[I drafted this blog post in late July 2013. I hesitated before hitting the “Publish” button and, in the end, did not do so. At the time, I felt the piece was too speculative, and perhaps overly cynical about the relationship between technology companies and US intelligence. Since then, enough relevant material has reached the public domain to change my mind. I’m thinking particularly of several of Bruce Schneier’s pieces, and Matt Green’s post on the NSA and SSL.]
When I started blogging about privacy (about 8 years ago, at Sun Microsystems), Scott McNealy had long since made his famous remark that “You have zero privacy anyway…”. Eric Schmidt had yet to say that “if you have something you don’t want anyone to know, maybe you shouldn’t be doing it”, but when I saw the revelations about the NSA’s PRISM and XKEYSCORE programs, it set off a train of thought.
Both programs suggest a very close relationship between technology companies and the US intelligence services – and not just a vendor relationship.
For all its carefully-worded denials that it could access service providers’ data “directly” (as opposed to, say, via an intermediate FBI server) the NSA clearly has long-standing and formal arrangements with those companies through whom the majority of digital data would pass at some point in its lifecycle.
The news about XKEYSCORE further suggests that some supposedly safe cryptographic tools are actually open to NSA interception too. Whether or not vendors were intentionally distributing flawed encryption tools, it certainly seems that flawed tools have been allowed to persist in the market even after the NSA knew they were not delivering the level of protection users expected. What inferences you choose to draw from that are another matter.
So, when Scott and Eric warned us that privacy is dead, maybe they weren’t giving us the benefit of their own crystal insight: maybe they were just repeating the latest NSA briefing to tech CEOs whose products or services “might be of interest”.*
I am, of course, not tin-foily enough to mean that as anything other than a joke.**
But where does this leave us, in privacy terms?
My personal view is that the credibility of policy-makers, as effective custodians of what is done in our name, has taken a beating – and I doubt that we have heard the last of the revelations yet. [In fact, the Guardian’s editor, Alan Rusbridger, says the paper has only published 26 of the 58,000 documents it received: 0.045%]
Policy-makers have insisted on law-enforcement and national security exemptions in privacy laws and conventions, and where they have been prepared to compromise, it’s usually only to the extent that the clauses can include some comforting words about necessity and proportionality.
That approach has been shown to be bogus. There is nothing proportionate about the interception methods whose details have been leaked, and the claim that “it’s not ‘collection’ until you actually inspect a given piece of data” is too daft even to qualify as sophistry. Through mass interception, the government creates the capability to inspect everything at will, and that’s an end of it.
The national security justification looks wafer-thin in proportion to the scope of the activities described. Nor is the oversight regime robust enough to convince us that the surveillance activities are necessary (that is, that the same results could not be achieved by other means).
Even so, perhaps citizens would be prepared to accept that interception takes place – even on this massive scale – if they were convinced that the subsequent use of the data were subject to a rigorous and reliable governance regime. But when we look at the current revelations, there’s no evidence that that is the case. For instance, in the US it seems that blanket approvals are frequently granted (by a secret court, in secret sessions, based on secret legal powers), with no opportunity for an agency’s application to be challenged, and a re-approval cycle that seems to note more and more violations… but grant approval anyway.
Even a former FISA judge feels the current system is too sweeping. The NSA says that analysts’ access to intercept data is strictly controlled, with “multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse”… and yet this was the system from which Edward Snowden was able to extract 58,000 documents.
Nor am I much more reassured by the UK’s governance regime. To be sure, it has an Interception of Communications Commissioner, who publishes an annual report. The latest report can be found here: http://iocco-uk.info – but you will find that it is an exercise in saying very little, at some length.
[A UK minister and member of the National Security Committee has gone into print saying that he was not briefed at all on GCHQ’s TEMPORA programme, or on their partnership in PRISM. If these data points accurately reflect the rigour of the UK’s accountability regime for intelligence services, we, as citizens, should be extremely concerned.]
So, here’s where I think we stand:
We should be pressing policymakers to sign up to principles of privacy and make them meaningful.
We should disregard any government assurances about proportionality and necessity criteria unless we can see evidence of a robust governance regime.
We should be insisting that vendors deliver usable security mechanisms, that guarantee us the ability to share and store data with confidentiality.
[It may, exceptionally, be appropriate for a duly-appointed court to hear some cases or evidence behind closed doors, but it cannot be acceptable for any court to exercise legal powers that, themselves, have never been published. Secret law has no place in a democracy.]
** When I drafted this blog post on Aug. 1st, I really did, mostly, mean that as a joke.
* That was before I saw the time-line showing which companies signed up to PRISM when. That chart showed that Google became a PRISM “feed” in February 2009. 11 months later, Eric Schmidt made his “maybe you shouldn’t be doing it” crack.