The recent reports confirming the existence of surveillance programs run by the US National Security Agency (NSA) have shaken the international online community.
What did the leaks reveal about surveillance programs, and what legal provisions have authorised these activities? What are the effects on Internet users worldwide, especially when the targets of the surveillance activities are non-US citizens who are not based in the USA?
Our June IG webinar addressed these questions and more, thanks to privacy expert Katitza Rodriguez, international rights director at the Electronic Frontier Foundation (EFF), who hosted the webinar last week.
The leaked surveillance programs
Earlier last month, The Guardian revealed that at least one company, Verizon, was ordered to hand over all metadata associated with telephone communications originating or terminating in the USA. The order was granted by the secret Foreign Intelligence Surveillance Court, established by the Foreign Intelligence Surveillance Act (FISA), in accordance with the business records provision of the Patriot Act. It was also revealed that the collection of data related to telephone communications had been going on since 2006.
Under this provision, Ms Rodriguez explained, ‘the US Government can compel the production of “any tangible thing” reasonably believed to be relevant to an authorised investigation conducted for the purpose of obtaining foreign intelligence.’
While the data collected did not include the actual telephone conversations, it included records such as the duration of calls, and the originating and terminating telephone numbers.
Yet, this was not the first occurrence. A similar surveillance case was revealed by a former AT&T telecommunications technician seven years ago. Back then, the former employee revealed the surveillance activities to EFF, who initiated a class action against AT&T.
Additional leaks earlier last month, published simultaneously in The Washington Post and The Guardian, revealed the existence of PRISM, an extensive surveillance program operated by the NSA, which targets non-US customers outside the US, and communications held with people outside the US.
Ms Rodriguez explained that PRISM provides access to e-mail content, online chats, file transfers, photos and videos, search history, and information from social networks. According to the leaks, the collection of data is made ‘directly from the servers of these US Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.’
The NSA’s authority comes from provisions in FISA, which grants ‘general acquisition and interception powers to compel access – possibly in real-time – to information from a diverse range of communications and data processing services’, Ms Rodriguez explained.
The effects on Internet users worldwide
The reports suggest that the surveillance program is designed to limit the exposure of US-based targets, but at the same time offer no protection to non-US citizens’ data. So where does this leave non-US citizens who, for example, make use of cloud computing services via companies located in the USA? How can the privacy rights of foreigners be protected?
While many countries follow the same principle of protecting their own nationals while offering zero protection to foreigners, ‘the problem for non-US citizens is the lack of procedural safeguards on trans-border surveillance, for which there needs to be a global discussion to be able to ensure strong safeguards,’ Ms Rodriguez explained. This is leading to a loss of trust in the giant companies offering cloud services, who may have to hand over personal data if compelled to do so.
The host explained that an even bigger concern is the fact that some power-yielding laws carry vaguely-written provisions. In general, vague wording is not helpful, as this can be used to justify over-reaching surveillance activities – a concern which has also been expressed by UN Special Rapporteur Frank La Rue.
A good way of safeguarding Internet users’ rights is for companies to collect less data, that is, to collect only the data that is necessary for business operations. As a result, less data would be available for handing over to government agencies if the companies are compelled to do so. But this is easier said than done, as business models generally encourage companies to collect as much data as possible.
Stronger provisions related to whistle-blower laws would also help safeguard individuals who reveal information about secret surveillance activities.
We invite you to listen to the live recording of the webinar, in which our host Katitza Rodriguez discusses these issues in more detail. During the webinar, Ms Rodriguez also discussed questions and comments by webinar participants, including: Is the ‘cloud’ safe, and how broadly interpreted were certain provisions of the laws authorising the surveillance activities?
You can also download the PowerPoint Presentation in PDF format here. To receive news, announcements and follow-up e-mails regarding our IG webinars, subscribe to our IG webinars group.