply with EU law. Policies like been compromised by the NSA. However, the these would certainly hold Silicon Valley’s feet to German system does not appear to be among the fire, though not in a particularly productive them, and it retains the confidence of Deutsche way. These companies would all remain subject Telekom leadership. The company has more to US law that requires the cooperation that recently announced it will begin routing email Europe would prohibit. Assuming that these traffic to and from certain German email systems firms would not abandon their European on paths that avoid international networks and customers (which would certainly be extremely surveillance. The specific design of these services unpopular), it would put their lawyers in a tough is to circumvent US and UK network access. spot but it is not a game-changer for the NSA. Moreover, European intelligence and law Home grown and guaranteed security in data enforcement agencies also rely on these storage, hardware manufacture, cloud computing companies to provide data and may seek to services and routing are all a part of a new protect those interests. The potential benefits of discussion about “technological sovereignty.” It restoring trust with such a policy would be is both a political response and a marketing undermined by the absence of real results. opportunity. If enough customers (especially enterprise clients and government buyers) took The second idea - technology sovereignty - has their business away from American service more teeth. Proposals include new regulations providers, it could translate into a significant shift

open technology institue page 10

in revenue in the digital marketplace. For this will feature the same trend. Political and reason, even if political Europe decides at some economic leaders across Europe are not only point that it is better to set this issue aside to predicting this outcome - they are encouraging it. protect their own interests in security policy, it is Nationalism is being wielded as an economic quite likely that national economic actors will not weapon against the perception that globalization let it go. of technology markets is responsible for their security problems. Few leaders are currently American technology companies are now in a weighing these concerns against the social and lose-lose situation. Their public image in Europe economic benefits this same global network has is badly bruised by the Snowden revelations. And delivered. yet they are still compelled to comply with US law, even as they face the possibility of increased So far, we have not seen major changes in regulation in foreign markets. At a recent consumer behavior in response to the Snowden conference in Silicon Valley, Facebook CEO Mark revelations and the naming of names among Zuckerberg expressed what many of his peers American companies that are cooperating with may be thinking: “The government blew it.” The the NSA. Several factors likely explain this stasis, Washington justification that they only spy on some of which could change in the future. The foreigners is no help for global Internet least likely to change is the simple reality that companies. Facebook has joined several other many consumers do not care about the NSA, or at high tech firms in a suit against the government least not enough to be even slightly that petitions for the right to release more inconvenienced in their online activities. But as information about the number and nature of the people become more educated about the nature information requests they get. These companies - of modern surveillance and their options to long seen as punching bags in European politics - thwart it, we may see more consumers looking are ironically well positioned as allies for EU for alternatives. The problem is that even if there political leaders seeking to push for reform in were broader consumer knowledge about the Washington. These companies may not be overly need for end-to-end encryption to ensure privacy, concerned with commercial data privacy – but there are not any commercially successful, user- they have no desire to be seen as the friendly solutions to add this level of security onto handmaidens of the NSA or any other popular Internet services like email, social intelligence service. networking, and instant message. That could change and probably will as clever entrepreneurs They are desperate to restore their credibility in toss a stream of new products into the market the market before consumer behavior begins to branded as NSA-busters. shift to non-American alternatives. They have good reason to worry. A recent study by the Consequences Information Technology & Innovation If there is no political solution to set new Foundation projects that the US cloud computing international standards to govern mass industry will lose more than $20 billion in the surveillance, we should expect the combination of next three years because of the NSA scandal. political and economic reactions to achieve at That is just one of many industry segments that least some of their stated goals in Europe. These

new america foundation page 11 are powerful political arguments backed by are the very American firms that Europe seeks to organized public outrage and domestic industry restrict. The pushback against these policies giants that see market opportunity. from the European digital companies with market ambitions outside of Europe would be A major shift in Europe towards technological significant and justified. And these are the sovereignty will have very serious consequences companies often extolled by Brussels as future for the global Internet as well as the European growth centers of the European economy. digital economy. And though it may result in a higher degree of protection against foreign Policies encouraging local routing of Internet surveillance in the short term, it is not likely to traffic may also have unintended consequences in shut out determined electronic espionage from addition to the benefits of avoiding contact with the US (or others) without a political agreement. international exchange points that might be compromised by spy agencies. The architecture But technological isolation carries significant of the Internet is not designed for national shortcomings. The most popular idea - requiring routing and significant changes to routing local data storage in Europe - would certainly patterns would have unknown impact on overall press the pain button for American technology network functionality. Even if the EU blunts this firms. The costs of replicating server problem by making a regional agreement, such infrastructure through the EU would be very policies will likely encourage similar activity in high. And European companies might benefit other nations. But the purposes of national from the initial shake-up. But, short of cutting routing do not typically tend towards protecting American companies out of the market civil rights, but rather the opposite. The altogether, the end result will retain the major localization of Internet traffic will intensify vulnerabilities to American law and exposure to opportunities for national surveillance, data collection. censorship, and the kind of political persecution of online dissidents that the West has fought for Meanwhile, these policies could easily trigger years. Furthermore, these kinds of centralized similar local data storage requirements in other routing practices would introduce vulnerabilities countries or regions around the world. Brazil has of their own that might be exploited by the been very vocal about its intentions to move in intelligence agencies they are designed to thwart. this direction. If many countries took this path, the result would be a balkanization of the Of course, none of these consequences are Internet. It would no longer be possible to host a guaranteed. The effects could be less website or Internet service in one location and dramatically negative. But in any scenario it is make it available to a global market. Every unlikely that economic reactions will change the national market for every digital company would law and motives for surveillance programs. require its own dedicated budget for Given the risks, it would be sensible to make an infrastructure before product launch. Many aggressive attempt at a political solution before companies would choose to limit product falling back on economic and technological offerings to only the most lucrative markets. nationalism as a response to foreign surveillance. Ironically, the only companies in the world with the resources to afford these infrastructure costs

open technology institue page 12

A Path Forward Market Response We have taken a long path to come to our Before we describe a framework for a possible proposal: a call for a strong but pragmatic political solution, it is worth spending some international standard for surveillance operations attention on market forces. The political process in the Internet age. Our purpose in outlining the to build a new international policy for foreign full scope of the problem - from origins to initial intelligence surveillance will be painfully slow. reactions - is not to convey pessimism, but to lay But the market reactions will not. And what out the context in which any viable solution must happens in the market will influence the be conceived. Our conclusion is that any effort outcomes of the political debate. For that reason, that might succeed will have to combine political we must look at where this pressure will appear and economic forces that support reform. And and what form it may take in the short term. sustainable change will require pressure from Here are a few examples of changes we expect to citizens and consumers as well as leadership see or which we believe should be encouraged. from governments and boardrooms. Brussels-San Francisco Alliance: The reaction of We believe solutions will begin with the US and companies under pressure for complicity in Europe - especially between NATO allies. If we government surveillance is a push for can go to war together on the strength of transparency. Some of the major Silicon Valley common commitments to liberalism and giants are publishing as much information about democracy, we can surely develop a common surveillance as the law allows and petitioning for standard for intelligence operations and hold one the authority to do more. Ironically, Europe’s another to it. The problem of mass surveillance most valuable allies in the effort to press cannot be solved at the national level. The Washington for policy reforms may be the Silicon integrity of secure communications is broken Valley companies that are the current focus of because global information networks are only as their anger. An argument made together by private as the least secure link on the paths European political leaders and American CEOs between us. But that cannot justify the about the consequences of failure to reform balkanization of the Internet. Walling off the foreign surveillance practices would be a potent information networks the connect the world is a force. Europe could set a standard of transparency mistake - both politically and economically. The in intelligence cooperation for companies consequences of a global shift towards operating in the EU and gain eager allies in the technological sovereignty would be severe and private sector. still it would likely fail to solve the espionage problem. The current political momentum Security By Design: The starting gun for a new pushing towards that outcome should motivate “crypto arms race” was fired by Edward Snowden. us to find an alternative. If we can establish a His disclosures triggered a frenzy of activity to transatlantic zone of common values, legal design new products and services that are NSA- standards, and operational practices, we will have proof. The private sector will play a large role in a chance of restoring some of the trust that has developing new technologies that seek to provide been lost in the Internet. more security and trust in the Internet marketplace. On the hardware side, this activity

new america foundation page 13 might include new kinds of customized PCs, smartphones, servers, and routers. New The process we propose is straightforward and its cryptographic software tools are also likely to be logic is pragmatic. We do not suffer from in high demand, particularly if they can be used illusions that this could done on a global scale. to augment already popular services. But we But there could be agreement on common should be mindful that if secure software standards for the interception of communications becomes widespread, the pressure to take between nations that share common concern backdoors for surveillance into the hardware layer about the privacy of one another’s citizens. The will increase. way forward is not a magic formula of technical solutions or digital Maginot Lines around Crypto Savvy Consumers: With the right national Internets. The only answer is a steady combination of public and private sector march through difficult politics. We would like to leadership, consumer outrage over the NSA could offer novel policy ideas, a clever diplomatic coup, be channeled into increased digital literacy. Most or brilliant concept for a technical fix. But there people have no idea how the Internet works is nothing like that available. We suggest here a despite its integration into their everyday lives. sequence of steps to guide the process. It is The Snowden story sets off alarm bells for people, simple and straightforward, as it must be to have but it does not give clear guidance for what to do. a chance of success. Insert here a battalion of wily marketing gurus and public service NGOs, and we may see a boom First – nations must decide about mass in consumer demand for strong encryption. surveillance in a public debate. As nations, we Technical literacy does not magically make the have to answer openly the central question that average person immune to foreign surveillance, Snowden forces: should mass surveillance of any but it does improve the probability of security and kind be permissible under the law of democratic privacy on the Internet without waiting for a societies to protect common security at the political solution. expense of individual privacy? As a practical matter virtually all nations will decide in favor of Policy Reforms some forms of mass surveillance with Real change will only be achieved with a political restrictions. Once this Rubicon has been crossed, settlement. There are no market regulations or the tough choices begin as we seek the legal new products that can hold governments barriers that will establish a new balance between accountable to the balance between liberty and security and liberty that accounts for the power of security. To reach agreement on an international new technology. standard for surveillance practices, we will need to see movement in three areas: If mass surveillance is legal in certain cases, the heart of the debate is about how to restrict these 1) Increased transparency about national practices in a credible way without rejecting the surveillance practices; secrecy necessary for success. The FISA court, 2) Negotiated agreement of a new standard for the G-10 Commission, and other such methods in foreign intelligence collection; different nations are the current practice. They 3) Specific reforms/oversight in each nation to are not adequate. National leaders must reengage bring current practices up to the new standard. the core question: How should surveillance

open technology institue page 14

practices be constrained by law to certain multi-stakeholder. We do not believe these circumstances and subject to rigorous oversight? forums are likely to resolve the problem, but they will shed light on it and provide forums for The new rules will have to account for the nature engagement and valuable comparative analysis of of modern surveillance and justify the the thorniest legal and technical issues. infringement on personal liberty in pursuit of common security using the standards of necessity The elements of the new standard will have to and proportionality. These judgments must be address each of the novel policy problems we hard and fast, because upon this base democratic have discussed here. This will not be easy even societies will distinguish “legitimate” surveillance inside of continental Europe. Many of the from the repressive operations of authoritarian European intelligence agencies have similar governments. Intelligence systems that collect practices to the NSA (albeit at a lesser scale) and and store data without clear and enforceable operate on similar legal frameworks. Setting a limits--such as some of the NSA and GCHQ new standard will mean acknowledging the status programs reported in the Snowden documents-- quo, measuring the distance to the new standard, cannot be justified. Further, the moment of and making the necessary changes to cross that infringement on privacy rights must be once gap. International organizations will provide a again fixed to the act of intercepting data, not platform to deliberate the balance of rights and processing it. Total digital surveillance crosses obligations of governments, companies, and the same moral line as total visual surveillance. citizens of all countries participating in the And it follows that we cannot demand process. intelligence agencies to have perfect information. As societies, we accept a reduction in security in Third - Europe will go first. The goal of this work order to preserve individual freedom. This is an should be a transatlantic agreement. But the age-old dilemma that requires modern process will likely begin within the EU where the recalibration in an open, public process within political will to make changes is higher. As EU each nation. Commissioner Neelie Kroes put it in a recent interview with Der Spiegel: “The Snowden Affair Second – international organizations must begin has shown us all that we must finally wake up.” a process of deliberation. The national debates But she also rightly pointed out that the EU can will inevitably run parallel with an international hardly lecture Washington on espionage when its process that seeks a common standard for all own members states are spying on each other. nations that share the ideals of liberty and Despite broad-based public demand for change democracy. The right to privacy is enshrined in and the privacy protections set forth in the international human rights accords, but we must European Convention on Human Rights (ECHR), now make them specific and transparent with there is no clear minimum standard of respect to digital surveillance policy in order to operational privacy extended between European have a chance of regaining the trust of citizens. states. How can Europe even dream about a Many different international organizations will common politics if it is not united around play a role in convening these discussions – some protecting basic rights of citizens? The British of them inter-governmental and some of them are perhaps the outliers in the scope of their

new america foundation page 15 intra-EU surveillance, but they are hardly alone. players in this process will be essential to For example, when the German BND forwards ensuring buy-in and trust at its conclusion. data to the NSA, they may filter out Germans and protect the constitutional rights of their own Fourth – Europe should present a unified policy citizens, but that does not hold for other to Washington. If Europe can set standards Europeans. among its member states that represent real changes, it will be well positioned to take a A European standard begins by extending the leadership role at the international level. same protections to all European citizens that are European leaders can argue the case that if the provided to the citizens of each nation. For the same restrictions and protections from foreign UK, and maybe France, the unification of the EU surveillance can be shared among all EU citizens, around a common policy will be a hard sell. But they can be shared with the US and other it will be a necessary starting point. This will traditional allies. The EU will likely enjoy the mean very strict limits on surveillance. How backing of other states with strong views on strict? We suggest these circumstances should be surveillance such as Brazil. EU engagement with carefully circumscribed around targeted Washington will inevitably play out in a parallel investigations into national security issues such context with other critical transatlantic priorities as terrorism, WMDs, or organized crime. such as the Transatlantic Trade and Investment Political and economic espionage would be Partnership, NATO security policies, and prohibited. This standard could be pegged to the international counter-terrorism measures. They privacy protections in Article 8 of the ECHR, but may be formally separated, but they will be to date, there are no explicit stipulations for what politically linked by a common need for trust and that would mean in practice. It may well be that accountability. European intelligence agencies are already in violation of the law measured against this If the US agrees to a new standard, it will then standard. The court has not ruled on the carry the weight of both the political and question. And even if it did, it is not clear that economic support of the West. From there, it will governments would comply without a political become an attractive club for other countries to negotiation. To set this framework, the EU could join, because it will carry both political and clarify that the national security exception to economic advantages for digital products and Article 8 does not permit unrestricted bulk services. We do no underestimate the level of collection. difficulty in achieving this outcome – but we see no other path more likely to accomplish the goal. The EU process should be set in motion by agreement among European heads of state. The One important point of critical sensitivity negotiations should be conducted by a working between the EU and the US is the firm group including representatives from intelligence prohibition on economic espionage. Here we do agencies, data protection authorities, foreign not mean industrial espionage – spying with the ministries, parliamentary oversight committees, purpose of handing intelligence to domestic and the European Commission. Engagement companies for commercial advantage, such as the with civil society leaders as well as industry Chinese have long done. Little evidence exists to suggest industrial espionage is an issue between

open technology institue page 16

the US and Europe. As of today, there is no identifying key ingredients and a possible proven case even among Snowden's documents. framework for agreement. Through the conduct Furthermore, US intelligence leaders have of this process, governments and their publics repeatedly declared that this would be illegal must take up the central moral, legal and under American law. However, that doesn't mean technical questions that will inform the that there is no economic espionage designed to boundaries for surveillance practices. Given the glean information about market activity that complexity of some of these problems, we should informs political decision-making. For example, begin with concrete, simple steps. former CIA director James Woolsey publicly acknowledged over a decade ago that US The lowest hurdle may be an agreement to halt intelligence spies on European businesses for the economic espionage and political espionage purpose of uncovering bribes paid to other conducted against allied embassies. The governments. As he wrote, rather sarcastically in disclosures about NSA targeting EU delegations the Wall Street Journal: “Yes, my continental strike Europeans as the behavior of an enemy, not European friends, we have spied on you.” Part of an ally. If bugging an Embassy is permissible, we the deal on surveillance must be an end to this must assume that all communications among type of surveillance as well as clear policy answers national political leaders are in bounds, to the reasons Woolsey felt justified in doing it. regardless of their bearing on national security interests. The political cost of these disclosures to Fifth – new surveillance standards must include mutual trust far exceeds any benefit of continuing rigorous policies of oversight and enforcement. the practice. It raises the question of whether the This is perhaps the greatest challenge because it NSA conducted these risky operations with the requires trust. No state will allow an full knowledge of political leaders in the White international organization to control oversight of House. President Obama pointed to the need for intelligence practices. And therefore each nation review and reform in his comments at a press must have transparent and effective enforcement conference at the G-20 in St. Petersburg. mechanisms in place. We propose a mix of oversight between judicial and legislative “And what I’ve said is that because instruments in coordination with the technology is changing so rapidly, because government’s own management of intelligence these capabilities are growing, it is agencies. In the US, this would require important for us to step back and review strengthening Congressional oversight and the what it is that we’re doing, because just FISA court review process. In Germany, it would because we can get information doesn’t require establishing judicial oversight and necessarily always mean that we should. broadening the capabilities of the G-10 There may be costs and benefits to doing Commission. certain things, and we’ve got to weigh those.” Elements of the New Standard We cannot predict the results of these An appealing recommendation for how to begin negotiations – either at the national or this process of introspection and negotiation of international level. But we can conclude by the larger issues of restrictions and control comes

new america foundation page 17 from former BND chief Hansjörg Geiger. In the similar proposal to what we describe here. The wake of the Snowden disclosures, he called for an basic idea would require all parties to make rules “Intelligence Kodex” - a new set of rules for respecting privacy and security of foreign citizens intelligence practices that would be adopted by at the same standards they require for their own NATO countries and inside the EU as a starting citizens. The report concludes with a set of point. Geiger’s Kodex would prohibit political strong recommendations that could easily be and economic espionage and limit surveillance to mistaken for a post-Snowden framework, urgent matters of national security, such as including: counter-terrorism and WMDs. Consider the Geiger Kodex in combination with a legal “The Member States are called argument from German judge and G-10 upon to aspire to a common level of Commission member, Dr. Berthold Huber. protection against intelligence operations Responding to the Snowden Affair and the and, to that end, to draw up a code of apparent absence of privacy standards that apply conduct based on the highest level of to foreign citizens, Huber argued in a law journal protection which exists in any Member that German law (perhaps unique among State, since as a rule it is citizens of other Western nations) contains constitutional privacy states, and hence also of other Member protections that extend not only to German States, that are affected by the operations citizens, but to anyone. He points to specific of foreign intelligence services. A similar sections of Germany’s basic protection of privacy code of conduct should be negotiated with rights that do not distinguish between Germans the USA.” and non-Germans. Though it appears the German government has not interpreted the law This foundational proposal was swept aside by in this way, if it chose to do so, it would be a step the disaster of 9/11 and the subsequent decade of towards establishing a new standard of privacy the war on terror. But just as Mr. Obama speaks against which only limited exceptions would be about ending the war on terror, he must revisit reasonable. the idea of a transatlantic pact on foreign surveillance that resets the balance between The combination of what Geiger and Huber liberty and security. The process will require a suggest is not new. In fact, it was the framework degree of transparency that will not come easily to for a solution to the last major transatlantic the shadow world of intelligence agencies. But dispute over surveillance - a program known as without this level of clarity, it will be nearly Echelon. At the end of the second Clinton impossible to restore any degree of trust back into administration, the European Parliament the digital communications marketplace. The completed a report accusing the NSA and its threshold for trust between nations is the partner intelligence agencies of conducting global expectation that the citizens of allied nations will surveillance of telecommunications. The final be given the same rights as we give our own report of the European Parliament on the citizens. Such a move would mark a decisive Echelon investigation from July 11, 2001 offers a change.

open technology institue page 18

About the Authors

Georg Mascolo was a Public Policy Scholar with the Wilson Center's Global Europe Program and is now a visiting scholar at the Weatherhead Center for International Affairs at Harvard University. He is a journalist and former Editor-In-Chief of Der Spiegel and has written about surveillance since 1990.

Ben Scott is Senior Advisor to the Open Technology Institute at the New America Foundation and directs the European Digital Agenda program at the Stiftung Neue Verantwortung in Berlin. Previously, he served as an advisor on technology issues at the US Department of State.

© 2013 New America Foundation

This report carries a Creative Commons license, which permits re-use of New America content when proper attribution is provided. This means you are free to copy, display and distribute New America’s work, or include our content in derivative works, under the following conditions:

Attribution. You must clearly attribute the work to the New America Foundation, and provide a link back to www.Newamerica.net. Noncommercial. You may not use this work for commercial purposes without explicit prior permission from New America. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.

For the full legal code of this Creative Commons license, please visit www.creativecommons.org. If you have any questions about citing or reusing New America content, please contact us.

Main Office New America NYC 1899 L Street, NW 199 Lafayette St. Suite 400 Suite 3B Washington, DC 20036 New York, NY 10012 Phone 202 986 2700 Fax 202 986 3696

open technology institue page 20